Add codesign/productsign for macosx

aliyun · Aug 29, 2023 · 864dd49 · 864dd49
1 parent 2732cc1
commit 864dd49
Show file tree

Hide file tree

Showing 2 changed files with 41 additions and 0 deletions.
diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml
@@ -33,15 +33,36 @@ jobs:
         uses: actions/setup-go@v4
         with:
           go-version: '1.20'
+      - name: Set up developer id application cert
+        uses: apple-actions/import-codesign-certs@v2
+        with:
+          p12-file-base64: ${{ secrets.APPLE_DEVELPER_ID_APPLICATION_CERT_DATA }}
+          p12-password: ${{ secrets.APPLE_CERT_PASSWORD }}
+          keychain-password: tmppassworkd
+      - name: Set up develper id installer cert
+        uses: apple-actions/import-codesign-certs@v2
+        with:
+          p12-file-base64: ${{ secrets.APPLE_CERT_DATA }}
+          p12-password: ${{ secrets.APPLE_CERT_PASSWORD }}
+          create-keychain: false
+          keychain-password: tmppassworkd
       - name: Build
         run: |
           TAG=${{ github.ref_name }}
           VERSION=${TAG#v}
           CGO_ENABLED=0 GOOS=darwin GOARCH=amd64 go build -ldflags "-X 'github.com/aliyun/aliyun-cli/cli.Version=${VERSION}'" -o out/aliyun main/main.go
+          codesign --sign "${{ secrets.APPLE_TEAM_ID }}" \
+            --entitlements tools/osx-entitlements.plist \
+            --options runtime \
+            --timestamp out/aliyun
           tar zcvf out/aliyun-cli-macosx-${VERSION}-amd64.tgz -C out aliyun
           bash tools/upload_asset.sh ${VERSION} out/aliyun-cli-macosx-${VERSION}-amd64.tgz
           cp out/aliyun out/aliyun.amd64
           CGO_ENABLED=0 GOOS=darwin GOARCH=arm64 go build -ldflags "-X 'github.com/aliyun/aliyun-cli/cli.Version=${VERSION}'" -o out/aliyun main/main.go
+          codesign --sign "${{ secrets.APPLE_TEAM_ID }}" \
+            --entitlements tools/osx-entitlements.plist \
+            --options runtime \
+            --timestamp out/aliyun
           tar zcvf out/aliyun-cli-macosx-${VERSION}-arm64.tgz -C out aliyun
           bash tools/upload_asset.sh ${VERSION} out/aliyun-cli-macosx-${VERSION}-arm64.tgz
           cp out/aliyun out/aliyun.arm64
@@ -50,6 +71,8 @@ jobs:
           bash tools/upload_asset.sh ${VERSION} out/aliyun-cli-macosx-${VERSION}-universal.tgz
           # generate out/aliyun-cli-${VERSION}.pkg
           bash tools/build_pkg.sh ${VERSION}
+          productsign --sign "${{ secrets.APPLE_TEAM_ID }}" out/aliyun-cli-${VERSION}.pkg out/aliyun-cli-${VERSION}.pkg.signed
+          mv out/aliyun-cli-${VERSION}.pkg.signed out/aliyun-cli-${VERSION}.pkg
           bash tools/upload_asset.sh ${VERSION} out/aliyun-cli-${VERSION}.pkg
   build_for_linux:
     needs: [create_release]

diff --git a/tools/osx-entitlements.plist b/tools/osx-entitlements.plist
@@ -0,0 +1,18 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
+<plist version="1.0">
+<dict>
+    <key>com.apple.security.cs.allow-jit</key>
+    <true/>
+    <key>com.apple.security.cs.allow-unsigned-executable-memory</key>
+    <true/>
+    <key>com.apple.security.cs.disable-executable-page-protection</key>
+    <true/>
+    <key>com.apple.security.cs.allow-dyld-environment-variables</key>
+    <true/>
+    <key>com.apple.security.cs.disable-library-validation</key>
+    <true/>
+    <key>com.apple.security.get-task-allow</key>
+    <true/>
+</dict>
+</plist>