Fix Mac ARM release process (#1428)

* Reapply "Add Mac arm64 executable (#1426)" (#1429)

This reverts commit 36e62bb.

* Zip up the right archive.

* Try adding an entitlement.

* Explicitly install xz.

* try entitlements.

* Move entitlements arg.

* Fix condition

* wip

* Only use entitlements for arm64.

* Use correct equality.

* Restore full conditional.

* Fix conditional

Author: csasarak

.github/entitlements.plist

@@ -0,0 +1,8 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
+<plist version="1.0">
+<dict>
+    <key>com.apple.security.cs.disable-library-validation</key>
+    <true/>
+</dict>
+</plist>

.github/workflows/build-all.yml

@@ -19,16 +19,17 @@ jobs:
 
     strategy:
       matrix:
-        os: ['windows-latest', 'ubuntu-latest', 'macos-12']
+        os: ['windows-latest', 'ubuntu-latest', 'macos-12', 'macos-latest']
         include:
         - os: ubuntu-latest
           os-name: Linux
           container: fossa/haskell-static-alpine:ghc-9.4.8
           project-file: cabal.project.ci.linux
           ghc: '9.4.8'
 
+        # macos-latest pointed at macos-12 this before it was changed to ARM.
         - os: macos-12
-          os-name: macOS
+          os-name: macOS-intel
           project-file: cabal.project.ci.macos
           ghc: '9.4.8'
 
@@ -37,6 +38,11 @@ jobs:
           project-file: cabal.project.ci.windows
           ghc: '9.4.8'
 
+        - os: macos-latest
+          os-name: macOS-arm64
+          project-file: cabal.project.ci.macos
+          ghc: '9.4.8'
+
     steps:
 
     - uses: actions/checkout@v4
@@ -134,22 +140,22 @@ jobs:
       name: Cache cabal store
       with:
         path: ${{ steps.setup-haskell.outputs.cabal-store || '~/.local/state/cabal' }}
-        key: ${{ runner.os }}-${{ matrix.ghc }}-cabal-cache-${{ steps.compute-cache-key.outputs.cabal-cache-key }}
+        key: ${{ matrix.os-name }}-${{ matrix.ghc }}-cabal-cache-${{ steps.compute-cache-key.outputs.cabal-cache-key }}
         restore-keys: |
-          ${{ runner.os }}-${{ matrix.ghc }}-cabal-cache-
-          ${{ runner.os }}-${{ matrix.ghc }}-
-          ${{ runner.os }}-
+          ${{ matrix.os-name }}-${{ matrix.ghc }}-cabal-cache-
+          ${{ matrix.os-name }}-${{ matrix.ghc }}-
+          ${{ matrix.os-name }}-
 
     - uses: actions/cache@v4
       name: Cache dist-newstyle
       with:
         path: ${{ github.workspace }}/dist-newstyle
-        key: ${{ runner.os }}-${{ env.GHC_VERSION }}-dist-newstyle-${{ github.sha }}
+        key: ${{ matrix.os-name }}-${{ env.GHC_VERSION }}-dist-newstyle-${{ github.sha }}
         restore-keys: |
-          ${{ runner.os }}-${{ env.GHC_VERSION }}-dist-newstyle-${{ env.parent_commit }}
-          ${{ runner.os }}-${{ env.GHC_VERSION }}-dist-newstyle-
-          ${{ runner.os }}-${{ env.GHC_VERSION }}-
-          ${{ runner.os }}-
+          ${{ matrix.os-name }}-${{ env.GHC_VERSION }}-dist-newstyle-${{ env.parent_commit }}
+          ${{ matrix.os-name }}-${{ env.GHC_VERSION }}-dist-newstyle-
+          ${{ matrix.os-name }}-${{ env.GHC_VERSION }}-
+          ${{ matrix.os-name }}-
 
     - name: Update vendored binaries
       run: |
@@ -224,6 +230,7 @@ jobs:
         APPLE_NOTARIZATION_DEV_PASS: ${{ secrets.APPLE_NOTARIZATION_DEV_PASS }}
         APPLE_NOTARIZATION_DEV_ID: ${{ secrets.APPLE_NOTARIZATION_DEV_ID }}
         APPLE_TEAM_ID: ${{ secrets.APPLE_TEAM_ID }}
+        OS_NAME: ${{ matrix.os-name }}
       run: |
         # create variables
         CERTIFICATE_PATH=$RUNNER_TEMP/build_certificate.p12
@@ -241,10 +248,18 @@ jobs:
         security import $CERTIFICATE_PATH -P "$MACOS_BUILD_CERT_P12_PASSWORD" -A -t cert -f pkcs12 -k $KEYCHAIN_PATH
         security list-keychain -d user -s $KEYCHAIN_PATH
 
+
         chmod +x release/*
         # '--options runtime' enables the hardened runtime: https://developer.apple.com/documentation/security/hardened_runtime
+        # On Apple Silicon there doesn't seem to be a default liblzma, and the one installed via homebrew is rejected.
+        # The entitlement line will relax that check.
         # The hardened runtime is required for notarization.
-        codesign --options runtime -s 'FOSSA, Inc.' release/fossa
+        if [ "$OS_NAME" = "macOS-arm64" ] ; then
+          codesign --entitlements .github/entitlements.plist --options runtime -s 'FOSSA, Inc.' release/fossa
+        else
+          # Intel does not need the entitlement to run liblzma, which is included in the base system.
+          codesign --options runtime -s 'FOSSA, Inc.' release/fossa
+        fi
         codesign --options runtime -s 'FOSSA, Inc.' release/diagnose
         codesign --options runtime -s 'FOSSA, Inc.' release/millhone
 
@@ -260,7 +275,7 @@ jobs:
 
     - uses: actions/upload-artifact@v4
       with:
-        name: ${{ runner.os }}-binaries
+        name: ${{ matrix.os-name }}-binaries
         path: release
 
   create-release:
@@ -367,10 +382,14 @@ jobs:
         gzip "$LINUX_DIAGNOSE_TAR_PATH"
         gzip "$LINUX_MILLHONE_TAR_PATH"
 
-        chmod +x macOS-binaries/*
-        zip -j release/fossa_${{ steps.get-version.outputs.VERSION }}_darwin_amd64.zip macOS-binaries/fossa
-        zip -j release/diagnose_${{ steps.get-version.outputs.VERSION }}_darwin_amd64.zip macOS-binaries/diagnose
-        zip -j release/millhone_${{ steps.get-version.outputs.VERSION }}_darwin_amd64.zip macOS-binaries/millhone
+        chmod +x macOS-intel-binaries/*
+        zip -j release/fossa_${{ steps.get-version.outputs.VERSION }}_darwin_amd64.zip macOS-intel-binaries/fossa
+        zip -j release/diagnose_${{ steps.get-version.outputs.VERSION }}_darwin_amd64.zip macOS-intel-binaries/diagnose
+        zip -j release/millhone_${{ steps.get-version.outputs.VERSION }}_darwin_amd64.zip macOS-intel-binaries/millhone
+        chmod +x macOS-arm64-binaries/*
+        zip -j release/fossa_${{ steps.get-version.outputs.VERSION }}_darwin_arm64.zip macOS-arm64-binaries/fossa
+        zip -j release/diagnose_${{ steps.get-version.outputs.VERSION }}_darwin_arm64.zip macOS-arm64-binaries/diagnose
+        zip -j release/millhone_${{ steps.get-version.outputs.VERSION }}_darwin_arm64.zip macOS-arm64-binaries/millhone
 
         chmod +x Windows-binaries/*
         zip -j release/fossa_${{ steps.get-version.outputs.VERSION }}_windows_amd64.zip Windows-binaries/fossa.exe
@@ -384,6 +403,7 @@ jobs:
         sha256sum --binary "fossa_${{ steps.get-version.outputs.VERSION }}_linux_amd64.zip" > "fossa_${{ steps.get-version.outputs.VERSION }}_linux_amd64.zip.sha256"
         sha256sum --binary "fossa_${{ steps.get-version.outputs.VERSION }}_linux_amd64.tar.gz" > "fossa_${{ steps.get-version.outputs.VERSION }}_linux_amd64.tar.gz.sha256"
         sha256sum --binary "fossa_${{ steps.get-version.outputs.VERSION }}_darwin_amd64.zip" > "fossa_${{ steps.get-version.outputs.VERSION }}_darwin_amd64.zip.sha256"
+        sha256sum --binary "fossa_${{ steps.get-version.outputs.VERSION }}_darwin_arm64.zip" > "fossa_${{ steps.get-version.outputs.VERSION }}_darwin_arm64.zip.sha256"
         sha256sum --binary "fossa_${{ steps.get-version.outputs.VERSION }}_windows_amd64.zip" > "fossa_${{ steps.get-version.outputs.VERSION }}_windows_amd64.zip.sha256"
 
         echo "Sanity-checking the checksums."

.github/workflows/install-script-test.yml

@@ -55,6 +55,28 @@ jobs:
           fossa --version
           brew uninstall fossa
 
+  # These are run separately from the Matrix above because:
+  # 1. There is no Mac ARM fossa v1.
+  # 2. Earlier versions of cli v3 did not have ARM releases.
+  test-macos-arm:
+    runs-on: "macos-latest"
+    steps:
+      - uses: actions/checkout@v4
+      - name: install latest script can install a specific version
+        shell: bash
+        run: |
+          # 3.9.19 is the first version with native Mac ARM builds.
+          ./install-latest.sh -b . v3.9.19
+          ./fossa --version | grep -q "3.9.19"
+          rm fossa
+
+      - name: install latest script performs installation
+        shell: bash
+        run: |
+          ./install-latest.sh -b .
+          ./fossa --version
+          rm fossa
+
   test-windows:
     runs-on: "windows-latest"
     steps:

Changelog.md

@@ -1,6 +1,7 @@
 # FOSSA CLI Changelog
 
-## Unreleased
+## v3.9.19
+- Release a Mac arm64 binary. ([#1426](https://github.com/fossas/fossa-cli/pull/1426))
 - Updated the license to CPAL, an OSI-approved license similar to MPL ([#1431](https://github.com/fossas/fossa-cli/pull/1431)).
 
 ## v3.9.18

install-latest.sh

@@ -393,9 +393,10 @@ get_binary_name() {
   name=${PROJECT_NAME}_${VERSION}_${OS}_${ARCH}
   case ${PLATFORM} in
     darwin/arm64)
-      log_info "Platform ${PLATFORM} (m1 silicon) detected, using compatible darwin/amd64 binary instead."
-      name=${PROJECT_NAME}_${VERSION}_${OS}_amd64
-      ;;
+      if version_less_than "$VERSION" "3.9.19"; then
+        log_info "Platform ${PLATFORM} (m1 silicon) detected and requested version < 3.9.19, using compatible darwin/amd64 binary instead."
+        name=${PROJECT_NAME}_${VERSION}_${OS}_amd64
+      fi ;;
   esac
   echo "$name"
 }

vendor_download.sh

@@ -35,15 +35,17 @@ THEMIS_ASSET_POSTFIX=""
 LERNIE_ASSET_POSTFIX=""
 case "$(uname -s)" in
   Darwin)
-    ASSET_POSTFIX="darwin"
-    THEMIS_ASSET_POSTFIX="darwin-amd64"
     case "$(uname -m)" in
       arm64)
+        ASSET_POSTFIX="darwin-arm64"
         LERNIE_ASSET_POSTFIX="aarch64-macos"
+        THEMIS_ASSET_POSTFIX="darwin-arm64"
         ;;
 
       *)
+        ASSET_POSTFIX="darwin-amd64"
         LERNIE_ASSET_POSTFIX="x86_64-macos"
+        THEMIS_ASSET_POSTFIX="darwin-amd64"
         ;;
     esac
     ;;