build: conditionally sign binary files in tgz package for macos

.github/workflows/build_packages.yaml

@@ -178,6 +178,10 @@ jobs:
       working-directory: source
       env:
         AUTO_INSTALL_BUILD_DEPS: 1
+        APPLE_SIGN_BINARIES: 1
+        APPLE_DEVELOPER_IDENTITY: ${{ secrets.APPLE_DEVELOPER_IDENTITY }}
+        APPLE_DEVELOPER_ID_BUNDLE: ${{ secrets.APPLE_DEVELOPER_ID_BUNDLE }}
+        APPLE_DEVELOPER_ID_BUNDLE_PASSWORD: ${{ secrets.APPLE_DEVELOPER_ID_BUNDLE_PASSWORD }}
       run: |
         . $HOME/.kerl/${{ matrix.otp }}/activate
         make ensure-rebar3

.github/workflows/build_slim_packages.yaml

@@ -164,6 +164,10 @@ jobs:
     - name: build ${{ matrix.profile }}
       env:
         AUTO_INSTALL_BUILD_DEPS: 1
+        APPLE_SIGN_BINARIES: 1
+        APPLE_DEVELOPER_IDENTITY: ${{ secrets.APPLE_DEVELOPER_IDENTITY }}
+        APPLE_DEVELOPER_ID_BUNDLE: ${{ secrets.APPLE_DEVELOPER_ID_BUNDLE }}
+        APPLE_DEVELOPER_ID_BUNDLE_PASSWORD: ${{ secrets.APPLE_DEVELOPER_ID_BUNDLE_PASSWORD }}
       run: |
         . $HOME/.kerl/${{ matrix.otp }}/activate
         make ensure-rebar3

build

@@ -242,6 +242,9 @@ make_tgz() {
     ## try to be portable for tar.gz packages.
     ## for DEB and RPM packages the dependencies are resoved by yum and apt
     cp_dyn_libs "${tard}/emqx"
+    if [[ "${APPLE_SIGN_BINARIES:-0}" == 1 && "$SYSTEM" == macos* ]]; then
+        ./scripts/macos-sign-binaries.sh "${tard}/emqx"
+    fi
     ## create tar after change dir
     ## to avoid creating an extra level of 'emqx' dir in the .tar.gz file
     pushd "${tard}/emqx" >/dev/null

scripts/macos-sign-binaries.sh

@@ -0,0 +1,47 @@
+#!/usr/bin/env bash
+
+# intended to run on MacOS only
+# signs all executable files in a given folder (as $1) with developer certificate
+
+# required variables:
+# APPLE_DEVELOPER_IDENTITY: "Developer ID Application: <company name> (<hex id>)"
+# APPLE_DEVELOPER_ID_BUNDLE: base64-encoded content of apple developer id certificate bundle in pksc12 format
+# APPLE_DEVELOPER_ID_BUNDLE_PASSWORD: password used when exporting the bundle
+
+# note: 'bundle' in apple terminology is 'identity'
+
+set -euo pipefail
+
+PKSC12_FILE="$HOME/developer-id-application.p12"
+base64 --decode > "${PKSC12_FILE}" <<<"${APPLE_DEVELOPER_ID_BUNDLE}"
+
+KEYCHAIN='emqx.keychain-db'
+KEYCHAIN_PASSWORD="$(openssl rand -base64 32)"
+
+security create-keychain -p "${KEYCHAIN_PASSWORD}" "${KEYCHAIN}"
+security set-keychain-settings -lut 21600 "${KEYCHAIN}"
+security unlock-keychain -p "${KEYCHAIN_PASSWORD}" "${KEYCHAIN}"
+security import "${PKSC12_FILE}" -P "${APPLE_DEVELOPER_ID_BUNDLE_PASSWORD}" -t cert -f pkcs12 -k "${KEYCHAIN}" -T /usr/bin/codesign
+security set-key-partition-list -S "apple-tool:,apple:,codesign:" -s -k "${KEYCHAIN_PASSWORD}" "${KEYCHAIN}"
+security verify-cert -k "${KEYCHAIN}" -c "${PKSC12_FILE}"
+security find-identity -p codesigning "${KEYCHAIN}"
+
+# add new keychain into the search path for codesign, otherwise the stuff does not work
+keychains=$(security list-keychains -d user)
+keychain_names=();
+for keychain in ${keychains}
+do
+  basename=$(basename "${keychain}")
+  keychain_name=${basename::${#basename}-4}
+  keychain_names+=("${keychain_name}")
+done
+security -v list-keychains -s "${keychain_names[@]}" "${KEYCHAIN}"
+
+set -x
+REL_DIR="${1}"
+codesign -s "${APPLE_DEVELOPER_IDENTITY}" -f --verbose=4 --options runtime --timestamp=none "${REL_DIR}"/erts-*/bin/{erlexec,beam.smp}
+codesign -s "${APPLE_DEVELOPER_IDENTITY}" -f --verbose=4 --timestamp=none "${REL_DIR}"/erts-*/bin/{erl_child_setup,inet_gethost,heart,dyn_erl,erl_call,to_erl,epmd,erl,run_erl,escript}
+codesign -s "${APPLE_DEVELOPER_IDENTITY}" -f --verbose=4 --timestamp=none "${REL_DIR}"/lib/os_mon-*/priv/bin/{cpu_sup,memsup}
+codesign -s "${APPLE_DEVELOPER_IDENTITY}" -f --verbose=4 --timestamp=none "${REL_DIR}"/lib/observer-*/priv/bin/{cdv,etop}
+codesign -s "${APPLE_DEVELOPER_IDENTITY}" -f --verbose=4 --timestamp=none "${REL_DIR}"/lib/jq-*/priv/erlang_jq_port
+find "${REL_DIR}" -name '*.so' -exec codesign -s "${APPLE_DEVELOPER_IDENTITY}" -f --verbose=4 --timestamp=none {} \;