Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Codesign on macOS #727

Merged
merged 23 commits into from
Aug 29, 2024
Merged

Codesign on macOS #727

merged 23 commits into from
Aug 29, 2024

Conversation

jmarrec
Copy link
Collaborator

@jmarrec jmarrec commented Aug 24, 2024

Included works

The absolutely required bit is

The rules are going to be tightened in the fall when macOS Sequoia releases: https://9to5mac.com/2024/08/06/macos-sequoia-makes-it-harder-to-run-apps-that-dont-follow-apples-security-rules/

In addition, I chose to also codesign and harden the inner apps, libraries, and executables. This will help for the tar.gz one probably.

  • Codesign OpenStudio.app itself
  • Codesign all other libraries and executables (eg: Radiance, EnergyPlus, Python sos, etc)

I also added some QA/QC scripts that will, on GHA

  • On the build machine:
    • it will check that the inner _CPack_Pacages binaries and executables are properly codesigned for IFW and TGZ
    • for the TGZ one, it checks whether all libs can be resolved (the script uses otool and some logic to check if everything is fine)
  • On a test machine:
    • It downloads the dmg artifact, ensures that is properly codesigned and notarized
    • Mount the dmg
    • check the installer is properly codesigned
    • performs a silent install
    • unmount dmg
    • Check the signature of all the inner binaries and executables that have been installed
    • otool to ensure all libraries are resolved (and output a JSON file for debugging / manual checking)
    • Performs an E+ simulation with a PythonPlugin to ensure that works fine

Demonstration

Before signing

You get a an eject warning, and you have to right click > Open if you want to install it.

macos_unsigned_installer

With signing

macos_signed_installer

jmarrec added 10 commits August 23, 2024 14:29
@jmarrec
Disable all workflows, but the app build for mac, and make it upload …
76ffef6 
…to release anyways
@jmarrec
Setup codesigning & notarization of the DMG installer itself
f8b8b0b 
The extracted OpenStudioApp.app itself is not codesigned and notarized
@jmarrec
Codesign OpenStudioApp.app only (not the OpenStudio / EnergyPlus stuf…
6ef322f 
…f...)
@jmarrec
Setup GHA codesigning
6353789
@jmarrec
Need the arch variable to get qtifw + self hosted mac does not have a…
366c5bc 
…ria2c installed
@jmarrec
Start codesigning inner libraries and exes
088e796
@jmarrec
Cannot sign RubyAPI files from top level CMakeLists
97e71e2 
The order in which CPack does stuff is weird as hell when subdirectories are involved, but basically

It adds the install(CODE ) commands from the top level CMakeLists, which includes calling the install_codesign_script.cmake

Then it includes the specific subdirectories 's cmake_install.cmake

which means it'll try to sign something that wasn't installed (copied) yet!
@jmarrec
Verify signature: for the CPACK package + on a clean machine too
0fc02c8
@jmarrec
Add Path.is_relative_to for python 3.8...
c16559a 
was added only in 3.9
@jmarrec
Try to get correct artifact for testing
cd0af8a
@jmarrec jmarrec self-assigned this Aug 24, 2024
jmarrec added 2 commits August 27, 2024 10:09
@jmarrec
For the test step, use the GHA macos-14 (arm64)
a32d25c
@jmarrec
For the TGZ package, I was signing and resigning over and over again.…
4ed3f1f 
… Break up install scripts per component, and do cleanup of cmake lists to avoid signing Radiance like 20 times total.
@jmarrec
Copy link
Collaborator Author

jmarrec commented Aug 27, 2024
edited
Loading

There's an intermittent failure in the packaging step, that has been preexisting for a while, but which is annoying the crap out of me during all this testing.

There's a create_symlink failing sometimes, but restarting the run usually makes it work...
https://github.com/openstudiocoalition/OpenStudioApplication/actions/runs/10575968626/job/29300787775#step:18:2721

OpenStudioApplication/src/openstudio_app/CMakeLists.txt

Lines 446 to 484 in bcae7d2

install(CODE [[
execute_process(
COMMAND echo "CMAKE_INSTALL_PREFIX = ${CMAKE_INSTALL_PREFIX}"
COMMAND "${CMAKE_COMMAND}" -E create_symlink
"../../../../../../../Frameworks"
"${CMAKE_INSTALL_PREFIX}/OpenStudioApp.app/Contents/Frameworks/QtWebEngineCore.framework/Versions/A/Helpers/QtWebEngineProcess.app/Contents/Frameworks"
COMMAND "${CMAKE_COMMAND}" -E create_symlink
"../../EnergyPlus"
"${CMAKE_INSTALL_PREFIX}/OpenStudioApp.app/Contents/EnergyPlus"
COMMAND "${CMAKE_COMMAND}" -E create_symlink
"../../Radiance"
"${CMAKE_INSTALL_PREFIX}/OpenStudioApp.app/Contents/Radiance"
COMMAND "${CMAKE_COMMAND}" -E create_symlink
"../../../lib/$<TARGET_FILE_NAME:openstudio::rubyengine>"
"${CMAKE_INSTALL_PREFIX}/OpenStudioApp.app/Contents/Frameworks/$<TARGET_FILE_NAME:openstudio::rubyengine>"
COMMAND "${CMAKE_COMMAND}" -E create_symlink
"../../../lib/$<TARGET_FILE_NAME:openstudio::pythonengine>"
"${CMAKE_INSTALL_PREFIX}/OpenStudioApp.app/Contents/Frameworks/$<TARGET_FILE_NAME:openstudio::pythonengine>"
COMMAND "${CMAKE_COMMAND}" -E create_symlink
"../../../lib/$<TARGET_FILE_NAME:openstudio::openstudiolib>"
"${CMAKE_INSTALL_PREFIX}/OpenStudioApp.app/Contents/Frameworks/$<TARGET_FILE_NAME:openstudio::openstudiolib>"
COMMAND "${CMAKE_COMMAND}" -E make_directory "${CMAKE_INSTALL_PREFIX}/bin"
COMMAND "${CMAKE_COMMAND}" -E create_symlink
"../OpenStudioApp.app/Contents/MacOS/$<TARGET_FILE_NAME:openstudio::openstudio>"
"${CMAKE_INSTALL_PREFIX}/bin/$<TARGET_FILE_NAME:openstudio::openstudio>"
COMMAND_ECHO STDOUT
COMMAND_ERROR_IS_FATAL ANY
)
]]
COMPONENT OpenStudioApp
)

@jmarrec
Revert "Disable all workflows, but the app build for mac, and make it…
7510b06 
… upload to release anyways"

This reverts commit 76ffef6.
@jmarrec
Copy link
Collaborator Author

jmarrec commented Aug 27, 2024

Ok, finally all green, aside from that nagging intermittent failure. Renabling all workflows now. Assuming I can pass CI just fine, this can drop.

@jmarrec jmarrec marked this pull request as ready for review August 27, 2024 11:00
@macumber
Copy link
Collaborator

Wow @jmarrec this is a lot of work, very impressive! I left some comments/questions

@jmarrec
Copy link
Collaborator Author

jmarrec commented Aug 29, 2024

annoy

There's an intermittent failure in the packaging step, that has been preexisting for a while, but which is annoying the crap out of me during all this testing.

There's a create_symlink failing sometimes, but restarting the run usually makes it work... https://github.com/openstudiocoalition/OpenStudioApplication/actions/runs/10575968626/job/29300787775#step:18:2721

See it failing on develop here: https://github.com/openstudiocoalition/OpenStudioApplication/actions/runs/10610974805/job/29409504326?pr=730#step:17:1875

@jmarrec jmarrec merged commit a78a443 into develop Aug 29, 2024
10 checks passed
@jmarrec jmarrec deleted the codesigning branch August 29, 2024 22:44
@github-actions github-actions bot locked and limited conversation to collaborators Aug 29, 2024
Sign up for free to subscribe to this conversation on GitHub. Already have an account? Sign in.
Reviewers

@macumber macumber macumber left review comments

Assignees

@jmarrec jmarrec

Labels
component - Installer/Platform 📦 Enhancement Request New feature or request
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
2 participants
@jmarrec @macumber