diff --git a/.github/workflows/build_packages.yaml b/.github/workflows/build_packages.yaml
index 9392735b5..497233cdc 100644
--- a/.github/workflows/build_packages.yaml
+++ b/.github/workflows/build_packages.yaml
@@ -139,18 +139,27 @@ jobs:
id: cache
with:
path: ~/.kerl/${{ matrix.otp }}
- key: otp-install-${{ matrix.otp }}-${{ matrix.macos }}
+ key: otp-install-${{ matrix.otp }}-${{ matrix.macos }}-static-ssl-disable-hipe-disable-jit
- name: build erlang
if: steps.cache.outputs.cache-hit != 'true'
timeout-minutes: 60
env:
KERL_BUILD_BACKEND: git
OTP_GITHUB_URL: https://github.com/emqx/otp
+ KERL_CONFIGURE_OPTIONS: --disable-dynamic-ssl-lib --with-ssl=/usr/local/opt/openssl@1.1 --disable-hipe --disable-jit
run: |
kerl update releases
kerl build ${{ matrix.otp }}
kerl install ${{ matrix.otp }} $HOME/.kerl/${{ matrix.otp }}
- name: build
+ env:
+ APPLE_SIGN_BINARIES: 1
+ APPLE_ID: developers@emqx.io
+ APPLE_TEAM_ID: 26N6HYJLZA
+ APPLE_ID_PASSWORD: ${{ secrets.APPLE_ID_PASSWORD }}
+ APPLE_DEVELOPER_IDENTITY: ${{ secrets.APPLE_DEVELOPER_IDENTITY }}
+ APPLE_DEVELOPER_ID_BUNDLE: ${{ secrets.APPLE_DEVELOPER_ID_BUNDLE }}
+ APPLE_DEVELOPER_ID_BUNDLE_PASSWORD: ${{ secrets.APPLE_DEVELOPER_ID_BUNDLE_PASSWORD }}
working-directory: source
run: |
. $HOME/.kerl/${{ matrix.otp }}/activate
diff --git a/build b/build
index 732240194..f5bf13a58 100755
--- a/build
+++ b/build
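Review bot: The new cache key `otp-install-…-static-ssl-disable-hipe-disable-jit` carries no OpenSSL version, yet `--disable-dynamic-ssl-lib --with-ssl=/usr/local/opt/openssl@1.1` now bakes that OpenSSL statically into the cached `~/.kerl/${{ matrix.otp }}` tree, so an OpenSSL security update delivered to the runner's `/usr/local/opt/openssl@1.1` will never reach a build that gets a cache hit. Consider capturing the linked version in a preceding step (`echo "OPENSSL_VSN=$(/usr/local/opt/openssl@1.1/bin/openssl version | cut -d' ' -f2)" >> "$GITHUB_ENV"`) and appending `-${{ env.OPENSSL_VSN }}` to `key:` so a bumped library forces a rebuild. Separately, `APPLE_SIGN_BINARIES: 1` is set unconditionally, so every run that can read the secrets — not only release builds — signs and notarizes its output with the Developer ID; unless the job's triggers (outside this hunk) already restrict that, gating it on the ref, e.g. `APPLE_SIGN_BINARIES: ${{ startsWith(github.ref, 'refs/tags/') && 1 || 0 }}`, keeps the signing identity scoped to releases.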
@@ -193,23 +193,46 @@ make_zip() {
./scripts/inject-relup.escript "${tard}/emqx/releases/${PKG_VSN}/relup"
fi
cp_dyn_libs "${tard}/emqx"
- pushd "${tard}" >/dev/null
- case "$SYSTEM" in
- windows*)
- 7z a "${pkgname}" emqx
- ;;
- *)
- zip -qr "${pkgname}" emqx
- ;;
- esac
- popd >/dev/null
- mv "${tard}/${pkgname}" "${target_zip}"
case "$SYSTEM" in
macos*)
+ # if the flag to sign macos binaries is set, but developer certificate
+ # or certificate password is not configured, reset the flag
+ # could happen, for example, when people submit PR from a fork, in this
+ # case they cannot access secrets
+ if [[ "${APPLE_SIGN_BINARIES:-0}" == 1 && \ ( "${APPLE_DEVELOPER_ID_BUNDLE:-0}" == 0 || \ "${APPLE_DEVELOPER_ID_BUNDLE_PASSWORD:-0}" == 0 ) ]]; then
+ echo "Apple developer certificate is not configured, skip signing"
+ APPLE_SIGN_BINARIES=0
+ fi
+ if [ "${APPLE_SIGN_BINARIES:-0}" = 1 ]; then
+ ./scripts/macos-sign-binaries.sh "${tard}/emqx"
+ fi
+ (cd "${tard}" && zip -qr - emqx) > "${target_zip}"
+ if [ "${APPLE_SIGN_BINARIES:-0}" = 1 ]; then
+ # notarize the package
+ # if fails, you can check what went wrong with this command:
+ # xcrun notarytool log --apple-id \ # --apple-id \ # --password # --team-id
+ xcrun notarytool submit \ --apple-id "${APPLE_ID}" \ --password "${APPLE_ID_PASSWORD}" \ --team-id "${APPLE_TEAM_ID}" "${target_zip}" --wait
+ fi
# sha256sum may not be available on macos
openssl dgst -sha256 "${target_zip}" | cut -d ' ' -f 2 > "${target_zip}.sha256"
;;
+ windows*)
+ pushd "${tard}" >/dev/null
+ 7z a "${pkgname}" emqx
+ popd >/dev/null
+ mv "${tard}/${pkgname}" "${target_zip}"
+ sha256sum "${target_zip}" | head -c 64 > "${target_zip}.sha256"
+ ;;
*)
+ (cd "${tard}" && zip -qr - emqx) > "${target_zip}"
sha256sum "${target_zip}" | head -c 64 > "${target_zip}.sha256"
;;
esac
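Review bot: `xcrun notarytool submit` receives the Apple ID password as a command-line argument (`--password "${APPLE_ID_PASSWORD}"`), which makes it readable from the process list by anything else running on the runner and would land in the build log if this script is ever traced with `set -x`; storing the credentials once with `xcrun notarytool store-credentials` and submitting with `--keychain-profile`, or using an App Store Connect API key (`--key/--key-id/--issuer`), keeps the secret out of argv. The fork guard also checks only `APPLE_DEVELOPER_ID_BUNDLE` and `APPLE_DEVELOPER_ID_BUNDLE_PASSWORD`, so a partially configured environment signs the binaries and then fails at notarization with an empty `APPLE_ID_PASSWORD`; extending the condition with `|| "${APPLE_ID_PASSWORD:-0}" == 0 || "${APPLE_DEVELOPER_IDENTITY:-0}" == 0` (the latter presumably consumed by `macos-sign-binaries.sh`) keeps the skip-signing path consistent. I would also confirm that a submission whose status comes back `Invalid` actually fails the build — I am not certain `--wait` alone turns a rejected ticket into a non-zero exit, and nothing here inspects the reported status. The comment above the submit call (`# xcrun notarytool log --apple-id \ …`) appears to have lost its submission-id and argument placeholders, at least as rendered here. `make_zip` starts before this hunk and its closing brace is not visible, so whether the script runs under `set -e` is assumed rather than seen.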