From 44973549fdfb72c9079dbd3390052cfd50822414 Mon Sep 17 00:00:00 2001
From: Allen Byrne
Date: Mon, 19 Aug 2024 08:19:48 -0500
Subject: [PATCH] Add signing of dmgs
---
 .github/workflows/cmake-ctest.yml | 54 +++++++++++++++++++++++++++++++
 .github/workflows/daily-build.yml | 3 ++
 2 files changed, 57 insertions(+)
diff --git a/.github/workflows/cmake-ctest.yml b/.github/workflows/cmake-ctest.yml
index 7872f703e..d3902c6f7 100644
--- a/.github/workflows/cmake-ctest.yml
+++ b/.github/workflows/cmake-ctest.yml
@@ -23,6 +23,12 @@ on:
 required: true
 default: snapshots
 secrets:
+ APPLE_CERTS_BASE64:
+ required: true
+ APPLE_CERTS_BASE64_PASSWD:
+ required: true
+ KEYCHAIN_PASSWD:
+ required: true
 AZURE_TENANT_ID:
 required: true
 AZURE_CLIENT_ID:
@@ -320,6 +326,28 @@ jobs:
 with:
 version: "1.10.0"
+ - name: Install the Apple certificate and provisioning profile
+ shell: bash
+ env:
+ BUILD_CERTIFICATE_BASE64: ${{ secrets.APPLE_CERTS_BASE64 }}
+ P12_PASSWORD: ${{ secrets.APPLE_CERTS_BASE64_PASSWD }}
+ KEYCHAIN_PASSWD: ${{ secrets.KEYCHAIN_PASSWD }}
+ run: |
+ # create variables
+ CERTIFICATE_PATH=$RUNNER_TEMP/build_certificate.p12
+ KEYCHAIN_FILE=${{ vars.KEYCHAIN_NAME }}.keychain
+ # import certificate from secrets
+ echo $BUILD_CERTIFICATE_BASE64 | base64 --decode > $CERTIFICATE_PATH
+ security -v create-keychain -p $KEYCHAIN_PASSWD $KEYCHAIN_FILE
+ security -v list-keychain -d user -s $KEYCHAIN_FILE
+ security -v list-keychains
+ security -v set-keychain-settings -lut 21600 $KEYCHAIN_FILE
+ security -v unlock-keychain -p $KEYCHAIN_PASSWD $KEYCHAIN_FILE
+ # import certificate to keychain
+ security -v import $CERTIFICATE_PATH -P $P12_PASSWORD -A -t cert -f pkcs12 -k $KEYCHAIN_FILE
+ security -v set-key-partition-list -S apple-tool:,codesign:,apple: -k $KEYCHAIN_PASSWD $KEYCHAIN_FILE
+ if: ${{ needs.check-secret.outputs.sign-state == 'exists' }}
+
 - name: Set up JDK 19
 uses: actions/setup-java@v4
 with:
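Review bot: `KEYCHAIN_FILE=${{ vars.KEYCHAIN_NAME }}.keychain` in the new "Install the Apple certificate" step interpolates a workflow expression straight into the shell text, while every other value the step uses arrives through its `env:` block; passing it the same way, `KEYCHAIN_NAME: ${{ vars.KEYCHAIN_NAME }}` under `env:` and `KEYCHAIN_FILE="$KEYCHAIN_NAME.keychain"` in the script, keeps the script text fixed and the step consistent with itself. The `-A` on `security -v import` grants every application access to the imported private key; replacing it with `-T /usr/bin/codesign -T /usr/bin/security` limits that to the two tools the workflow actually invokes. Nothing in the step removes `$CERTIFICATE_PATH` after the import or deletes the keychain when the job finishes, which is harmless on an ephemeral hosted runner but would leave the signing key on disk if this workflow ever ran on a self-hosted one; a closing `if: always()` step that runs `security delete-keychain "$KEYCHAIN_FILE"` and `rm -f "$RUNNER_TEMP/build_certificate.p12"` would cover both. The enclosing job starts and ends outside this hunk.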
@@ -369,6 +397,32 @@ jobs:
 cmake --workflow --preset=${{ inputs.preset_name }}-MACOS-Clang --fresh
 shell: bash
+ - name: Sign dmg (MacOS_latest)
+ id: sign-dmg
+ env:
+ KEYCHAIN_PASSWD: ${{ secrets.KEYCHAIN_PASSWD }}
+ KEYCHAIN_NAME: ${{ vars.KEYCHAIN_NAME }}
+ SIGNER: ${{ vars.SIGNER }}
+ NOTARY_USER: ${{ vars.NOTARY_USER }}
+ NOTARY_KEY: ${{ vars.NOTARY_KEY }}
+ run: |
+ /usr/bin/codesign --force --timestamp --options runtime --verbose=4 --strict --sign ${{ env.SIGNER }} --deep ${{ runner.workspace }}/hdf4/build/${{ inputs.preset_name }}-Clang/*.dmg
+ if: ${{ needs.check-secret.outputs.sign-state == 'exists' }}
+ shell: bash
+
+ - name: Notarize dmg (MacOS_latest)
+ id: notarize-dmg
+ env:
+ KEYCHAIN_PASSWD: ${{ secrets.KEYCHAIN_PASSWD }}
+ KEYCHAIN_NAME: ${{ vars.KEYCHAIN_NAME }}
+ SIGNER: ${{ vars.SIGNER }}
+ NOTARY_USER: ${{ vars.NOTARY_USER }}
+ NOTARY_KEY: ${{ vars.NOTARY_KEY }}
+ run: |
+ /usr/bin/xcrun notarytool submit --wait --output-format json --apple-id" ${{ env.NOTARY_USER }} --password ${{ env.NOTARY_KEY }} --team-id ${{ env.SIGNER }} ${{ runner.workspace }}/hdf4/build/${{ inputs.preset_name }}-Clang/*.dmg
+ if: ${{ needs.check-secret.outputs.sign-state == 'exists' }}
+ shell: bash
+
 - name: Publish binary (MacOS_latest)
 id: publish-ctest-binary
 run: |
diff --git a/.github/workflows/daily-build.yml b/.github/workflows/daily-build.yml
index f4ff1ebfb..462f43cac 100644
--- a/.github/workflows/daily-build.yml
+++ b/.github/workflows/daily-build.yml
@@ -45,6 +45,9 @@ jobs:
 # use_tag: snapshot
 use_environ: snapshots
 secrets:
+ APPLE_CERTS_BASE64: ${{ secrets.APPLE_CERTS_BASE64 }}
+ APPLE_CERTS_BASE64_PASSWD: ${{ secrets.APPLE_CERTS_BASE64_PASSWD }}
+ KEYCHAIN_PASSWD: ${{ secrets.KEYCHAIN_PASSWD }}
 AZURE_TENANT_ID: ${{ secrets.AZURE_TENANT_ID }}
 AZURE_CLIENT_ID: ${{ secrets.AZURE_CLIENT_ID }}
 AZURE_CLIENT_SECRET: ${{ secrets.AZURE_CLIENT_SECRET }}
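Review bot: The notarytool command in the new "Notarize dmg" step has a stray double quote in `--apple-id" ${{ env.NOTARY_USER }}`, which leaves an unterminated string and makes bash reject the whole `run` script, so the step cannot succeed as committed. The same line feeds `${{ vars.NOTARY_KEY }}` to `--password`, i.e. a credential held as a repository variable rather than a secret; variables are not masked in job logs and are readable by anyone who can view repository settings, so it should become a secret (for example `secrets.NOTARY_KEY`, which for this reusable workflow also means declaring it under `on.workflow_call.secrets` as the first hunk does for `KEYCHAIN_PASSWD` and passing it from daily-build.yml). Both new steps also write `${{ env.X }}` expressions into `run:` although the values are already exported through `env:`; reading the shell variables (`"$SIGNER"`, `"$NOTARY_USER"`) keeps the command text fixed rather than re-assembled per run. The "Sign dmg" step additionally receives `KEYCHAIN_PASSWD`, `NOTARY_USER` and `NOTARY_KEY` it never uses and can drop them from its `env:`. The enclosing job continues outside this hunk.
```yaml
      - name: Notarize dmg (MacOS_latest)
        id: notarize-dmg
        env:
          NOTARY_USER: ${{ vars.NOTARY_USER }}
          NOTARY_KEY: ${{ secrets.NOTARY_KEY }}
          SIGNER: ${{ vars.SIGNER }}
          DMG_DIR: ${{ runner.workspace }}/hdf4/build/${{ inputs.preset_name }}-Clang
        run: |
          /usr/bin/xcrun notarytool submit --wait --output-format json --apple-id "$NOTARY_USER" --password "$NOTARY_KEY" --team-id "$SIGNER" "$DMG_DIR"/*.dmg
        # … unchanged: if / shell keys of the step …
```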