Closed agateau-gg closed 3 months ago
All modified and coverable lines are covered by tests :white_check_mark:

Project coverage is 91.92%. Comparing base (e9f0c61) to head (156fb1d). Report is 11 commits behind head on main.
This PR extends `scripts/build-standalone-exe` to produce signed macOS `.pkg` installers.

Signing `.zip` archives is not supported, so the PR switches to producing `.pkg` installers for macOS.

GGShield files are installed in `/opt/gitguardian/ggshield-$version` and a `ggshield` symlink is created in `/usr/local/bin`, so that ggshield can be started without having to modify `$PATH`.

## How signing works

Signing and notarizing is done using rcodesign, a cross-platform tool to sign and notarize macOS applications.

Signing a `.pkg` installer requires first signing all executables and libraries we ship, then creating the `.pkg`, then signing the `.pkg` itself.

`scripts/build-standalone-exe` does not sign binaries unless called with `--sign`. It then expects some environment variables to be set. They are documented in `doc/dev/standalone-executable.md`. They are defined as secrets in the GitHub configuration, and then pulled as environment variables by the CI.

## Testing

The whole signing process can take a long time, so we don't want to do it for every pull request. For now I added a separate workflow file called `sign.yml`, which can be manually triggered from the GitHub UI. The next step will be to integrate signing in the release process.

There's a chicken-and-egg problem though: this new workflow cannot be triggered until `sign.yml` exists in the default branch, so to test the full process the workflow is currently triggered on pull requests too, but I will remove this before merging.
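The three-stage order described under "How signing works" (sign the shipped executables and libraries, build the `.pkg`, then sign and notarize the `.pkg` itself), written out as an added shell example. This is not the project's `scripts/build-standalone-exe`; the secret names (`MACOS_P12_FILE`, `MACOS_P12_PASSWORD_FILE`, `MACOS_NOTARY_API_KEY_FILE`), the package identifier, and the exact `rcodesign` and `pkgbuild` flags are assumptions, since the page only says the variables are documented in `doc/dev/standalone-executable.md`. The up-front environment check is the part worth copying: a missing secret should fail the build before any file has been touched, rather than leaving a half-signed tree behind.

```shell
#!/bin/sh
# Added example, not ggshield's own build script. Secret names and tool flags
# below are assumptions; the real names live in doc/dev/standalone-executable.md.
set -eu

# Hypothetical names for the secrets the CI exports as environment variables.
REQUIRED_SIGN_VARS="MACOS_P12_FILE MACOS_P12_PASSWORD_FILE MACOS_NOTARY_API_KEY_FILE"

# Succeed only when every signing secret is present and non-empty.
check_sign_env() {
    missing=""
    for v in $REQUIRED_SIGN_VARS; do
        eval "val=\${$v:-}"
        [ -n "$val" ] || missing="$missing $v"
    done
    if [ -n "$missing" ]; then
        echo "missing signing variables:$missing" >&2
        return 1
    fi
    return 0
}

# Stage 1 helper: sign one Mach-O executable or library in place with the
# hardened runtime enabled (assumed rcodesign flags).
sign_binary() {
    rcodesign sign \
        --p12-file "$MACOS_P12_FILE" \
        --p12-password-file "$MACOS_P12_PASSWORD_FILE" \
        --code-signature-flags runtime \
        "$1"
}

# Stage 3 helper: sign the flat .pkg itself. The runtime flag only applies to
# Mach-O code, so it is omitted here.
sign_pkg() {
    rcodesign sign \
        --p12-file "$MACOS_P12_FILE" \
        --p12-password-file "$MACOS_P12_PASSWORD_FILE" \
        "$1"
}

# Run the whole pipeline on a staging tree.
#   $1  staging directory whose contents end up under /opt/gitguardian/ggshield-$version
#   $2  version string
#   $3  path of the .pkg to produce
# The /usr/local/bin/ggshield symlink the PR mentions would be created by a
# postinstall script passed via pkgbuild --scripts, which is not shown here.
build_signed_pkg() {
    staging="$1"; version="$2"; out="$3"
    check_sign_env || return 1

    # Stage 1: sign owner-executable files and shared libraries first. Order
    # matters: the .pkg signature covers the payload, so signing a binary after
    # packaging would invalidate the installer's signature.
    find "$staging" -type f \( -perm -100 -o -name '*.dylib' -o -name '*.so' \) |
    while IFS= read -r f; do
        sign_binary "$f"
    done

    # Stage 2: build the installer with the install location the PR uses.
    # The identifier is a placeholder, not taken from the project.
    pkgbuild --root "$staging" \
        --identifier com.gitguardian.ggshield \
        --version "$version" \
        --install-location "/opt/gitguardian/ggshield-$version" \
        "$out"

    # Stage 3: sign the installer, then notarize it and staple the ticket so
    # Gatekeeper can verify it without contacting Apple.
    sign_pkg "$out"
    rcodesign notary-submit --api-key-file "$MACOS_NOTARY_API_KEY_FILE" --staple "$out"
}
```

Usage is `build_signed_pkg ./stage 1.2.3 ggshield-1.2.3.pkg` with the three variables exported by the CI from repository secrets; without them the function returns 1 before calling `rcodesign` or `pkgbuild` at all.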