Split signing out from qsrelease #2655
Conversation
https://github.com/actions/upload-artifact#zipped-artifact-downloads

A little annoying.

Blocked on actions/upload-artifact#300
Force-pushed 86167af to bc87681
OK, I think this is as ready as I can get it for now. I've squashed and rebased.

Actually, the

Looks like build / sign is failing:
Correct -- the 3 secrets listed above are currently empty, and I don't have access to modify repo secrets. This is blocked pending @skurfer's review and feedback, since it's his Apple ID and cert.

I’ve made you an Owner on the Quicksilver org @n8henrie, so you should be able to make whatever changes are necessary now.

I’ve added the secrets and updated the signing cert to match the one I generated recently.
Force-pushed c2b0659 to 32a5a4e
I'm making some progress here. Current errors with notarization:

```json
{
  "severity": "error",
  "code": null,
  "path": "Quicksilver 1.6.1.dmg/Quicksilver.app/Contents/Resources/QSDroplet.app/Contents/MacOS/QSDroplet",
  "message": "The binary is not signed with a valid Developer ID certificate.",
  "docUrl": null,
  "architecture": "x86_64"
},
{
  "severity": "error",
  "code": null,
  "path": "Quicksilver 1.6.1.dmg/Quicksilver.app/Contents/Resources/QSDroplet.app/Contents/MacOS/QSDroplet",
  "message": "The signature does not include a secure timestamp.",
  "docUrl": null,
  "architecture": "x86_64"
}
```

I'm about to push a PR that might fix the timestamp issue, which I'm hoping might fix the issue with

What does

Pending tasks:
It has a different icon and would be a separate drop target from the main app (or potentially many targets). It’s sort of like a trigger, but you drop something on it. https://qsapp.com/manual/Preferences/#command-objects-and-droplets
Hmmm, same errors after adding

```json
"issues": [
  {
    "severity": "error",
    "code": null,
    "path": "Quicksilver 1.6.1.dmg/Quicksilver.app/Contents/Resources/QSDroplet.app/Contents/MacOS/QSDroplet",
    "message": "The binary is not signed with a valid Developer ID certificate.",
    "docUrl": null,
    "architecture": "x86_64"
  },
  {
    "severity": "error",
    "code": null,
    "path": "Quicksilver 1.6.1.dmg/Quicksilver.app/Contents/Resources/QSDroplet.app/Contents/MacOS/QSDroplet",
    "message": "The signature does not include a secure timestamp.",
    "docUrl": null,
    "architecture": "x86_64"
  },
  {
    "severity": "error",
    "code": null,
    "path": "Quicksilver 1.6.1.dmg/Quicksilver.app/Contents/Resources/QSDroplet.app/Contents/MacOS/QSDroplet",
    "message": "The binary is not signed with a valid Developer ID certificate.",
    "docUrl": null,
    "architecture": "arm64"
  },
  {
    "severity": "error",
    "code": null,
    "path": "Quicksilver 1.6.1.dmg/Quicksilver.app/Contents/Resources/QSDroplet.app/Contents/MacOS/QSDroplet",
    "message": "The signature does not include a secure timestamp.",
    "docUrl": null,
    "architecture": "arm64"
  }
]
```

```console
$ codesign --verify -vvv Quicksilver.app/Contents/Resources/QSDroplet.app/
Quicksilver.app/Contents/Resources/QSDroplet.app/: valid on disk
Quicksilver.app/Contents/Resources/QSDroplet.app/: satisfies its Designated Requirement
```
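The two notary errors above are about the nested `QSDroplet.app`, and the `codesign --verify` run that follows reports it as valid, which is consistent: `--verify` checks that a signature is intact and meets its designated requirement, and an ad-hoc or untimestamped signature passes that test just as a Developer ID one does. The script below is an added example written for this thread, not Quicksilver's `qssign` or anything posted in it. It (1) lists the bundles inside an app deepest-first so nested helpers are signed before the outer app, (2) signs each one explicitly with `--timestamp` and `--options runtime` instead of relying on `--deep`, and (3) parses the text of `codesign -dvv` and reports which of the three notary prerequisites (Developer ID Application authority, secure timestamp, hardened runtime) are absent. `SIGN_IDENTITY`, the `Example Inc` identity, the `CODESIGN` override used for dry runs, and the two sample reports are all assumptions constructed for the example.

```shell
#!/bin/sh
# Added example (not Quicksilver's qssign): sign nested bundles inside-out and
# check each signature for what the notary service rejected above, a Developer
# ID Application authority and a secure timestamp, plus the hardened runtime.
# Assumed names: SIGN_IDENTITY (placeholder identity) and CODESIGN, which can
# be pointed at `echo` for a dry run on a machine without codesign.

: "${CODESIGN:=codesign}"
: "${SIGN_IDENTITY:=Developer ID Application: Example Inc (ABCDE12345)}"

# List code bundles under an app, deepest first, so that nested helpers such
# as Contents/Resources/QSDroplet.app are signed before the outer app.
# Depth is the number of '/'-separated path components (awk's NF).
nested_bundles_inside_out() {
    find "$1" -type d \( -name '*.app' -o -name '*.framework' \
        -o -name '*.xpc' -o -name '*.appex' \) \
    | awk -F/ '{ print NF, $0 }' | sort -rn | cut -d' ' -f2-
}

# Sign every bundle from that list with the Developer ID identity, a secure
# timestamp and the hardened runtime. No --deep: each nested bundle gets its
# own explicit signing step.
sign_inside_out() {
    nested_bundles_inside_out "$1" | while IFS= read -r bundle; do
        "$CODESIGN" --force --options runtime --timestamp \
            --sign "$SIGN_IDENTITY" "$bundle" || exit 1
    done
}

# Given the text of `codesign -dvv <bundle> 2>&1`, print the missing
# prerequisites (space separated) and return 1, or return 0 if all present.
# `codesign --verify` on its own checks none of these.
check_signature_report() {
    missing=""
    printf '%s\n' "$1" | grep -q '^Authority=Developer ID Application:' \
        || missing="$missing developer-id"
    printf '%s\n' "$1" | grep -q '^Timestamp=' \
        || missing="$missing secure-timestamp"
    printf '%s\n' "$1" | grep -q 'flags=0x[0-9a-f]*([a-z,]*runtime' \
        || missing="$missing hardened-runtime"
    [ -z "$missing" ] && return 0
    printf '%s\n' "${missing# }"
    return 1
}

# Constructed sample reports (not output from the thread): what
# `codesign -dvv ... 2>&1` looks like for an ad-hoc signed nested helper
# and for a Developer-ID-signed, timestamped, hardened-runtime binary.
SAMPLE_ADHOC='Executable=/tmp/Quicksilver.app/Contents/Resources/QSDroplet.app/Contents/MacOS/QSDroplet
Identifier=QSDroplet
Format=app bundle with Mach-O universal (x86_64 arm64)
CodeDirectory v=20400 size=512 flags=0x2(adhoc) hashes=8+7 location=embedded
Signature=adhoc
Info.plist entries=20
Sealed Resources version=2 rules=13 files=4'

SAMPLE_GOOD='Executable=/tmp/Quicksilver.app/Contents/MacOS/Quicksilver
Identifier=com.example.Quicksilver
Format=app bundle with Mach-O universal (x86_64 arm64)
CodeDirectory v=20500 size=4096 flags=0x10000(runtime) hashes=120+7 location=embedded
Signature size=8980
Authority=Developer ID Application: Example Inc (ABCDE12345)
Authority=Developer ID Certification Authority
Authority=Apple Root CA
Timestamp=1 Jan 2024 at 12:00:00
Info.plist entries=30
TeamIdentifier=ABCDE12345
Runtime Version=13.0.0
Sealed Resources version=2 rules=13 files=200'

# Usage: sh sign-check.sh /path/to/Quicksilver.app
# Signs inside-out, then re-inspects every bundle and reports gaps.
if [ -d "${1:-}" ]; then
    sign_inside_out "$1" || exit 1
    nested_bundles_inside_out "$1" | while IFS= read -r bundle; do
        report=$("$CODESIGN" -dvv "$bundle" 2>&1)
        if gaps=$(check_signature_report "$report"); then
            echo "ok: $bundle"
        else
            echo "missing [$gaps]: $bundle"
        fi
    done
fi
```

Run it against the built app before the DMG is assembled; a `missing [secure-timestamp]` line for `QSDroplet.app` is the local equivalent of the notary error above, and is cheaper to discover than a failed `notarytool` submission.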
Quicksilver/Tools/qssign (outdated)

```sh
codesign --verify --deep --strict --verbose=1 "${QS_VERSIONED_DMG}"

## Easy access to plist and app
cp -a "${DMG_TEMP}"/Quicksilver.app{,/Contents/Info.plist} "${BUILT_PRODUCTS_DIR}"
```
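Review bot: the `codesign --verify --deep --strict` line checks signature integrity and designated requirements only; it does not check for a Developer ID Application authority or a secure timestamp, which are exactly the two things the notary log rejects for `QSDroplet.app` while `codesign --verify -vvv` still reports it `valid on disk`. Consider adding a post-signing pass that inspects each nested bundle with `codesign -dvv` and fails the script when the `Authority=Developer ID Application:` or `Timestamp=` lines are absent, and sign the nested bundles explicitly with `--timestamp` rather than relying on `--deep`. On the `cp -a` line, copying `Quicksilver.app` back onto an existing copy in `${BUILT_PRODUCTS_DIR}` is not needed for the Info.plist convenience and fails under GNU `cp`; copying only `Contents/Info.plist` avoids both problems.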
Why are we copying the app back to `$BUILT_PRODUCTS_DIR` here? That’s where it originates from, and it still exists, so the script fails for me as a result. We should just need `Info.plist` from this step.
Doing a codesigning dance. The unsigned app is copied into `BUILT_PRODUCTS_DIR`; if `QS_BUILD_ONLY` is set, this copy is ad-hoc signed so that it can be run locally, and I left a copy in `BUILT_PRODUCTS_DIR` as a convenience to preserve existing behavior.

It is copied into `DMG_TEMP` so that this directory can be uploaded as a build artifact that can then be downloaded and manually explored if desired, but more importantly because artifacts within a single workflow can then be downloaded in other actions, avoiding the need to re-build everything.

In `qssign`, the app is codesigned, and the "finished" app is subsequently re-copied to `BUILT_PRODUCTS_DIR`, overwriting the unsigned copy that was there previously.

EDIT: so that you have convenient access to a signed copy when running locally. However, I could `mv` (instead of `cp`) it into `DMG_TEMP` and remove the `Quicksilver.zip.zip` build artifact, and people could just download the `DMG_INGREDIENTS` artifact (with a copy of the unsigned `Quicksilver.app` inside) -- it just seems a little less obvious for people wanting to get a copy of `Quicksilver.app` built from a PR. I could have the build artifact made from the one in `DMG_TEMP` -- several options. I didn't consider a duplicate copy to be a huge issue, but I can see how it could be confusing down the road.

I'm surprised that the script fails for you (thanks for testing) -- shouldn't `cp -a` just overwrite it?
Ahh --

```console
$ cd $(mktemp -d)
$ mkdir ./dmg
$ /bin/cp -a /tmp/QS/build/Release/Quicksilver.app .
$ /bin/cp -a ./Quicksilver.app ./dmg/
$ /bin/cp -a ./dmg/Quicksilver.app .
cp: cannot overwrite directory ./
... lots of errors ...
$ which cp
/opt/homebrew/opt/coreutils/libexec/gnubin/cp
$ cp -a ./dmg/Quicksilver.app .
$ echo $?
0
```

The issue didn't come up on GitHub Actions because the environments are cleared between the two actions (`BUILT_PRODUCTS_DIR` is unpopulated in `qssign`).

I reran with `PATH=$(getconf PATH)` to make sure no more GNU / BSD coreutils issues.
Force-pushed d238534 to 0d5249b

Force-pushed 156a697 to 1023466
A few other conveniences provided by releases: The canonical URL to the asset is

For better or worse the version number in the DMG prevents one from getting an "always working direct download url."
Force-pushed 1eb16ce to d590b8a
Fixes #2654

Issues addressed:

- Provides separate GitHub Actions for building and signing (#2583 (comment))
- Provides separate script for debugging signing so you don't have to rebuild every time (requires exporting a few variables normally set in `qsrelease`)
- By default will still build *and* sign (for local builds) unless `QS_BUILD_ONLY` is set -- preserves current behavior
- Uses GitHub Actions' artifacts to avoid re-building the entire project twice
- Removes the "arbitrary volume size and hope it's big enough" workaround
- Adds what I think should be the necessary changes for automatic notarization of the DMG

Other changes:

- Removes need for `buildDMG.pl` with no new dependencies
- Reorders test *after* build, since the tests depend on `/tmp/QS/Configuration/Quicksilver.pch`
- Split uploads into separate named actions
- Copy the codesigned app to parent directory for easy access
- Create a zip of QS.app as a convenience build artifact
- Specify release config for testing
- Use `working-directory` instead of `cd` for several actions
- Rename `release.yaml` to `ci.yaml` as it now has separate stages for build, sign, and release

TODO:

- Fixes #2654 -- hopefully