Split signing out from qsrelease #2655
Conversation
|
https://github.com/actions/upload-artifact#zipped-artifact-downloads
A little annoying. |
|
Blocked on actions/upload-artifact#300 |
n8henrie
force-pushed
the
split-signing
branch
2 times, most recently
from
86167af
to
bc87681
Compare
|
OK, I think this is as ready as I can get it for now. I've squashed and rebased.
|
|
Actually, the
|
|
Looks like build / sign is failing:
|
|
Correct -- the 3 secrets listed above are currently empty, and I don't have access to modify repo secrets. This is blocked pending @skurfer's review and feedback, since it's his Apple ID and cert. |
|
I’ve made you an Owner on the Quicksilver org @n8henrie, so you should be able to make whatever changes are necessary now. |
|
I’ve added the secrets and updated the signing cert to match the one I generated recently. |
n8henrie
force-pushed
the
split-signing
branch
4 times, most recently
from
c2b0659
to
32a5a4e
Compare
|
I'm making some progress here. Current errors with notarization: {
"severity": "error",
"code": null,
"path": "Quicksilver 1.6.1.dmg/Quicksilver.app/Contents/Resources/QSDroplet.app/Contents/MacOS/QSDroplet",
"message": "The binary is not signed with a valid Developer ID certificate.",
"docUrl": null,
"architecture": "x86_64"
},
{
"severity": "error",
"code": null,
"path": "Quicksilver 1.6.1.dmg/Quicksilver.app/Contents/Resources/QSDroplet.app/Contents/MacOS/QSDroplet",
"message": "The signature does not include a secure timestamp.",
"docUrl": null,
"architecture": "x86_64"
},I'm about to push a PR that might fix the timestamp issue, which I'm hoping might fix the issue with What does Pending tasks:
|
It has a different icon and would be a separate drop target from the main app (or potentially many targets). It’s sort of like a trigger, but you drop something on it. https://qsapp.com/manual/Preferences/#command-objects-and-droplets |
|
Hmmm, same errors after adding "issues": [
{
"severity": "error",
"code": null,
"path": "Quicksilver 1.6.1.dmg/Quicksilver.app/Contents/Resources/QSDroplet.app/Contents/MacOS/QSDroplet",
"message": "The binary is not signed with a valid Developer ID certificate.",
"docUrl": null,
"architecture": "x86_64"
},
{
"severity": "error",
"code": null,
"path": "Quicksilver 1.6.1.dmg/Quicksilver.app/Contents/Resources/QSDroplet.app/Contents/MacOS/QSDroplet",
"message": "The signature does not include a secure timestamp.",
"docUrl": null,
"architecture": "x86_64"
},
{
"severity": "error",
"code": null,
"path": "Quicksilver 1.6.1.dmg/Quicksilver.app/Contents/Resources/QSDroplet.app/Contents/MacOS/QSDroplet",
"message": "The binary is not signed with a valid Developer ID certificate.",
"docUrl": null,
"architecture": "arm64"
},
{
"severity": "error",
"code": null,
"path": "Quicksilver 1.6.1.dmg/Quicksilver.app/Contents/Resources/QSDroplet.app/Contents/MacOS/QSDroplet",
"message": "The signature does not include a secure timestamp.",
"docUrl": null,
"architecture": "arm64"
}
] |
$ codesign --verify -vvv Quicksilver.app/Contents/Resources/QSDroplet.app/
Quicksilver.app/Contents/Resources/QSDroplet.app/: valid on disk
Quicksilver.app/Contents/Resources/QSDroplet.app/: satisfies its Designated Requirement |
Quicksilver/Tools/qssign
Outdated
| codesign --verify --deep --strict --verbose=1 "${QS_VERSIONED_DMG}" | ||
|
|
||
| ## Easy access to plist and app | ||
| cp -a "${DMG_TEMP}"/Quicksilver.app{,/Contents/Info.plist} "${BUILT_PRODUCTS_DIR}" |
There was a problem hiding this comment.
Why are we copying the app back to $BUILT_PRODUCTS_DIR here? That’s where it originates from, and it still exists, so the script fails for me as a result. We should just need Info.plist from this step.
There was a problem hiding this comment.
Doing a codesigning dance. The unsigned app is copied into BUILT_PRODUCTS_DIR; if QS_BUILD_ONLY is set, this copy is ad-hoc signed so that it can be run locally, and I left a copy in BUILT_PRODUCTS_DIR as a convenience to preserve existing behavior.
It is copied into DMG_TEMP so that this directory can be uploaded as a built artifact that can them be downloaded and manually explored if desired, but more importantly because artifacts within a single workflow can then be downloaded in other actions, avoiding the need to re-build everything.
In qssign, the app is codesigned, and the the "finished" app is subsequently re-copied to BUILT_PRODUCTS_DIR, overwriting the unsigned copy that was there previously
EDIT: so that you have convenient access to a signed copy when running locally. However, I could mv (instead of cp) it into DMG_TEMP and remove the Quicksilver.zip.zip build artifact, and people could just download the DMG_INGREDIENTS artifact (with a copy of the unsigned Quicksilver.app inside) -- it just seems a little less obvious for people wanting to get a copy of Quicksilver.app build from a PR. I could have the build artifact made from the one in DMG_TEMP -- several options. I didn't consider a duplicate copy to be a huge issue, but I can see how it could be confusing down the road.
I'm surprised that the script fails for you (thanks for testing) -- shouldn't cp -a just overwrite it?
Ahh --
$ cd $(mktemp -d)
$ mkdir ./dmg
$ /bin/cp -a /tmp/QS/build/Release/Quicksilver.app .
$ /bin/cp -a ./Quicksilver.app ./dmg/
$ /bin/cp -a ./dmg/Quicksilver.app .
cp: cannot overwrite directory ./
... lots of errors ...
$ which cp
/opt/homebrew/opt/coreutils/libexec/gnubin/cp
$ cp -a ./dmg/Quicksilver.app .
$ echo $?
0The issue didn't come up on GitHub Actions because the environments are cleared between the two actions (BUILT_PRODUCTS_DIR is unpopulated in qssign).
I reran with PATH=$(getconf PATH) to make sure no more GNU / BSD coreutils issues.
n8henrie
force-pushed
the
split-signing
branch
2 times, most recently
from
d238534
to
0d5249b
Compare
n8henrie
force-pushed
the
split-signing
branch
3 times, most recently
from
156a697
to
1023466
Compare
|
A few other conveniences provided by releases: The canonical URL to the asset is
For better or worse the version number in the DMG prevents one from getting an "always working direct download url." |
n8henrie
force-pushed
the
split-signing
branch
2 times, most recently
from
1eb16ce
to
d590b8a
Compare
Fixes #2654 Issues addressed: - Provides separate GitHub Actions for building and signing (#2583 (comment)) - Provides separate script for debugging signing so you don't have to rebuild every time (requires exporting a few variables normally set in `qsrelease` - By default will still build *and* sign (for local builds) unless `QS_BUILD_ONLY` is set -- preserves current behavior - Uses GitHub Actions' artifacts to avoid re-building the entire project twice - Removes the "arbitrary volume size and hope it's big enough" workaround - Adds what I think should be the necessary changes for automatic notarization of the DMG Other changes: - Removes need for `buildDMG.pl` with no new dependencies - Reorders test *after* build, since the tests depend on `/tmp/QS/Configuration/Quicksilver.pch` - Split uploads into separate named actions - Copy the codesigned app to parent directory for easy acess - Create a zip of QS.app as a convenience build artifact - Specify release config for testing - Use `working-directory` instead of `cd` for several actions - Rename `release.yaml` to `ci.yaml` as it now has separate stages for build, sign, and release
Issues addressed:
qsreleaseQS_BUILD_ONLYis set -- preserves current behaviornotarization of the DMG
Other changes:
buildDMG.plwith no new dependencies/tmp/QS/Configuration/Quicksilver.pchTODO:
Fixes #2654 -- hopefully