
Commit 792e996

feloyclaude
andauthored
ci: add macOS code signing and notarization to release workflow (#71)
Signed-off-by: Philippe Martin <phmartin@redhat.com> Co-authored-by: Claude Sonnet 4.6 <noreply@anthropic.com>
1 parent 8702c38 commit 792e996

1 file changed

Lines changed: 51 additions & 0 deletions


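--- a/.github/workflows/release.yml
+++ b/.github/workflows/release.yml
@@ -68,6 +68,57 @@ jobs:
         if: matrix.use_cross == true
         run: cross build --release --target ${{ matrix.target }}
 
+      - name: Import signing certificate
+        if: runner.os == 'macOS'
+        env:
+          APPLE_SIGNING_CERTIFICATE: ${{ secrets.APPLE_SIGNING_CERTIFICATE }}
+          APPLE_SIGNING_CERTIFICATE_PASSWORD: ${{ secrets.APPLE_SIGNING_CERTIFICATE_PASSWORD }}
+        run: |
+          KEYCHAIN_PATH="$RUNNER_TEMP/signing.keychain-db"
+          KEYCHAIN_PASSWORD=$(openssl rand -hex 16)
+          echo "$APPLE_SIGNING_CERTIFICATE" | base64 --decode > "$RUNNER_TEMP/certificate.p12"
+          security create-keychain -p "$KEYCHAIN_PASSWORD" "$KEYCHAIN_PATH"
+          security set-keychain-settings -lut 900 "$KEYCHAIN_PATH"
+          security unlock-keychain -p "$KEYCHAIN_PASSWORD" "$KEYCHAIN_PATH"
+          security import "$RUNNER_TEMP/certificate.p12" \
+            -k "$KEYCHAIN_PATH" \
+            -P "$APPLE_SIGNING_CERTIFICATE_PASSWORD" \
+            -T /usr/bin/codesign
+          security list-keychain -d user -s "$KEYCHAIN_PATH"
+          security set-key-partition-list -S apple-tool:,apple: -s -k "$KEYCHAIN_PASSWORD" "$KEYCHAIN_PATH"
+
+      - name: Sign binary
+        if: runner.os == 'macOS'
+        run: |
+          IDENTITY=$(security find-identity -v -p codesigning "$RUNNER_TEMP/signing.keychain-db" \
+            | grep "Developer ID Application" \
+            | awk '{print $2}')
+          codesign \
+            --deep \
+            --force \
+            --sign "$IDENTITY" \
+            --options runtime \
+            target/${{ matrix.target }}/release/openshell-image-builder
+
+      - name: Notarize binary
+        if: runner.os == 'macOS'
+        env:
+          APPLE_ID: ${{ secrets.APPLE_ID }}
+          APPLE_ID_PASSWORD: ${{ secrets.APPLE_ID_PASSWORD }}
+          APPLE_TEAM_ID: ${{ secrets.APPLE_TEAM_ID }}
+        run: |
+          zip -j "$RUNNER_TEMP/openshell-image-builder.zip" \
+            target/${{ matrix.target }}/release/openshell-image-builder
+          xcrun notarytool submit "$RUNNER_TEMP/openshell-image-builder.zip" \
+            --apple-id "$APPLE_ID" \
+            --password "$APPLE_ID_PASSWORD" \
+            --team-id "$APPLE_TEAM_ID" \
+            --wait
+
+      - name: Clean up keychain
+        if: always() && runner.os == 'macOS'
+        run: security delete-keychain "$RUNNER_TEMP/signing.keychain-db"
+
       - name: Upload artifact
         uses: actions/upload-artifact@043fb46d1a93c77aae656e7c1c64a875d1fc6a0a # v7.0.1
         with: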
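Review bot: In the `Sign binary` step, `IDENTITY` comes from a `grep | awk` pipeline inside a command substitution whose exit status is awk's, so when the imported keychain holds no `Developer ID Application` identity the variable is silently empty and `codesign --sign ""` fails with an unrelated error later. Guard it before the `codesign` call with `[ -n "$IDENTITY" ] || { echo "no Developer ID Application identity found in keychain" >&2; exit 1; }`. The decoded `$RUNNER_TEMP/certificate.p12` is also left on disk after `security import` — the `Clean up keychain` step removes only the keychain — so add `rm -f "$RUNNER_TEMP/certificate.p12"` at the end of `Import signing certificate` (the zip built for notarization is likewise never removed). Consider adding `--timestamp` to the `codesign` invocation as well, since notarization requires a secure timestamp and relying on codesign's default behaviour for this identity is implicit.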

