Sign and notarize macOS binaries #514
Love it! Great idea.
Before I approve, do you have an example run of this action so I can see what the signed install flow looks like on macOS?
Edit: Of course, you already supplied a link. Thanks! https://github.com/ldennington/git/actions/runs/2580040902
Hm... I don't know how this happened:
So... I've lost execute privileges on the Git binary! So the
This was a great catch, thank you (and also a good reminder to me that simply making it through the install process is not enough)! I will investigate ASAP.
@dscho @derrickstolee - I think we are good to go. Here is my latest successful run, and I'm currently running the version of Edit: Now we should be good - had to fix some whitespace and newline issues 😬.
7f458bd to 10600e3
Looking good. Sorry to bother you about it, but could you rebase onto vfs-2.37.1?
@@ -168,7 +168,7 @@ int main(int argc, const char **argv) | |||
"usage: git credential-osxkeychain <get|store|erase>"; | |||
|
|||
if (!argv[1]) | |||
die(usage); | |||
die("%s", usage); |
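Review bot: At the `if (!argv[1])` check, `die("%s", usage);` is the correct way to print a non-literal string, but nothing here records why the change was needed. `usage` is the fixed string "usage: git credential-osxkeychain <get|store|erase>" with no `%` conversions, so the output is unchanged; say in the commit message which compiler diagnostic rejected `die(usage);`, and check the file's other `die()` calls for a non-literal first argument so the build does not fail on the next one.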
Are you working on an upstream fix for this? ;)
Yes! Today 😆.
Maybe we could add a step that mounts the .dmg, unpacks the .pkg and verifies that its git version works and shows the expected output? That would catch issues similar to the lost executable bit in the future.
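One way to script the check suggested in the comment above (an added example, not code from this pull request or the project's workflow). It also checks the package signature before expanding it; the function names and the assumption that the payload contains a `bin/git` are illustrative.

```shell
#!/bin/sh
# Added example: smoke test for a built macOS installer (not the project's code).

# verify_payload ROOT EXPECTED
# ROOT is an expanded package payload containing bin/git (assumed layout).
# Succeeds only if every file in ROOT/bin is executable and `git version`
# reports a version starting with EXPECTED.
verify_payload() {
    root=$1; expected=$2
    [ -d "$root/bin" ] || { echo "no bin/ under $root" >&2; return 1; }
    # A regular file in bin/ missing any execute bit is a packaging regression.
    bad=$(find "$root/bin" -type f ! -perm -111 -print)
    if [ -n "$bad" ]; then
        printf 'not executable:\n%s\n' "$bad" >&2
        return 1
    fi
    out=$("$root/bin/git" version 2>&1) || { echo "git failed: $out" >&2; return 1; }
    case $out in
        "git version $expected"*) return 0 ;;
        *) echo "unexpected output: $out" >&2; return 1 ;;
    esac
}

# verify_dmg DMG EXPECTED  (macOS only: relies on hdiutil and pkgutil)
verify_dmg() {
    dmg=$1; expected=$2; rc=1
    work=$(mktemp -d) || return 1
    mkdir "$work/mnt"
    hdiutil attach -nobrowse -readonly -mountpoint "$work/mnt" "$dmg" >/dev/null ||
        { rm -rf "$work"; return 1; }
    pkg=$(find "$work/mnt" -maxdepth 1 -name '*.pkg' | head -n 1)
    # Signature check first, then expand without installing.
    if [ -n "$pkg" ] && pkgutil --check-signature "$pkg" >/dev/null &&
       pkgutil --expand-full "$pkg" "$work/pkg"; then
        # The payload prefix is not assumed; locate bin/git wherever it landed.
        gitbin=$(find "$work/pkg" -type f -path '*/bin/git' | head -n 1)
        if [ -n "$gitbin" ]; then
            verify_payload "$(dirname "$(dirname "$gitbin")")" "$expected" && rc=0
        fi
    fi
    hdiutil detach "$work/mnt" >/dev/null
    rm -rf "$work"
    return $rc
}
```

On a macOS runner the step would call `verify_dmg` with the built .dmg and the version being released; `verify_payload` can be exercised on any POSIX system against an already expanded payload.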
.github/assets/etc/gitconfig.default
Outdated
@@ -0,0 +1,58 @@ | |||
[core] | |||
excludesfile = ~/.gitignore | |||
legacyheaders = false # >git 1.5 |
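Review bot: `excludesfile = ~/.gitignore` under `[core]` in a default gitconfig moves every user's ignore file away from Git's built-in default location (`$XDG_CONFIG_HOME/git/ignore`), so users who rely on the default would silently lose their ignore rules. Drop the line or document why the installer sets it. The `legacyheaders = false # >git 1.5` line likewise needs a comment that says what it is for, or should be removed.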
Do we have any code to handle core.legacyHeaders at all anymore? I do not see any, it seems that this has been removed in v1.5.3-rc0~218^2
...
I actually removed this file based on your comment here.
So I don't think we'll need to worry about the legacy headers...apologies if I'm overlooking something though.
Will do - it's no problem.
I think this is a good idea. However, it seems like we should add this type of validation for all the installers we produce. I've opened a separate work item for this: https://github.com/github/git-fundamentals/issues/965.
Update macOS portion of build-git-installers workflow to add signing and notarization. A few notes reviewers may find helpful:

This change removes our dependency on the derrickstolee/git_osx_installer repo by migrating the Makefile and scripts we need into Microsoft Git's .github directory (or a subdirectory, if applicable). The following are notes on each of these files:

.github/Makefile: This file was changed substantially (i.e. TODO comments, unneeded variables, and unneeded tasks were removed). Accordingly, it merits a robust review.

git_osx_installer repo and should not require a detailed review:
.github/macos-installer/assets/etc/gitconfig.default
.github/macos-installer/assets/etc/gitconfig.osxkeychain
.github/macos-installer/assets/git-components.plist
.github/macos-installer/assets/uninstall.sh
.github/macos-installer/assets/scripts/postinstall
.github/scripts/symlink-git-hardlinks.rb

The ubuntu_build task was updated to also use the signing scripts added for the macOS workflow, allowing for removal of the sign-debian-packages.py script (which had hard-coded Linux values rather than OS-specific values passed as parameters).

Compilation of contrib/credential/osxkeychain failed without the small change I made in contrib/credential/osxkeychain/git-credential-osxkeychain.c.

Finally, here is the latest workflow run in my fork testing these changes.