Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Add a Python script to codesign macOS binaries #84

Merged
merged 15 commits into from
Sep 4, 2022
Merged

Add a Python script to codesign macOS binaries #84

merged 15 commits into from
Sep 4, 2022

Conversation

lopopolo
Copy link
Member

@lopopolo lopopolo commented Sep 4, 2022

Add a Python script to drive the Apple codesigning and notarization process. This is a set of automation that will allow addressing #18.

The script performs the following steps:

  • Accept a list of binaries to codesign and additional non-binary resources to pack into the archive.
  • Create an ephemeral keychain for the codesigning process and allow it to be used by /usr/bin/codesign.
  • Store codesigning certificate in keychain.
  • Store notarization credentials in keychain.
  • Codesign given binaries using /usr/bin/codesign.
  • Create a disk image and pack the codesigned binaries and non-binary resources into it.
  • Codesign the disk image.
  • Notarize the disk image.
  • Staple the notarization ticket to the disk image.
  • Verify the notarization ticket on the disk image.
  • Verify the signature on the disk image.

A minimal set of python devtools are added to a requirements.in. A Python CI lint and format step has been added. @dependabot is set up for pip.

  • Mount the disk image and validate the signatures on the binaries inside it.
  • Delete the keychain created for the codesigning and notarization process.

@lopopolo lopopolo added T-aarch64-apple-darwin Target: ARM64 macOS (11.0+, Big Sur+) T-x86_64-apple-darwin Target: 64-bit macOS (10.7+, Lion+) A-codesigning Area: Code signing, GPG signatures. labels Sep 4, 2022
@lopopolo lopopolo force-pushed the lopopolo/macos-code-signing branch from 5f95d07 to af69af0 Compare September 4, 2022 06:34
@lopopolo lopopolo force-pushed the lopopolo/macos-code-signing branch from af69af0 to d5c79ca Compare September 4, 2022 06:36
@lopopolo
Add python CI job
0edc065
@lopopolo
gitignore
e0fb807
@lopopolo
Prepare codesigning script for use in CI
f00e6e4 
- Set GitHub Actions "output" for path to dmg artifact.
- Emit information about the GitHub Actions build in CI.
- Add more docstring comments.
- Tweak CLI args to accept release name as a leading positional
  argument.
- Ensure at least one binary arugment is passed to the script.
- Ensure unexpected arguments result in the script exiting with an
  error.
- Ensure that trailing `--binary` or `--resource` flags are treated as
  errors.
- Make script more friendly for local development by building and
  outputing dmgs to a git ignored `dist` directory.
- Unnest dmg codesign step from an existing log group.
@lopopolo lopopolo force-pushed the lopopolo/macos-code-signing branch from d5c79ca to f00e6e4 Compare September 4, 2022 06:44
@lopopolo lopopolo added the A-build Area: CI build infrastructure. label Sep 4, 2022
@lopopolo lopopolo merged commit 7144e03 into trunk Sep 4, 2022
@lopopolo lopopolo deleted the lopopolo/macos-code-signing branch September 4, 2022 06:45
@lopopolo lopopolo mentioned this pull request Sep 4, 2022
Merged
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers
No reviews
Assignees
No one assigned
Labels
A-build Area: CI build infrastructure. A-codesigning Area: Code signing, GPG signatures. T-aarch64-apple-darwin Target: ARM64 macOS (11.0+, Big Sur+) T-x86_64-apple-darwin Target: 64-bit macOS (10.7+, Lion+)
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
1 participant
@lopopolo