fix: switch osx build to codesign and notarytool #1078
Merged
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
lidel
force-pushed
the
fix/osx-notarization
branch
from
aa5cca7
to
d59dd9c
Compare
This comment was marked as off-topic.
This comment was marked as off-topic.
|
Good news, confirmed both signing and notarization setup from 69c061a produced amd64 Mach-O binary that is signed and notarized. Tested on macMini with macOS 13.2.1 and Now I will clean things up and merge back into |
lidel
changed the title
this is wip, we will pick this up once we have to move away from legacy secrets from PL times switching to rcodesign will allow us to run on faster linux workers the downside is that we need to generate new secrets related to notarization, because old user/app-specific pass no longer work with rcodesign APPLE_APIKEY_ISSUER_ID APPLE_APIKEY_ID APPLE_APIKEY_FILE
this hybrid approach aims to allow us to sign using existing legacy secrets on existing macos worker. we replace gon with rcodesign for signing, but do notarization with notarytool from apple
lidel
force-pushed
the
fix/osx-notarization
branch
from
245eef4
to
55e0117
Compare
lidel
force-pushed
the
fix/osx-notarization
branch
from
55e0117
to
df36118
Compare
|
This change produced no new differences in built artifacts. |
This was referenced Apr 10, 2024
Closed
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
This PR replaces
gon(no longer maintained tool for signing and notarizing macOS software on CI) with modern/new CLI tools provided by Apple:codesignandnotarytool.To be honest, I've been fixing signing and/or notarization of dist.ipfs.tech or ipfs-desktop at least once a year due to tool changes /deprecations.
Hopefully, using official tools from Apple will reduce surface for breakage.
Closes #1066
TODO
gonrcodesignmasterbranchAppendix: why we are not using
rcodesignright nowThis PR was exploring switching from macos runner to linux one that does signing with
rcodesignmentioned in #1066 (comment) (Used by Mozila for signing and notarizing things like Tor Browser).The downside was that, iiuc (not a macOS person), we would need to generate new secrets related to notarization, because old user/app-specific pass no longer work with rcodesign.
New things are:
APPLE_APIKEY_ISSUER_ID,APPLE_APIKEY_ID, andAPPLE_APIKEY_FILE, and they likely require uber-admin of Apple Developer Org to do special dance to generate them, which is doable, but would take multiple days or weeks to do, bunch of unknowns / extra work because of where we are with IPFS/PL/Shipyard nucleation state.To avoid unnecessary time sink, I'm parking this for now.
CLI Tools
codesignandnotarytoolfrom apple seem to be good enough these days. This is approach big projects like NodeJS use (#1066 (comment)), and allows us to fix signing and notarization without having to switch org and generating new secrets.Obligatory:
Hieronymus Bosch, The Process of fixing Apple Notarization, oil on wood, 1475.