build: sign macos binaries
This commit is contained in:
Ivan Dyachkov
parent
f2f14573d3
commit
ed34108644
|
|
@ -97,18 +97,27 @@ jobs:
|
||||||
id: cache
|
id: cache
|
||||||
with:
|
with:
|
||||||
path: ~/.kerl/${{ matrix.erl_otp }}
|
path: ~/.kerl/${{ matrix.erl_otp }}
|
||||||
key: otp-install-${{ matrix.erl_otp }}-${{ matrix.macos }}
|
key: otp-install-${{ matrix.erl_otp }}-${{ matrix.macos }}-static-ssl-disable-hipe-disable-jit
|
||||||
- name: build erlang
|
- name: build erlang
|
||||||
if: steps.cache.outputs.cache-hit != 'true'
|
if: steps.cache.outputs.cache-hit != 'true'
|
||||||
timeout-minutes: 60
|
timeout-minutes: 60
|
||||||
env:
|
env:
|
||||||
KERL_BUILD_BACKEND: git
|
KERL_BUILD_BACKEND: git
|
||||||
OTP_GITHUB_URL: https://github.com/emqx/otp
|
OTP_GITHUB_URL: https://github.com/emqx/otp
|
||||||
|
KERL_CONFIGURE_OPTIONS: --disable-dynamic-ssl-lib --with-ssl=/usr/local/opt/openssl@1.1 --disable-hipe --disable-jit
|
||||||
run: |
|
run: |
|
||||||
kerl update releases
|
kerl update releases
|
||||||
kerl build ${{ matrix.erl_otp }}
|
kerl build ${{ matrix.erl_otp }}
|
||||||
kerl install ${{ matrix.erl_otp }} $HOME/.kerl/${{ matrix.erl_otp }}
|
kerl install ${{ matrix.erl_otp }} $HOME/.kerl/${{ matrix.erl_otp }}
|
||||||
- name: build
|
- name: build
|
||||||
|
env:
|
||||||
|
APPLE_SIGN_BINARIES: 1
|
||||||
|
APPLE_ID: developers@emqx.io
|
||||||
|
APPLE_TEAM_ID: 26N6HYJLZA
|
||||||
|
APPLE_ID_PASSWORD: ${{ secrets.APPLE_ID_PASSWORD }}
|
||||||
|
APPLE_DEVELOPER_IDENTITY: ${{ secrets.APPLE_DEVELOPER_IDENTITY }}
|
||||||
|
APPLE_DEVELOPER_ID_BUNDLE: ${{ secrets.APPLE_DEVELOPER_ID_BUNDLE }}
|
||||||
|
APPLE_DEVELOPER_ID_BUNDLE_PASSWORD: ${{ secrets.APPLE_DEVELOPER_ID_BUNDLE_PASSWORD }}
|
||||||
run: |
|
run: |
|
||||||
. $HOME/.kerl/${{ matrix.erl_otp }}/activate
|
. $HOME/.kerl/${{ matrix.erl_otp }}/activate
|
||||||
make ensure-rebar3
|
make ensure-rebar3
|
||||||
|
|
|
||||||
36
build
36
build
|
|
@ -165,7 +165,41 @@ make_zip() {
|
||||||
## try to be portable for zip packages.
|
## try to be portable for zip packages.
|
||||||
## for DEB and RPM packages the dependencies are resoved by yum and apt
|
## for DEB and RPM packages the dependencies are resoved by yum and apt
|
||||||
cp_dyn_libs "${tard}/emqx"
|
cp_dyn_libs "${tard}/emqx"
|
||||||
(cd "${tard}" && zip -qr - emqx) > "${zipball}"
|
case "$SYSTEM" in
|
||||||
|
macos*)
|
||||||
|
# if the flag to sign macos binaries is set, but developer certificate
|
||||||
|
# or certificate password is not configured, reset the flag
|
||||||
|
# could happen, for example, when people submit PR from a fork, in this
|
||||||
|
# case they cannot access secrets
|
||||||
|
if [[ "${APPLE_SIGN_BINARIES:-0}" == 1 && \
|
||||||
|
( "${APPLE_DEVELOPER_ID_BUNDLE:-0}" == 0 || \
|
||||||
|
"${APPLE_DEVELOPER_ID_BUNDLE_PASSWORD:-0}" == 0 ) ]]; then
|
||||||
|
echo "Apple developer certificate is not configured, skip signing"
|
||||||
|
APPLE_SIGN_BINARIES=0
|
||||||
|
fi
|
||||||
|
if [ "${APPLE_SIGN_BINARIES:-0}" = 1 ]; then
|
||||||
|
./scripts/macos-sign-binaries.sh "${tard}/emqx"
|
||||||
|
fi
|
||||||
|
## create zip after change dir
|
||||||
|
## to avoid creating an extra level of 'emqx' dir in the .zip file
|
||||||
|
(cd "${tard}" && zip -qr - emqx) > "${zipball}"
|
||||||
|
if [ "${APPLE_SIGN_BINARIES:-0}" = 1 ]; then
|
||||||
|
# notarize the package
|
||||||
|
# if fails, you can check what went wrong with this command:
|
||||||
|
# xcrun notarytool log --apple-id <apple id> \
|
||||||
|
# --apple-id <apple id> \
|
||||||
|
# --password <apple id password>
|
||||||
|
# --team-id <apple team id> <submission-id>
|
||||||
|
xcrun notarytool submit \
|
||||||
|
--apple-id "${APPLE_ID}" \
|
||||||
|
--password "${APPLE_ID_PASSWORD}" \
|
||||||
|
--team-id "${APPLE_TEAM_ID}" "${zipball}" --wait
|
||||||
|
fi
|
||||||
|
;;
|
||||||
|
*)
|
||||||
|
(cd "${tard}" && zip -qr - emqx) > "${zipball}"
|
||||||
|
;;
|
||||||
|
esac
|
||||||
}
|
}
|
||||||
|
|
||||||
## This function builds the default docker image based on alpine:3.14 (by default)
|
## This function builds the default docker image based on alpine:3.14 (by default)
|
||||||
|
|
|
||||||
|
|
@ -0,0 +1,52 @@
|
||||||
|
#!/usr/bin/env bash
|
||||||
|
|
||||||
|
# intended to run on MacOS only
|
||||||
|
# signs all executable files in a given folder (as $1) with developer certificate
|
||||||
|
|
||||||
|
# required variables:
|
||||||
|
# APPLE_DEVELOPER_IDENTITY: "Developer ID Application: <company name> (<hex id>)"
|
||||||
|
# APPLE_DEVELOPER_ID_BUNDLE: base64-encoded content of apple developer id certificate bundle in pksc12 format
|
||||||
|
# APPLE_DEVELOPER_ID_BUNDLE_PASSWORD: password used when exporting the bundle
|
||||||
|
|
||||||
|
# note: 'bundle' in apple terminology is 'identity'
|
||||||
|
|
||||||
|
set -euo pipefail
|
||||||
|
|
||||||
|
if [[ "${APPLE_DEVELOPER_ID_BUNDLE:-0}" == 0 || "${APPLE_DEVELOPER_ID_BUNDLE_PASSWORD:-0}" == 0 ]]; then
|
||||||
|
echo "Apple developer certificate is not configured, skip signing"
|
||||||
|
exit 0
|
||||||
|
fi
|
||||||
|
|
||||||
|
REL_DIR="${1}"
|
||||||
|
PKSC12_FILE="$HOME/developer-id-application.p12"
|
||||||
|
base64 --decode > "${PKSC12_FILE}" <<<"${APPLE_DEVELOPER_ID_BUNDLE}"
|
||||||
|
|
||||||
|
KEYCHAIN='emqx.keychain-db'
|
||||||
|
KEYCHAIN_PASSWORD="$(openssl rand -base64 32)"
|
||||||
|
|
||||||
|
security create-keychain -p "${KEYCHAIN_PASSWORD}" "${KEYCHAIN}"
|
||||||
|
security set-keychain-settings -lut 21600 "${KEYCHAIN}"
|
||||||
|
security unlock-keychain -p "${KEYCHAIN_PASSWORD}" "${KEYCHAIN}"
|
||||||
|
security import "${PKSC12_FILE}" -P "${APPLE_DEVELOPER_ID_BUNDLE_PASSWORD}" -t cert -f pkcs12 -k "${KEYCHAIN}" -T /usr/bin/codesign
|
||||||
|
security set-key-partition-list -S "apple-tool:,apple:,codesign:" -s -k "${KEYCHAIN_PASSWORD}" "${KEYCHAIN}"
|
||||||
|
security verify-cert -k "${KEYCHAIN}" -c "${PKSC12_FILE}"
|
||||||
|
security find-identity -p codesigning "${KEYCHAIN}"
|
||||||
|
|
||||||
|
# add new keychain into the search path for codesign, otherwise the stuff does not work
|
||||||
|
keychains=$(security list-keychains -d user)
|
||||||
|
keychain_names=();
|
||||||
|
for keychain in ${keychains}; do
|
||||||
|
basename=$(basename "${keychain}")
|
||||||
|
keychain_name=${basename::${#basename}-4}
|
||||||
|
keychain_names+=("${keychain_name}")
|
||||||
|
done
|
||||||
|
security -v list-keychains -s "${keychain_names[@]}" "${KEYCHAIN}"
|
||||||
|
|
||||||
|
# sign
|
||||||
|
codesign -s "${APPLE_DEVELOPER_IDENTITY}" -f --verbose=4 --timestamp --options=runtime "${REL_DIR}"/erts-*/bin/{beam.smp,dyn_erl,epmd,erl,erl_call,erl_child_setup,erlexec,escript,heart,inet_gethost,run_erl,to_erl}
|
||||||
|
codesign -s "${APPLE_DEVELOPER_IDENTITY}" -f --verbose=4 --timestamp --options=runtime "${REL_DIR}"/lib/asn1-*/priv/lib/asn1rt_nif.so
|
||||||
|
codesign -s "${APPLE_DEVELOPER_IDENTITY}" -f --verbose=4 --timestamp --options=runtime "${REL_DIR}"/lib/bcrypt-*/priv/bcrypt_nif.so
|
||||||
|
codesign -s "${APPLE_DEVELOPER_IDENTITY}" -f --verbose=4 --timestamp --options=runtime "${REL_DIR}"/lib/crypto-*/priv/lib/{crypto.so,otp_test_engine.so}
|
||||||
|
codesign -s "${APPLE_DEVELOPER_IDENTITY}" -f --verbose=4 --timestamp --options=runtime "${REL_DIR}"/lib/jiffy-*/priv/jiffy.so
|
||||||
|
codesign -s "${APPLE_DEVELOPER_IDENTITY}" -f --verbose=4 --timestamp --options=runtime "${REL_DIR}"/lib/os_mon-*/priv/bin/{cpu_sup,memsup}
|
||||||
|
codesign -s "${APPLE_DEVELOPER_IDENTITY}" -f --verbose=4 --timestamp --options=runtime "${REL_DIR}"/lib/runtime_tools-*/priv/lib/{dyntrace.so,trace_ip_drv.so,trace_file_drv.so}
|
||||||
Loading…
Reference in New Issue