fix: perms for macos

ipfs · Apr 9, 2024 · d59dd9c · d59dd9c
1 parent a89d599
commit d59dd9c
Show file tree

Hide file tree

Showing 2 changed files with 15 additions and 10 deletions.
diff --git a/.github/workflows/main.yml b/.github/workflows/main.yml
@@ -66,9 +66,11 @@ jobs:
         continue-on-error: true # skip if no releases
       - name: List ./releases before
         run: ls -Rhl ./releases || echo "No ./releases"
-      - name: Set up rcodesign rust tool for OSX code signing and app notarization
+      - name: Install dependencies of sign-new-macos-releases.sh
         run: |
           brew install ipfs coreutils gawk gnu-sed jq
+      - name: Set up rcodesign rust tool
+        run: |
           cargo install apple-codesign
       - name: Import Keychain Certs
         uses: apple-actions/import-codesign-certs@8f3fb608891dd2244cdab3d69cd68c0d37a7fe93 # v2
@@ -77,7 +79,7 @@ jobs:
           p12-password: ${{ secrets.APPLE_CERTS_PASS }}
       - name: Verify identity used for signing
         run: security find-identity -v
-      - name: Secrets for signing with rcodesign
+      - name: Secrets for signing
         run: |
           echo -n "${{ secrets.APPLE_CERTS_P12 }}" | base64 --decode > ~/.apple-certs.p12
           echo -n "{{ secrets.APPLE_CERTS_PASS }}" > ~/.apple-certs-pass

diff --git a/scripts/ci/sign-new-macos-releases.sh b/scripts/ci/sign-new-macos-releases.sh
@@ -1,6 +1,11 @@
 #!/usr/bin/env bash
 set -e
 
+echo "::group::Store credentials to avoid GUI prompt in CI"
+    xcrun notarytool store-credentials "notarytool-profile" \
+        --apple-id "${APPLE_AC_USERNAME}" --team-id "${APPLE_AC_TEAM_ID}" --password "${APPLE_AC_PASSWORD}"
+echo "::endgroup::"
+
 echo "::group::Unpack any new darwin arm64 and amd64 binaries to ./tmp"
     # ./releases/{DIST_NAME}/{DIST_VERSION}/*_darwin-${arch}.tar.gz
     # -> ./tmp/${DIST_NAME}_${DIST_VERSION}_${arch}-unsigned/
@@ -27,12 +32,15 @@ echo "::group::Sign and notarize the mac binaries"
         DIST_NAME=$(basename $(dirname "$NEW_DIR"))
         DIST_MAC_ARCHS=$(gawk '{ print $2; }' <(grep darwin "./dists/${DIST_NAME}/build_matrix"))
         for arch in $DIST_MAC_ARCHS; do
+            # create destination dir matching .tar.gz structure
+            mkdir -p "${WORK_DIR}/tmp/${DIST_NAME}_${DIST_VERSION}_${arch}-signed/${DIST_NAME}"
             # find executable files, and process each one
-            find "./tmp/${DIST_NAME}_${DIST_VERSION}_${arch}-unsigned/" -perm /111 -type f -print | while read -r file; do
+            find "${WORK_DIR}/tmp/${DIST_NAME}_${DIST_VERSION}_${arch}-unsigned" -perm +111 -type f -print | while read -r file; do
                 echo "-> Processing ${file}"
                 ls -hl "${file}"
 
                 echo "-> Signing ${file}"
+                # TODO: we can use  rcodesign if we ever swithc away from macos runner
                 rcodesign sign \
                     --p12-file ~/.apple-certs --p12-password-file ~/.apple-certs-pass \
                     --code-signature-flags runtime --for-notarization \
@@ -42,11 +50,7 @@ echo "::group::Sign and notarize the mac binaries"
                 # TODO:  ugh, rcodesign uses different secrets than old tooling, and we can' generate them easily
                 # rcodesign notary-submit --api-key-path ~/.apple-api-key --wait "${file}"
 
-                # Store credentials to disable GUI prompt for password later
-                xcrun notarytool store-credentials "notarytool-profile" \
-                    --apple-id "${APPLE_AC_USERNAME}" --team-id "${APPLE_AC_TEAM_ID}" --password "${APPLE_AC_PASSWORD}"
-
-                # Notarize with Apples notarytool for now (only reason we use macOS runner)
+                # Notarize with Apple's notarytool for now (only reason we use macOS runner)
                 xcrun notarytool submit --keychain-profile "notarytool-profile" --wait "${file}"
 
                 # Verify produced blob is a-ok
@@ -55,8 +59,7 @@ echo "::group::Sign and notarize the mac binaries"
                     exit 1
                 fi
 
-                # Move signed binaries to a directory matching .tar.gz structure
-                mkdir -p "${WORK_DIR}/tmp/${DIST_NAME}_${DIST_VERSION}_${arch}-signed/${DIST_NAME}"
+                # move signed binaries to a directory matching .tar.gz structure
                 mv "${file}" "${WORK_DIR}/tmp/${DIST_NAME}_${DIST_VERSION}_${arch}-signed/${DIST_NAME}/"
             done
         done