feat: Sign MacOS binaries (#1060)

This fixes virus warnings when launching Coder on darwin.
2025-07-15 22:20:27 +00:00 · 2022-04-18 14:57:41 -05:00
parent a5f36ad4e2
commit 866205c145
4 changed files with 91 additions and 15 deletions
--- a/.github/workflows/release.yaml
+++ b/.github/workflows/release.yaml
@ -5,7 +5,7 @@ on:
      - "v*"
 jobs:
  goreleaser:
-    runs-on: ubuntu-latest
+    runs-on: macos-latest
    steps:
      - uses: actions/checkout@v3
        with:
@ -14,6 +14,17 @@ jobs:
        with:
          go-version: "~1.18"

+      - name: Install Gon
+        run: |
+          brew tap mitchellh/gon
+          brew install mitchellh/gon/gon
+
+      - name: Import Signing Certificates
+        uses: Apple-Actions/import-codesign-certs@v1
+        with:
+          p12-file-base64: ${{ secrets.AC_CERTIFICATE_P12_BASE64 }}
+          p12-password: ${{ secrets.AC_CERTIFICATE_PASSWORD }}
+
      - name: Echo Go Cache Paths
        id: go-cache-paths
        run: |
@ -53,3 +64,5 @@ jobs:
          args: release --rm-dist
        env:
          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+          AC_USERNAME: ${{ secrets.AC_USERNAME }}
+          AC_PASSWORD: ${{ secrets.AC_PASSWORD }}
--- a/.goreleaser.yaml
+++ b/.goreleaser.yaml
@ -1,13 +1,24 @@
 archives:
-  - id: coder
-    builds:
-      - coder
+  - id: coder-linux
+    builds: [coder-linux]
+    format: tar
+    files:
+      - src: docs/README.md
+        dst: README.md
+
+  - id: coder-darwin
+    builds: [coder-darwin]
+    format: zip
+    files:
+      - src: docs/README.md
+        dst: README.md
+
+  - id: coder-windows
+    builds: [coder-windows]
+    format: zip
    files:
      - src: docs/README.md
        dst: README.md
-    format_overrides:
-      - goos: windows
-        format: zip

 before:
  hooks:
@ -27,15 +38,44 @@ builds:
      post: |
        cp {{.Path}} site/out/bin/coder-{{ .Os }}-{{ .Arch }}{{ trimprefix .Name "coder" }}

-  - id: coder
+  - id: coder-linux
    dir: cmd/coder
-    flags: ["-tags=embed"]
+    flags: [-tags=embed]
    ldflags:
      ["-s -w -X github.com/coder/coder/cli/buildinfo.tag={{ .Version }}"]
    env: [CGO_ENABLED=0]
-    goos: [darwin, linux, windows]
+    goos: [linux]
    goarch: [amd64, arm64]

+  - id: coder-windows
+    dir: cmd/coder
+    flags: [-tags=embed]
+    ldflags:
+      ["-s -w -X github.com/coder/coder/cli/buildinfo.tag={{ .Version }}"]
+    env: [CGO_ENABLED=0]
+    goos: [windows]
+    goarch: [amd64, arm64]
+
+  - id: coder-darwin
+    dir: cmd/coder
+    flags: [-tags=embed]
+    ldflags:
+      ["-s -w -X github.com/coder/coder/cli/buildinfo.tag={{ .Version }}"]
+    env: [CGO_ENABLED=0]
+    goos: [darwin]
+    goarch: [amd64, arm64]
+    hooks:
+      # This signs the binary that will be located inside the zip.
+      # MacOS requires the binary to be signed for notarization.
+      # 
+      # If it doesn't successfully sign, the zip sign step will error.
+      post: |
+        sh -c 'codesign -s {{.Env.AC_APPLICATION_IDENTITY}} -f -v --timestamp --options runtime {{.Path}} || true'
+
+env:
+  # Apple identity for signing!
+  - AC_APPLICATION_IDENTITY=BDB050EB749EDD6A80C6F119BF1382ECA119CCCC
+
 nfpms:
  - id: packages
    vendor: Coder
@ -50,7 +90,7 @@ nfpms:
    suggests:
      - postgresql
    builds:
-      - coder
+      - coder-linux
    bindir: /usr/bin
    contents:
      - src: coder.env
@ -60,7 +100,14 @@ nfpms:
        dst: /usr/lib/systemd/system/coder.service

 release:
-  ids: [coder, packages]
+  ids: [coder-linux, coder-darwin, coder-windows, packages]
+
+signs:
+  - ids: [coder-darwin]
+    artifacts: archive
+    cmd: ./scripts/sign_macos.sh
+    args: ["${artifact}"]
+    output: true

 snapshot:
  name_template: "{{ .Version }}-devel+{{ .ShortCommit }}"
--- a/5
+++ b/5
@ -88,8 +88,8 @@ provisionersdk/proto: provisionersdk/proto/provisioner.proto
 		./provisionersdk/proto/provisioner.proto
 .PHONY: provisionersdk/proto

-release: site/out
-	goreleaser release --snapshot --rm-dist
+release:
+	goreleaser release --snapshot --rm-dist --skip-sign
 .PHONY: release

 site/out:
@ -102,4 +102,3 @@ site/out:

 test:
 	gotestsum -- -v -short ./...
-
--- a/scripts/sign_macos.sh
+++ b/scripts/sign_macos.sh
@ -0,0 +1,17 @@
+#!/usr/bin/env bash
+
+set -euo pipefail
+cd "$(git rev-parse --show-toplevel)"
+
+codesign -s $AC_APPLICATION_IDENTITY -f -v --timestamp --options runtime $1 
+
+config="$(mktemp -d)/gon.json" 
+jq -r --null-input --arg path "$(pwd)/$1" '{
+    "notarize": [
+        {
+            "path": $path,
+            "bundle_id": "com.coder.cli"
+        }
+    ]
+}' > $config
+gon $config