feat: enhance macOS packaging with code signing and notarization support (#27)

* feat: enhance macOS packaging with code signing and notarization support

* feat: add Windows binary signing to release workflow

* chore: remove pull_request trigger from build workflow

authored by

yiplee and committed by
GitHub
b2b35a38 bf349474

+82 -1
-1
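--- a/.github/workflows/build_app.yaml
+++ b/.github/workflows/build_app.yaml
@@ -4,7 +4,6 @@
 push:
 tags-ignore:
 - "v*"
-pull_request:
 workflow_dispatch:
 
 permissions: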
+47
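--- a/.github/workflows/release.yml
+++ b/.github/workflows/release.yml
@@ -171,18 +171,46 @@
 CGO_ENABLED=0 GOOS="${{ matrix.goos }}" GOARCH="${{ matrix.goarch }}" \
 go build -trimpath -ldflags "-s -w" -o "${{ matrix.bundled_backend_binary }}" ./cmd/mistermorph
 
+- name: Import macOS signing certificate
+if: matrix.package_kind == 'dmg' && env.APPLE_CERTIFICATE_BASE64 != ''
+env:
+APPLE_CERTIFICATE_BASE64: ${{ secrets.APPLE_CERTIFICATE_BASE64 }}
+APPLE_CERTIFICATE_PASSWORD: ${{ secrets.APPLE_CERTIFICATE_PASSWORD }}
+run: |
+CERT_FILE="$(mktemp /tmp/cert.XXXXXX).p12"
+echo "${APPLE_CERTIFICATE_BASE64}" | base64 --decode > "${CERT_FILE}"
+KEYCHAIN="build.keychain-db"
+KEYCHAIN_PW="$(uuidgen)"
+security create-keychain -p "${KEYCHAIN_PW}" "${KEYCHAIN}"
+security set-keychain-settings -lut 21600 "${KEYCHAIN}"
+security unlock-keychain -p "${KEYCHAIN_PW}" "${KEYCHAIN}"
+security import "${CERT_FILE}" -P "${APPLE_CERTIFICATE_PASSWORD}" \
+-A -t cert -f pkcs12 -k "${KEYCHAIN}"
+security set-key-partition-list -S apple-tool:,apple: \
+-k "${KEYCHAIN_PW}" "${KEYCHAIN}"
+security list-keychains -d user -s "${KEYCHAIN}" $(security list-keychains -d user | tr -d '"')
+rm -f "${CERT_FILE}"
+
 - name: Package macOS DMG
 if: matrix.package_kind == 'dmg'
 shell: bash
 env:
 VERSION: ${{ github.ref_name }}
 ARCH: ${{ matrix.goarch }}
+CODESIGN_IDENTITY: ${{ secrets.APPLE_CODESIGN_IDENTITY }}
+APPLE_ID: ${{ secrets.APPLE_ID }}
+APPLE_TEAM_ID: ${{ secrets.APPLE_TEAM_ID }}
+APPLE_APP_PASSWORD: ${{ secrets.APPLE_APP_PASSWORD }}
 run: |
 VERSION="${VERSION#v}" \
 ARCH="${ARCH}" \
 DESKTOP_BIN="${{ matrix.raw_desktop_binary }}" \
 BACKEND_BIN="${{ matrix.bundled_backend_binary }}" \
 OUT_DIR="dist" \
+CODESIGN_IDENTITY="${CODESIGN_IDENTITY}" \
+APPLE_ID="${APPLE_ID}" \
+APPLE_TEAM_ID="${APPLE_TEAM_ID}" \
+APPLE_APP_PASSWORD="${APPLE_APP_PASSWORD}" \
 ./desktop/wails/packaging/package-darwin.sh
 
 - name: Package Linux AppImage
@@ -199,6 +227,25 @@
 OUT_DIR="dist" \
 APPIMAGE_NAME="${{ matrix.desktop_asset }}" \
 ./desktop/wails/packaging/package-linux-appimage.sh
+
+- name: Sign Windows binaries
+if: matrix.package_kind == 'zip' && env.WINDOWS_CERTIFICATE_BASE64 != ''
+env:
+WINDOWS_CERTIFICATE_BASE64: ${{ secrets.WINDOWS_CERTIFICATE_BASE64 }}
+WINDOWS_CERTIFICATE_PASSWORD: ${{ secrets.WINDOWS_CERTIFICATE_PASSWORD }}
+shell: pwsh
+run: |
+$certPath = Join-Path $env:RUNNER_TEMP "codesign.pfx"
+[IO.File]::WriteAllBytes($certPath, [Convert]::FromBase64String($env:WINDOWS_CERTIFICATE_BASE64))
+$signtool = Get-ChildItem "C:\Program Files (x86)\Windows Kits\10\bin" -Recurse -Filter "signtool.exe" |
+Where-Object { $_.FullName -match "x64" } |
+Sort-Object FullName -Descending |
+Select-Object -First 1 -ExpandProperty FullName
+foreach ($bin in @("${{ matrix.raw_desktop_binary }}", "${{ matrix.bundled_backend_binary }}")) {
+& $signtool sign /f $certPath /p $env:WINDOWS_CERTIFICATE_PASSWORD `
+/tr http://timestamp.digicert.com /td sha256 /fd sha256 $bin
+}
+Remove-Item $certPath -Force
 
 - name: Package Windows bundle
 if: matrix.package_kind == 'zip'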
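Review bot: `security import … -A` in the "Import macOS signing certificate" step grants every application on the runner access to the imported private key, which is broader than the `set-key-partition-list` call on the next line needs; replacing `-A` with `-T /usr/bin/codesign -T /usr/bin/security` limits use of the key to the tools that actually sign. The temporary keychain is never deleted, so on a self-hosted (non-ephemeral) runner the signing key outlives the job; a trailing step with `if: always()` running `security delete-keychain build.keychain-db` would close that gap. In the "Sign Windows binaries" step a non-zero exit from `& $signtool` most likely does not abort the loop (native exit codes are not covered by `$ErrorActionPreference`), so an unsigned or half-signed artifact can still be packaged; adding `if ($LASTEXITCODE -ne 0) { throw "signtool failed for $bin" }` after the call makes a signing failure fail the job. `mktemp /tmp/cert.XXXXXX` also leaves behind the empty file it creates, since only the `.p12`-suffixed path is removed.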
+35
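--- a/desktop/wails/packaging/package-darwin.sh
+++ b/desktop/wails/packaging/package-darwin.sh
@@ -102,9 +102,44 @@
 </plist>
 EOF
 
+CODESIGN_IDENTITY="${CODESIGN_IDENTITY:-}"
+APPLE_ID="${APPLE_ID:-}"
+APPLE_TEAM_ID="${APPLE_TEAM_ID:-}"
+APPLE_APP_PASSWORD="${APPLE_APP_PASSWORD:-}"
+
+if [[ -n "${CODESIGN_IDENTITY}" ]]; then
+echo "signing with identity: ${CODESIGN_IDENTITY}"
+codesign --deep --force --options runtime \
+--sign "${CODESIGN_IDENTITY}" \
+--timestamp \
+"${APP_DIR}/Contents/MacOS/mistermorph"
+codesign --deep --force --options runtime \
+--sign "${CODESIGN_IDENTITY}" \
+--timestamp \
+"${APP_DIR}/Contents/MacOS/${APP_NAME}"
+codesign --deep --force --options runtime \
+--sign "${CODESIGN_IDENTITY}" \
+--timestamp \
+"${APP_DIR}"
+else
+echo "no CODESIGN_IDENTITY set; applying ad-hoc signature"
+codesign --deep --force --sign - "${APP_DIR}"
+fi
+
 hdiutil create \
 -volname "${APP_NAME}" \
 -srcfolder "${APP_DIR}" \
 -ov \
 -format UDZO \
 "${DMG_PATH}" >/dev/null
+
+if [[ -n "${CODESIGN_IDENTITY}" && -n "${APPLE_ID}" && -n "${APPLE_TEAM_ID}" && -n "${APPLE_APP_PASSWORD}" ]]; then
+echo "submitting DMG for notarization..."
+xcrun notarytool submit "${DMG_PATH}" \
+--apple-id "${APPLE_ID}" \
+--team-id "${APPLE_TEAM_ID}" \
+--password "${APPLE_APP_PASSWORD}" \
+--wait
+echo "stapling notarization ticket..."
+xcrun stapler staple "${DMG_PATH}"
+fi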
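Review bot: The notarization block never checks the outcome of `xcrun notarytool submit --wait`; the status it prints is discarded and `xcrun stapler staple` runs unconditionally, so an "Invalid" submission only surfaces as a confusing stapler error with no notarization log to explain the rejection. Whether the script has `set -e` is outside the hunk (its header is not shown), so it is unclear whether a non-zero exit from notarytool would even stop the script. Capturing the submit output, requiring `status: Accepted`, and pulling `xcrun notarytool log <submission id>` on any other status gives a clear failure before stapling; the rewritten block is below. Separately, the macOS secrets used by this script (`APPLE_APP_PASSWORD`, and the `-P` certificate password in the workflow) travel on command lines, which are visible to other processes on a shared runner; `xcrun notarytool store-credentials` with `--keychain-profile` avoids that for the notarization step. The `--deep` flag on the final `codesign` of `${APP_DIR}` re-signs the two nested binaries that were just signed individually, so the first two `codesign` calls are redundant with it and could be dropped, or `--deep` dropped from the last call, to keep one clear signing order.
```shell
# … unchanged: codesign block and hdiutil create …
if [[ -n "${CODESIGN_IDENTITY}" && -n "${APPLE_ID}" && -n "${APPLE_TEAM_ID}" && -n "${APPLE_APP_PASSWORD}" ]]; then
  echo "submitting DMG for notarization..."
  # Capture the result so a rejected submission fails here, not at stapling.
  submit_out="$(xcrun notarytool submit "${DMG_PATH}" \
    --apple-id "${APPLE_ID}" \
    --team-id "${APPLE_TEAM_ID}" \
    --password "${APPLE_APP_PASSWORD}" \
    --wait 2>&1)" || true
  echo "${submit_out}"
  if ! grep -q 'status: Accepted' <<<"${submit_out}"; then
    submission_id="$(sed -n 's/^ *id: //p' <<<"${submit_out}" | head -n 1)"
    if [[ -n "${submission_id}" ]]; then
      xcrun notarytool log "${submission_id}" \
        --apple-id "${APPLE_ID}" \
        --team-id "${APPLE_TEAM_ID}" \
        --password "${APPLE_APP_PASSWORD}" || true
    fi
    echo "notarization was not accepted; see log above" >&2
    exit 1
  fi
  echo "stapling notarization ticket..."
  xcrun stapler staple "${DMG_PATH}"
fi
```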