
Add Apple codesigning and notarization to nightly builder #88

Merged: 12 commits merged into trunk from lopopolo/codesign-and-notarize-apple-nightly-binaries, Sep 5, 2022

Conversation

lopopolo
Member

@lopopolo lopopolo commented Sep 4, 2022

Codesign binaries on Apple platforms using macos_sign_and_notarize.py.

A signed and notarized DMG containing signed binaries is attached to the release. The existing .tar.gz archives also contain codesigned binaries.

Fixes #18.

@lopopolo lopopolo added labels T-aarch64-apple-darwin (Target: ARM64 macOS, 11.0+ Big Sur+), T-x86_64-apple-darwin (Target: 64-bit macOS, 10.7+ Lion+), A-codesigning (Area: Code signing, GPG signatures) on Sep 4, 2022
@lopopolo lopopolo force-pushed the lopopolo/codesign-and-notarize-apple-nightly-binaries branch from b61f069 to 635b576 Compare September 4, 2022 20:13
@lopopolo lopopolo force-pushed the lopopolo/codesign-and-notarize-apple-nightly-binaries branch from 7701777 to 879f0fa Compare September 4, 2022 22:01
@lopopolo lopopolo force-pushed the lopopolo/codesign-and-notarize-apple-nightly-binaries branch from 5f69981 to 655e8df Compare September 5, 2022 00:13
@lopopolo
Member Author

lopopolo commented Sep 5, 2022

A successful release was published as part of testing at https://github.com/artichoke/nightly/releases/tag/nightly-2022-09-05-apple-codesign-test-v9.

I just did a ruby-build install of artichoke-dev which pulls from the tarball of the latest release. Code signatures are intact!

$ ruby-build artichoke-dev .
To follow progress, use 'tail -f /var/folders/qh/w7p29fd50d30px6kq781sx8m0000gn/T/ruby-build.20220904175849.56990.log' or pass --verbose
Downloading artichoke-nightly-x86_64-apple-darwin.tar.gz...
-> https://github.com/artichoke/nightly/releases/latest/download/artichoke-nightly-x86_64-apple-darwin.tar.gz
Installing artichoke-nightly...
Installed artichoke-nightly to /Users/lopopolo/Downloads/artichoke-dev-install/.

$ codesign --verify --check-notarization --deep --strict=all -vvvv artichoke
artichoke: valid on disk
artichoke: satisfies its Designated Requirement
$ codesign --verify --check-notarization --deep --strict=all -vvvv airb
airb: valid on disk
airb: satisfies its Designated Requirement
$ codesign --verify --check-notarization --deep --strict=all -vvvv bin/ruby
bin/ruby: valid on disk
bin/ruby: satisfies its Designated Requirement
$ codesign --verify --check-notarization --deep --strict=all -vvvv bin/irb
bin/irb: valid on disk
bin/irb: satisfies its Designated Requirement
Verbose codesign details
$ codesign --display -vvvv artichoke
Executable=/Users/lopopolo/Downloads/artichoke-dev-install/artichoke
Identifier=artichoke
Format=Mach-O thin (x86_64)
CodeDirectory v=20500 size=32917 flags=0x10000(runtime) hashes=1023+2 location=embedded
VersionPlatform=1
VersionMin=720896
VersionSDK=786688
Hash type=sha256 size=32
CandidateCDHash sha256=fb6e8eb8f4b45bd18edda91edb12bfd36fc8cc2f
CandidateCDHashFull sha256=fb6e8eb8f4b45bd18edda91edb12bfd36fc8cc2fca7bf14ab2adeee99763816d
Hash choices=sha256
CMSDigest=fb6e8eb8f4b45bd18edda91edb12bfd36fc8cc2fca7bf14ab2adeee99763816d
CMSDigestType=2
Executable Segment base=0
Executable Segment limit=3948544
Executable Segment flags=0x1
Page size=4096
CDHash=fb6e8eb8f4b45bd18edda91edb12bfd36fc8cc2f
Signature size=9046
Authority=Developer ID Application: Ryan Lopopolo (VDKP67932G)
Authority=Developer ID Certification Authority
Authority=Apple Root CA
Timestamp=Sep 4, 2022 at 5:45:18 PM
Info.plist=not bound
TeamIdentifier=VDKP67932G
Runtime Version=12.1.0
Sealed Resources=none
Internal requirements count=1 size=172
$ codesign --display -vvvv airb
Executable=/Users/lopopolo/Downloads/artichoke-dev-install/airb
Identifier=airb
Format=Mach-O thin (x86_64)
CodeDirectory v=20500 size=31504 flags=0x10000(runtime) hashes=979+2 location=embedded
VersionPlatform=1
VersionMin=720896
VersionSDK=786688
Hash type=sha256 size=32
CandidateCDHash sha256=5f46993ecb75b838e32fc73b5feccf2de46c8a52
CandidateCDHashFull sha256=5f46993ecb75b838e32fc73b5feccf2de46c8a52dd55cc18e91f984a83cb2255
Hash choices=sha256
CMSDigest=5f46993ecb75b838e32fc73b5feccf2de46c8a52dd55cc18e91f984a83cb2255
CMSDigestType=2
Executable Segment base=0
Executable Segment limit=3768320
Executable Segment flags=0x1
Page size=4096
CDHash=5f46993ecb75b838e32fc73b5feccf2de46c8a52
Signature size=9046
Authority=Developer ID Application: Ryan Lopopolo (VDKP67932G)
Authority=Developer ID Certification Authority
Authority=Apple Root CA
Timestamp=Sep 4, 2022 at 5:45:18 PM
Info.plist=not bound
TeamIdentifier=VDKP67932G
Runtime Version=12.1.0
Sealed Resources=none
Internal requirements count=1 size=164
$ codesign --display -vvvv bin/ruby
Executable=/Users/lopopolo/Downloads/artichoke-dev-install/artichoke
Identifier=artichoke
Format=Mach-O thin (x86_64)
CodeDirectory v=20500 size=32917 flags=0x10000(runtime) hashes=1023+2 location=embedded
VersionPlatform=1
VersionMin=720896
VersionSDK=786688
Hash type=sha256 size=32
CandidateCDHash sha256=fb6e8eb8f4b45bd18edda91edb12bfd36fc8cc2f
CandidateCDHashFull sha256=fb6e8eb8f4b45bd18edda91edb12bfd36fc8cc2fca7bf14ab2adeee99763816d
Hash choices=sha256
CMSDigest=fb6e8eb8f4b45bd18edda91edb12bfd36fc8cc2fca7bf14ab2adeee99763816d
CMSDigestType=2
Executable Segment base=0
Executable Segment limit=3948544
Executable Segment flags=0x1
Page size=4096
CDHash=fb6e8eb8f4b45bd18edda91edb12bfd36fc8cc2f
Signature size=9046
Authority=Developer ID Application: Ryan Lopopolo (VDKP67932G)
Authority=Developer ID Certification Authority
Authority=Apple Root CA
Timestamp=Sep 4, 2022 at 5:45:18 PM
Info.plist=not bound
TeamIdentifier=VDKP67932G
Runtime Version=12.1.0
Sealed Resources=none
Internal requirements count=1 size=172
$ codesign --display -vvvv bin/irb
Executable=/Users/lopopolo/Downloads/artichoke-dev-install/airb
Identifier=airb
Format=Mach-O thin (x86_64)
CodeDirectory v=20500 size=31504 flags=0x10000(runtime) hashes=979+2 location=embedded
VersionPlatform=1
VersionMin=720896
VersionSDK=786688
Hash type=sha256 size=32
CandidateCDHash sha256=5f46993ecb75b838e32fc73b5feccf2de46c8a52
CandidateCDHashFull sha256=5f46993ecb75b838e32fc73b5feccf2de46c8a52dd55cc18e91f984a83cb2255
Hash choices=sha256
CMSDigest=5f46993ecb75b838e32fc73b5feccf2de46c8a52dd55cc18e91f984a83cb2255
CMSDigestType=2
Executable Segment base=0
Executable Segment limit=3768320
Executable Segment flags=0x1
Page size=4096
CDHash=5f46993ecb75b838e32fc73b5feccf2de46c8a52
Signature size=9046
Authority=Developer ID Application: Ryan Lopopolo (VDKP67932G)
Authority=Developer ID Certification Authority
Authority=Apple Root CA
Timestamp=Sep 4, 2022 at 5:45:18 PM
Info.plist=not bound
TeamIdentifier=VDKP67932G
Runtime Version=12.1.0
Sealed Resources=none
Internal requirements count=1 size=164
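The transcript above proves the signature verifies and satisfies its designated requirement, but a valid Developer ID signature from some other team would pass those two commands just as well. What follows is an added example for this thread, not code from this PR or from macos_sign_and_notarize.py: a release-gate check that parses `codesign --display -vvvv` output and fails on anything other than a hardened-runtime Developer ID signature from the expected team, with a SHA-256 code directory and a secure timestamp. `EXPECTED_TEAM`, the function names and `SAMPLE_ADHOC` are my own assumptions and constructions; `SAMPLE_SIGNED` is copied from the `codesign --display -vvvv artichoke` output in the comment above.

```shell
#!/bin/sh
# Added example for this PR thread; not code from artichoke/nightly or from
# macos_sign_and_notarize.py. It parses `codesign --display -vvvv` output and
# fails unless the binary carries the properties a notarized Developer ID
# build needs. EXPECTED_TEAM and the function names are assumptions.

EXPECTED_TEAM="VDKP67932G"   # TeamIdentifier shown in the codesign output above

# check_codesign_info TEAM  -- reads `codesign --display -vvvv` output on stdin.
# Returns 0 only if every property below holds; reports each failure on stderr.
check_codesign_info() {
    want_team="$1"
    info=$(cat)
    rc=0
    # 1. A real identity, not an ad-hoc signature (codesign prints
    #    "Signature=adhoc" and "TeamIdentifier=not set" for those).
    if printf '%s\n' "$info" | grep -q '^Signature=adhoc$'; then
        echo "ad-hoc signature (no signing identity)" >&2; rc=1
    fi
    # 2. Leaf certificate must be a Developer ID Application certificate,
    #    the only type Gatekeeper accepts for software shipped outside the App Store.
    printf '%s\n' "$info" | grep -q '^Authority=Developer ID Application:' \
        || { echo "leaf authority is not Developer ID Application" >&2; rc=1; }
    # 3. Chain must run through the Developer ID CA to the Apple Root CA.
    printf '%s\n' "$info" | grep -q '^Authority=Developer ID Certification Authority$' \
        || { echo "missing Developer ID Certification Authority" >&2; rc=1; }
    printf '%s\n' "$info" | grep -q '^Authority=Apple Root CA$' \
        || { echo "missing Apple Root CA" >&2; rc=1; }
    # 4. Pin the signer: any other team's Developer ID would pass checks 2 and 3.
    printf '%s\n' "$info" | grep -q "^TeamIdentifier=${want_team}\$" \
        || { echo "TeamIdentifier is not ${want_team}" >&2; rc=1; }
    # 5. Hardened runtime flag in the CodeDirectory; notarization requires it.
    printf '%s\n' "$info" | grep -Eq '^CodeDirectory .*flags=0x[0-9a-f]+\([^)]*runtime[^)]*\)' \
        || { echo "hardened runtime flag not set" >&2; rc=1; }
    # 6. SHA-256 code directory and a secure timestamp.
    printf '%s\n' "$info" | grep -q '^Hash type=sha256' \
        || { echo "code directory hash is not SHA-256" >&2; rc=1; }
    printf '%s\n' "$info" | grep -q '^Timestamp=' \
        || { echo "no secure timestamp" >&2; rc=1; }
    return $rc
}

# verify_release_binary PATH  -- the live gate, macOS only: cryptographic
# verification plus the notarization check, then the policy check above.
# `codesign --display` writes to stderr, hence the 2>&1.
verify_release_binary() {
    codesign --verify --deep --strict=all --check-notarization -vvvv "$1" || return 1
    codesign --display -vvvv "$1" 2>&1 | check_codesign_info "$EXPECTED_TEAM"
}

# Sample inputs so the policy check runs on any platform. SAMPLE_SIGNED is
# copied from the `codesign --display -vvvv artichoke` output in this PR;
# SAMPLE_ADHOC is a constructed stand-in for an ad-hoc signed build.
SAMPLE_SIGNED='Executable=/Users/lopopolo/Downloads/artichoke-dev-install/artichoke
Identifier=artichoke
Format=Mach-O thin (x86_64)
CodeDirectory v=20500 size=32917 flags=0x10000(runtime) hashes=1023+2 location=embedded
Hash type=sha256 size=32
CDHash=fb6e8eb8f4b45bd18edda91edb12bfd36fc8cc2f
Signature size=9046
Authority=Developer ID Application: Ryan Lopopolo (VDKP67932G)
Authority=Developer ID Certification Authority
Authority=Apple Root CA
Timestamp=Sep 4, 2022 at 5:45:18 PM
Info.plist=not bound
TeamIdentifier=VDKP67932G
Runtime Version=12.1.0
Sealed Resources=none'

SAMPLE_ADHOC='Executable=/tmp/artichoke
Identifier=artichoke
Format=Mach-O thin (x86_64)
CodeDirectory v=20400 size=32917 flags=0x2(adhoc) hashes=1023+2 location=embedded
Hash type=sha256 size=32
Signature=adhoc
Info.plist=not bound
TeamIdentifier=not set
Sealed Resources=none'
```

On a Mac, `verify_release_binary ./artichoke` runs the full chain: `codesign --verify` confirms the seal and the notarization status, and the parser then rejects a binary that is validly signed but by the wrong team, lacks the hardened runtime, or was signed ad hoc. Elsewhere only the parser is usable, which is exactly what a CI job that inspects uploaded `codesign --display` logs needs.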

@lopopolo
Member Author

lopopolo commented Sep 5, 2022

Binaries don't get killed by Gatekeeper when downloading artifacts directly from GitHub:

$ mkdir downloaded-binaries
$ tar xvzf artichoke-nightly-x86_64-apple-darwin.tar.gz -C downloaded-binaries --strip-components 1
x THIRDPARTY.txt
x LICENSE
x airb
x README.md
x artichoke
$ cd downloaded-binaries
$ ./artichoke --copyright
artichoke - Copyright (c) 2019-2022 Ryan Lopopolo <rjl@hyperbo.la>
$ ./airb
artichoke 0.1.0-pre.0 (2022-09-05 revision 6275) [x86_64-apple-darwin]
[rustc 1.63.0 (4b91a6ea7 2022-08-08) on x86_64-apple-darwin]
>>> puts "Hello World!"
Hello World!
=> nil
>>>

@lopopolo lopopolo added labels A-release (Area: Nightly releases and version bumps), A-target (Area: nightly build support for various target triples) on Sep 5, 2022
@lopopolo lopopolo merged commit cad0574 into trunk Sep 5, 2022
@lopopolo lopopolo deleted the lopopolo/codesign-and-notarize-apple-nightly-binaries branch September 5, 2022 01:07
Linked issue closed by this pull request: Mac artifacts are not code signed (#18)