feat: macos signing and notarization #367
Conversation
lidel
force-pushed
the
feat/signed-ci-build
branch
7 times, most recently
from
d891669
to
a06abf7
Compare
lidel
changed the title
lidel
force-pushed
the
feat/signed-ci-build
branch
2 times, most recently
from
057619f
to
2ba7177
Compare
lidel
force-pushed
the
feat/signed-ci-build
branch
18 times, most recently
from
7183e8a
to
92386a4
Compare
lidel
force-pushed
the
feat/signed-ci-build
branch
from
2852464
to
9544654
Compare
| '{ state: $state, target_url: $target_url, description: $description, context: $context }' ) | ||
| curl --output /dev/null --silent --show-error \ | ||
| -X POST -H "Authorization: Bearer $GITHUB_TOKEN" -H 'Content-Type: application/json' \ | ||
| --data "$API_PARAMS" 'https://api.github.com/repos/ipfs/distributions/statuses/${GIT_REVISION}' |
There was a problem hiding this comment.
ℹ️ we could replace this script with JS call and actions/github-script but I don't want to sink any more time into refactoring this PR ;)
| docker build . -t distributions \ | ||
| --build-arg CACHEBUST=`date --iso-8601=date` \ | ||
| --build-arg USER_UID=$(id -u "$USER") \ | ||
| --build-arg GO_IPFS_VER=${GO_IPFS_VER:-$(curl -s https://dist.ipfs.io/go-ipfs/versions | tail -n 1)} # match http api client version on CI |
There was a problem hiding this comment.
ℹ️ this controls the version of the CLI client inside ./dockerized build, which talks to go-ipfs running outside on the host. Here, we ensure it uses the same version (with fallback to the latest one if GO_IPFS_VER is undefined).
There was a problem hiding this comment.
Should this comment live in the source file?
There was a problem hiding this comment.
I believe the comment on the very right is enough, more context can be found on this PR.
| if [[ $(jq '.peer_map[].status' cluster-pin-status | grep '"pinned"' | wc -l) -ge 2 ]]; then | ||
| echo "Got 2 pin confirmations, finishing the workflow" |
There was a problem hiding this comment.
ℹ️ to make CI faster and avoid hanging forever if parts of cluster are out of sync, cluster pinning is considered "done" after we have 2 copies.
Here, I do it manually in userland, but filled ipfs-cluster/ipfs-cluster#1427 to add this sort of thing to ipfs-cluster-ctl CLI tool.
There was a problem hiding this comment.
Similar to above: when do we decide to put this in the PR vs. the code itself? Do folks tend to do a git blame and look for comments to find more context?
There was a problem hiding this comment.
I often use git blame, but in this specific case those comments are provided mostly to make PR review easier.
There was a problem hiding this comment.
Ok. I'll defer to the team for the standard. I was bringing this up because it was hard for me to imagine a case where a comment is useful during PR where it isn't also useful 6 months in the future when looking at the code with fresh eyes. Anyways, sounds good.
| # fix resolv - DNS provided by Github is unreliable for DNSLik/dnsaddr | ||
| sudo sed -i -e 's/nameserver 127.0.0.*/nameserver 1.1.1.1/g' /etc/resolv.conf |
There was a problem hiding this comment.
ℹ️ This was pretty annoying. Entire build failed because Githubs DNS proxying cache at 127.0.0.* randomly timeouted while resolving _dnslink or _dnsaddr. Switching to Cloudflare here make the problem go away.
| EXECUTABLES=$(jq -nc '$ARGS.positional' --args $(find "./tmp/${DIST_NAME}_${DIST_VERSION}_${arch}-unsigned/" -perm +111 -type f -print)) | ||
| echo "{ | ||
| \"source\" : $EXECUTABLES, | ||
| \"bundle_id\" : \"io.ipfs.dist.${DIST_NAME}\", |
There was a problem hiding this comment.
ℹ️ I registered the wildcard bundle_id=io.ipfs.dist.* at Apple, which enables us to have each package "isolated" from each other. This is important in case Apple decides to block something from running on macOS – we don't have all egs in one basket.
| brew install ipfs coreutils gawk gnu-sed jq mitchellh/gon/gon | ||
| ipfs init --profile test # needed for calculating NEW_CID later | ||
| - name: Import Keychain Certs | ||
| uses: apple-actions/import-codesign-certs@253ddeeac23f2bdad1646faac5c8c2832e800071 # v1@2020-02-03 |
There was a problem hiding this comment.
ℹ️ 👮♂️ I hardcoded specific revision because this is a third-party action and in theory someone could swap-out git tag and steal our signing keys.
| brew tap mitchellh/gon | ||
| brew install ipfs coreutils gawk gnu-sed jq mitchellh/gon/gon |
There was a problem hiding this comment.
ℹ️ gon package is used by Terraform project, so multiple eyes are looking at this
| To produce a signed, **official build** for use in DNSLink at `dist.ipfs.io`: | ||
|
|
||
| 1. Run `./dist.sh add-version` locally. | ||
| 2. Commit created changes to `dists/<dist>` and open a PR against `ipfs/distributions`. | ||
| 3. Wait for Github Action to finish PR build. It runs `./dockerized` build, then signs macOS binaries and spits out updated root CID at the end. | ||
| 4. If everything looks good, write down the CID from the preview link on the PR, and update the DNSlink at `dist.ipfs.io`. |
There was a problem hiding this comment.
ℹ️ I believe this is the TLDR of this entire PR :)
| docker build . -t distributions \ | ||
| --build-arg CACHEBUST=`date --iso-8601=date` \ | ||
| --build-arg USER_UID=$(id -u "$USER") \ | ||
| --build-arg GO_IPFS_VER=${GO_IPFS_VER:-$(curl -s https://dist.ipfs.io/go-ipfs/versions | tail -n 1)} # match http api client version on CI |
There was a problem hiding this comment.
Should this comment live in the source file?
| if [[ $(jq '.peer_map[].status' cluster-pin-status | grep '"pinned"' | wc -l) -ge 2 ]]; then | ||
| echo "Got 2 pin confirmations, finishing the workflow" |
There was a problem hiding this comment.
Similar to above: when do we decide to put this in the PR vs. the code itself? Do folks tend to do a git blame and look for comments to find more context?
+ add ability to run workflow against arbitrary path - until we have signed nightlies
|
As agreed during stewards call, I'm starting the merge dance starting with this PR |
This PR adds
sign-macosjob to CI workflow, adding a transparent signing step.The main reason is to sign repo migrations and avoid issue from ipfs/kubo#8240 globally (outside of Brave). It also provides us with a template if we wish to add signing for other platforms.
How this works?
Technical details
This PR splits
make publishperformed inmain.ymlinto three stages:buildexecutes./dockerized make all_distsand produces any missing binaries in./releasessign-macossigns and notarizes every new binary from./releasesand updates.tar.gzpackages and relevant hashes in-placepublishmake publishand adds any new and signed packages from./releasestoDIST_ROOT(
/ipns/dist.ipfs.ioby default)Flow for adding new dist or version
./dists/{name}/versionsDIST_ROOTto ipfs-clusterpublishstep of CI buildContent routing optimization
IPFS node running on CI manually pre-connects to ipfs-websites cluster peers, which are known to already have all blocks required during dist.ipfs.io build. This way we skip DHT lookup.
Website preview on PRs
Every PR now gets a link to website preview at the
dweb.linkIPFS gateway:TODO
/dnsaddr/ipfs-websites.collab.ipfscluster.iobut it errors right nowDIST_ROOTand ensure CI is no-op when no new binaries are added