ci: Notarize MacOS Binaries and Add Flat Package Installers #3571
Conversation
chipbuster
force-pushed
the
apple-notarize
branch
2 times, most recently
from
0bcff4f
to
f7a2afb
Compare
|
I apologize for the somewhat horrific mess of commits involved here. There are interesting implications to only being able to test code by pushing. |
chipbuster
changed the title
|
I'm getting a "starship cannot run because it is from an unidentified developer" prompt when running I think it might be to test the current version of the workflow with a workflow_dispatch trigger. |
No, I don't think that's supposed to happen. In fact, I don't know why the workflow is generating these artifacts at all, since I'm not uploading them from the workflow. However, it would probably be best to modify this action to re-upload the binaries, since I codesign them as part of this workflow, and I don't think Gatekeeper will attempt to verify notarization for unsigned binaries. (I was originally focused on getting signed .pkg files out, but it's probably good to distribute signed binaries as well while we're doing this work).
From my understanding, we can just keep the trigger permanently embedded this into the deploy workflow? |
I think so. |
|
Okay. I'll need to do some thinking on how to best do this, since I think it's dangerous to allow all steps of the deploy workflow to fire on a test (in particular, things like pushing to the docs website and publishing to cargo on a test workflow seem dicey). My current inclination is to do something like this:
|
chipbuster
force-pushed
the
apple-notarize
branch
2 times, most recently
from
baf68fd
to
8936794
Compare
|
Rebased to get rid of some nasty shenanigans where my fork's master branch somehow picked up a bunch of unrelated PRs. (Also to get rid of the 50+ commits which were starting to hurt when I looked at them). |
chipbuster
force-pushed
the
apple-notarize
branch
from
641fd75
to
2f5373d
Compare
| P12_PASSWORD: ${{ secrets.APPLEDEV_SIGNKEY_PASS }} | ||
| KEYCHAIN_PASSWORD: ${{ secrets.APPLEDEV_SIGNKEY_PASS }} | ||
| APPLEID_USERNAME: ${{ secrets.APPLEDEV_ID_NAME }} | ||
| APPLEID_TEAMID: ${{ secrets.APPLEDEV_TEAM_ID }} |
There was a problem hiding this comment.
Out of curiosity, will this be signed as Starship or as you?
(Also, please please don't hesitate to expense this to our OpenCollective)
There was a problem hiding this comment.
This is going to be signed by me. We can get signing certificates for at least one other mission control member as well, in case I get kidnapped by cephalopods or hit by a bus, but Apple has some rather high requirements for enrolling an organization: in particular, the organization needs to have legal entity status (be capable of sued) and a DUNS number.
Also, I believe the signing certificate I exported was due to expire in 2027, so if it happens in the next couple years, you should have quite a bit of time to work out a replacement :)
There was a problem hiding this comment.
I'm not at my computer right now, but we may qualify as part of our Open Collective fiscal sponsorship, which qualifies us as a non-profit in the US, which may give us that legal status.
There was a problem hiding this comment.
Oh interesting. If that's the case, I believe you would have to be the one to do the registration, since another requirement is
As the person enrolling your organization in the Apple Developer Program, you must have the legal authority to bind your organization to legal agreements. You must be the organization’s owner/founder, executive team member, senior project lead, or an employee with legal authority granted to you by a senior employee.
Once that's done though, I believe individuals should be able to acquire signing keys that work on behalf of the organization.
I don't believe that signing keys from an organization would fundamentally be any different than those from an individual (the organization ID + signing key IDs would have to change in the GH secrets, but that's about it) so switching over if we decide to go for an Apple Dev organization shouldn't be too much of an issue.
| arch="$3" | ||
| pkgname="${4:-}" | ||
|
|
||
| if [[ ! -d "$starship_docs_dir/.vuepress/dist" ]]; then |
| mkdir -p "$pkgdir/usr/local/bin" | ||
| cp "$starship_program_file" "$pkgdir/usr/local/bin/starship" | ||
|
|
||
| # Now we get to make documentation! Vuepress was not designed to build locally |
There was a problem hiding this comment.
Yeah, I was a little surprised that npm serve didn't actually yield an HTML hierarchy that could be scraped by wget. It seems to do the thing where you have a single line of JS which can be evaluated to generate the DOM for the real deal, but wget can't evaluate the JS, so it just pulls a single script.
| @@ -0,0 +1,262 @@ | |||
| # MacOS Codesigning Scripts | |||
There was a problem hiding this comment.
Absolutely love this documentation! 😍
Hopefully we won't need to refer to it too often 🤞
| fi | ||
|
|
||
| if [[ -z ${KEYCHAIN_FILENAME+x} ]]; then | ||
| error "Environmental variable KEYCHAIN_ENTRY must be set." |
|
Results from a straight copy-paste of the current subsection of the deploy workflow can be found at https://github.com/starship/starship/actions/runs/1906861805 (with irrelevant artifacts deleted). If someone could confirm that the binaries in the Command to check notarization: |
Both LGTM
|
|
The binaries in the |
|
Also, Finder still doesn't seem to like the binary files from the tar.gz files. |
What does it do? On my system it seems to display a terminal executable and that's about it
|
|
When attempting to run
Which I believe is because of this,
|
|
Oh I see. I'm not sure why, but I'm not getting that even when using the versions downloaded from the GH Action. Possibly because I codesigned something with an identical hash locally, so Gatekeeper is letting it through? Did previous releases of starship have this issue? Not sure if there's much we can do about that at the moment since binaries still can't be stapled. |
I don't think any past release got past gatekeeper. Also, despite the missing stapling, |
|
Alright. I'd like to do one last set of tests on a clean slate Mac (my university has a few public access terminals that should work nicely) and if those all come up clean, I'll go ahead and merged this. |
|
Unfortunately, I am unable to replicate these results on any Macs I tested, including school macs, which should (in principle) be running on the strictest policy possible. I don't know what's causing the difference, but all systems I tried reported that the new binaries and pkgs are notarized and David reports that the binaries run in the Terminal without problems, so I'm going to go ahead and declare that this is working and accept new issues to the contrary. |
|
Thank you @davidkna, @matchai, @williamwebb, and @JaySoyer for ideas, verification, debugging, and review! This was a hell of a PR and I couldn't have gotten any of this done without your help. |
Description
This PR adds notarization, codesigning, and flat packages (.pkg) to our deploy workflow.
It also adds internal documentation for the procedure, since it was so stupidly complicated.
Motivation and Context
Closes #1774
Screenshots (if appropriate):
(Unfortunately, it looks like the logos don't show up in dark mode, for any flat installers)
How Has This Been Tested?
This was tested by using a dummy job (consisting of part of the
github_buildjob from the deploy workflow) to build simulated build artifacts, then placing the new job after that as a dependent workflow.There is no guarantee that this will work in the real deploy workflow, but I think this is the best that I can do.
To see the GitHub workflow that I (believe) verified that this was basically-working, see https://github.com/starship/starship/blob/c3932b327a2bec9e1e919f17cf4934e96cf9f1a8/.github/workflows/apple_deploy.yml.
To see the artifacts generated by that workflow, see https://github.com/starship/starship/actions/runs/1843775397 (will expire approximately at the end of Feb).
Checklist: