Add codesign and notarization for macOS binary (#567)

arduino · umbynos · Nov 18, 2020 · Oct 13, 2020 · Oct 13, 2020 · Oct 13, 2020
commit 4e6a08cc3f9e13e595fc059b27a6bb64861cee60
diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml
@@ -4,6 +4,7 @@ on:
   push:
     branches:
       - umbynos/*
+      - zmoog/notarize
 
 jobs:
 
@@ -27,7 +28,6 @@ jobs:
           go-version: "1.15"
 
       - name: Install Dependencies (Linux)
-        # run: sudo apt-get install ninja-build
         run: sudo apt update && sudo apt install -y --no-install-recommends build-essential libgtk-3-dev libwebkit2gtk-4.0-dev libappindicator3-dev
         if: matrix.operating-system == 'ubuntu-latest'
 
@@ -73,18 +73,70 @@ jobs:
             config.ini
           if-no-files-found: error
 
-  package:
+
+  code-sign-mac-executable:
     needs: build
+    runs-on: macOS-latest
+    env:
+      INSTALLER_CERT_MAC_PASSWORD: ${{ secrets.INSTALLER_CERT_MAC_PASSWORD }}
+      INSTALLER_CERT_MAC_P12: "/tmp/ArduinoCerts2020.p12"
+
+    steps:
+      - name: Checkout
+        uses: actions/checkout@v2
+        with:
+          repository: 'bcmi-labs/arduino-create-agent-installer'
+          token: ${{ secrets.PAT_TEMP }}  # use token organization instead
+
+      - name: Download artifacts
+        uses: actions/download-artifact@v2
+        with:
+          name: arduino-create-agent-macOS-latest
+          path: arduino-create-agent-macOS-latest
+
+      - name: Import Code-Signing Certificates
+        uses: Apple-Actions/import-codesign-certs@v1
+        with:
+          # The certificates in a PKCS12 file encoded as a base64 string
+          p12-file-base64: ${{ secrets.INSTALLER_CERT_MAC_P12 }}
+          # The password used to import the PKCS12 file.
+          p12-password: ${{ secrets.INSTALLER_CERT_MAC_PASSWORD }}
+
+      - name: Install gon via HomeBrew for code signing and app notarization
+        run: |
+          brew tap mitchellh/gon
+          brew install mitchellh/gon/gon
+
+      - name: Code sign and notarize app
+        run: |
+          gon -log-level=debug -log-json gon.config.hcl
+          # gon will notarize ezecutable in "arduino-create-agent-macOS-latest/arduino-create-agent
+          # The CI will ignore the zip output, using the signed binary only.
+        env:
+          AC_USERNAME: ${{ secrets.AC_USERNAME }}
+          AC_PASSWORD: ${{ secrets.AC_PASSWORD }}
+
+      - name: Upload artifacts
+        uses: actions/upload-artifact@v2
+        with:
+          name: arduino-create-agent-macOS-latest
+          path: arduino-create-agent-macOS-latest
+          if-no-files-found: error
+
+  package:
+    needs: code-sign-mac-executable
     runs-on: ubuntu-latest
 
     env:
       INSTALLER_VARS: "project.outputDirectory=$PWD project.version=${GITHUB_REF##*/} workspace=$PWD realname=Arduino_Create_Bridge"
       CERT_INSTALL: "ask_certificates_install=CI"  # win(edge),mac(safari)
       NO_CERT_INSTALL: "ask_certificates_install=CS"  # linux
       CHOICE_CERT_INSTALL: "ask_certificates_install=CC"  # win,mac:(ff,chrome)
-      CREATE_OSX_BUNDLED_MG: 1
+      CREATE_OSX_BUNDLED_MG: 0  # do not create the DMG, gon will take care of that
       INSTALLER_CERT_WINDOWS_PASSWORD: ${{ secrets.INSTALLER_CERT_WINDOWS_PASSWORD }}
       INSTALLER_CERT_WINDOWS_PFX: "/tmp/ArduinoCerts2020.pfx"
+      INSTALLER_CERT_MAC_PASSWORD: ${{ secrets.INSTALLER_CERT_MAC_PASSWORD }}
+      INSTALLER_CERT_MAC_P12: "/tmp/ArduinoCerts2020.p12"
 
     strategy:
       fail-fast: false  # if one os is failing continue nonetheless
@@ -93,23 +145,19 @@ jobs:
 
         include:
           - operating-system: ubuntu-latest
-            bowser: ''
             install-builder-name: linux-x64
             executable-path: artifacts/linux-amd64/
-            extension: ''
-            installer-extension: ''
           - operating-system: windows-latest
             browser: edge
             install-builder-name: windows
             executable-path: artifacts/windows/
             extension: .exe
             installer-extension: .exe
           - operating-system: macOS-latest
-            bowser: safari
+            browser: safari
             install-builder-name: osx
             executable-path: 'skel/ArduinoCreateAgent.app/Contents/MacOS/'
-            extension: ''
-            installer-extension: .dmg
+            installer-extension: .app
 
     container:
       image: floydpink/ubuntu-install-builder:latest
@@ -129,14 +177,14 @@ jobs:
           path: ${{ matrix.executable-path }}
 
       - name: Make executable
-        run: chmod +x ${{ matrix.executable-path }}arduino-create-agent*
+        run: chmod -v +x ${{ matrix.executable-path }}arduino-create-agent*
         if: matrix.operating-system == 'ubuntu-latest' || matrix.operating-system == 'macOS-latest'
 
       - name: Rename executable to Arduino_Create_Bridge
-        run: mv ${{ matrix.executable-path }}arduino-create-agent${{ matrix.extension }} ${{ matrix.executable-path }}Arduino_Create_Bridge${{ matrix.extension }}
+        run: mv -v ${{ matrix.executable-path }}arduino-create-agent${{ matrix.extension }} ${{ matrix.executable-path }}Arduino_Create_Bridge${{ matrix.extension }}
 
       - name: Rename executable to Arduino_Create_Bridge_cli
-        run: mv ${{ matrix.executable-path }}arduino-create-agent_cli${{ matrix.extension }} ${{ matrix.executable-path }}Arduino_Create_Bridge_cli${{ matrix.extension }}
+        run: mv -v ${{ matrix.executable-path }}arduino-create-agent_cli${{ matrix.extension }} ${{ matrix.executable-path }}Arduino_Create_Bridge_cli${{ matrix.extension }}
         if: matrix.operating-system == 'ubuntu-latest'
 
       - name: Save InstallBuilder license to file
@@ -146,25 +194,30 @@ jobs:
         run: echo "${{ secrets.INSTALLER_CERT_WINDOWS_PFX }}" | base64 --decode  > /tmp/ArduinoCerts2020.pfx
         if: matrix.operating-system == 'windows-latest'
 
+      - name: Save macOS signing certificate to file
+        run: echo "${{ secrets.INSTALLER_CERT_MAC_P12 }}" | base64 --decode  > /tmp/ArduinoCerts2020.p12
+        if: matrix.operating-system == 'macOS-latest'
+
         # win(edge),mac(safari) -> CERT_INSTALL and win,mac:(ff,chrome) -> CHOICE_CERT_INSTALL
+        # installbuilder reads the env vars with certs paths and use it to sign the installer.
       - name: Launch Bitrock installbuilder-20 with CERT_INSTALL && CHOICE_CERT_INSTALL
         run: |
           /opt/installbuilder-20.3.0/bin/builder build installer.xml ${{ matrix.install-builder-name }} --verbose --license /tmp/license.xml  --setvars ${{ env.INSTALLER_VARS }} ${{ env.CERT_INSTALL }}
-          mv ArduinoCreateAgent-${GITHUB_REF##*/}-${{ matrix.install-builder-name }}-installer-CI${{matrix.installer-extension}} ArduinoCreateAgent-${GITHUB_REF##*/}-${{ matrix.install-builder-name }}-installer-${{matrix.browser}}${{matrix.installer-extension}}
+          mv -v ArduinoCreateAgent-${GITHUB_REF##*/}-${{ matrix.install-builder-name }}-installer-CI${{matrix.installer-extension}} ArduinoCreateAgent-${GITHUB_REF##*/}-${{ matrix.install-builder-name }}-installer-${{matrix.browser}}${{matrix.installer-extension}}
           /opt/installbuilder-20.3.0/bin/builder build installer.xml ${{ matrix.install-builder-name }} --verbose --license /tmp/license.xml  --setvars ${{ env.INSTALLER_VARS }} ${{ env.CHOICE_CERT_INSTALL }}
-          cp ArduinoCreateAgent-${GITHUB_REF##*/}-${{ matrix.install-builder-name }}-installer-CC${{matrix.installer-extension}} ArduinoCreateAgent-${GITHUB_REF##*/}-${{ matrix.install-builder-name }}-installer-chrome${{matrix.installer-extension}}
-          mv ArduinoCreateAgent-${GITHUB_REF##*/}-${{ matrix.install-builder-name }}-installer-CC${{matrix.installer-extension}} ArduinoCreateAgent-${GITHUB_REF##*/}-${{ matrix.install-builder-name }}-installer-firefox${{matrix.installer-extension}}
+          cp -vr ArduinoCreateAgent-${GITHUB_REF##*/}-${{ matrix.install-builder-name }}-installer-CC${{matrix.installer-extension}} ArduinoCreateAgent-${GITHUB_REF##*/}-${{ matrix.install-builder-name }}-installer-chrome${{matrix.installer-extension}}
+          mv -v ArduinoCreateAgent-${GITHUB_REF##*/}-${{ matrix.install-builder-name }}-installer-CC${{matrix.installer-extension}} ArduinoCreateAgent-${GITHUB_REF##*/}-${{ matrix.install-builder-name }}-installer-firefox${{matrix.installer-extension}}
           rm -r ArduinoCreateAgent-${GITHUB_REF##*/}-${{ matrix.install-builder-name }}-installer-C*
         if: matrix.operating-system == 'windows-latest' || matrix.operating-system == 'macOS-latest'
 
         # linux
       - name: Launch Bitrock installbuilder-20 with NO_CERT_INSTALL
         run: |
           /opt/installbuilder-20.3.0/bin/builder build installer.xml ${{ matrix.install-builder-name }} --verbose --license /tmp/license.xml  --setvars ${{ env.INSTALLER_VARS }} ${{ env.NO_CERT_INSTALL }}
-          cp ArduinoCreateAgent-${GITHUB_REF##*/}-${{ matrix.install-builder-name }}-installer-CS.run ArduinoCreateAgent-${GITHUB_REF##*/}-${{ matrix.install-builder-name }}-installer-chrome.run
-          mv ArduinoCreateAgent-${GITHUB_REF##*/}-${{ matrix.install-builder-name }}-installer-CS.run ArduinoCreateAgent-${GITHUB_REF##*/}-${{ matrix.install-builder-name }}-installer-firefox.run
-          cp ArduinoCreateAgent-${GITHUB_REF##*/}-${{ matrix.install-builder-name }}-installer-CS.tar.gz ArduinoCreateAgent-${GITHUB_REF##*/}-${{ matrix.install-builder-name }}-installer-chrome.tar.gz
-          mv ArduinoCreateAgent-${GITHUB_REF##*/}-${{ matrix.install-builder-name }}-installer-CS.tar.gz ArduinoCreateAgent-${GITHUB_REF##*/}-${{ matrix.install-builder-name }}-installer-firefox.tar.gz
+          cp -v ArduinoCreateAgent-${GITHUB_REF##*/}-${{ matrix.install-builder-name }}-installer-CS.run ArduinoCreateAgent-${GITHUB_REF##*/}-${{ matrix.install-builder-name }}-installer-chrome.run
+          mv -v ArduinoCreateAgent-${GITHUB_REF##*/}-${{ matrix.install-builder-name }}-installer-CS.run ArduinoCreateAgent-${GITHUB_REF##*/}-${{ matrix.install-builder-name }}-installer-firefox.run
+          cp -v ArduinoCreateAgent-${GITHUB_REF##*/}-${{ matrix.install-builder-name }}-installer-CS.tar.gz ArduinoCreateAgent-${GITHUB_REF##*/}-${{ matrix.install-builder-name }}-installer-chrome.tar.gz
+          mv -v ArduinoCreateAgent-${GITHUB_REF##*/}-${{ matrix.install-builder-name }}-installer-CS.tar.gz ArduinoCreateAgent-${GITHUB_REF##*/}-${{ matrix.install-builder-name }}-installer-firefox.tar.gz
         if: matrix.operating-system == 'ubuntu-latest'
 
       - name: Upload artifacts
@@ -174,67 +227,72 @@ jobs:
           path: ArduinoCreateAgent*
           if-no-files-found: error
 
-      # - name: Send unit tests coverage to Codecov
-      #   if: >
-      #     matrix.operating-system == 'ubuntu-latest' &&
-      #     github.event_name == 'push'
-      #   uses: codecov/codecov-action@v1
-      #   with:
-      #     file: ./coverage_unit.txt
-      #     flags: unit
-
-      # - name: Send legacy tests coverage to Codecov
-      #   if: >
-      #     matrix.operating-system == 'ubuntu-latest' &&
-      #     github.event_name == 'push'
-      #   uses: codecov/codecov-action@v1
-      #   with:
-      #     file: ./coverage_legacy.txt
-      #     flags: unit
-
-      # - name: Send integration tests coverage to Codecov
-      #   if: >
-      #     matrix.operating-system == 'ubuntu-latest' &&
-      #     github.event_name == 'push'
-      #   uses: codecov/codecov-action@v1
-      #   with:
-      #     file: ./coverage_integ.txt
-      #     flags: integ
-
-  # package-macOS:
-  #   needs: build
-  #   strategy:
-  #     matrix:
-  #       # operating-system: [windows-latest, macOS-latest]
-  #       operating-system: [macOS-latest]
-
-  #   runs-on: ${{ matrix.operating-system }}
-
-  #   steps:
-  #     # - name: Disable EOL conversions
-  #     #   run: git config --global core.autocrlf false
-
-  #     - name: Checkout
-  #       uses: actions/checkout@v2
-
-  #     - name: Download artifacts
-  #       uses: actions/download-artifact@v2
-  #       with:
-  #         name: arduino-create-agent-${{ matrix.operating-system }}
-  #         path: arduino-create-agent
-
-  #     - name: Build .app
-  #       run: |
-  #         mkdir build
-  #         cp -r skel/ build
-  #         cp arduino-create-agent/arduino-create-agent build/ArduinoCreateAgent.app/Contents/MacOS/Arduino_Create_Bridge
-  #         cp config.ini build/ArduinoCreateAgent.app/Contents/MacOS/
-
-  #         find build
-  #       shell: bash      
-
-      # - name: Download Gon
-      #   run: |
-      #     wget -q https://github.com/mitchellh/gon/releases/download/v0.2.2/gon_0.2.2_macos.zip
-      #     unzip gon_0.2.2_macos.zip -d /usr/local/bin
-      #     rm -f gon_0.2.2_macos.zip
+  code-sign-mac-installers:
+    needs: package
+    runs-on: macOS-latest
+    env:
+      INSTALLER_CERT_MAC_PASSWORD: ${{ secrets.INSTALLER_CERT_MAC_PASSWORD }}
+      INSTALLER_CERT_MAC_P12: "/tmp/ArduinoCerts2020.p12"
+
+    strategy:
+      matrix:
+        browser: [safari, firefox, chrome]
+
+    steps:
+
+      - name: Download artifacts
+        uses: actions/download-artifact@v2
+        with:
+          name: ArduinoCreateAgent-osx
+          path: ArduinoCreateAgent-osx
+
+      - name: Make executable
+        run: chmod -v +x ArduinoCreateAgent-osx/ArduinoCreateAgent-${GITHUB_REF##*/}-osx-installer-${{ matrix.browser }}.app/Contents/MacOS/*
+
+      - name: Import Code-Signing Certificates
+        uses: Apple-Actions/import-codesign-certs@v1
+        with:
+          # The certificates in a PKCS12 file encoded as a base64 string
+          p12-file-base64: ${{ secrets.INSTALLER_CERT_MAC_P12 }}
+          # The password used to import the PKCS12 file.
+          p12-password: ${{ secrets.INSTALLER_CERT_MAC_PASSWORD }}
+
+      - name: Install gon via HomeBrew for code signing and app notarization
+        run: |
+          brew tap mitchellh/gon
+          brew install mitchellh/gon/gon
+
+      - name: Write gon config to file
+        #  gon does not allow env variables in config file (https://github.com/mitchellh/gon/issues/20)
+        run: |
+          cat > gon.config_installer.hcl <<EOF
+          source = ["ArduinoCreateAgent-osx/ArduinoCreateAgent-${GITHUB_REF##*/}-osx-installer-${{ matrix.browser }}.app"]
+          bundle_id = "cc.arduino.arduino-agent-installer"
+
+          sign {
+            application_identity = "Developer ID Application: ARDUINO SA (7KT7ZWMCJT)"
+          }
+
+          dmg {
+            output_path = "ArduinoCreateAgent-${GITHUB_REF##*/}-osx-installer-${{ matrix.browser }}.dmg"
+            volume_name = "ArduinoCreateAgent"
+          }
+          EOF
+
+      - name: Code sign and notarize app
+        run: |
+          echo "gon will notarize executable in ArduinoCreateAgent-osx/ArduinoCreateAgent-${GITHUB_REF##*/}-osx-installer-${{ matrix.browser }}.app"
+          gon -log-level=debug -log-json gon.config_installer.hcl
+        env:
+          AC_USERNAME: ${{ secrets.AC_USERNAME }}
+          AC_PASSWORD: ${{ secrets.AC_PASSWORD }}
+
+      - name: Tar files to keep permissions
+        run: tar -cvf ArduinoCreateAgent-${GITHUB_REF##*/}-osx-installer-${{ matrix.browser }}.tar ArduinoCreateAgent-${GITHUB_REF##*/}-osx-installer-${{ matrix.browser }}.dmg
+
+      - name: Upload artifacts
+        uses: actions/upload-artifact@v2
+        with:
+          name: ArduinoCreateAgent-osx
+          path: ArduinoCreateAgent*.tar
+          if-no-files-found: error