Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Fixes all notarization issues #859

Merged
merged 1 commit into from
Jan 16, 2020
Merged

Fixes all notarization issues #859

merged 1 commit into from
Jan 16, 2020

Conversation

jonsmorrow
Copy link
Contributor

@jonsmorrow jonsmorrow commented Jan 14, 2020

Description

This changes makes the neccessary changes to enable the pkg to pass apples notarization requirements.

  1. Update omnibus and omnibus-software to versions that support deep signing
  2. Drop 'Developer ID Installer:' from signing key. This lets sigining pick up the correct key for what is being signed.
  3. Add bin_dirs and lib_dirs to gems and git-custom-bindir software definitions so siging can find their binaries and libraries.
  4. Add software definition for rb-fsevent-gem so we build the gem. This resolves an issue where the shipped binary is build on to old an sdk.
  5. Patch rb-fsevent-gem build to work in our environment. Set minimum target to current os and discover the sdk version.
  • Note it is currently pointed at branches in omnibus and omnibus software. Let's work towards merging this and we can do a follow on change once those branches merge.

Signed-off-by: Jon Morrow jmorrow@chef.io

Related Issue

chef/omnibus#924
chef/omnibus-software#1146

Types of changes

  • Bug fix (non-breaking change which fixes an issue)
  • New feature (non-breaking change which adds functionality)
  • Breaking change (fix or feature that would cause existing functionality to change)
  • Chore (non-breaking change that does not add functionality or fix an issue)

Checklist:

  • I have read the CONTRIBUTING document.
  • I have run the pre-merge tests locally and they pass.
  • I have updated the documentation accordingly.
  • I have added tests to cover my changes.
  • All new and existing tests passed.
  • All commits have been signed-off for the Developer Certificate of Origin.

@jonsmorrow jonsmorrow requested review from a team as code owners January 14, 2020 23:41
@jonsmorrow jonsmorrow force-pushed the JM/deep_sign branch 10 times, most recently from e21166e to 5b92b6f Compare January 15, 2020 22:05
@jonsmorrow
Copy link
Contributor Author

Ad-Hoc build for this pr: https://buildkite.com/chef/chef-chef-workstation-master-omnibus-adhoc/builds/182#_

If this goes green and passes notarization we'll merge this branch so we can begin test a package out of current.

@@ -0,0 +1,36 @@
#
# Copyright 2012-2014 Chef Software, Inc.
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

This is going to seem really silly, but can we get this to be 2020 not 2012-2014

@@ -1,7 +1,7 @@
source "https://rubygems.org"

gem "omnibus", git: "https://github.com/chef/omnibus.git", branch: "master"
gem "omnibus-software", git: "https://github.com/chef/omnibus-software.git", branch: "master"
gem "omnibus", git: "https://github.com/chef/omnibus.git", branch: "jm/deep_sign"
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Reminder to update these to master before merging

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

We are going to merge pointed at these branches to test get a package out and flip to master once the underlying branches merge

@@ -47,6 +47,11 @@
# for train
dependency "google-protobuf"

# This is a transative dep but we need to build from source so binaries are built on current sdk.
# Only matters on mac.
# TODO: Contact gem mainter about getting new release.
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Suggested change
# TODO: Contact gem mainter about getting new release.
@todo Contact gem mainter about getting new release.

Copy link
Member

@marcparadise marcparadise left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

LGTM once the omnibus/omnibus-software changes land and point to master.

This changes makes the neccessary changes to enable the pkg to pass apples notarization requirements.

1. Update omnibus and omnibus-software to versions that support deep signing
2. Drop 'Developer ID Installer:' from signing key. This lets sigining pick up the correct key for what is being signed.
3. Add bin_dirs and lib_dirs to gems and git-custom-bindir software definitions so siging can find their binaries and libraries.
4. Add software definition for rb-fsevent-gem so we build the gem. This resolves an issue where the shipped binary is build on to old an sdk.
5. Patch rb-fsevent-gem build to work in our environment. Set minimum target to current os and discover the sdk version.

Signed-off-by: Jon Morrow <jmorrow@chef.io>
@jonsmorrow
Copy link
Contributor Author

@chef-expeditor chef-expeditor bot deleted the JM/deep_sign branch January 16, 2020 17:46
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
None yet
Projects
None yet
Development

Successfully merging this pull request may close these issues.

3 participants