build: codesign tarball binary on macOS

[evanlucas]

Checklist

• make -j4 test (UNIX), or vcbuild test (Windows) passes
• tests and/or benchmarks are included
• documentation is changed or added
• commit message follows commit guidelines

Affected core subsystem(s)

build,tools

Fixes: #11936

I ran it locally and confirmed that it does codesign the binary when make binary is run. I also confirmed that the change to make pkg works as well.

[gibfahn]

Do you know why it seemed to be intermittently unsigned (see #11936 (comment))?

[refack]

LGTM.
Can't verify it actually works.

[MylesBorins]

LGTM if we can do a test build and make sure tarball is signed that would be great

[evanlucas]

@gibfahn I'm not seeing any of the node binaries from the tarball as being signed. From the looks of the Makefile, I'm not sure how it could be possible that they are either. Unless make binary isn't being used in the release builds?

Here is one that you were showing was signed, but I can't reproduce:

(S) [~]
:] (v8.1.4) ➜ n v6.10.0                                                                                                 

     install : node-v6.10.0
       mkdir : /usr/local/n/versions/node/6.10.0
       fetch : https://nodejs.org/dist/v6.10.0/node-v6.10.0-darwin-x64.tar.gz
######################################################################## 100.0%
   installed : v6.10.0


(S) [~]
:] (v6.10.0) ➜ codesign -d (which node)                                                                                 
/usr/local/bin/node: code object is not signed at all

[evanlucas]

@MylesBorins a test build would be great. Do I just use the same method as when cutting a release?

[MylesBorins]

yup, just select test instead of release in the drop down

You will need to include the date :D

[evanlucas]

Trying out a test build at https://ci-release.nodejs.org/job/iojs+release/1837/

[evanlucas]

Ok, so looks like the job that runs make binary-upload would need the CODESIGN_CERT env var the same way the job that make pkg-upload does.

/cc @nodejs/build could we possibly get that added?

[gibfahn]

@evanlucas seems to work for me

curl -O https://nodejs.org/dist/v6.10.0/node-v6.10.0-darwin-x64.tar.gz
tar -xf node-v6.10.0-darwin-x64.tar.gz
codesign -d node-v6.10.0-darwin-x64/bin/node

I think it's because you're using () and thus executing in a subshell. Does codesign -d $(which node) work?

[evanlucas]

@gibfahn no I use fish, so () is fish's version of $()

Pulling that same file is not working for me still. What version of macOS are you running?

(S) [/private/tmp/node-v6.10.0-darwin-x64]
:] (v8.1.4) ➜ ./bin/node -v                                                                                             
v6.10.0

(S) [/private/tmp/node-v6.10.0-darwin-x64]
:] (v8.1.4) ➜ codesign -d bin/node                                                                                      
bin/node: code object is not signed at all

[gibfahn]

10.12.5

[joaocgreis]

Confirmed that CODESIGN_CERT was not defined for the job that generates the OSX tarball and signing was skipped in @evanlucas test run. Added the variable, here is another test run: https://ci-release.nodejs.org/job/iojs+release/1841/ https://ci-release.nodejs.org/job/iojs+release/1842/ - will overwrite the previous test run at https://nodejs.org/download/test/v9.0.0-test20170712056c85c8df/

EDIT: Looks like it worked. Please confirm the binary is signed.

[evanlucas]

(P) [/Volumes/code/help/services/org-customer-service]
:] (v8.1.4) ➜ cd /Users/evan/Downloads/node-v9.0.0-test20170712056c85c8df-darwin-x64                                                                                                               (fixroutes) 

(P) [~/Downloads/node-v9.0.0-test20170712056c85c8df-darwin-x64]
:] (v8.1.4) ➜ codesign -d bin/node                                                                                                                                                                             
Executable=/Users/evan/Downloads/node-v9.0.0-test20170712056c85c8df-darwin-x64/bin/node

woo hoo!!!! Thanks @joaocgreis!!!!

[evanlucas]

@gibfahn I'm at a loss here. Those same commands are not working for me locally.

[gdams]

here is the output when I run the same commands:

➜  tmp rm -rf node*                                                           
➜  tmp curl -O https://nodejs.org/dist/v6.10.0/node-v6.10.0-darwin-x64.tar.gz 
#  % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current
                                 Dload  Upload   Total   Spent    Left  Speed
100 11.5M  100 11.5M    0     0  2850k      0  0:00:04  0:00:04 --:--:-- 2850k
➜  tmp tar -xf node-v6.10.0-darwin-x64.tar.gz 
➜  tmp codesign -d node-v6.10.0-darwin-x64/bin/node 
Executable=/Users/george/tmp/node-v6.10.0-darwin-x64/bin/node

[evanlucas]

I'm really confused on how that's possible...both of my macOS machines are showing that it is not signed. What confuses me the most though, is if they are signed, how are they being signed??

[evanlucas]

@gibfahn @gdams any issue with me going ahead and landing this? I really don't have an explanation on how those are showing as signed for yall.

[gdams]

LGTM