build: codesign tarball binary on macOS #14179
Do you know why it seemed to be intermittently unsigned (see #11936 (comment))?
LGTM.
Can't verify it actually works.
LGTM. If we can do a test build and make sure the tarball is signed, that would be great.
@gibfahn I'm not seeing any of the node binaries from the tarball as being signed. From the looks of the Makefile, I'm not sure how it could be possible that they are either. Unless Here is one that you were showing was signed, but I can't reproduce:
@MylesBorins a test build would be great. Do I just use the same method as when cutting a release?
Yup, just select test instead of release in the drop-down. You will need to include the date :D
Trying out a test build at https://ci-release.nodejs.org/job/iojs+release/1837/
Ok, so looks like the job that runs /cc @nodejs/build could we possibly get that added?
@evanlucas seems to work for me

```
curl -O https://nodejs.org/dist/v6.10.0/node-v6.10.0-darwin-x64.tar.gz
tar -xf node-v6.10.0-darwin-x64.tar.gz
codesign -d node-v6.10.0-darwin-x64/bin/node
```

I think it's because you're using
@gibfahn no I use Pulling that same file is not working for me still. What version of macOS are you running?
Confirmed that EDIT: Looks like it worked. Please confirm the binary is signed.
woo hoo!!!! Thanks @joaocgreis!!!!
@gibfahn I'm at a loss here. Those same commands are not working for me locally.
Here is the output when I run the same commands:

```
➜ tmp rm -rf node*
➜ tmp curl -O https://nodejs.org/dist/v6.10.0/node-v6.10.0-darwin-x64.tar.gz
# % Total % Received % Xferd Average Speed Time Time Time Current
Dload Upload Total Spent Left Speed
100 11.5M 100 11.5M 0 0 2850k 0 0:00:04 0:00:04 --:--:-- 2850k
➜ tmp tar -xf node-v6.10.0-darwin-x64.tar.gz
➜ tmp codesign -d node-v6.10.0-darwin-x64/bin/node
Executable=/Users/george/tmp/node-v6.10.0-darwin-x64/bin/node
```
I'm really confused on how that's possible...both of my macOS machines are showing that it is not signed. What confuses me the most though, is if they are signed, how are they being signed??
LGTM
Allow passing the prefix in via the PKGDIR env var. This will allow us to use this same script to codesign the binary tarball.

PR-URL: nodejs#14179
Reviewed-By: Refael Ackermann <refack@gmail.com>
Reviewed-By: Ben Noordhuis <info@bnoordhuis.nl>
Reviewed-By: Myles Borins <myles.borins@gmail.com>
Reviewed-By: Gibson Fahnestock <gibfahn@gmail.com>
Reviewed-By: James M Snell <jasnell@gmail.com>

Previously, we were signing the binary that was released in the .pkg, but not the binary released in the tarball.

PR-URL: nodejs#14179
Fixes: nodejs#11936
Reviewed-By: Refael Ackermann <refack@gmail.com>
Reviewed-By: Ben Noordhuis <info@bnoordhuis.nl>
Reviewed-By: Myles Borins <myles.borins@gmail.com>
Reviewed-By: Gibson Fahnestock <gibfahn@gmail.com>
Reviewed-By: James M Snell <jasnell@gmail.com>
056c85c to e36166b
This LTS release comes with 152 commits. This includes 75 which are test related, 25 which are doc related, 21 which are build / tool related and 3 commits which are updates to dependencies.

Notable Changes:

* build:
  - Codesigning is fixed on macOS (Evan Lucas) #14179
* deps:
  - Snapshots are turned back on!!! (Yang Guo) #14385
* path:
  - win32 volume-relative paths are working again! (Timothy Gu) #14440
* tools:
  - v6.x can now build with ICU 59 (Steven R. Loomis) #12078

PR-URL: #14852
Checklist

`make -j4 test` (UNIX), or `vcbuild test` (Windows) passes

Affected core subsystem(s)

build, tools

Fixes: #11936

I ran it locally and confirmed that it does codesign the binary when `make binary` is run. I also confirmed that the change to `make pkg` works as well.
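
For checking an extracted tarball binary on a host without `codesign` (a Linux CI worker, for instance), the following added example, which is not part of this pull request or the Node.js build scripts, reads a thin Mach-O header and reports whether it carries an `LC_CODE_SIGNATURE` load command. The function names are hypothetical and the sample bytes are constructed; presence of the command shows only that a signature is embedded, and validating it still takes `codesign --verify` on macOS.

```python
import struct

MH_MAGIC_64 = 0xFEEDFACF    # thin 64-bit Mach-O (x86_64 / arm64 store it little-endian)
MH_MAGIC_32 = 0xFEEDFACE    # thin 32-bit Mach-O
LC_UUID = 0x1B
LC_CODE_SIGNATURE = 0x1D    # linkedit_data_command locating the signature blob


def code_signature_range(data: bytes):
    """Return (file offset, size) of the embedded signature, or None if unsigned."""
    if len(data) < 32:
        raise ValueError("too short to be a Mach-O file")
    (magic,) = struct.unpack_from("<I", data, 0)
    if magic == MH_MAGIC_64:
        header_size = 32
    elif magic == MH_MAGIC_32:
        header_size = 28
    else:
        raise ValueError("not a thin little-endian Mach-O (fat files not handled)")
    ncmds, sizeofcmds = struct.unpack_from("<II", data, 16)
    pos, end = header_size, header_size + sizeofcmds
    if end > len(data):
        raise ValueError("load commands run past end of file")
    for _ in range(ncmds):
        if pos + 8 > end:
            raise ValueError("truncated load command")
        cmd, cmdsize = struct.unpack_from("<II", data, pos)
        if cmdsize < 8 or pos + cmdsize > end:
            raise ValueError("corrupt load command size")
        if cmd == LC_CODE_SIGNATURE:
            if cmdsize < 16:
                raise ValueError("LC_CODE_SIGNATURE too small")
            return struct.unpack_from("<II", data, pos + 8)  # dataoff, datasize
        pos += cmdsize
    return None


def constructed_macho(signed: bool) -> bytes:
    """Constructed header-only sample for demonstration, not a real binary."""
    cmds = struct.pack("<II16x", LC_UUID, 24)
    if signed:
        cmds += struct.pack("<IIII", LC_CODE_SIGNATURE, 16, 4096, 512)
    ncmds = 2 if signed else 1
    header = struct.pack("<IiiIIII4x", MH_MAGIC_64, 0x01000007, 3, 2,
                         ncmds, len(cmds), 0)
    return header + cmds


if __name__ == "__main__":
    import sys
    with open(sys.argv[1], "rb") as f:      # e.g. node-v6.10.0-darwin-x64/bin/node
        print(code_signature_range(f.read()) or "no embedded code signature")
```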