GitGuardian / ggshield

Find and fix 400+ types of hardcoded secrets and 70+ types of infrastructure-as-code misconfigurations.
https://gitguardian.com
MIT License

Sign macOS binaries #862

Closed agateau-gg closed 3 months ago

agateau-gg commented 4 months ago

This PR extends scripts/build-standalone-exe to produce signed macOS binaries.

.pkg installers

Signing .zip archives is not supported so the PR switches to producing .pkg installers for macOS.

GGShield files are installed in /opt/gitguardian/ggshield-$version and a ggshield symlink is created in /usr/local/bin so that ggshield can be started without having to modify $PATH.

How signing works

Signing and notarizing is done using rcodesign, a cross-platform tool to sign and notarize macOS applications.

Signing a .pkg installer requires first signing all executables and libraries we ship, then creating the .pkg, then signing the .pkg itself.

scripts/build-standalone-exe does not sign binaries unless called with --sign. It then expects some environment variables to be set. They are documented in doc/dev/standalone-executable.md. They are defined as secrets in GitHub configuration, and then pulled as environment variables by the CI.

Testing

The whole signing process can take a long time, so we don't want to do it for every pull request. For now I added a separate workflow file called sign.yml, which can be manually triggered from GitHub UI. The next step will be to integrate signing in the release process.

There's a chicken-and-egg problem though: this new workflow cannot be triggered until sign.yml exists in the default branch, so to test the full process the workflow is currently triggered on pull requests too, but I will remove this before merging.
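The three-step flow described above (sign every shipped executable and library, build the .pkg, sign the .pkg), as an added example that is not ggshield's own scripts/build-standalone-exe: it finds inner Mach-O files by header rather than by name, signs each with rcodesign, builds the installer with pkgbuild and signs that too. The rcodesign flags (--p12-file, --p12-password-file, --code-signature-flags runtime), the pkgbuild options and the package identifier com.example.ggshield are assumptions from my own use of those tools, and make_demo_bundle() writes a constructed sample tree so the detection logic can be exercised without a real build.

```python
import struct
import subprocess
import tempfile
from pathlib import Path

THIN_MAGICS = {b"\xfe\xed\xfa\xce", b"\xce\xfa\xed\xfe", b"\xfe\xed\xfa\xcf", b"\xcf\xfa\xed\xfe"}
FAT_MAGIC = b"\xca\xfe\xba\xbe"  # universal binaries; Java .class files share this magic

def is_macho(path: Path) -> bool:
    """Detect by header, not by name: a PyInstaller tree mixes extensionless executables, .so/.dylib and data."""
    if path.is_symlink() or not path.is_file():
        return False
    with path.open("rb") as f:
        head = f.read(8)
    if head[:4] in THIN_MAGICS:
        return True
    if head[:4] == FAT_MAGIC and len(head) == 8:
        nfat_arch = struct.unpack(">I", head[4:])[0]
        return 0 < nfat_arch < 45  # a class file has major_version >= 45 in this slot
    return False

def find_macho_files(root: Path) -> list[Path]:
    """Step 1 targets: the .pkg signature does not cover the files inside it, so each needs its own."""
    return sorted((p for p in root.rglob("*") if is_macho(p)), key=str)

def rcodesign_sign_cmd(target: Path, p12: Path, pw_file: Path) -> list[str]:
    return ["rcodesign", "sign", "--p12-file", str(p12), "--p12-password-file", str(pw_file),
            "--code-signature-flags", "runtime", str(target)]  # hardened runtime: needed for notarization

def build_signed_pkg(bundle: Path, version: str, p12: Path, pw_file: Path, out_pkg: Path) -> list[Path]:
    """Sign inner binaries, build a .pkg installing into /opt/gitguardian/ggshield-<version>, sign the .pkg."""
    signed = find_macho_files(bundle)
    for binary in signed:
        subprocess.run(rcodesign_sign_cmd(binary, p12, pw_file), check=True)
    subprocess.run(["pkgbuild", "--root", str(bundle), "--identifier", "com.example.ggshield", "--version", version,
                    "--install-location", f"/opt/gitguardian/ggshield-{version}", str(out_pkg)], check=True)
    subprocess.run(rcodesign_sign_cmd(out_pkg, p12, pw_file), check=True)
    return signed

def make_demo_bundle() -> Path:
    """Constructed sample tree (header bytes only) to exercise is_macho() offline."""
    root = Path(tempfile.mkdtemp(prefix="ggshield-demo-"))
    (root / "lib").mkdir()
    (root / "ggshield").write_bytes(b"\xcf\xfa\xed\xfe" + b"\0" * 28)  # 64-bit Mach-O
    (root / "lib" / "_ssl.cpython-311-darwin.so").write_bytes(b"\xcf\xfa\xed\xfe" + b"\0" * 28)
    (root / "lib" / "libcrypto.dylib").write_bytes(FAT_MAGIC + b"\x00\x00\x00\x02")  # fat, 2 arches
    (root / "lib" / "Foo.class").write_bytes(FAT_MAGIC + b"\x00\x00\x00\x34")  # Java, must be skipped
    (root / "README.txt").write_text("not a binary\n")
    (root / "ggshield-link").symlink_to("ggshield")  # symlinks are skipped, the target is signed once
    return root
```

Signing the .pkg before its inner binaries are signed would leave Gatekeeper rejecting the installed ggshield executable even though the installer itself verifies, which is why the order in build_signed_pkg() matters.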

codecov-commenter commented 4 months ago

Codecov Report

All modified and coverable lines are covered by tests :white_check_mark:

Project coverage is 91.92%. Comparing base (e9f0c61) to head (156fb1d). Report is 11 commits behind head on main.

:exclamation: Your organization needs to install the Codecov GitHub app to enable full functionality.

Additional details and impacted files

```diff
@@            Coverage Diff             @@
##             main     #862      +/-   ##
==========================================
+ Coverage   91.81%   91.92%   +0.10%
==========================================
  Files         170      170
  Lines        7066     7058       -8
==========================================
  Hits         6488     6488
+ Misses        578      570       -8
```

| [Flag](https://app.codecov.io/gh/GitGuardian/ggshield/pull/862/flags?src=pr&el=flags&utm_medium=referral&utm_source=github&utm_content=comment&utm_campaign=pr+comments&utm_term=GitGuardian) | Coverage Δ | |
|---|---|---|
| [unittests](https://app.codecov.io/gh/GitGuardian/ggshield/pull/862/flags?src=pr&el=flag&utm_medium=referral&utm_source=github&utm_content=comment&utm_campaign=pr+comments&utm_term=GitGuardian) | `91.92% <ø> (+0.10%)` | :arrow_up: |

Flags with carried forward coverage won't be shown. [Click here](https://docs.codecov.io/docs/carryforward-flags?utm_medium=referral&utm_source=github&utm_content=comment&utm_campaign=pr+comments&utm_term=GitGuardian#carryforward-flags-in-the-pull-request-comment) to find out more.
