mit-plv / fiat-crypto

Cryptographic Primitive Code Generation by Fiat
http://adam.chlipala.net/papers/FiatCryptoSP19/FiatCryptoSP19.pdf

Sign & notarize MacOS binaries? #1892

Open JasonGross opened 4 months ago

JasonGross commented 4 months ago

Perhaps we should sign & notarize the MacOS binaries for ease of use?

ChatGPT suggests that the steps are:


Without a Mac, you can still handle code signing and notarization using GitHub Actions. Here’s a step-by-step approach:

  1. Apple Developer Account: Ensure that you have an Apple Developer account, as you'll need certificates and credentials for signing and notarization.

  2. Create and Export Signing Certificate:
    • Use a Mac to create a Developer ID Application certificate, or obtain one from your team.
    • Export the certificate as a .p12 file.

  3. Add Secrets to GitHub:
    • Encrypt your .p12 file and add it as a GitHub Actions secret, along with the certificate password and your Apple Developer account credentials.

  4. Install and Configure xcnotary:
    • Use xcnotary, a third-party tool that supports notarizing applications via CI, which works well with GitHub Actions.
    • Install xcnotary in your GitHub Actions workflow by adding:

   ```yaml
   - name: Install xcnotary
     run: brew install keith/formulae/xcnotary
   ```

  5. Import Certificate:
    • Import the .p12 file in your CI workflow using:

   ```yaml
   - name: Import Signing Certificate
     env:
       P12_PASSWORD: ${{ secrets.CERTIFICATE_PASSWORD }}
     run: |
       security create-keychain -p "" build.keychain
       security import certificate.p12 -k build.keychain -P "$P12_PASSWORD" -T /usr/bin/codesign
   ```

  6. Sign the Universal Binary:
    • After combining the architectures using lipo, sign it with:

   ```yaml
   - name: Code Sign
     run: |
       codesign --sign "Developer ID Application: Your Name (TeamID)" --timestamp --keychain build.keychain universal_binary
   ```

  7. Notarize the Binary:
    • Use xcnotary to notarize your signed binary:

   ```yaml
   - name: Notarize Binary
     run: |
       xcnotary notarize universal_binary --apple-id ${{ secrets.APPLE_ID }} --password ${{ secrets.APPLE_PASSWORD }} --team-id "YourTeamID"
   ```

  8. Staple the Notarization:
    • After successful notarization, apply the notarization ticket to the binary:

   ```yaml
   - name: Staple Notarization
     run: xcrun stapler staple universal_binary
   ```

Make sure your secrets are stored securely within GitHub Actions. This setup allows you to automate signing and notarization entirely through GitHub Actions without direct access to a Mac.
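A complete workflow assembling the steps above, as an added example that is not from the issue or from the fiat-crypto repository. It swaps in Apple's own `xcrun notarytool` (shipped with Xcode on GitHub's macOS runners) in place of xcnotary, passes every secret through `env:` instead of interpolating `${{ secrets.* }}` into the shell script, signs with the hardened runtime (`--options runtime`), which notarization requires for executables, and verifies the signature strictly before uploading. The secret names, the artifact name `macos-universal`, the path `dist/universal_binary` and the signing identity string are assumptions. One caveat on step 8 of the quoted procedure: `stapler` cannot attach a ticket to a standalone Mach-O executable, so there is no staple step here; Gatekeeper fetches the ticket online, and a release that must validate offline needs to ship inside a `.dmg` or `.pkg` that is itself notarized and stapled.

```yaml
# Added example (not from the issue or the fiat-crypto repository).
# Assumptions: a prior job uploaded the lipo-combined binary as artifact
# "macos-universal" containing dist/universal_binary; the secrets named
# below exist in the repository settings. TEAMID_PLACEHOLDER is a placeholder.
name: Sign and notarize macOS binary

on:
  workflow_dispatch:

jobs:
  sign-notarize:
    runs-on: macos-latest
    steps:
      - name: Download universal binary
        uses: actions/download-artifact@v4
        with:
          name: macos-universal
          path: dist

      - name: Import Developer ID certificate into a throwaway keychain
        env:
          CERTIFICATE_P12_BASE64: ${{ secrets.MACOS_CERTIFICATE_P12_BASE64 }}  # base64 of the exported .p12
          CERTIFICATE_PASSWORD: ${{ secrets.MACOS_CERTIFICATE_PASSWORD }}
        run: |
          set -euo pipefail
          # Random per-run password: the keychain only lives inside this job.
          KEYCHAIN_PASSWORD="$(openssl rand -hex 16)"
          echo "KEYCHAIN_PASSWORD=$KEYCHAIN_PASSWORD" >> "$GITHUB_ENV"
          echo "$CERTIFICATE_P12_BASE64" | base64 --decode > certificate.p12
          security create-keychain -p "$KEYCHAIN_PASSWORD" build.keychain
          security set-keychain-settings -lut 21600 build.keychain
          security unlock-keychain -p "$KEYCHAIN_PASSWORD" build.keychain
          security import certificate.p12 -k build.keychain \
            -P "$CERTIFICATE_PASSWORD" -T /usr/bin/codesign
          # Allow codesign to use the key without a GUI prompt (a runner has none).
          security set-key-partition-list -S apple-tool:,apple:,codesign: \
            -s -k "$KEYCHAIN_PASSWORD" build.keychain
          security list-keychains -d user -s build.keychain login.keychain
          rm -f certificate.p12

      - name: Code sign with hardened runtime and secure timestamp
        env:
          SIGNING_IDENTITY: "Developer ID Application: Your Name (TEAMID_PLACEHOLDER)"
        run: |
          set -euo pipefail
          codesign --force --sign "$SIGNING_IDENTITY" --timestamp --options runtime \
            --keychain build.keychain dist/universal_binary
          # Fail the job if the signature does not validate strictly.
          codesign --verify --strict --verbose=2 dist/universal_binary

      - name: Notarize (notarytool accepts zip, dmg or pkg, not a bare Mach-O)
        env:
          APPLE_ID: ${{ secrets.APPLE_ID }}
          APPLE_APP_SPECIFIC_PASSWORD: ${{ secrets.APPLE_APP_SPECIFIC_PASSWORD }}
          APPLE_TEAM_ID: ${{ secrets.APPLE_TEAM_ID }}
        run: |
          set -euo pipefail
          ditto -c -k --keepParent dist/universal_binary universal_binary.zip
          # --wait blocks until Apple reports a final status; check the reported
          # status explicitly rather than trusting the exit code alone.
          xcrun notarytool submit universal_binary.zip \
            --apple-id "$APPLE_ID" --password "$APPLE_APP_SPECIFIC_PASSWORD" \
            --team-id "$APPLE_TEAM_ID" --wait | tee notarytool.log
          grep -q 'status: Accepted' notarytool.log
          # No stapler step: a standalone executable cannot carry a stapled ticket.

      - name: Upload signed binary
        uses: actions/upload-artifact@v4
        with:
          name: macos-universal-signed
          path: dist/universal_binary

      - name: Remove the build keychain
        if: always()
        run: security delete-keychain build.keychain || true
```

The keychain is created with a fresh random password and deleted in an `if: always()` step, so a failed signing run does not leave the imported private key on the runner; the `.p12` is removed from disk as soon as it has been imported. If notarization is rejected, `xcrun notarytool log <submission-id>` returns Apple's per-file findings (missing hardened runtime, unsigned nested code, and so on), which is the place to start when `status: Accepted` does not appear.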