
feat: Sign MacOS binaries #1060


Merged
merged 1 commit into from
Apr 18, 2022
feat: Sign MacOS binaries
This fixes virus warnings when launching Coder on darwin.
kylecarbs committed Apr 18, 2022
commit 825ca4092a4db8c1d79b3afe2b6157c8d8e61e7e
15 changes: 14 additions & 1 deletion .github/workflows/release.yaml
@@ -5,7 +5,7 @@ on:
- "v*"
jobs:
goreleaser:
runs-on: ubuntu-latest
runs-on: macos-latest
steps:
- uses: actions/checkout@v3
with:
@@ -14,6 +14,17 @@ jobs:
with:
go-version: "~1.18"

- name: Install Gon
run: |
brew tap mitchellh/gon
brew install mitchellh/gon/gon

- name: Import Signing Certificates
uses: Apple-Actions/import-codesign-certs@v1
with:
p12-file-base64: ${{ secrets.AC_CERTIFICATE_P12_BASE64 }}
p12-password: ${{ secrets.AC_CERTIFICATE_PASSWORD }}

- name: Echo Go Cache Paths
id: go-cache-paths
run: |
@@ -53,3 +64,5 @@ jobs:
args: release --rm-dist
env:
GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
AC_USERNAME: ${{ secrets.AC_USERNAME }}
AC_PASSWORD: ${{ secrets.AC_PASSWORD }}
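Review bot: The `Apple-Actions/import-codesign-certs@v1` step is handed the signing certificate and its password but is referenced by a movable tag, so whoever can move that tag controls code that sees both secrets. Pin it to a full commit SHA, e.g. `uses: Apple-Actions/import-codesign-certs@<full-commit-sha>  # v1` (placeholder; take the SHA from the action's repository after reviewing it). The `brew install mitchellh/gon/gon` step just above it is likewise unversioned and runs in the same job that later exposes `AC_USERNAME`/`AC_PASSWORD`, so a pinned or checksum-verified install is worth considering there too. The goreleaser step that receives the two new env entries starts outside the last hunk.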
69 changes: 58 additions & 11 deletions .goreleaser.yaml
@@ -1,13 +1,24 @@
archives:
- id: coder
builds:
- coder
- id: coder-linux
builds: [coder-linux]
format: tar
files:
- src: docs/README.md
dst: README.md

- id: coder-darwin
builds: [coder-darwin]
format: zip
files:
- src: docs/README.md
dst: README.md

- id: coder-windows
builds: [coder-windows]
format: zip
files:
- src: docs/README.md
dst: README.md
format_overrides:
- goos: windows
format: zip

before:
hooks:
@@ -27,15 +38,44 @@ builds:
post: |
cp {{.Path}} site/out/bin/coder-{{ .Os }}-{{ .Arch }}{{ trimprefix .Name "coder" }}

- id: coder
- id: coder-linux
dir: cmd/coder
flags: ["-tags=embed"]
flags: [-tags=embed]
ldflags:
["-s -w -X github.com/coder/coder/cli/buildinfo.tag={{ .Version }}"]
env: [CGO_ENABLED=0]
goos: [darwin, linux, windows]
goos: [linux]
goarch: [amd64, arm64]

- id: coder-windows
dir: cmd/coder
flags: [-tags=embed]
ldflags:
["-s -w -X github.com/coder/coder/cli/buildinfo.tag={{ .Version }}"]
env: [CGO_ENABLED=0]
goos: [windows]
goarch: [amd64, arm64]

- id: coder-darwin
dir: cmd/coder
flags: [-tags=embed]
ldflags:
["-s -w -X github.com/coder/coder/cli/buildinfo.tag={{ .Version }}"]
env: [CGO_ENABLED=0]
goos: [darwin]
goarch: [amd64, arm64]
hooks:
# This signs the binary that will be located inside the zip.
# MacOS requires the binary to be signed for notarization.
#
# If it doesn't successfully sign, the zip sign step will error.
post: |
sh -c 'codesign -s {{.Env.AC_APPLICATION_IDENTITY}} -f -v --timestamp --options runtime {{.Path}} || true'

env:
# Apple identity for signing!
- AC_APPLICATION_IDENTITY=BDB050EB749EDD6A80C6F119BF1382ECA119CCCC

nfpms:
- id: packages
vendor: Coder
@@ -50,7 +90,7 @@ nfpms:
suggests:
- postgresql
builds:
- coder
- coder-linux
bindir: /usr/bin
contents:
- src: coder.env
@@ -60,7 +100,14 @@ nfpms:
dst: /usr/lib/systemd/system/coder.service

release:
ids: [coder, packages]
ids: [coder-linux, coder-darwin, coder-windows, packages]

signs:
- ids: [coder-darwin]
artifacts: archive
cmd: ./scripts/sign_macos.sh
args: ["${artifact}"]
output: true

snapshot:
name_template: "{{ .Version }}-devel+{{ .ShortCommit }}"
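Review bot: The `coder-darwin` post hook ends in `|| true`, so a failed `codesign` during a tagged release is silently ignored, and the only backstop is the later notarization in the `signs` step, as the comment above the hook itself says. That backstop disappears whenever signing is skipped (the Makefile in this commit passes `--skip-sign`), and it depends on `scripts/sign_macos.sh` failing loudly. Consider tolerating the failure only for snapshot builds, for example by ending the command with `{{.Path}}{{ if .IsSnapshot }} || true{{ end }}`; this assumes build hooks are rendered with `.IsSnapshot`, which should be confirmed against the goreleaser version in use. The `builds` list this entry belongs to starts outside the hunk.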
5 changes: 2 additions & 3 deletions Makefile
@@ -88,8 +88,8 @@ provisionersdk/proto: provisionersdk/proto/provisioner.proto
./provisionersdk/proto/provisioner.proto
.PHONY: provisionersdk/proto

release: site/out
goreleaser release --snapshot --rm-dist
release:
goreleaser release --snapshot --rm-dist --skip-sign
.PHONY: release

site/out:
@@ -102,4 +102,3 @@ site/out:

test:
gotestsum -- -v -short ./...
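Review bot: The `release` target now passes `--skip-sign` without any comment saying that its darwin archives are neither signed by `scripts/sign_macos.sh` nor notarized, so nothing marks the output as unfit for distribution. A comment above the target would cover it, e.g. `# Local snapshot only: --skip-sign disables signing and notarization; do not publish these artifacts.` The target also appears to lose its `site/out` prerequisite; if no goreleaser `before` hook builds the site, the `-tags=embed` build may pick up stale or missing assets, which is worth confirming.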

17 changes: 17 additions & 0 deletions scripts/sign_macos.sh
@@ -0,0 +1,17 @@
#!/usr/bin/env bash

set -euo pipefail
cd "$(git rev-parse --show-toplevel)"

codesign -s $AC_APPLICATION_IDENTITY -f -v --timestamp --options runtime $1

config="$(mktemp -d)/gon.json"
jq -r --null-input --arg path "$(pwd)/$1" '{
"notarize": [
{
"path": $path,
"bundle_id": "com.coder.cli"
}
]
}' > $config
gon $config
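Review bot: `$AC_APPLICATION_IDENTITY`, `$1` and `$config` are expanded unquoted, so an artifact path or temp directory containing whitespace or glob characters is split before `codesign`, the redirect and `gon` see it, and the script may fail late or act on a different path than intended. Quote all three: `codesign -s "$AC_APPLICATION_IDENTITY" -f -v --timestamp --options runtime "$1"`, `}' > "$config"` and `gon "$config"`. The script also builds `$(pwd)/$1` after `cd` to the repository root, which assumes goreleaser passes a repo-relative artifact path, and it never removes the `mktemp -d` directory. A one-line comment stating the relative-path assumption would help the next maintainer.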