PR: Fix Codesigning for the Installers and Run Workflow on Schedule #21334

Merged: 7 commits, Sep 14, 2023

Contributor

@mrclary mrclary commented Sep 13, 2023

Description of Changes

  • Call set-key-partition-list after correcting the codesign executable path
  • Set the keychain timeout
  • Run the installer workflow daily at 06:30 UTC
  • Run the installer workflow for PRs only if relevant workflow files have changed
  • Run the subrepo build workflow only on push to master or called from within the installer workflow.

The first two changes listed above seem to correct the issue where codesign would hang while replacing the signature for conda.exe, independently.

I suspect that a gui prompt is launched, waiting for user input and giving the appearance of hanging.
I think this may occur under two conditions:

  • set-key-partition-list may have registered .../spy-inst/bin/codesign instead of /usr/bin/codesign, resulting in a gui prompt requesting user input (password).
  • If the keychain locks, then a gui may be launched requesting user input (password).

The fact that both the keychain timeout and the location of set-key-partition-list appear to resolve the issue independently is strange (I tried each commit in isolation).
I would think that they each should be necessary but insufficient. 🤷🏼

Also, I still don't understand how napari/packaging avoids this issue.
They do not use set-key-partition-list at all, just the timeout. In my investigations, the absence of set-key-partition-list does not work.

Issue(s) Resolved

Fixes #21302

When ssh is selected in a workflow-dispatch, this will open the ssh session at the beginning of the workflow but allow the workflow to continue; no need for an error to occur.
This seems to correct the issue where codesign would hang while replacing signature for conda.exe.
I suspect that a gui prompt is launched, waiting for user input and giving the appearance of hanging.
I think this may have occurred because set-key-partition-list may have registered the wrong codesign and that is why the incorrect codesign must be moved before set-key-partition-list is called.
This also seems to fix the issue of hanging during codesigning conda.exe.
I suppose the hypothesis here is that the keychain locks before the signing event and a gui likely appears prompting the user for access.

The fact that both this and the location of set-key-partition-list appear to resolve the issue _independently_ (I tried each commit in isolation) is strange.
I could believe the keychain locks before signing, but then that may be intermittent: sometimes it locks sooner than others, but shouldn't it be required that set-key-partition-list be set after the incorrect codesign is moved?
In other words, why do these work independently? Shouldn't they each be necessary but insufficient?

Also, I still don't understand how napari avoids this issue.
They do not use set-key-partition-list at all, just the timeout.
build-subrepos workflow should also run if the workflow file is updated.
Only run installer workflow on pull request if relevant files are changed.
Run installer workflow daily at 06:30 UTC.
Use subrepos in installer on scheduled events.
Do not run on pull requests, rather have installers-conda.yml run on limited PRs and call build-subrepos.yml.

build-subrepos.yml will run on push to master if relevant files have changed, providing caches for any PR based off of master. PRs that trigger the installer workflow will trigger build-subrepos from within the installer workflow, ensuring that it is completed before the build installers step. If caches already exist and the subrepos do not need to be rebuilt, build-subrepos should complete rapidly.
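
The ordering from the description above (system codesign first on PATH, keychain timeout set, set-key-partition-list called last), written out as an added example that is not code from this PR or from the Spyder workflow. The keychain and certificate names, the variable names, the timeout value and the `apple-tool:,apple:` partition IDs are assumptions.

```shell
#!/bin/sh
# Added example, not the PR's workflow code. Assumed names: KEYCHAIN, KEYCHAIN_PW,
# CERT_P12, CERT_PW, TIMEOUT_S, DRY_RUN; the partition IDs are also an assumption.
KEYCHAIN="${KEYCHAIN:-ci-build.keychain-db}"      # hypothetical keychain name
CERT_P12="${CERT_P12:-signing-cert.p12}"          # hypothetical certificate file
TIMEOUT_S="${TIMEOUT_S:-21600}"                   # assumed: longer than the whole job
SYSTEM_CODESIGN="${SYSTEM_CODESIGN:-/usr/bin/codesign}"

# Execute a command, or only print it when DRY_RUN=1 so the plan can be reviewed.
run() {
    if [ "${DRY_RUN:-0}" = "1" ]; then printf '%s\n' "$*"; else "$@"; fi
}

# Succeeds only when the first codesign on PATH is the system binary, i.e. no
# copy from a build environment's bin/ directory shadows it.
# Returns 2 when no codesign is found at all.
codesign_is_system() {
    resolved="$(command -v codesign 2>/dev/null)" || return 2
    [ "$resolved" = "$SYSTEM_CODESIGN" ]
}

# Order of the security(1) calls:
#   1. create and unlock a dedicated keychain
#   2. set the auto-lock timeout so it stays unlocked through the signing step
#   3. import the certificate, allowing the system codesign to use the key
#   4. set the key partition list last, once codesign resolves correctly
setup_keychain() {
    if ! codesign_is_system; then
        echo "codesign on PATH is not $SYSTEM_CODESIGN; correct it first" >&2
        return 1
    fi
    kpw="${KEYCHAIN_PW:-}"; cpw="${CERT_PW:-}"
    if [ "${DRY_RUN:-0}" = "1" ]; then    # never echo secrets into CI logs
        kpw='<KEYCHAIN_PW>'; cpw='<CERT_PW>'
    fi
    run security create-keychain -p "$kpw" "$KEYCHAIN" &&
    run security unlock-keychain -p "$kpw" "$KEYCHAIN" &&
    run security set-keychain-settings -u -t "$TIMEOUT_S" "$KEYCHAIN" &&
    run security import "$CERT_P12" -k "$KEYCHAIN" -P "$cpw" -T "$SYSTEM_CODESIGN" &&
    run security set-key-partition-list -S apple-tool:,apple: -s -k "$kpw" "$KEYCHAIN"
}

# Stand-alone use: `sh keychain.sh setup` (DRY_RUN=1 prints the commands instead).
if [ "${1:-}" = "setup" ]; then setup_keychain; fi
```

With `DRY_RUN=1` the function prints the five `security` commands with the passwords replaced by placeholders, which makes the order reviewable on a machine without a macOS keychain.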
Member

@dalthviz dalthviz left a comment


Thanks @mrclary !

@dalthviz dalthviz merged commit 343e780 into spyder-ide:master Sep 14, 2023
8 checks passed
@mrclary mrclary deleted the codesign branch September 14, 2023 20:03
Successfully merging this pull request may close these issues.

Codesign hangs on macOS installer