Open
Conversation
Signed-off-by: Jonathan Schwender <[email protected]>
93c32dd to
021ad25
Compare
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
2 participants
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
This script automates the signing, packaging and notarization of servoshell on macOS.
This is a first step towards: #40031 and #12532. While we could let a maintainer code-sign and upload the signed release, probably this should be integrated into CI, which would require additional work.
This script started out quite simple as part of
./mach package. However, since the script has access to secrets, it shouldn't be part of mach (to minimize the amout of code that needs to be trusted).We also needed to save state and be able to resume operations, since notarizing can take quite long and the stapling needs to wait until notarization has completed.
Since notarizing can take long (up to a day has been observed during first tests), we save artifacts and the notarization ID, and add a
--check-statuscommand that can be used to poll if notarization has been finished.Testing: Manually testing required. A signed and notarized
.dmgartifact has been uploaded to zulip, allowing others to verify the notarization worked.