verify code signing #213

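# Release pipeline for dash-evo-tool.
#
# Builds the tool for five targets (three of them cross-compiled on Linux),
# signs and notarizes the two macOS builds, records build provenance for every
# artifact and publishes them on a GitHub release.
#
# Supply-chain notes (review):
# - Every third-party action below is referenced by a mutable tag (@v1, @v4).
#   Pin each one to a full commit SHA so a moved tag upstream cannot change what
#   runs with access to the signing secrets and the OIDC token.
# - The protoc and sqlite archives are fetched with curl and are not checksum
#   verified. Record the expected SHA-256 of each archive next to its URL and
#   check it before unzipping.
# - The linux-arm64 job runs on a self-hosted runner, which receives the
#   job's GITHUB_TOKEN and the OIDC token used for attestation. Provenance
#   produced by that job is only as trustworthy as that machine.
# - actions-rs/toolchain is archived and unmaintained; consider a maintained
#   replacement (pinned by SHA).
name: Release Dash Evo Tool

on:
  push:
    tags:
      - 'v*'
      - 'v*-dev.*'
  release:
    types:
      - published
  workflow_dispatch:
    inputs:
      tag:
        description: "Version (i.e. v0.1.0)"
        required: true

# Least privilege: the default token is read-only for the whole workflow; each
# job requests only the scopes it actually needs.
permissions:
  contents: read

jobs:
  build-and-release:
    name: Build and Release Dash Evo Tool
    # attest-build-provenance needs id-token + attestations, checkout needs
    # contents: read. Nothing in this job writes to the repository.
    permissions:
      id-token: write
      attestations: write
      contents: read
    strategy:
      matrix:
        include:
          # NOTE(review): GitHub has retired the ubuntu-20.04 hosted image;
          # confirm these jobs still schedule before relying on this workflow.
          - name: "linux-x86_64"
            runs-on: "ubuntu-20.04"
            target: "x86_64-unknown-linux-gnu"
            platform: "x86_64-linux"
            release-ext: "zip"
          - name: "linux-arm64"
            runs-on: ["self-hosted", "Linux", "ARM64", "ubuntu20.04"]  # Array of tags for ARM64
            target: "aarch64-unknown-linux-gnu"
            platform: "arm64-linux"
            release-ext: "zip"
          - name: "macos-x86_64"
            runs-on: "macos-13"
            target: "x86_64-apple-darwin"
            platform: "x86_64-mac"
            release-ext: "dmg"
          - name: "macos-arm64"
            runs-on: "macos-latest"
            target: "aarch64-apple-darwin"
            platform: "arm64-mac"
            release-ext: "dmg"
          - name: "Windows"
            runs-on: "ubuntu-20.04"
            target: "x86_64-pc-windows-gnu"
            platform: "windows"
            ext: ".exe"
            release-ext: "zip"
    runs-on: ${{ matrix.runs-on }}
    steps:
      - name: Check out code
        uses: actions/checkout@v4
        with:
          # No step in this job pushes or fetches with the token, so do not
          # leave it in .git/config for the rest of the job.
          persist-credentials: false

      - name: Cache Cargo registry
        uses: actions/cache@v4
        with:
          path: |
            ~/.cargo/registry
            ~/.cargo/git
            target
          key: ${{ runner.os }}-cargo-${{ hashFiles('**/Cargo.lock') }}
          restore-keys: |
            ${{ runner.os }}-cargo-

      - name: Setup prerequisites
        run: |
          mkdir -p dash-evo-tool/
          cp .env.example dash-evo-tool/.env
          cp -r dash_core_configs/ dash-evo-tool/dash_core_configs

      - name: Install Rust toolchain
        uses: actions-rs/toolchain@v1
        with:
          toolchain: stable
          target: ${{ matrix.target }}
          override: true

      # Runs on the self-hosted ARM64 runner as well; it must permit
      # passwordless sudo for apt-get and the protoc install below.
      # NOTE(review): the trailing `cargo clean` discards the `target` directory
      # that the cache step just restored, so only the registry cache is useful
      # on Linux.
      - name: Install essentials
        if: ${{ runner.os == 'Linux' }}
        run: sudo apt-get update && sudo apt-get install -y build-essential pkg-config clang cmake unzip libsqlite3-dev gcc-mingw-w64 mingw-w64 libsqlite3-dev mingw-w64-x86-64-dev gcc-aarch64-linux-gnu zip && uname -a && cargo clean

      # NOTE(review): this step was previously gated on
      # `matrix.platform == 'arm64'`, which never matched the matrix value
      # 'arm64-linux', so protoc was never installed by the workflow on the
      # ARM64 runner. It is now keyed on the target like the other steps.
      - name: Install protoc (Linux ARM64)
        if: ${{ matrix.target == 'aarch64-unknown-linux-gnu' }}
        run: curl -fOL https://github.com/protocolbuffers/protobuf/releases/download/v25.2/protoc-25.2-linux-aarch_64.zip && sudo unzip -o protoc-25.2-linux-aarch_64.zip -d /usr/local bin/protoc && sudo unzip -o protoc-25.2-linux-aarch_64.zip -d /usr/local 'include/*' && rm -f protoc-25.2-linux-aarch_64.zip

      # The native x86_64 Linux build and the Windows cross build both run on
      # ubuntu-20.04 and need the same host protoc.
      - name: Install protoc (Linux x86_64 host)
        if: ${{ matrix.target == 'x86_64-unknown-linux-gnu' || matrix.target == 'x86_64-pc-windows-gnu' }}
        run: curl -fOL https://github.com/protocolbuffers/protobuf/releases/download/v25.2/protoc-25.2-linux-x86_64.zip && sudo unzip -o protoc-25.2-linux-x86_64.zip -d /usr/local bin/protoc && sudo unzip -o protoc-25.2-linux-x86_64.zip -d /usr/local 'include/*' && rm -f protoc-25.2-linux-x86_64.zip

      - name: Install protoc (Mac x64)
        if: ${{ matrix.target == 'x86_64-apple-darwin' }}
        run: curl -fOL https://github.com/protocolbuffers/protobuf/releases/download/v25.2/protoc-25.2-osx-x86_64.zip && sudo unzip -o protoc-25.2-osx-x86_64.zip -d /usr/local bin/protoc && sudo unzip -o protoc-25.2-osx-x86_64.zip -d /usr/local 'include/*' && rm -f protoc-25.2-osx-x86_64.zip && uname -a

      - name: Install protoc (Mac ARM)
        if: ${{ matrix.target == 'aarch64-apple-darwin' }}
        run: curl -fOL https://github.com/protocolbuffers/protobuf/releases/download/v25.2/protoc-25.2-osx-aarch_64.zip && sudo unzip -o protoc-25.2-osx-aarch_64.zip -d /usr/local bin/protoc && sudo unzip -o protoc-25.2-osx-aarch_64.zip -d /usr/local 'include/*' && rm -f protoc-25.2-osx-aarch_64.zip

      # Import library for the Windows cross build; the sqlite DLL archive is
      # fetched unverified (see supply-chain notes above).
      - name: Windows libsql
        if: ${{ matrix.target == 'x86_64-pc-windows-gnu' }}
        run: curl -fOL https://www.sqlite.org/2024/sqlite-dll-win-x64-3460100.zip && sudo unzip -o sqlite-dll-win-x64-3460100.zip -d winlibs && sudo chown -R runner:docker winlibs/ && pwd && ls -lah && cd winlibs && x86_64-w64-mingw32-dlltool -d sqlite3.def -l libsqlite3.a && ls -lah && cd ..

      # Event payload values are handed to the script through the environment
      # instead of being expanded into it: a tag named e.g. `v1$(cmd)` is a
      # valid git ref and would otherwise be executed by the shell. The chosen
      # value is validated before it is written to GITHUB_ENV, where a newline
      # could inject further variables, and before pack.sh uses it as a path
      # component.
      - name: Set VERSION
        shell: bash
        env:
          EVENT_NAME: ${{ github.event_name }}
          INPUT_TAG: ${{ inputs.tag }}
          RELEASE_TAG: ${{ github.event.release.tag_name }}
          REF_NAME: ${{ github.ref_name }}
        run: |
          if [ "$EVENT_NAME" = "workflow_dispatch" ]; then
            VERSION="$INPUT_TAG"
          elif [ "$EVENT_NAME" = "release" ]; then
            VERSION="$RELEASE_TAG"
          else
            VERSION="$REF_NAME"
          fi
          # Only characters a release tag is expected to contain; this also
          # rejects newlines, path separators and shell metacharacters.
          if [[ ! "$VERSION" =~ ^v[0-9A-Za-z._+-]+$ ]]; then
            echo "::error::Refusing to build: version '$VERSION' does not look like a release tag"
            exit 1
          fi
          echo "VERSION=$VERSION" >> "$GITHUB_ENV"

      - name: Build project
        run: |
          cargo build --release --target ${{ matrix.target }}
          mv target/${{ matrix.target }}/release/dash-evo-tool${{ matrix.ext }} dash-evo-tool/dash-evo-tool${{ matrix.ext }}
        env:
          # Point the build at the protoc installed above rather than whatever
          # else may be on PATH (relevant on the self-hosted runner).
          PROTOC: /usr/local/bin/protoc
          CC_x86_64_pc_windows_gnu: x86_64-w64-mingw32-gcc
          AR_x86_64_pc_windows_gnu: x86_64-w64-mingw32-ar
          CFLAGS_x86_64_pc_windows_gnu: "-O2"

      # Install the Apple certificate into a throw-away keychain. Secrets are
      # read from env, never expanded into the script text.
      - name: Install the Apple certificate
        if: contains(matrix.target, 'apple-darwin')
        env:
          BUILD_CERTIFICATE_BASE64: ${{ secrets.APPLE_CERTIFICATE }}
          P12_PASSWORD: ${{ secrets.APPLE_CERTIFICATE_PASSWORD }}
          KEYCHAIN_PASSWORD: ${{ secrets.APPLE_KEYCHAIN_PASSWORD }}
        run: |
          # create variables
          CERTIFICATE_PATH=$RUNNER_TEMP/build_certificate.p12
          KEYCHAIN_PATH=$RUNNER_TEMP/app-signing.keychain-db
          # import certificate from secrets
          echo -n "$BUILD_CERTIFICATE_BASE64" | base64 --decode -o $CERTIFICATE_PATH
          # create temporary keychain; auto-locks after 6 hours
          security create-keychain -p "$KEYCHAIN_PASSWORD" $KEYCHAIN_PATH
          security set-keychain-settings -lut 21600 $KEYCHAIN_PATH
          security unlock-keychain -p "$KEYCHAIN_PASSWORD" $KEYCHAIN_PATH
          # import certificate to keychain
          security import $CERTIFICATE_PATH -P "$P12_PASSWORD" -A -t cert -f pkcs12 -k $KEYCHAIN_PATH
          # List the keychains and set the temporary one as default
          security list-keychains -d user -s $KEYCHAIN_PATH login.keychain-db
          security default-keychain -s $KEYCHAIN_PATH
          # Set key partition list to allow codesign to access the key without prompting
          CODE_SIGN_IDENTITY=$(security find-identity -v -p codesigning $KEYCHAIN_PATH | grep -oE '"(.*)"' | sed 's/"//g')
          security set-key-partition-list -S apple-tool:,apple: -s -k "$KEYCHAIN_PASSWORD" $KEYCHAIN_PATH
          # Export CODE_SIGN_IDENTITY for use in subsequent steps
          echo "CODE_SIGN_IDENTITY=$CODE_SIGN_IDENTITY" >> $GITHUB_ENV

      # Sign the binary for macOS. `--options runtime` enables the hardened
      # runtime, which Apple requires for notarization; without it notarytool
      # rejects the executable. If the binary needs capabilities the hardened
      # runtime blocks (JIT, loading non-team dylibs, ...), add an
      # `--entitlements` file here rather than dropping the option.
      - name: Sign binary
        if: contains(matrix.target, 'apple-darwin')
        run: codesign --timestamp --options runtime --sign "$CODE_SIGN_IDENTITY" dash-evo-tool/dash-evo-tool${{ matrix.ext }}

      # Package release. VERSION is read from the environment (quoted) rather
      # than expanded with ${{ env.VERSION }} so it cannot alter the command
      # line. The matrix values are workflow constants; matrix.ext is left
      # unquoted on purpose so its empty value on non-Windows targets does not
      # become an extra argument to pack.sh.
      - name: Package release
        run: |
          "${GITHUB_WORKSPACE}/scripts/pack.sh" "$VERSION" ${{ matrix.platform }} ${{ matrix.ext }}

      # Sign the .dmg for macOS
      - name: Sign .dmg
        if: contains(matrix.target, 'apple-darwin')
        run: codesign --timestamp --sign "$CODE_SIGN_IDENTITY" dist/dash-evo-tool-${{ matrix.platform }}.${{ matrix.release-ext }}

      - name: Verify Code Signing
        if: contains(matrix.target, 'apple-darwin')
        run: |
          codesign --verify --deep --strict --verbose=2 dash-evo-tool/dash-evo-tool${{ matrix.ext }}
          codesign --verify --deep --strict --verbose=2 dist/dash-evo-tool-${{ matrix.platform }}.${{ matrix.release-ext }}

      # Notarize MacOS Release Build using xcrun notarytool. Credentials are
      # passed via env rather than expanded into the script; log masking of
      # secrets is a second line of defence, not the first.
      # NOTE(review): in some Xcode versions `--wait` exits 0 even when the
      # verdict is "Invalid"; the staple step below then fails, which is what
      # currently stops a bad build from being released.
      - name: Notarize MacOS Release Build
        if: contains(matrix.target, 'apple-darwin')
        env:
          APPLE_ID: ${{ secrets.APPLE_ID }}
          APPLE_APP_SPECIFIC_PASSWORD: ${{ secrets.APPLE_APP_SPECIFIC_PASSWORD }}
          APPLE_TEAM_ID: ${{ secrets.APPLE_TEAM_ID }}
        run: |
          xcrun notarytool submit "dist/dash-evo-tool-${{ matrix.platform }}.${{ matrix.release-ext }}" \
            --apple-id "$APPLE_ID" \
            --password "$APPLE_APP_SPECIFIC_PASSWORD" \
            --team-id "$APPLE_TEAM_ID" \
            --wait

      # Staple the notarization ticket so Gatekeeper can verify offline.
      # NOTE(review): consider an explicit Gatekeeper assessment of the stapled
      # image here (spctl --assess on the .dmg) as a final end-to-end check.
      - name: Staple Notarization Ticket
        if: contains(matrix.target, 'apple-darwin')
        run: xcrun stapler staple "dist/dash-evo-tool-${{ matrix.platform }}.${{ matrix.release-ext }}"

      # Provenance is recorded after signing and stapling because both modify
      # the artifact; the attested digest must match the file that is shipped.
      - name: Attest
        uses: actions/attest-build-provenance@v1
        with:
          subject-path: 'dist/dash-evo-tool-${{ matrix.platform }}.${{ matrix.release-ext }}'

      - name: Upload build artifact
        uses: actions/upload-artifact@v4
        with:
          name: dash-evo-tool-${{ matrix.platform }}.${{ matrix.release-ext }}
          path: dist/dash-evo-tool-${{ matrix.platform }}.${{ matrix.release-ext }}

      # Remove the signing keychain even if an earlier step failed. Hosted macOS
      # runners are ephemeral, so this mainly matters if the job is ever moved
      # to a self-hosted machine.
      - name: Clean up signing keychain
        if: ${{ always() && contains(matrix.target, 'apple-darwin') }}
        run: |
          if [ -f "$RUNNER_TEMP/app-signing.keychain-db" ]; then
            security delete-keychain "$RUNNER_TEMP/app-signing.keychain-db"
          fi

  release:
    name: Create GitHub Release
    needs: build-and-release
    runs-on: ubuntu-latest
    # Only this job needs to write to the repository (create the release and
    # upload its assets).
    permissions:
      contents: write
    steps:
      - name: Download Linux AMD64 Artifact
        uses: actions/download-artifact@v4
        with:
          name: dash-evo-tool-x86_64-linux.zip
      - name: Download Linux Arm64 Artifact
        uses: actions/download-artifact@v4
        with:
          name: dash-evo-tool-arm64-linux.zip
      - name: Download MacOS AMD64 Artifact
        uses: actions/download-artifact@v4
        with:
          name: dash-evo-tool-x86_64-mac.dmg
      - name: Download MacOS ARM64 Artifact
        uses: actions/download-artifact@v4
        with:
          name: dash-evo-tool-arm64-mac.dmg
      - name: Download Windows Artifact
        uses: actions/download-artifact@v4
        with:
          name: dash-evo-tool-windows.zip

      # NOTE(review): consider verifying each downloaded file against its
      # provenance before publishing, e.g.
      #   gh attestation verify ./dash-evo-tool-windows.zip --repo ${{ github.repository }}
      # (needs GH_TOKEN). That ties the published assets to the attest step
      # above rather than to whatever was uploaded as an artifact.
      - name: Publish release
        uses: softprops/action-gh-release@v1
        env:
          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
        with:
          # Same tag selection as the build job's Set VERSION step: the dispatch
          # input when run by hand, otherwise the tag that triggered the run
          # (push and release events both set github.ref_name to the tag).
          tag_name: ${{ github.event_name == 'workflow_dispatch' && inputs.tag || github.ref_name }}
          files: |
            ./dash-evo-tool-x86_64-linux.zip
            ./dash-evo-tool-arm64-linux.zip
            ./dash-evo-tool-x86_64-mac.dmg
            ./dash-evo-tool-arm64-mac.dmg
            ./dash-evo-tool-windows.zip
          draft: false
          # NOTE(review): every release, including a final vX.Y.Z tag, is marked
          # as a pre-release; key this on the '-dev.' tag pattern if that is not
          # the intent.
          prerelease: true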