diff --git a/.github/workflows/build_packages.yaml b/.github/workflows/build_packages.yaml
index a7fb86aa9..b6e9f2e8c 100644
--- a/.github/workflows/build_packages.yaml
+++ b/.github/workflows/build_packages.yaml
@@ -178,6 +178,10 @@ jobs:
 working-directory: source
 env:
 AUTO_INSTALL_BUILD_DEPS: 1
+ APPLE_SIGN_BINARIES: 1
+ APPLE_DEVELOPER_IDENTITY: ${{ secrets.APPLE_DEVELOPER_IDENTITY }}
+ APPLE_DEVELOPER_ID_BUNDLE: ${{ secrets.APPLE_DEVELOPER_ID_BUNDLE }}
+ APPLE_DEVELOPER_ID_BUNDLE_PASSWORD: ${{ secrets.APPLE_DEVELOPER_ID_BUNDLE_PASSWORD }}
 run: |
 . $HOME/.kerl/${{ matrix.otp }}/activate
 make ensure-rebar3
diff --git a/.github/workflows/build_slim_packages.yaml b/.github/workflows/build_slim_packages.yaml
index 56d2a6394..84ae13d01 100644
--- a/.github/workflows/build_slim_packages.yaml
+++ b/.github/workflows/build_slim_packages.yaml
@@ -164,6 +164,10 @@ jobs:
 - name: build ${{ matrix.profile }}
 env:
 AUTO_INSTALL_BUILD_DEPS: 1
+ APPLE_SIGN_BINARIES: 1
+ APPLE_DEVELOPER_IDENTITY: ${{ secrets.APPLE_DEVELOPER_IDENTITY }}
+ APPLE_DEVELOPER_ID_BUNDLE: ${{ secrets.APPLE_DEVELOPER_ID_BUNDLE }}
+ APPLE_DEVELOPER_ID_BUNDLE_PASSWORD: ${{ secrets.APPLE_DEVELOPER_ID_BUNDLE_PASSWORD }}
 run: |
 . $HOME/.kerl/${{ matrix.otp }}/activate
 make ensure-rebar3
diff --git a/build b/build
index 879251ede..facc5e4f6 100755
--- a/build
+++ b/build
@@ -242,6 +242,9 @@ make_tgz() {
 ## try to be portable for tar.gz packages.
 ## for DEB and RPM packages the dependencies are resoved by yum and apt
 cp_dyn_libs "${tard}/emqx"
+ if [[ "${APPLE_SIGN_BINARIES:-0}" == 1 && "$SYSTEM" == macos* ]]; then
+ ./scripts/macos-sign-binaries.sh "${tard}/emqx"
+ fi
 ## create tar after change dir
 ## to avoid creating an extra level of 'emqx' dir in the .tar.gz file
 pushd "${tard}/emqx" >/dev/null
diff --git a/scripts/macos-sign-binaries.sh b/scripts/macos-sign-binaries.sh
new file mode 100755
index 000000000..33066fe83
--- /dev/null
+++ b/scripts/macos-sign-binaries.sh
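Review bot: The three `APPLE_*` secrets and `APPLE_SIGN_BINARIES: 1` are added to the build step's environment for every matrix entry rather than only the macOS ones, so each Linux build — and the dependency installation that `AUTO_INSTALL_BUILD_DEPS: 1` in the same env triggers — runs with the Developer ID bundle and its password in its environment even though `build` only consumes them on macOS; the hunk in build_slim_packages.yaml has the same shape. Restricting the `APPLE_*` entries to the macOS matrix entries (for instance a separate build step guarded by `if: startsWith(matrix.<os key>, 'macos')` that alone carries them; the matrix key name is outside the hunk) keeps the signing material out of jobs that cannot use it. If either workflow also runs on `pull_request` from forks (the trigger is not visible here), the secrets expand to empty strings and the macOS build would then fail inside the signing script instead of skipping signing, so deriving the flag from the secret's presence, `APPLE_SIGN_BINARIES: ${{ secrets.APPLE_DEVELOPER_ID_BUNDLE != '' && 1 || 0 }}`, is safer than hard-coding `1`. The enclosing job continues outside the hunk.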
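Review bot: When `SYSTEM` matches macos* but `APPLE_SIGN_BINARIES` is unset, make_tgz packages unsigned binaries with no indication in the log, so a missing CI secret yields an unsigned release tarball that looks like a normal build; a two-line `elif [[ "$SYSTEM" == macos* ]]; then echo "warning: APPLE_SIGN_BINARIES not set, macOS binaries left unsigned" >&2` branch before the `fi` would make that visible. The signing script is also invoked as `./scripts/macos-sign-binaries.sh`, relative to the current working directory; if `build` elsewhere resolves paths from its own location (not visible here), this call should do the same so it does not depend on where make_tgz is run from. make_tgz starts and ends outside the hunk.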
@@ -0,0 +1,47 @@
+#!/usr/bin/env bash
+
+# intended to run on MacOS only
+# signs all executable files in a given folder (as $1) with developer certificate
+
+# required variables:
+# APPLE_DEVELOPER_IDENTITY: "Developer ID Application: ()"
+# APPLE_DEVELOPER_ID_BUNDLE: base64-encoded content of apple developer id certificate bundle in pksc12 format
+# APPLE_DEVELOPER_ID_BUNDLE_PASSWORD: password used when exporting the bundle
+
+# note: 'bundle' in apple terminology is 'identity'
+
+set -euo pipefail
+
+PKSC12_FILE="$HOME/developer-id-application.p12"
+base64 --decode > "${PKSC12_FILE}" <<<"${APPLE_DEVELOPER_ID_BUNDLE}"
+
+KEYCHAIN='emqx.keychain-db'
+KEYCHAIN_PASSWORD="$(openssl rand -base64 32)"
+
+security create-keychain -p "${KEYCHAIN_PASSWORD}" "${KEYCHAIN}"
+security set-keychain-settings -lut 21600 "${KEYCHAIN}"
+security unlock-keychain -p "${KEYCHAIN_PASSWORD}" "${KEYCHAIN}"
+security import "${PKSC12_FILE}" -P "${APPLE_DEVELOPER_ID_BUNDLE_PASSWORD}" -t cert -f pkcs12 -k "${KEYCHAIN}" -T /usr/bin/codesign
+security set-key-partition-list -S "apple-tool:,apple:,codesign:" -s -k "${KEYCHAIN_PASSWORD}" "${KEYCHAIN}"
+security verify-cert -k "${KEYCHAIN}" -c "${PKSC12_FILE}"
+security find-identity -p codesigning "${KEYCHAIN}"
+
+# add new keychain into the search path for codesign, otherwise the stuff does not work
+keychains=$(security list-keychains -d user)
+keychain_names=();
+for keychain in ${keychains}
+do
+  basename=$(basename "${keychain}")
+  keychain_name=${basename::${#basename}-4}
+  keychain_names+=("${keychain_name}")
+done
+security -v list-keychains -s "${keychain_names[@]}" "${KEYCHAIN}"
+
+set -x
+REL_DIR="${1}"
+codesign -s "${APPLE_DEVELOPER_IDENTITY}" -f --verbose=4 --options runtime --timestamp=none "${REL_DIR}"/erts-*/bin/{erlexec,beam.smp}
+codesign -s "${APPLE_DEVELOPER_IDENTITY}" -f --verbose=4 --timestamp=none "${REL_DIR}"/erts-*/bin/{erl_child_setup,inet_gethost,heart,dyn_erl,erl_call,to_erl,epmd,erl,run_erl,escript}
+codesign -s "${APPLE_DEVELOPER_IDENTITY}" -f --verbose=4 --timestamp=none "${REL_DIR}"/lib/os_mon-*/priv/bin/{cpu_sup,memsup}
+codesign -s "${APPLE_DEVELOPER_IDENTITY}" -f --verbose=4 --timestamp=none "${REL_DIR}"/lib/observer-*/priv/bin/{cdv,etop}
+codesign -s "${APPLE_DEVELOPER_IDENTITY}" -f --verbose=4 --timestamp=none "${REL_DIR}"/lib/jq-*/priv/erlang_jq_port
+find "${REL_DIR}" -name '*.so' -exec codesign -s "${APPLE_DEVELOPER_IDENTITY}" -f --verbose=4 --timestamp=none {} \;