synced/coder
1
0
Fork 0
mirror of https://github.com/coder/coder.git synced 2025-07-21 01:28:49 +00:00
Code Issues Packages Projects Releases Wiki Activity

feat: Sign MacOS binaries (#1060)

Browse Source 
This fixes virus warnings when launching Coder on darwin.
This commit is contained in:
Kyle Carberry
2022-04-18 14:57:41 -05:00
committed by GitHub
parent a5f36ad4e2
commit 866205c145
4 changed files with 91 additions and 15 deletions
Download Patch File Download Diff File Expand all files Collapse all files

15
.github/workflows/release.yaml vendored
View File

@ -5,7 +5,7 @@ on:
- "v*" - "v*"
jobs: jobs:
goreleaser: goreleaser:
runs-on: ubuntu-latest runs-on: macos-latest
steps: steps:
- uses: actions/checkout@v3 - uses: actions/checkout@v3
with: with:
@ -14,6 +14,17 @@ jobs:
with: with:
go-version: "~1.18" go-version: "~1.18"
- name: Install Gon
run: |
brew tap mitchellh/gon
brew install mitchellh/gon/gon
- name: Import Signing Certificates
uses: Apple-Actions/import-codesign-certs@v1
with:
p12-file-base64: ${{ secrets.AC_CERTIFICATE_P12_BASE64 }}
p12-password: ${{ secrets.AC_CERTIFICATE_PASSWORD }}
- name: Echo Go Cache Paths - name: Echo Go Cache Paths
id: go-cache-paths id: go-cache-paths
run: | run: |
@ -53,3 +64,5 @@ jobs:
args: release --rm-dist args: release --rm-dist
env: env:
GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
AC_USERNAME: ${{ secrets.AC_USERNAME }}
AC_PASSWORD: ${{ secrets.AC_PASSWORD }}

69
.goreleaser.yaml
View File

@ -1,13 +1,24 @@
archives: archives:
- id: coder - id: coder-linux
builds: builds: [coder-linux]
- coder format: tar
files:
- src: docs/README.md
dst: README.md
- id: coder-darwin
builds: [coder-darwin]
format: zip
files:
- src: docs/README.md
dst: README.md
- id: coder-windows
builds: [coder-windows]
format: zip
files: files:
- src: docs/README.md - src: docs/README.md
dst: README.md dst: README.md
format_overrides:
- goos: windows
format: zip
before: before:
hooks: hooks:
@ -27,15 +38,44 @@ builds:
post: | post: |
cp {{.Path}} site/out/bin/coder-{{ .Os }}-{{ .Arch }}{{ trimprefix .Name "coder" }} cp {{.Path}} site/out/bin/coder-{{ .Os }}-{{ .Arch }}{{ trimprefix .Name "coder" }}
- id: coder - id: coder-linux
dir: cmd/coder dir: cmd/coder
flags: ["-tags=embed"] flags: [-tags=embed]
ldflags: ldflags:
["-s -w -X github.com/coder/coder/cli/buildinfo.tag={{ .Version }}"] ["-s -w -X github.com/coder/coder/cli/buildinfo.tag={{ .Version }}"]
env: [CGO_ENABLED=0] env: [CGO_ENABLED=0]
goos: [darwin, linux, windows] goos: [linux]
goarch: [amd64, arm64] goarch: [amd64, arm64]
- id: coder-windows
dir: cmd/coder
flags: [-tags=embed]
ldflags:
["-s -w -X github.com/coder/coder/cli/buildinfo.tag={{ .Version }}"]
env: [CGO_ENABLED=0]
goos: [windows]
goarch: [amd64, arm64]
- id: coder-darwin
dir: cmd/coder
flags: [-tags=embed]
ldflags:
["-s -w -X github.com/coder/coder/cli/buildinfo.tag={{ .Version }}"]
env: [CGO_ENABLED=0]
goos: [darwin]
goarch: [amd64, arm64]
hooks:
# This signs the binary that will be located inside the zip.
# MacOS requires the binary to be signed for notarization.
#
# If it doesn't successfully sign, the zip sign step will error.
post: |
sh -c 'codesign -s {{.Env.AC_APPLICATION_IDENTITY}} -f -v --timestamp --options runtime {{.Path}} || true'
env:
# Apple identity for signing!
- AC_APPLICATION_IDENTITY=BDB050EB749EDD6A80C6F119BF1382ECA119CCCC
nfpms: nfpms:
- id: packages - id: packages
vendor: Coder vendor: Coder
@ -50,7 +90,7 @@ nfpms:
suggests: suggests:
- postgresql - postgresql
builds: builds:
- coder - coder-linux
bindir: /usr/bin bindir: /usr/bin
contents: contents:
- src: coder.env - src: coder.env
@ -60,7 +100,14 @@ nfpms:
dst: /usr/lib/systemd/system/coder.service dst: /usr/lib/systemd/system/coder.service
release: release:
ids: [coder, packages] ids: [coder-linux, coder-darwin, coder-windows, packages]
signs:
- ids: [coder-darwin]
artifacts: archive
cmd: ./scripts/sign_macos.sh
args: ["${artifact}"]
output: true
snapshot: snapshot:
name_template: "{{ .Version }}-devel+{{ .ShortCommit }}" name_template: "{{ .Version }}-devel+{{ .ShortCommit }}"

5
Makefile
View File

@ -88,8 +88,8 @@ provisionersdk/proto: provisionersdk/proto/provisioner.proto
./provisionersdk/proto/provisioner.proto ./provisionersdk/proto/provisioner.proto
.PHONY: provisionersdk/proto .PHONY: provisionersdk/proto
release: site/out release:
goreleaser release --snapshot --rm-dist goreleaser release --snapshot --rm-dist --skip-sign
.PHONY: release .PHONY: release
site/out: site/out:
@ -102,4 +102,3 @@ site/out:
test: test:
gotestsum -- -v -short ./... gotestsum -- -v -short ./...

17
scripts/sign_macos.sh Executable file
View File

@ -0,0 +1,17 @@
#!/usr/bin/env bash
set -euo pipefail
cd "$(git rev-parse --show-toplevel)"
codesign -s $AC_APPLICATION_IDENTITY -f -v --timestamp --options runtime $1
config="$(mktemp -d)/gon.json"
jq -r --null-input --arg path "$(pwd)/$1" '{
"notarize": [
{
"path": $path,
"bundle_id": "com.coder.cli"
}
]
}' > $config
gon $config