From a58c971bbc3a14a8c2db9279f619c0ffade2ad95 Mon Sep 17 00:00:00 2001
From: Roko Kruze
Date: Fri, 20 Nov 2020 14:53:36 -0800
Subject: [PATCH] Sign rpk for macOS on release

When making a release, for the macOS binary use gon to sign the package and get it notarized.
---
.github/workflows/rpk-build.yml | 48 ++++++++++++++++++++++++++++++++-
src/go/rpk/gon.json | 10 +++++++
2 files changed, 57 insertions(+), 1 deletion(-)
create mode 100644 src/go/rpk/gon.json

diff --git a/.github/workflows/rpk-build.yml b/.github/workflows/rpk-build.yml
index 61cce2431239..cd28437c514d 100644
--- a/.github/workflows/rpk-build.yml
+++ b/.github/workflows/rpk-build.yml
@@ -65,10 +65,56 @@ jobs:
 name: rpk-archives
 path: |
 src/go/rpk/rpk-*.zip
+
+ sign-darwin:
+ name: Sign and notarize the darwin release_name
+ needs: build
+ if: startsWith(github.ref, 'refs/tags/release-')
+ runs-on: macos-10.15
+ steps:
+ - name: Checkout
+ uses: actions/checkout@v2
+
+ - name: Download zip
+ uses: actions/download-artifact@v2
+ with:
+ name: rpk-archives
+ path: zip/
+
+ - name: Unzip darwin build
+ working-directory: zip/
+ run: |
+ unzip rpk-darwin-amd64.zip
+ rm rpk-darwin-amd64.zip
+
+ - name: Import Code-Signing Certificates
+ uses: Apple-Actions/import-codesign-certs@v1
+ with:
+ p12-file-base64: ${{ secrets.APPLE_DEVELOPER_CERTIFICATE_P12_BASE64 }}
+ p12-password: ${{ secrets.APPLE_DEVELOPER_CERTIFICATE_PASSWORD }}
+
+ - name: Install gon via HomeBrew for code signing and app notarization
+ run: |
+ brew tap mitchellh/gon
+ brew install mitchellh/gon/gon
+
+ - name: Sign the mac binaries with Gon
+ working-directory: zip/
+ env:
+ AC_USERNAME: ${{ secrets.AC_USERNAME }}
+ AC_PASSWORD: ${{ secrets.AC_PASSWORD }}
+ run: |
+ gon -log-level=info ../src/go/rpk/gon.json
+
+ - name: Upload signed Package
+ uses: actions/upload-artifact@v2
+ with:
+ name: rpk-archives
+ path: zip/rpk-darwin-amd64.zip
 create-release:
 name: Create release
- needs: build
+ needs: [build, sign-darwin]
 if: startsWith(github.ref, 'refs/tags/release-')
 runs-on: ubuntu-latest
 steps:
diff --git a/src/go/rpk/gon.json b/src/go/rpk/gon.json
new file mode 100644
index 000000000000..ae3a1247bf46
--- /dev/null
+++ b/src/go/rpk/gon.json
@@ -0,0 +1,10 @@
+{
+ "source" : ["./rpk"],
+ "bundle_id" : "io.vectorized.redpanda",
+ "sign" :{
+ "application_identity" : "Developer ID Application: Vectorized, Inc."
+ },
+ "zip" :{
+ "output_path" : "rpk-darwin-amd64.zip"
+ }
+}
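Review bot: The new `sign-darwin` job in `.github/workflows/rpk-build.yml` runs third-party code that is not pinned to an immutable revision, in the same job that holds the signing material: `Apple-Actions/import-codesign-certs@v1` is a movable tag, and `brew install mitchellh/gon/gon` installs whatever the tap serves on release day. The action is handed `APPLE_DEVELOPER_CERTIFICATE_P12_BASE64` and its password, and gon runs with `AC_USERNAME`/`AC_PASSWORD` and the imported identity, so an upstream change to either would execute with those credentials in reach. I would pin the action to a full commit SHA, `uses: Apple-Actions/import-codesign-certs@<full-commit-sha>  # v1`, and install a fixed gon release whose checksum is checked before it runs. Separately, the signed zip is uploaded under the same artifact name and file name as the unsigned one and nothing in the job inspects the result, so a step running `codesign --verify --strict --verbose=2 rpk` in `zip/` before the upload would give the release job evidence that the binary it publishes is the signed one.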