From 51dc3750e7cc3fe4ea67262f99a4b723ec1b54ad Mon Sep 17 00:00:00 2001 From: DaMandal0rian Date: Wed, 26 Jul 2023 00:53:50 +0300 Subject: [PATCH 1/8] fix codesign for windows and macos --- .github/workflows/release.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml index 456a5ab3..3e000d32 100644 --- a/.github/workflows/release.yml +++ b/.github/workflows/release.yml @@ -134,7 +134,7 @@ jobs: if: runner.os == 'macOS' - name: Sign Application (Windows) - uses: skymatic/code-sign-action@cfcc1c15b32938bab6dea25192045b6d2989e4d0 # @v1.1.0 + uses: skymatic/code-sign-action@500ce4f8261ca9bd8f85978c1652b34fb511bdf4 # @v2.0.1 with: certificate: "${{ secrets.WINDOWS_CERTIFICATE }}" password: "${{ secrets.WINDOWS_CERTIFICATE_PASSWORD }}" From 3e68f6a40f464524bd0a8ec67eafe27da6af5898 Mon Sep 17 00:00:00 2001 From: DaMandal0rian Date: Fri, 4 Aug 2023 03:39:26 +0300 Subject: [PATCH 2/8] Use new method of notarization for macOS - altool is deprecated and will be dropped in 2023 - altool also not available with xcode command-line tools --- .github/workflows/release.yml | 16 ++++++++++++---- 1 file changed, 12 insertions(+), 4 deletions(-) diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml index 3e000d32..429b85d8 100644 --- a/.github/workflows/release.yml +++ b/.github/workflows/release.yml @@ -109,7 +109,7 @@ jobs: command: build args: --locked -Z build-std --target ${{ matrix.build.target }} --profile aarch64linux --bin subspace-cli - - name: Sign Application (macOS) + - name: Sign and Notarize Application (macOS) run: | echo "Importing certificate" echo "${{ secrets.MACOS_CERTIFICATE }}" | base64 --decode > certificate.p12 
@@ -125,9 +125,17 @@ jobs: cp ${{ matrix.build.production_target }}/subspace-cli ${{ matrix.build.production_target }}/macos-binaries ditto -c -k --rsrc ${{ matrix.build.production_target }}/macos-binaries subspace-binaries.zip echo "Notarizing" - xcrun altool --notarize-app --primary-bundle-id binaries-${{ github.ref_name }} --username "${{ secrets.MACOS_APPLE_ID}}" --password "${{ secrets.MACOS_APP_PASSWORD }}" --file subspace-binaries.zip - # echo "Stapling farmer" - # xcrun stapler staple ${{ matrix.build.production_target }}/subspace-cli + curl -sL https://github.com/mitchellh/gon/releases/download/v0.2.5/gon_macos.zip -o gon.zip + unzip gon.zip -d /usr/local/bin + cat << EOF > gon.hcl + source = ["subspace-binaries.zip"] + bundle_id = "com.your_name.app_name" + apple_id { + username = "${{ secrets.MACOS_APPLE_ID }}" + password = "${{ secrets.MACOS_APP_PASSWORD }}" + } + EOF + gon gon.hcl echo "Done!" # Allow code signing to fail on non-release builds and in non-subspace repos (forks) continue-on-error: ${{ github.github.repository_owner != 'subspace' || github.event_name != 'push' || github.ref_type != 'tag' }} From adcf874cdd88a7c58b546e2169f34bd63d405b60 Mon Sep 17 00:00:00 2001 From: DaMandal0rian Date: Fri, 4 Aug 2023 03:42:33 +0300 Subject: [PATCH 3/8] remove windows protoc workaround - use one protoc package as the bug was fixed with using powershell 7 --- .github/workflows/ci-tests.yml | 8 -------- .github/workflows/release.yml | 8 -------- 2 files changed, 16 deletions(-) diff --git a/.github/workflows/ci-tests.yml b/.github/workflows/ci-tests.yml index a1297f86..d54bb91d 100644 --- a/.github/workflows/ci-tests.yml +++ b/.github/workflows/ci-tests.yml 
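Review bot: The gon archive is fetched with `curl -sL` and unpacked with no integrity check, and the binary it contains is then handed the Apple ID credentials in the same step that imported the signing certificate. Record the expected digest and verify it before unzipping, for example `echo "<EXPECTED_SHA256>  gon.zip" | shasum -a 256 -c -`, and add `-f` to curl so an HTTP error body is not saved as the archive. The heredoc also expands `secrets.MACOS_APPLE_ID` and `secrets.MACOS_APP_PASSWORD` into `gon.hcl` in the workspace and nothing in the hunk removes that file; gon's configuration accepts an environment reference such as `password = "@env:AC_PASSWORD"`, which keeps the value out of the file, and the same applies to the rewritten heredoc in PATCH 5/8. `bundle_id = "com.your_name.app_name"` looks like a template placeholder rather than the project's identifier. The step's `run:` block starts outside the hunk.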
@@ -57,14 +57,6 @@ jobs: uses: arduino/setup-protoc@9b1ee5b22b0a3f1feb8c2ff99b32c89b3c3191e9 # v2.0.0 with: repo-token: ${{ secrets.GITHUB_TOKEN }} - if: contains(fromJSON('["Linux", "macOS"]'), runner.os) - - # Workaround to resolve https://github.com/arduino/setup-protoc/issues/86 - - name: Install Protoc - uses: arduino/setup-protoc@149f6c87b92550901b26acd1632e11c3662e381f # v1.3.0 - with: - repo-token: ${{ secrets.GITHUB_TOKEN }} - if: runner.os == 'Windows' # Workaround to resolve link error with C:\msys64\mingw64\bin\libclang.dll - name: Remove msys64 diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml index 429b85d8..cbdd201f 100644 --- a/.github/workflows/release.yml +++ b/.github/workflows/release.yml @@ -75,14 +75,6 @@ jobs: uses: arduino/setup-protoc@9b1ee5b22b0a3f1feb8c2ff99b32c89b3c3191e9 # v2.0.0 with: repo-token: ${{ secrets.GITHUB_TOKEN }} - if: contains(fromJSON('["Linux", "macOS"]'), runner.os) - - # Workaround to resolve https://github.com/arduino/setup-protoc/issues/86 - - name: Install Protoc - uses: arduino/setup-protoc@149f6c87b92550901b26acd1632e11c3662e381f # v1.3.0 - with: - repo-token: ${{ secrets.GITHUB_TOKEN }} - if: runner.os == 'Windows' # Workaround to resolve link error with C:\msys64\mingw64\bin\libclang.dll - name: Remove msys64 From b07dd9804aca2f96bdf81aecfb55a5d0fa6a48d5 Mon Sep 17 00:00:00 2001 From: DaMandal0rian Date: Fri, 4 Aug 2023 04:11:54 +0300 Subject: [PATCH 4/8] fix path permission --- .github/workflows/release.yml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml index cbdd201f..2d1bf25b 100644 --- a/.github/workflows/release.yml +++ b/.github/workflows/release.yml 
@@ -118,7 +118,7 @@ jobs: ditto -c -k --rsrc ${{ matrix.build.production_target }}/macos-binaries subspace-binaries.zip echo "Notarizing" curl -sL https://github.com/mitchellh/gon/releases/download/v0.2.5/gon_macos.zip -o gon.zip - unzip gon.zip -d /usr/local/bin + unzip gon.zip -d . cat << EOF > gon.hcl source = ["subspace-binaries.zip"] bundle_id = "com.your_name.app_name" @@ -127,7 +127,7 @@ jobs: password = "${{ secrets.MACOS_APP_PASSWORD }}" } EOF - gon gon.hcl + ./gon gon.hcl echo "Done!" # Allow code signing to fail on non-release builds and in non-subspace repos (forks) continue-on-error: ${{ github.github.repository_owner != 'subspace' || github.event_name != 'push' || github.ref_type != 'tag' }} From fdb29946336212eafd234515670493136fd401c6 Mon Sep 17 00:00:00 2001 From: DaMandal0rian Date: Sat, 5 Aug 2023 13:05:20 +0300 Subject: [PATCH 5/8] changes to notarization --- .github/workflows/release.yml | 21 +++++++++++++++++---- 1 file changed, 17 insertions(+), 4 deletions(-) diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml index 2d1bf25b..b1c7b136 100644 --- a/.github/workflows/release.yml +++ b/.github/workflows/release.yml 
@@ -121,13 +121,26 @@ jobs: unzip gon.zip -d . cat << EOF > gon.hcl source = ["subspace-binaries.zip"] - bundle_id = "com.your_name.app_name" + bundle_id = "${{ secrets.MACOS_BUNDLE_ID }}" + sign { + application_identity = "${{ secrets.MACOS_IDENTITY }}" + } apple_id { - username = "${{ secrets.MACOS_APPLE_ID }}" - password = "${{ secrets.MACOS_APP_PASSWORD }}" + username = "${{ secrets.MACOS_APPLE_ID }}" + password = "${{ secrets.MACOS_APP_PASSWORD }}" } EOF - ./gon gon.hcl + ./gon -log-level=info -log-json gon.hcl + + # Notarize the ZIP using notarytool + xcrun notarytool submit subspace-binaries.zip --apple-id "${{ secrets.MACOS_APPLE_ID }}" --password "${{ secrets.MACOS_APP_PASSWORD }}" --team-id "${{ secrets.MACOS_TEAM_ID }}" --wait + + # Wait for a few seconds to ensure notarization process has been completed + sleep 60 + + # Staple the zip package + xcrun stapler staple subspace-binaries.zip + echo "Done!" # Allow code signing to fail on non-release builds and in non-subspace repos (forks) continue-on-error: ${{ github.github.repository_owner != 'subspace' || github.event_name != 'push' || github.ref_type != 'tag' }} From e18ca00b840980b1aee6d4f3aab4c9bbbe92e05a Mon Sep 17 00:00:00 2001 From: DaMandal0rian Date: Mon, 7 Aug 2023 21:36:12 +0300 Subject: [PATCH 6/8] remove stapling for macos zip macOS stapling not supported for .zip files --- .github/workflows/release.yml | 6 ++---- 1 file changed, 2 insertions(+), 4 deletions(-) diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml index b1c7b136..df6ef442 100644 --- a/.github/workflows/release.yml +++ b/.github/workflows/release.yml 
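Review bot: The app-specific password is expanded by the workflow engine directly into the script text at `--password "${{ secrets.MACOS_APP_PASSWORD }}"`, so it is passed to `xcrun notarytool` as a command-line argument, and any `"`, `$` or backtick in the value is interpreted by the shell; the unquoted `<< EOF` heredoc above it expands its body the same way. Map the secrets through the step's `env:` and reference them as `"$MACOS_APPLE_ID"` / `"$MACOS_APP_PASSWORD"`, or store them once with `xcrun notarytool store-credentials` and submit with `--keychain-profile`, so the values never appear in the rendered script or the process arguments. Because `gon.hcl` still carries an `apple_id` block, it appears the archive is submitted for notarization twice, once by gon and once by notarytool; worth confirming which path is intended so only one tool needs the credentials. The `run:` block begins outside the hunk.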
@@ -135,11 +135,9 @@ jobs: # Notarize the ZIP using notarytool xcrun notarytool submit subspace-binaries.zip --apple-id "${{ secrets.MACOS_APPLE_ID }}" --password "${{ secrets.MACOS_APP_PASSWORD }}" --team-id "${{ secrets.MACOS_TEAM_ID }}" --wait - # Wait for a few seconds to ensure notarization process has been completed - sleep 60 - + # // todo stapling for macOS artifacts # Staple the zip package - xcrun stapler staple subspace-binaries.zip + # xcrun stapler staple subspace-binaries.zip echo "Done!" # Allow code signing to fail on non-release builds and in non-subspace repos (forks) From 0260969ddf91aeda0dea0710441ee4ab7a6d17aa Mon Sep 17 00:00:00 2001 From: DaMandal0rian Date: Tue, 8 Aug 2023 15:53:34 +0300 Subject: [PATCH 7/8] fix typo --- .github/workflows/release.yml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml index df6ef442..0d0d4d0c 100644 --- a/.github/workflows/release.yml +++ b/.github/workflows/release.yml @@ -141,7 +141,7 @@ jobs: echo "Done!" # Allow code signing to fail on non-release builds and in non-subspace repos (forks) - continue-on-error: ${{ github.github.repository_owner != 'subspace' || github.event_name != 'push' || github.ref_type != 'tag' }} + continue-on-error: ${{ github.repository_owner != 'subspace' || github.event_name != 'push' || github.ref_type != 'tag' }} if: runner.os == 'macOS' - name: Sign Application (Windows) 
@@ -152,7 +152,7 @@ jobs: certificatesha1: "${{ secrets.WINDOWS_CERTIFICATE_SHA }}" folder: "${{ matrix.build.production_target }}" # Allow code signing to fail on non-release builds and in non-subspace repos (forks) - continue-on-error: ${{ github.github.repository_owner != 'subspace' || github.event_name != 'push' || github.ref_type != 'tag' }} + continue-on-error: ${{ github.repository_owner != 'subspace' || github.event_name != 'push' || github.ref_type != 'tag' }} if: runner.os == 'Windows' - name: Prepare executables for uploading (Ubuntu) From fc4a4a8b873e9f8fac0f52f4d1cbfb9ea70f10b1 Mon Sep 17 00:00:00 2001 From: DaMandal0rian Date: Tue, 8 Aug 2023 17:24:49 +0300 Subject: [PATCH 8/8] switch gon installation to use brew - use brew instead of downloading releases --- .github/workflows/release.yml | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml index 0d0d4d0c..f238625c 100644 --- a/.github/workflows/release.yml +++ b/.github/workflows/release.yml @@ -117,8 +117,8 @@ jobs: cp ${{ matrix.build.production_target }}/subspace-cli ${{ matrix.build.production_target }}/macos-binaries ditto -c -k --rsrc ${{ matrix.build.production_target }}/macos-binaries subspace-binaries.zip echo "Notarizing" - curl -sL https://github.com/mitchellh/gon/releases/download/v0.2.5/gon_macos.zip -o gon.zip - unzip gon.zip -d . + brew update + brew install mitchellh/gon/gon cat << EOF > gon.hcl source = ["subspace-binaries.zip"] bundle_id = "${{ secrets.MACOS_BUNDLE_ID }}" @@ -130,7 +130,7 @@ jobs: password = "${{ secrets.MACOS_APP_PASSWORD }}" } EOF - ./gon -log-level=info -log-json gon.hcl + gon -log-level=info -log-json gon.hcl # Notarize the ZIP using notarytool xcrun notarytool submit subspace-binaries.zip --apple-id "${{ secrets.MACOS_APPLE_ID }}" --password "${{ secrets.MACOS_APP_PASSWORD }}" --team-id "${{ secrets.MACOS_TEAM_ID }}" --wait
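Review bot: `brew install mitchellh/gon/gon` in the PATCH 8/8 hunk installs whatever the third-party tap serves at run time, so the release job that holds the signing identity and Apple credentials now runs an unpinned tool, whereas the line it replaces at least named a fixed release (`v0.2.5`). Consider keeping a versioned download that is checked against a recorded SHA-256 before use, or at minimum logging `brew list --versions gon` so each release can be traced to the tool build that signed it. The added `brew update` also refreshes every tap on each run, which makes the toolchain differ from one release to the next. The `run:` block starts and ends outside the hunk.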