Sign node exporter darwin binary with rcodesign #3008
Prevents SIGKILL issues on macs
Signed-off-by: Alper Polat <gitperr@gmail.com>
@SuperQ this is the code signing saga we had started a while back. Now that promu is updated, the builds can be code signed properly. Is there anything else that needs doing?
Do we need a secret key to do the signing?
I doubt it adds much because it would be a key + self-signed certificate we generate. Normally developers pay Apple a subscription fee of $99/year to get "Apple trust" so they can do more than ad-hoc signing (so, no key). But other projects like Homebrew have been able to get away without doing this. They have been using ad-hoc signing for a long time (see https://github.com/Homebrew/brew/blob/e479f4bc35c3be468172e10b7428f37e322bdeb1/Library/Homebrew/extend/os/mac/keg.rb#L33) and it just works, and they do not seem to maintain a key. One difference is that their build machine is macOS, so they are able to access the real
Co-authored-by: Ben Kochie <superq@gmail.com>
Signed-off-by: Alper Polat <101826653+gitperr@users.noreply.github.com>
Signed-off-by: Alper Polat <gitperr@gmail.com>
Okay, so the amd64 signed binary should be testable by following these steps: The reason I test it like this is because Safari direct-click downloads won't work; it will give a security warning. And normally we distribute in tarballs directly from GitHub. So, this is one way to get close to that.
We need this as hell :) Can I help somehow?
Let's give this a try.
@gitperr I tend to use MacPorts, where most of the packages, if not all of the ports, are compiled and installed on the user's local machine. Thus, codesigning isn't required for software that is downloaded, compiled, and installed. Codesigning is free to all Apple developer accounts (i.e. paid and non-paid), but one needs to have an Apple ID associated with their Apple Developer account. If you're releasing binaries that need to be submitted to Apple to get notarized, then one must have a $99 paid Apple Developer subscription. Next, I know that GitHub Actions does support runners for macOS 12 - macOS 14 for both Intel and Apple Silicon. Also, it looks like the Homebrew team is currently using it. Finally, Apple will probably refine how apps are signed and notarized at the next WWDC 2024.
As far as I know, if you compile locally, your code will be linker-signed, so you indeed do not need additional signing. With this, you can run that compiled software on your Mac. But you will have problems when running on other Macs. I did not know code signing was free, that's nice. I'd very much prefer to get rid of My original proposal for code signing was this: I can do step 3, but steps 1 and 2 are to be done by a maintainer with more access, I think. According to my tests,
@gitperr Yes, when you compile software locally on macOS, the linker can sign the code if one has specified code signing during the compilation process. For example, here's Julia's codesign information when I installed it via MacPorts:

```
➜ codesign -d -vv /opt/local/bin/julia
Executable=/opt/local/bin/julia
Identifier=julia
Format=Mach-O thin (arm64)
CodeDirectory v=20400 size=510 flags=0x20002(adhoc,linker-signed) hashes=13+0 location=embedded
Signature=adhoc
Info.plist=not bound
TeamIdentifier=not set
Sealed Resources=none
Internal requirements=none
```

In Xcode, there's a tab, 'Signing & Capabilities', with a checkbox called 'Automatically manage signing' that's checked by default when you create a new application. Finally, I like your proposal, and you're closer to the maintainer as a contributor to bring this to their attention. I have my fingers crossed that Apple will announce free notarization for open-source apps at WWDC 2024. I know Apple uses Prometheus and associated tools within its infrastructure.
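The thread notes that the release builds run on a non-macOS machine, where Apple's `codesign` is not available to confirm that the darwin artifacts actually carry a signature. The following is an added example, not code from this PR or from node_exporter: it walks a Mach-O image's load commands (thin or universal) looking for `LC_CODE_SIGNATURE`, which a release pipeline could run on Linux before tarballing. The `constructed_thin` and `constructed_fat` helpers are assumptions that build minimal headers so the check can be exercised without a real binary.

```python
import struct

MH_MAGIC_64, MH_CIGAM_64 = 0xFEEDFACF, 0xCFFAEDFE
MH_MAGIC, MH_CIGAM = 0xFEEDFACE, 0xCEFAEDFE
FAT_MAGIC = 0xCAFEBABE  # fat (universal) headers are always big-endian
LC_CODE_SIGNATURE = 0x1D

def _thin_has_signature(data: bytes) -> bool:
    """Walk one Mach-O slice's load commands looking for LC_CODE_SIGNATURE."""
    magic = struct.unpack_from("<I", data, 0)[0]
    if magic in (MH_MAGIC_64, MH_MAGIC):
        endian = "<"
    elif magic in (MH_CIGAM_64, MH_CIGAM):
        endian = ">"
    else:
        raise ValueError("not a Mach-O image")
    off = 32 if magic in (MH_MAGIC_64, MH_CIGAM_64) else 28  # sizeof mach_header(_64)
    ncmds = struct.unpack_from(endian + "I", data, 16)[0]
    for _ in range(ncmds):
        cmd, cmdsize = struct.unpack_from(endian + "II", data, off)
        if cmdsize < 8:
            raise ValueError("corrupt load command")
        if cmd == LC_CODE_SIGNATURE:
            return True
        off += cmdsize
    return False

def has_code_signature(data: bytes) -> bool:
    """True only if every architecture slice (thin or fat) carries a signature."""
    if struct.unpack_from(">I", data, 0)[0] == FAT_MAGIC:
        nfat = struct.unpack_from(">I", data, 4)[0]
        arch = [struct.unpack_from(">IIIII", data, 8 + 20 * i)[2:4] for i in range(nfat)]
        return nfat > 0 and all(_thin_has_signature(data[o:o + n]) for o, n in arch)
    return _thin_has_signature(data)

def constructed_thin(signed: bool) -> bytes:
    """Constructed minimal arm64 Mach-O header (not a real binary), for testing."""
    cmds = struct.pack("<IIII", LC_CODE_SIGNATURE, 16, 0x1000, 0x200) if signed else b""
    return struct.pack("<IiiIIIII", MH_MAGIC_64, 0x0100000C, 0, 2, int(signed), len(cmds), 0, 0) + cmds

def constructed_fat(*slices: bytes) -> bytes:
    """Constructed universal (fat) wrapper around the given slices, for testing."""
    archs, blobs, off = b"", b"", 8 + 20 * len(slices)
    for s in slices:
        archs += struct.pack(">IIIII", 0x0100000C, 0, off, len(s), 0)
        blobs, off = blobs + s, off + len(s)
    return struct.pack(">II", FAT_MAGIC, len(slices)) + archs + blobs
```

Presence of the load command only proves a signature blob exists; whether it is ad-hoc or backed by an Apple-issued certificate is recorded in the CodeDirectory flags that `codesign -d -vv` prints on a Mac.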
MacPorts, Homebrew and Code Build are good, but sometimes raw binaries are easier to work with. For example, we use Puppet to manage some parts of our nodes, and mixing Homebrew into the "node_exporter" module or depending on the Go compiler is not the easiest and cleanest solution.
@vladyslav-androshchuk I totally agree with you here, because I mostly use package managers on my local dev machines.
* Sign node exporter darwin binary with rcodesign
  Prevents SIGKILL issues on macs
  Signed-off-by: Alper Polat <gitperr@gmail.com>
* Be explicit about checking for the binary
  Co-authored-by: Ben Kochie <superq@gmail.com>
  Signed-off-by: Alper Polat <101826653+gitperr@users.noreply.github.com>
* Also attempt to sign darwin-amd64
  Signed-off-by: Alper Polat <gitperr@gmail.com>
---------
Signed-off-by: Alper Polat <gitperr@gmail.com>
Signed-off-by: Alper Polat <101826653+gitperr@users.noreply.github.com>
Co-authored-by: Ben Kochie <superq@gmail.com>
* [BUGFIX] Fix CPU seconds on Solaris prometheus#2963
* [BUGFIX] Sign Darwin/MacOS binaries prometheus#3008
* [BUGFIX] Fix pressure collector nil reference prometheus#3016
Signed-off-by: Ben Kochie <superq@gmail.com>
Alright, since I seem to have butchered my previous PR (see #2916) beyond recovery with force pushes, I decided to open a new one that looks more sane.
Prevents SIGKILL issues on Macs.
Fixes: #2539, #2217
I previously tested the darwin build that came out, and it ran well on my M1 mac, so this should be good to go.