Skip to content

[skip changelog] Update notarization job, now usable with p12 cert format #1062

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Merged
merged 6 commits into from
Nov 13, 2020
Merged

[skip changelog] Update notarization job, now usable with p12 cert format #1062

Show file tree
Hide file tree
Changes from all commits
Commits
Show all changes
6 commits
Select commit Hold shift + click to select a range
fcf942b
update notarization job usable with p12 cert
umbynos Nov 9, 2020
d6b5276
Apply suggestions from code review
umbynos Nov 11, 2020
098f431
update nightly.yaml to use p12 cert
umbynos Nov 11, 2020
a875e02
replace third party action to handle keychain with shell code
umbynos Nov 12, 2020
d553c68
revert to previous gon installation
umbynos Nov 12, 2020
e020098
forgot to modify step name
umbynos Nov 12, 2020
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
36 changes: 22 additions & 14 deletions .github/workflows/nightly.yaml
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -46,27 +46,35 @@ jobs:
with:
name: dist

- name: Download Gon
- name: Import Code-Signing Certificates
env:
KEYCHAIN: "sign.keychain"
INSTALLER_CERT_MAC_PATH: "/tmp/ArduinoCerts2020.p12"
run: |
echo "${{ secrets.INSTALLER_CERT_MAC_P12 }}" | base64 --decode > ${{ env.INSTALLER_CERT_MAC_PATH }}
security create-keychain -p ${{ secrets.KEYCHAIN_PASSWORD }} ${{ env.KEYCHAIN }}
security default-keychain -s ${{ env.KEYCHAIN }}
security unlock-keychain -p ${{ secrets.KEYCHAIN_PASSWORD }} ${{ env.KEYCHAIN }}
security import ${{ env.INSTALLER_CERT_MAC_PATH }} -k ${{ env.KEYCHAIN }} -f pkcs12 -A -T /usr/bin/codesign -P ${{ secrets.INSTALLER_CERT_MAC_PASSWORD }}
security set-key-partition-list -S apple-tool:,apple: -s -k ${{ secrets.KEYCHAIN_PASSWORD }} ${{ env.KEYCHAIN }}

- name: Install gon for code signing and app notarization
run: |
wget -q https://github.com/mitchellh/gon/releases/download/v0.2.2/gon_0.2.2_macos.zip
unzip gon_0.2.2_macos.zip -d /usr/local/bin
rm -f gon_0.2.2_macos.zip
wget -q https://github.com/mitchellh/gon/releases/download/v0.2.3/gon_macos.zip
unzip gon_macos.zip -d /usr/local/bin

- name: Notarize binary, re-package it and update checksum
- name: Sign and notarize binary
env:
AC_USERNAME: ${{ secrets.AC_USERNAME }}
AC_PASSWORD: ${{ secrets.AC_PASSWORD }}
# This step performs the following:
# 1. Download keychain from GH secrets and decode it from base64
# 2. Add the keychain to the system keychains and unlock it
# 3. Call Gon to start notarization process (using AC_USERNAME and AC_PASSWORD)
# 4. Repackage the signed binary replaced in place by Gon (ignoring the output zip file)
# 5. Recalculate package checksum and replace it in the goreleaser nnnnnn-checksums.txt file
run: |
echo "${{ secrets.KEYCHAIN }}" | base64 --decode > ~/Library/Keychains/apple-developer.keychain-db
security list-keychains -s ~/Library/Keychains/apple-developer.keychain-db
security unlock-keychain -p "${{ secrets.KEYCHAIN_PASSWORD }}" ~/Library/Keychains/apple-developer.keychain-db
gon gon.config.hcl

- name: Re-package binary and update checksum
# This step performs the following:
# 1. Repackage the signed binary replaced in place by Gon (ignoring the output zip file)
# 2. Recalculate package checksum and replace it in the goreleaser nnnnnn-checksums.txt file
run: |
# GitHub's upload/download-artifact@v1 actions don't preserve file permissions,
# so we need to add execution permission back until @v2 actions are released.
chmod +x dist/arduino_cli_osx_darwin_amd64/arduino-cli
Expand Down
36 changes: 22 additions & 14 deletions .github/workflows/release.yaml
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -41,27 +41,35 @@ jobs:
with:
name: dist

- name: Download Gon
- name: Import Code-Signing Certificates
env:
KEYCHAIN: "sign.keychain"
INSTALLER_CERT_MAC_PATH: "/tmp/ArduinoCerts2020.p12"
run: |
echo "${{ secrets.INSTALLER_CERT_MAC_P12 }}" | base64 --decode > ${{ env.INSTALLER_CERT_MAC_PATH }}
security create-keychain -p ${{ secrets.KEYCHAIN_PASSWORD }} ${{ env.KEYCHAIN }}
security default-keychain -s ${{ env.KEYCHAIN }}
security unlock-keychain -p ${{ secrets.KEYCHAIN_PASSWORD }} ${{ env.KEYCHAIN }}
security import ${{ env.INSTALLER_CERT_MAC_PATH }} -k ${{ env.KEYCHAIN }} -f pkcs12 -A -T /usr/bin/codesign -P ${{ secrets.INSTALLER_CERT_MAC_PASSWORD }}
security set-key-partition-list -S apple-tool:,apple: -s -k ${{ secrets.KEYCHAIN_PASSWORD }} ${{ env.KEYCHAIN }}

- name: Install gon for code signing and app notarization
run: |
wget -q https://github.com/mitchellh/gon/releases/download/v0.2.2/gon_0.2.2_macos.zip
unzip gon_0.2.2_macos.zip -d /usr/local/bin
rm -f gon_0.2.2_macos.zip
wget -q https://github.com/mitchellh/gon/releases/download/v0.2.3/gon_macos.zip
unzip gon_macos.zip -d /usr/local/bin

- name: Notarize binary, re-package it and update checksum
- name: Sign and notarize binary
env:
AC_USERNAME: ${{ secrets.AC_USERNAME }}
AC_PASSWORD: ${{ secrets.AC_PASSWORD }}
# This step performs the following:
# 1. Download keychain from GH secrets and decode it from base64
# 2. Add the keychain to the system keychains and unlock it
# 3. Call Gon to start notarization process (using AC_USERNAME and AC_PASSWORD)
# 4. Repackage the signed binary replaced in place by Gon (ignoring the output zip file)
# 5. Recalculate package checksum and replace it in the goreleaser nnnnnn-checksums.txt file
run: |
echo "${{ secrets.KEYCHAIN }}" | base64 --decode > ~/Library/Keychains/apple-developer.keychain-db
security list-keychains -s ~/Library/Keychains/apple-developer.keychain-db
security unlock-keychain -p "${{ secrets.KEYCHAIN_PASSWORD }}" ~/Library/Keychains/apple-developer.keychain-db
gon gon.config.hcl

- name: Re-package binary and update checksum
# This step performs the following:
# 1. Repackage the signed binary replaced in place by Gon (ignoring the output zip file)
# 2. Recalculate package checksum and replace it in the goreleaser nnnnnn-checksums.txt file
run: |
# GitHub's upload/download-artifact@v1 actions don't preserve file permissions,
# so we need to add execution permission back until @v2 actions are released.
chmod +x dist/arduino_cli_osx_darwin_amd64/arduino-cli
Expand Down