From e997d6a77c9594818bbefd11ceda25c7725b0a65 Mon Sep 17 00:00:00 2001
From: Minh141120
Date: Sat, 2 Aug 2025 13:52:30 +0700
Subject: [PATCH] chore: add notarization step for mac
---
 .github/workflows/menlo-build.yml | 25 +++++++++++++++++++++++++
 Makefile | 31 +++++++++++++++++++++++++++++++
 2 files changed, 56 insertions(+)
diff --git a/.github/workflows/menlo-build.yml b/.github/workflows/menlo-build.yml
index 9562c40f82b80..79743d95d1f06 100644
--- a/.github/workflows/menlo-build.yml
+++ b/.github/workflows/menlo-build.yml
@@ -399,6 +399,31 @@ jobs:
 run: |
 make codesign CODE_SIGN=true DEVELOPER_ID="${{ secrets.DEVELOPER_ID }}"
+ - name: Install Quill for notarization
+ if: runner.os == 'macOS'
+ run: |
+ curl -sSfL https://raw.githubusercontent.com/anchore/quill/main/install.sh | sh -s -- -b /usr/local/bin
+ quill --version
+
+ - name: Prepare notary key
+ if: runner.os == 'macOS'
+ run: |
+ base64 -d <<< "$NOTARIZE_P8_BASE64" > /tmp/notary-key.p8
+ chmod 600 /tmp/notary-key.p8
+ env:
+ NOTARIZE_P8_BASE64: ${{ secrets.NOTARIZE_P8_BASE64 }}
+
+ - name: Notarize macOS binaries
+ if: runner.os == 'macOS'
+ run: |
+ make notarize NOTARIZE=true QUILL_NOTARY_KEY_ID="${{ secrets.NOTARY_KEY_ID }}" QUILL_NOTARY_ISSUER="${{ secrets.NOTARY_ISSUER }}" QUILL_NOTARY_KEY="/tmp/notary-key.p8"
+
+ - name: Cleanup notary key
+ if: runner.os == 'macOS'
+ run: |
+ rm -f /tmp/notary-key.p8
+ echo "Notary key cleaned up"
+
 - name: Code Signing Windows
 if: runner.os == 'Windows'
 shell: cmd
diff --git a/Makefile b/Makefile
index 137ab8d5d4307..8240a84f776b6 100644
--- a/Makefile
+++ b/Makefile
@@ -11,6 +11,10 @@ AZURE_TENANT_ID ?= xxxx
 AZURE_CLIENT_SECRET ?= xxxx
 AZURE_CERT_NAME ?= xxxx
 DEVELOPER_ID ?= xxxx
+NOTARIZE ?= false
+QUILL_NOTARY_KEY_ID ?= ""
+QUILL_NOTARY_ISSUER ?= ""
+QUILL_NOTARY_KEY ?= "/tmp/notary-key.p8"
 # Default target, does nothing
 all: 
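Review bot: The `Install Quill for notarization` step pipes an installer fetched from the mutable `main` branch of anchore/quill straight into `sh`, so the tool that will handle the notary key is unpinned and unverified on every run of a signing pipeline. Pin both the script URL and the installed release, e.g. `curl -sSfL https://raw.githubusercontent.com/anchore/quill/<TAG>/install.sh | sh -s -- -b /usr/local/bin <TAG>` with `<TAG>` a fixed release (the installer takes a release tag after the bindir, as far as I can tell), or vendor the script and verify its hash; the existing `quill --version` then also confirms the pinned version. The `Cleanup notary key` step only runs when the preceding steps succeed, so a failed `make notarize` leaves `/tmp/notary-key.p8` on the runner; `if: always() && runner.os == 'macOS'` removes it on failure as well.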
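Review bot: The defaults `QUILL_NOTARY_KEY_ID ?= ""` and `QUILL_NOTARY_ISSUER ?= ""` are not empty in Make — the quotes are literal, so the value is the two-character string `""` and an emptiness check such as `ifeq ($(QUILL_NOTARY_KEY_ID),)` would never match; `QUILL_NOTARY_KEY ?= "/tmp/notary-key.p8"` likewise carries its quotes into every expansion. None of the three variables is `export`ed here, and the `notarize` recipe added in the following hunk does not reference them, so these defaults never reach `quill`; the CI step presumably works only because GNU make exports command-line assignments (`make notarize QUILL_…=…`) to the recipe environment. Suggest `QUILL_NOTARY_KEY_ID ?=`, `QUILL_NOTARY_KEY ?= /tmp/notary-key.p8` (and the same for the issuer) plus `export QUILL_NOTARY_KEY_ID QUILL_NOTARY_ISSUER QUILL_NOTARY_KEY`, assuming quill reads these names from the environment — confirm against its documentation.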
@@ -45,6 +49,33 @@ else
 find "build/bin" -type f -exec codesign --force -s "$(DEVELOPER_ID)" --options=runtime {} \;
 endif
+notarize:
+ifeq ($(NOTARIZE),false)
+ @echo "Skipping Notarization"
+ @exit 0
+endif
+
+ifeq ($(OS),Windows_NT)
+ @echo "Skipping Notarization for Windows"
+ @exit 0
+else ifeq ($(shell uname -s),Linux)
+ @echo "Skipping Notarization for Linux"
+ @exit 0
+else
+ @echo "Starting notarization for macOS binaries..."
+ @find build/bin -type f -exec | while read binary; do \ echo "Notarizing $$(basename $$binary)..."; \ quill notarize "$$binary"; \ if [ $$? -eq 0 ]; then \ echo "Successfully notarized $$(basename $$binary)"; \ else \ echo Failed to notarize $$(basename $$binary)"; \ exit 1; \ fi; \ done
+ @echo "All macOS binaries notarized successfully"
+endif
+
 package:
 ifeq ($(OS),Windows_NT)
 @powershell -Command "7z a -ttar temp.tar build\bin\*; 7z a -tgzip llama.tar.gz temp.tar;"
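Review bot: The macOS branch of `notarize` cannot run as written: `find build/bin -type f -exec |` is rejected by find (`-exec` requires a command), and `echo Failed to notarize $$(basename $$binary)";` has an unbalanced quote, so the shell refuses the whole `find … | while … done` pipeline before anything is notarized; even with the quote fixed, a find error would be masked because the pipeline's status is that of the `while` loop. The `@exit 0` lines do not skip anything either — each recipe line runs in its own shell, and the second `ifeq` is evaluated at parse time regardless of the first, so `NOTARIZE=false` still reaches `quill notarize` on macOS. A single `ifneq ($(NOTARIZE),true) … else ifeq … else … endif` chain gives the intended skip, and `-print | while IFS= read -r` with `if quill notarize "$$binary"; then` replaces the separate `$$?` test. Without `pipefail`, an empty or missing `build/bin` still prints the success message, which may deserve its own guard. Rewritten target:
```make
notarize:
ifneq ($(NOTARIZE),true)
	@echo "Skipping Notarization"
else ifeq ($(OS),Windows_NT)
	@echo "Skipping Notarization for Windows"
else ifeq ($(shell uname -s),Linux)
	@echo "Skipping Notarization for Linux"
else
	@echo "Starting notarization for macOS binaries..."
	@find build/bin -type f -print | while IFS= read -r binary; do \
		echo "Notarizing $$(basename "$$binary")..."; \
		if quill notarize "$$binary"; then \
			echo "Successfully notarized $$(basename "$$binary")"; \
		else \
			echo "Failed to notarize $$(basename "$$binary")"; \
			exit 1; \
		fi; \
	done
	@echo "All macOS binaries notarized successfully"
endif
```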