
Commit 5920cb2

committed
Rework the notarization step a bit
1 parent f2d30dc commit 5920cb2


1 file changed

+39
-18
lines changed


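--- a/.github/workflows/release.yml
+++ b/.github/workflows/release.yml
@@ -15,6 +15,8 @@ env:
 AWS_SECRET_ACCESS_KEY: ${{ secrets.AWS_SECRET_ACCESS_KEY }}
 AWS_REGION: "us-east-1" # or https://github.com/aws/aws-cli/issues/5623
 KEYCHAIN: "sign.keychain"
+KEYCHAIN_PASSWORD: keychainpassword # Arbitrary password for a keychain that exists only for the duration of the job, so not secret
+GON_CONFIG_PATH: gon.config.hcl
 INSTALLER_CERT_MAC_PATH: "/tmp/ArduinoCerts2020.p12"
 AC_USERNAME: ${{ secrets.AC_USERNAME }} # used by gon
 AC_PASSWORD: ${{ secrets.AC_PASSWORD }} # used by gon
@@ -166,12 +168,22 @@ jobs:
 
 - name: Import Code-Signing Certificates
 run: |
-echo "${{ secrets.INSTALLER_CERT_MAC_P12 }}" | base64 --decode > ${{ env.INSTALLER_CERT_MAC_PATH }}
-security create-keychain -p ${{ secrets.KEYCHAIN_PASSWORD }} ${{ env.KEYCHAIN }}
-security default-keychain -s ${{ env.KEYCHAIN }}
-security unlock-keychain -p ${{ secrets.KEYCHAIN_PASSWORD }} ${{ env.KEYCHAIN }}
-security import ${{ env.INSTALLER_CERT_MAC_PATH }} -k ${{ env.KEYCHAIN }} -f pkcs12 -A -T /usr/bin/codesign -P ${{ secrets.INSTALLER_CERT_MAC_PASSWORD }}
-security set-key-partition-list -S apple-tool:,apple: -s -k ${{ secrets.KEYCHAIN_PASSWORD }} ${{ env.KEYCHAIN }}
+echo "${{ secrets.INSTALLER_CERT_MAC_P12 }}" | base64 --decode > "${{ env.INSTALLER_CERT_MAC_PATH }}"
+security create-keychain -p "${{ env.KEYCHAIN_PASSWORD }}" "${{ env.KEYCHAIN }}"
+security default-keychain -s "${{ env.KEYCHAIN }}"
+security unlock-keychain -p "${{ env.KEYCHAIN_PASSWORD }}" "${{ env.KEYCHAIN }}"
+security import \
+"${{ env.INSTALLER_CERT_MAC_PATH }}" \
+-k "${{ env.KEYCHAIN }}" \
+-f pkcs12 \
+-A \
+-T "/usr/bin/codesign" \
+-P "${{ secrets.INSTALLER_CERT_MAC_PASSWORD }}"
+security set-key-partition-list \
+-S apple-tool:,apple: \
+-s \
+-k "${{ env.KEYCHAIN_PASSWORD }}" \
+"${{ env.KEYCHAIN }}"
 
 - name: Install gon for code signing and app notarization
 run: |
@@ -181,25 +193,24 @@ jobs:
 - name: Write gon config to file
 # gon does not allow env variables in config file (https://github.com/mitchellh/gon/issues/20)
 run: |
-cat > gon.config.hcl <<EOF
+cat > "${{ env.GON_CONFIG_PATH }}" <<EOF
 # See: https://github.com/mitchellh/gon#configuration-file
 source = ["${{ env.PROJECT_NAME }}/${{ env.PROJECT_NAME }}"]
 bundle_id = "cc.arduino.${{ env.PROJECT_NAME }}"
+
 sign {
 application_identity = "Developer ID Application: ARDUINO SA (7KT7ZWMCJT)"
 }
+
 # Ask Gon for zip output to force notarization process to take place.
 # The CI will ignore the zip output, using the signed binary only.
 zip {
 output_path = "arduino-create-agent.zip"
 }
 EOF
 
-- name: Code sign and notarize app
-run: |
-echo "gon will notarize executable in arduino-create-agent/arduino-create-agent"
-gon -log-level=debug -log-json gon.config.hcl
-timeout-minutes: 30
+- name: Sign and notarize binary
+run: gon -log-level=debug -log-json "${{ env.GON_CONFIG_PATH }}"
 
 # This step will overwrite the non signed mac artifact (arduino-create-agent-${{ env.RUNS_ON }})
 - name: Upload artifact
@@ -376,12 +387,22 @@ jobs:
 
 - name: Import Code-Signing Certificates
 run: |
-echo "${{ secrets.INSTALLER_CERT_MAC_P12 }}" | base64 --decode > ${{ env.INSTALLER_CERT_MAC_PATH }}
-security create-keychain -p ${{ secrets.KEYCHAIN_PASSWORD }} ${{ env.KEYCHAIN }}
-security default-keychain -s ${{ env.KEYCHAIN }}
-security unlock-keychain -p ${{ secrets.KEYCHAIN_PASSWORD }} ${{ env.KEYCHAIN }}
-security import ${{ env.INSTALLER_CERT_MAC_PATH }} -k ${{ env.KEYCHAIN }} -f pkcs12 -A -T /usr/bin/codesign -P ${{ secrets.INSTALLER_CERT_MAC_PASSWORD }}
-security set-key-partition-list -S apple-tool:,apple: -s -k ${{ secrets.KEYCHAIN_PASSWORD }} ${{ env.KEYCHAIN }}
+echo "${{ secrets.INSTALLER_CERT_MAC_P12 }}" | base64 --decode > "${{ env.INSTALLER_CERT_MAC_PATH }}"
+security create-keychain -p "${{ env.KEYCHAIN_PASSWORD }}" "${{ env.KEYCHAIN }}"
+security default-keychain -s "${{ env.KEYCHAIN }}"
+security unlock-keychain -p "${{ env.KEYCHAIN_PASSWORD }}" "${{ env.KEYCHAIN }}"
+security import \
+"${{ env.INSTALLER_CERT_MAC_PATH }}" \
+-k "${{ env.KEYCHAIN }}" \
+-f pkcs12 \
+-A \
+-T "/usr/bin/codesign" \
+-P "${{ secrets.INSTALLER_CERT_MAC_PASSWORD }}"
+security set-key-partition-list \
+-S apple-tool:,apple: \
+-s \
+-k "${{ env.KEYCHAIN_PASSWORD }}" \
+"${{ env.KEYCHAIN }}"
 
 - name: Install gon for code signing and app notarization
 run: |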
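Review bot: The new `Sign and notarize binary` step drops the `timeout-minutes: 30` that the replaced `Code sign and notarize app` step carried, so a notarization request that Apple never answers now blocks the job until the workflow's default job timeout instead of failing after 30 minutes; put `timeout-minutes: 30` back on the new step. In both `Import Code-Signing Certificates` steps the `security import` call passes `-A` together with `-T "/usr/bin/codesign"`; `-A` grants every application access to the imported key, which makes the `-T` restriction moot, so drop `-A` if the intent is to limit the signing key to codesign (the following `set-key-partition-list -S apple-tool:,apple:` is what lets the Apple tools use it without a prompt). Neither the decoded `.p12` at `INSTALLER_CERT_MAC_PATH` nor the keychain is removed once signing is done; that is harmless on an ephemeral hosted runner, but if `RUNS_ON` can select a self-hosted macOS runner a final step with `if: always()` running `security delete-keychain "${{ env.KEYCHAIN }}"` and `rm -f "${{ env.INSTALLER_CERT_MAC_PATH }}"` would keep the signing material from outliving the job.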
