diff --git a/.github/workflows/build_slim_packages.yaml b/.github/workflows/build_slim_packages.yaml index b5a8623ef..7e281110c 100644 --- a/.github/workflows/build_slim_packages.yaml +++ b/.github/workflows/build_slim_packages.yaml @@ -97,18 +97,27 @@ jobs: id: cache with: path: ~/.kerl/${{ matrix.erl_otp }} - key: otp-install-${{ matrix.erl_otp }}-${{ matrix.macos }} + key: otp-install-${{ matrix.erl_otp }}-${{ matrix.macos }}-static-ssl-disable-hipe-disable-jit - name: build erlang if: steps.cache.outputs.cache-hit != 'true' timeout-minutes: 60 env: KERL_BUILD_BACKEND: git OTP_GITHUB_URL: https://github.com/emqx/otp + KERL_CONFIGURE_OPTIONS: --disable-dynamic-ssl-lib --with-ssl=/usr/local/opt/openssl@1.1 --disable-hipe --disable-jit run: | kerl update releases kerl build ${{ matrix.erl_otp }} kerl install ${{ matrix.erl_otp }} $HOME/.kerl/${{ matrix.erl_otp }} - name: build + env: + APPLE_SIGN_BINARIES: 1 + APPLE_ID: developers@emqx.io + APPLE_TEAM_ID: 26N6HYJLZA + APPLE_ID_PASSWORD: ${{ secrets.APPLE_ID_PASSWORD }} + APPLE_DEVELOPER_IDENTITY: ${{ secrets.APPLE_DEVELOPER_IDENTITY }} + APPLE_DEVELOPER_ID_BUNDLE: ${{ secrets.APPLE_DEVELOPER_ID_BUNDLE }} + APPLE_DEVELOPER_ID_BUNDLE_PASSWORD: ${{ secrets.APPLE_DEVELOPER_ID_BUNDLE_PASSWORD }} run: | . $HOME/.kerl/${{ matrix.erl_otp }}/activate make ensure-rebar3 diff --git a/build b/build index ace072b79..0ffb810eb 100755 --- a/build +++ b/build @@ -165,7 +165,41 @@ make_zip() { ## try to be portable for zip packages. ## for DEB and RPM packages the dependencies are resoved by yum and apt cp_dyn_libs "${tard}/emqx" - (cd "${tard}" && zip -qr - emqx) > "${zipball}" + case "$SYSTEM" in + macos*) + # if the flag to sign macos binaries is set, but developer certificate + # or certificate password is not configured, reset the flag + # could happen, for example, when people submit PR from a fork, in this + # case they cannot access secrets + if [[ "${APPLE_SIGN_BINARIES:-0}" == 1 && \ + ( "${APPLE_DEVELOPER_ID_BUNDLE:-0}" == 0 || \ + "${APPLE_DEVELOPER_ID_BUNDLE_PASSWORD:-0}" == 0 ) ]]; then + echo "Apple developer certificate is not configured, skip signing" + APPLE_SIGN_BINARIES=0 + fi + if [ "${APPLE_SIGN_BINARIES:-0}" = 1 ]; then + ./scripts/macos-sign-binaries.sh "${tard}/emqx" + fi + ## create zip after change dir + ## to avoid creating an extra level of 'emqx' dir in the .zip file + (cd "${tard}" && zip -qr - emqx) > "${zipball}" + if [ "${APPLE_SIGN_BINARIES:-0}" = 1 ]; then + # notarize the package + # if fails, you can check what went wrong with this command: + # xcrun notarytool log --apple-id \ + # --apple-id \ + # --password + # --team-id + xcrun notarytool submit \ + --apple-id "${APPLE_ID}" \ + --password "${APPLE_ID_PASSWORD}" \ + --team-id "${APPLE_TEAM_ID}" "${zipball}" --wait + fi + ;; + *) + (cd "${tard}" && zip -qr - emqx) > "${zipball}" + ;; + esac } ## This function builds the default docker image based on alpine:3.14 (by default) diff --git a/scripts/macos-sign-binaries.sh b/scripts/macos-sign-binaries.sh new file mode 100755 index 000000000..7be40f621 --- /dev/null +++ b/scripts/macos-sign-binaries.sh @@ -0,0 +1,52 @@ +#!/usr/bin/env bash + +# intended to run on MacOS only +# signs all executable files in a given folder (as $1) with developer certificate + +# required variables: +# APPLE_DEVELOPER_IDENTITY: "Developer ID Application: ()" +# APPLE_DEVELOPER_ID_BUNDLE: base64-encoded content of apple developer id certificate bundle in pksc12 format +# APPLE_DEVELOPER_ID_BUNDLE_PASSWORD: password used when exporting the bundle + +# note: 'bundle' in apple terminology is 'identity' + +set -euo pipefail + +if [[ "${APPLE_DEVELOPER_ID_BUNDLE:-0}" == 0 || "${APPLE_DEVELOPER_ID_BUNDLE_PASSWORD:-0}" == 0 ]]; then + echo "Apple developer certificate is not configured, skip signing" + exit 0 +fi + +REL_DIR="${1}" +PKSC12_FILE="$HOME/developer-id-application.p12" +base64 --decode > "${PKSC12_FILE}" <<<"${APPLE_DEVELOPER_ID_BUNDLE}" + +KEYCHAIN='emqx.keychain-db' +KEYCHAIN_PASSWORD="$(openssl rand -base64 32)" + +security create-keychain -p "${KEYCHAIN_PASSWORD}" "${KEYCHAIN}" +security set-keychain-settings -lut 21600 "${KEYCHAIN}" +security unlock-keychain -p "${KEYCHAIN_PASSWORD}" "${KEYCHAIN}" +security import "${PKSC12_FILE}" -P "${APPLE_DEVELOPER_ID_BUNDLE_PASSWORD}" -t cert -f pkcs12 -k "${KEYCHAIN}" -T /usr/bin/codesign +security set-key-partition-list -S "apple-tool:,apple:,codesign:" -s -k "${KEYCHAIN_PASSWORD}" "${KEYCHAIN}" +security verify-cert -k "${KEYCHAIN}" -c "${PKSC12_FILE}" +security find-identity -p codesigning "${KEYCHAIN}" + +# add new keychain into the search path for codesign, otherwise the stuff does not work +keychains=$(security list-keychains -d user) +keychain_names=(); +for keychain in ${keychains}; do + basename=$(basename "${keychain}") + keychain_name=${basename::${#basename}-4} + keychain_names+=("${keychain_name}") +done +security -v list-keychains -s "${keychain_names[@]}" "${KEYCHAIN}" + +# sign +codesign -s "${APPLE_DEVELOPER_IDENTITY}" -f --verbose=4 --timestamp --options=runtime "${REL_DIR}"/erts-*/bin/{beam.smp,dyn_erl,epmd,erl,erl_call,erl_child_setup,erlexec,escript,heart,inet_gethost,run_erl,to_erl} +codesign -s "${APPLE_DEVELOPER_IDENTITY}" -f --verbose=4 --timestamp --options=runtime "${REL_DIR}"/lib/asn1-*/priv/lib/asn1rt_nif.so +codesign -s "${APPLE_DEVELOPER_IDENTITY}" -f --verbose=4 --timestamp --options=runtime "${REL_DIR}"/lib/bcrypt-*/priv/bcrypt_nif.so +codesign -s "${APPLE_DEVELOPER_IDENTITY}" -f --verbose=4 --timestamp --options=runtime "${REL_DIR}"/lib/crypto-*/priv/lib/{crypto.so,otp_test_engine.so} +codesign -s "${APPLE_DEVELOPER_IDENTITY}" -f --verbose=4 --timestamp --options=runtime "${REL_DIR}"/lib/jiffy-*/priv/jiffy.so +codesign -s "${APPLE_DEVELOPER_IDENTITY}" -f --verbose=4 --timestamp --options=runtime "${REL_DIR}"/lib/os_mon-*/priv/bin/{cpu_sup,memsup} +codesign -s "${APPLE_DEVELOPER_IDENTITY}" -f --verbose=4 --timestamp --options=runtime "${REL_DIR}"/lib/runtime_tools-*/priv/lib/{dyntrace.so,trace_ip_drv.so,trace_file_drv.so}