Merge pull request #8983 from emqx/build-sign-macos-binaries

Build sign macos binaries
2022-09-16 11:01:26 +02:00 · 2022-09-16 11:01:26 +02:00 · f717cc9d81
parent f2f14573d3 d02f483035
commit f717cc9d81
4 changed files with 98 additions and 3 deletions
--- a/.github/workflows/build_slim_packages.yaml
+++ b/.github/workflows/build_slim_packages.yaml
@ -97,18 +97,27 @@ jobs:
      id: cache
      with:
        path: ~/.kerl/${{ matrix.erl_otp }}
-        key: otp-install-${{ matrix.erl_otp }}-${{ matrix.macos }}
+        key: otp-install-${{ matrix.erl_otp }}-${{ matrix.macos }}-static-ssl-disable-hipe-disable-jit
    - name: build erlang
      if: steps.cache.outputs.cache-hit != 'true'
      timeout-minutes: 60
      env:
        KERL_BUILD_BACKEND: git
        OTP_GITHUB_URL: https://github.com/emqx/otp
+        KERL_CONFIGURE_OPTIONS: --disable-dynamic-ssl-lib --with-ssl=/usr/local/opt/openssl@1.1 --disable-hipe --disable-jit
      run: |
        kerl update releases
        kerl build ${{ matrix.erl_otp }}
        kerl install ${{ matrix.erl_otp }} $HOME/.kerl/${{ matrix.erl_otp }}
    - name: build
+      env:
+        APPLE_SIGN_BINARIES: 1
+        APPLE_ID: developers@emqx.io
+        APPLE_TEAM_ID: 26N6HYJLZA
+        APPLE_ID_PASSWORD: ${{ secrets.APPLE_ID_PASSWORD }}
+        APPLE_DEVELOPER_IDENTITY: ${{ secrets.APPLE_DEVELOPER_IDENTITY }}
+        APPLE_DEVELOPER_ID_BUNDLE: ${{ secrets.APPLE_DEVELOPER_ID_BUNDLE }}
+        APPLE_DEVELOPER_ID_BUNDLE_PASSWORD: ${{ secrets.APPLE_DEVELOPER_ID_BUNDLE_PASSWORD }}
      run: |
        . $HOME/.kerl/${{ matrix.erl_otp }}/activate
        make ensure-rebar3
--- a/2
+++ b/2
@ -90,7 +90,7 @@ $(REL_PROFILES:%=%): $(REBAR) get-dashboard
 clean: $(PROFILES:%=clean-%)
 $(PROFILES:%=clean-%):
 	@if [ -d _build/$(@:clean-%=%) ]; then \
-		rm rebar.lock \
+		rm -f rebar.lock; \
 		rm -rf _build/$(@:clean-%=%)/rel; \
 		$(FIND) _build/$(@:clean-%=%) -name '*.beam' -o -name '*.so' -o -name '*.app' -o -name '*.appup' -o -name '*.o' -o -name '*.d' -type f | xargs rm -f; \
 		$(FIND) _build/$(@:clean-%=%) -type l -delete; \
--- a/34
+++ b/34
@ -165,7 +165,41 @@ make_zip() {
    ## try to be portable for zip packages.
    ## for DEB and RPM packages the dependencies are resoved by yum and apt
    cp_dyn_libs "${tard}/emqx"
+    case "$SYSTEM" in
+        macos*)
+            # if the flag to sign macos binaries is set, but developer certificate
+            # or certificate password is not configured, reset the flag
+            # could happen, for example, when people submit PR from a fork, in this
+            # case they cannot access secrets
+            if [[ "${APPLE_SIGN_BINARIES:-0}" == 1 && \
+                      ( "${APPLE_DEVELOPER_ID_BUNDLE:-0}" == 0 || \
+                            "${APPLE_DEVELOPER_ID_BUNDLE_PASSWORD:-0}" == 0 ) ]]; then
+                echo "Apple developer certificate is not configured, skip signing"
+                APPLE_SIGN_BINARIES=0
+            fi
+            if [ "${APPLE_SIGN_BINARIES:-0}" = 1 ]; then
+                ./scripts/macos-sign-binaries.sh "${tard}/emqx"
+            fi
+            ## create zip after change dir
+            ## to avoid creating an extra level of 'emqx' dir in the .zip file
            (cd "${tard}" && zip -qr - emqx) > "${zipball}"
+            if [ "${APPLE_SIGN_BINARIES:-0}" = 1 ]; then
+                # notarize the package
+                # if fails, you can check what went wrong with this command:
+                # xcrun notarytool log --apple-id <apple id> \
+                    #   --apple-id <apple id> \
+                    #   --password <apple id password>
+                    #   --team-id <apple team id> <submission-id>
+                xcrun notarytool submit \
+                      --apple-id "${APPLE_ID}" \
+                      --password "${APPLE_ID_PASSWORD}" \
+                      --team-id "${APPLE_TEAM_ID}" "${zipball}" --wait
+            fi
+            ;;
+        *)
+            (cd "${tard}" && zip -qr - emqx) > "${zipball}"
+            ;;
+    esac
 }

 ## This function builds the default docker image based on alpine:3.14 (by default)
--- a/scripts/macos-sign-binaries.sh
+++ b/scripts/macos-sign-binaries.sh
@ -0,0 +1,52 @@
+#!/usr/bin/env bash
+
+# intended to run on MacOS only
+# signs all executable files in a given folder (as $1) with developer certificate
+
+# required variables:
+# APPLE_DEVELOPER_IDENTITY: "Developer ID Application: <company name> (<hex id>)"
+# APPLE_DEVELOPER_ID_BUNDLE: base64-encoded content of apple developer id certificate bundle in pksc12 format
+# APPLE_DEVELOPER_ID_BUNDLE_PASSWORD: password used when exporting the bundle
+
+# note: 'bundle' in apple terminology is 'identity'
+
+set -euo pipefail
+
+if [[ "${APPLE_DEVELOPER_ID_BUNDLE:-0}" == 0 || "${APPLE_DEVELOPER_ID_BUNDLE_PASSWORD:-0}" == 0 ]]; then
+    echo "Apple developer certificate is not configured, skip signing"
+    exit 0
+fi
+
+REL_DIR="${1}"
+PKSC12_FILE="$HOME/developer-id-application.p12"
+base64 --decode > "${PKSC12_FILE}" <<<"${APPLE_DEVELOPER_ID_BUNDLE}"
+
+KEYCHAIN='emqx.keychain-db'
+KEYCHAIN_PASSWORD="$(openssl rand -base64 32)"
+
+security create-keychain -p "${KEYCHAIN_PASSWORD}" "${KEYCHAIN}"
+security set-keychain-settings -lut 21600 "${KEYCHAIN}"
+security unlock-keychain -p "${KEYCHAIN_PASSWORD}" "${KEYCHAIN}"
+security import "${PKSC12_FILE}" -P "${APPLE_DEVELOPER_ID_BUNDLE_PASSWORD}" -t cert -f pkcs12 -k "${KEYCHAIN}" -T /usr/bin/codesign
+security set-key-partition-list -S "apple-tool:,apple:,codesign:" -s -k "${KEYCHAIN_PASSWORD}" "${KEYCHAIN}"
+security verify-cert -k "${KEYCHAIN}" -c "${PKSC12_FILE}"
+security find-identity -p codesigning "${KEYCHAIN}"
+
+# add new keychain into the search path for codesign, otherwise the stuff does not work
+keychains=$(security list-keychains -d user)
+keychain_names=();
+for keychain in ${keychains}; do
+    basename=$(basename "${keychain}")
+    keychain_name=${basename::${#basename}-4}
+    keychain_names+=("${keychain_name}")
+done
+security -v list-keychains -s "${keychain_names[@]}" "${KEYCHAIN}"
+
+# sign
+codesign -s "${APPLE_DEVELOPER_IDENTITY}" -f --verbose=4 --timestamp --options=runtime "${REL_DIR}"/erts-*/bin/{beam.smp,dyn_erl,epmd,erl,erl_call,erl_child_setup,erlexec,escript,heart,inet_gethost,run_erl,to_erl}
+codesign -s "${APPLE_DEVELOPER_IDENTITY}" -f --verbose=4 --timestamp --options=runtime "${REL_DIR}"/lib/asn1-*/priv/lib/asn1rt_nif.so
+codesign -s "${APPLE_DEVELOPER_IDENTITY}" -f --verbose=4 --timestamp --options=runtime "${REL_DIR}"/lib/bcrypt-*/priv/bcrypt_nif.so
+codesign -s "${APPLE_DEVELOPER_IDENTITY}" -f --verbose=4 --timestamp --options=runtime "${REL_DIR}"/lib/crypto-*/priv/lib/{crypto.so,otp_test_engine.so}
+codesign -s "${APPLE_DEVELOPER_IDENTITY}" -f --verbose=4 --timestamp --options=runtime "${REL_DIR}"/lib/jiffy-*/priv/jiffy.so
+codesign -s "${APPLE_DEVELOPER_IDENTITY}" -f --verbose=4 --timestamp --options=runtime "${REL_DIR}"/lib/os_mon-*/priv/bin/{cpu_sup,memsup}
+codesign -s "${APPLE_DEVELOPER_IDENTITY}" -f --verbose=4 --timestamp --options=runtime "${REL_DIR}"/lib/runtime_tools-*/priv/lib/{dyntrace.so,trace_ip_drv.so,trace_file_drv.so}