remove gon and use native xcode tools for notarizing #3079

Merged
merged 3 commits into from
Oct 1, 2024

@DaMandal0rian DaMandal0rian commented Sep 30, 2024

This PR updates the macOS codesigning and notarization workflow for .zip binaries, transitioning from using the gon package to Xcode native tools. It ensures that the .zip file generated for distribution is signed and notarized correctly using Apple’s standard processes.

In order to achieve this, the full Xcode application was required to be installed, since the Xcode command-line tools do not have some of the required libraries, and with headless macOS it was not possible to install Xcode from the App Store. Xcode releases are now available for download through the Apple Developer portal.

Code contributor checklist:

@DaMandal0rian DaMandal0rian removed the request for review from rg3l3dr September 30, 2024 18:10
teor2345 previously approved these changes Sep 30, 2024

@teor2345 teor2345 left a comment

Looks good, but we’re having issues with macOS CI right now, so I’m just going to re-run the tests before it merges.

@teor2345 teor2345 mentioned this pull request Oct 1, 2024
1 task
@DaMandal0rian

@teor2345 the issue with macOS CI is fixed already.

@DaMandal0rian DaMandal0rian added this pull request to the merge queue Oct 1, 2024
@nazar-pc nazar-pc removed this pull request from the merge queue due to a manual request Oct 1, 2024
nazar-pc commented Oct 1, 2024

Somewhat as expected, build in CI failed to apply stapling:

Stapling notarization to ZIP file
Processing: /Users/hetzner/actions-runner/_work/subspace/subspace/subspace-binaries.zip
Stapler is incapable of working with ZIP archive files.
Error: Process completed with exit code 66.

https://github.com/autonomys/subspace/actions/runs/11121858572/job/30901889877#step:16:98

If it was as easy as un-commenting it, we'd have done that a long time ago.

Stapling is optional, but would be nice to have.

DaMandal0rian commented Oct 1, 2024

> Somewhat as expected, build in CI failed to apply stapling:
>
> Stapling notarization to ZIP file
> Processing: /Users/hetzner/actions-runner/_work/subspace/subspace/subspace-binaries.zip
> Stapler is incapable of working with ZIP archive files.
> Error: Process completed with exit code 66.
>
> https://github.com/autonomys/subspace/actions/runs/11121858572/job/30901889877#step:16:98
>
> If it was as easy as un-commenting it, we'd have done that a long time ago.
>
> Stapling is optional, but would be nice to have.

Yes it's optional, but since we are not using .app bundles or .dmg files, it will not work with .zip archives.

https://developer.apple.com/documentation/security/customizing-the-notarization-workflow#Staple-the-ticket-to-your-distribution

> While you can notarize a ZIP archive, you can’t staple to it directly. Instead, run stapler against each item that you added to the archive. Then create a new ZIP file containing the stapled items for distribution. Although tickets are created for standalone binaries, it’s not currently possible to staple tickets to them.
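
The constraint described in the comment above, as an added example that is not part of this PR or the project's workflow: a notarization step that submits every artifact but only calls `stapler` on types it accepts, so a `.zip` no longer fails the job with exit code 66. The keychain profile name `notary-profile` and the artifact names are assumptions; commands are only printed unless `DRY_RUN=0` is set on a macOS runner.

```shell
#!/bin/sh
# Added example, not the project's CI workflow.
# Assumptions: the keychain profile name "notary-profile" and the sample
# artifact names below are constructed for illustration.

# Succeeds only for artifact kinds that stapler accepts. Per the Apple text
# quoted above, ZIP archives and standalone binaries cannot be stapled.
# (.pkg comes from stapler's documented supported types, not from this page.)
can_staple() {
    case "$1" in
        *.app|*.dmg|*.pkg) return 0 ;;
        *) return 1 ;;
    esac
}

# Print the command when DRY_RUN=1 (default); execute it when DRY_RUN=0.
run() {
    if [ "${DRY_RUN:-1}" = 1 ]; then echo "$*"; else "$@"; fi
}

# Submit one artifact for notarization, then staple only if its type allows it.
notarize() {
    artifact=$1
    profile=${2:-notary-profile}
    run xcrun notarytool submit "$artifact" --keychain-profile "$profile" --wait || return 1
    if can_staple "$artifact"; then
        run xcrun stapler staple "$artifact" || return 1
    else
        echo "skip staple: $artifact is not a type stapler accepts"
    fi
}

# Constructed artifact names; prints the plan without touching any file.
for a in subspace-binaries.zip Example.dmg; do
    notarize "$a"
done
```
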

@DaMandal0rian DaMandal0rian requested a review from nazar-pc October 1, 2024 10:03
@DaMandal0rian DaMandal0rian added this pull request to the merge queue Oct 1, 2024
Merged via the queue into main with commit 456bcba Oct 1, 2024
9 checks passed
@DaMandal0rian DaMandal0rian deleted the change-macos-ci-workflow branch October 1, 2024 14:54