Add package signing configuration for GitHub Actions #14708
I'm currently testing a notarize configuration like this.

```yaml
- name: Notarize package
  run: |
    xcrun notarytool submit Homebrew-${{ steps.print-version.outputs.version }}.pkg \
      --apple-id "$APPLE_ID_USERNAME" \
      --team-id "$SIGNING_IDENTITY" \
      --password "$APPLE_ID_PASSWORD" \
      --wait
```

Ref: Automatic Code-signing and Notarization for macOS apps using GitHub Actions
Great work so far here @TETRA2000!
Reading the article, that doesn't seem to apply to simple packages like Homebrew's.
@MikeMcQuaid @SMillerDev I thought the same at first too. But this Apple document says you can notarize flat installer packages, and this line drew my eye.

And this error message I previously posted also suggests notarization may still be a problem.
Progress update: I succeeded in making a package which doesn't trigger warnings!

Build commands

```shell
# I removed fixtures (reasons are described in 'Notarization errors')
rm -rf Library/Homebrew/test/support/fixtures/

# I built with this command. (But I need to tweak `--filter` a bit.)
pkgbuild --root brew \
  --scripts brew/package/scripts \
  --install-location "/tmp/brew" \
  --identifier "dev.tetra2000.brew" \
  --sign "788YH48Y3Q" \
  --min-os-version "11.0" \
  --filter .DS_Store \
  --version tmp \
  Homebrew-tmp.pkg

# Then I notarized with this command
xcrun notarytool submit Homebrew-tmp.pkg \
  --apple-id "***" \
  --team-id "788YH48Y3Q" \
  --password "***" \
  --wait
```

Outputs from `xcrun notarytool submit`.

After this,

And macOS no longer shows warning dialogs.

Notarization errors

This repository contains unsigned binaries in

Error messages

```json
{
  "logFormatVersion": 1,
  "jobId": "7963d438-abbc-4dd6-a50a-c4a5380b7a31",
  "status": "Invalid",
  "statusSummary": "Archive contains critical validation errors",
  "statusCode": 4000,
  "archiveFilename": "Homebrew-tmp.pkg",
  "uploadDate": "2023-02-20T13:35:44.060Z",
  "sha256": "47cebcc355ffd5363e8e3396024f959bea82cd03130c39663cff2f8263f484c1",
  "ticketContents": null,
  "issues": [
    {
      "severity": "error",
      "code": null,
      "path": "Homebrew-tmp.pkg/Homebrew-tmp.pkg Contents/Payload/tmp/brew/Library/Homebrew/test/support/fixtures/bottles/testball_bottle-0.1.yosemite.bottle.tar.gz/testball_bottle-0.1.yosemite.bottle.tar/testball_bottle/0.1/bin/helloworld",
      "message": "The binary is not signed.",
      "docUrl": "https://developer.apple.com/documentation/security/notarizing_macos_software_before_distribution/resolving_common_notarization_issues#3087721",
      "architecture": "i386"
    },
    {
      "severity": "error",
      "code": null,
      "path": "Homebrew-tmp.pkg/Homebrew-tmp.pkg Contents/Payload/tmp/brew/Library/Homebrew/test/support/fixtures/bottles/testball_bottle-0.1.yosemite.bottle.tar.gz/testball_bottle-0.1.yosemite.bottle.tar/testball_bottle/0.1/bin/helloworld",
      "message": "The signature does not include a secure timestamp.",
      "docUrl": "https://developer.apple.com/documentation/security/notarizing_macos_software_before_distribution/resolving_common_notarization_issues#3087733",
      "architecture": "i386"
    },
    ...
    {
      "severity": "warning",
      "code": null,
      "path": "Homebrew-tmp.pkg/Homebrew-tmp.pkg Contents/Payload/tmp/brew/Library/Homebrew/test/support/fixtures/cask/AppWithEmbeddedBinary.zip/App.app",
      "message": "Unable to notarize Homebrew-tmp.pkg/Homebrew-tmp.pkg Contents/Payload/tmp/brew/Library/Homebrew/test/support/fixtures/cask/AppWithEmbeddedBinary.zip/App.app",
      "docUrl": null,
      "architecture": null
    }
  ]
}
```

(You can obtain these logs via

So we need to exclude files like

I simply removed the entire directory for now.

Finally, I post the actual package. (Of course you don't have to install it for reviewing. 😄)

I'll update this PR to include the changes above.
.github/workflows/build-pkg.yml
BUILD_CERTIFICATE_BASE64: ${{ secrets.BUILD_CERTIFICATE_BASE64 }} | ||
P12_PASSWORD: ${{ secrets.P12_PASSWORD }} | ||
KEYCHAIN_PASSWORD: ${{ secrets.KEYCHAIN_PASSWORD }} |
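Review bot: the same three values reappear further down under `PKG_BUILD_`-prefixed names, so once the rename lands the unprefixed `BUILD_CERTIFICATE_BASE64` and `P12_PASSWORD` repository secrets should be deleted rather than left in place; a stale copy of the certificate password that no workflow reads is still a copy an admin token can exfiltrate. Also worth a one-line comment above the `env:` block saying that these secrets are only ever consumed by this job, so nobody later reuses them from a PR-triggered workflow where forks could reach them.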
Can you prefix these with `PKG_BUILD_`? Just p12 password isn't very specific.
Thank you for the comment.
I've changed them to `PKG_BUILD_P12_PASSWORD` and `PKG_BUILD_CERTIFICATE_BASE64`.

@SMillerDev @MikeMcQuaid I updated the PR description according to the changes. I also created a demo PR with my App ID and credentials.
Looks good to me so far!
Just to ensure this doesn't go stale: we're still getting the certificate. Homebrew never signed anything centrally before, and not being its own legal entity is making this a little slow.
env: | ||
PKG_BUILD_CERTIFICATE_BASE64: ${{ secrets.PKG_BUILD_CERTIFICATE_BASE64 }} | ||
PKG_BUILD_P12_PASSWORD: ${{ secrets.PKG_BUILD_P12_PASSWORD }} | ||
KEYCHAIN_PASSWORD: ${{ secrets.KEYCHAIN_PASSWORD }} |
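Review bot: `KEYCHAIN_PASSWORD` protects a keychain that is created inside this job and is useless once the runner is gone, so it does not belong in the long-lived repository secret store next to the certificate; generate it in the run step instead. Whatever holds the imported key also needs a teardown step with `if: always()` that runs `security delete-keychain` on the temporary keychain, so the private key does not outlive a failed build on a runner that is reused or inspected.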
Maybe we can just do `uuidgen` in the run block below to generate a UUID as a password for this?
--min-os-version "$MIN_OS" \ | ||
--filter .DS_Store \ | ||
--filter "(.*)/Library/Homebrew/test/support/fixtures/" \ |
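Review bot: `--filter` patterns are regular expressions, so the unescaped dot in the `.DS_Store` filter on the line above also matches any other character before `DS_Store`; `\.DS_Store$` says what is meant. The fixtures filter needs a comment in the workflow explaining that `Library/Homebrew/test/support/fixtures/` is dropped because it ships unsigned test binaries that notarization rejects (the error log earlier in this thread shows exactly that), since a reader of the yml alone cannot tell why the installed tree is missing part of the checkout.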
@MikeMcQuaid any suggestions how to deal with these better?
@SMillerDev This seems fine with me but the package itself will need to do a `git checkout master` and/or `git reset --hard origin/master` after installation on disk or `brew doctor` will complain immediately.

Relatedly, that'd be good CI to add here at some point (doesn't need to block this PR): actually install the package and run `brew doctor` on the result to ensure it's set up correctly.
The problem with that is finding a CI for macOS without brew pre-installed.
This pull request has been automatically marked as stale because it has not had recent activity. It will be closed if no further activity occurs.
This pull request has been automatically marked as stale because it has not had recent activity. It will be closed if no further activity occurs.
Nope, still waiting for a certificate.
@MikeMcQuaid I uploaded the certificate to 1Password and I'll add the app password in a minute.
@TETRA2000 thanks for the PR and great work so far! I'm going to work on getting this finished up and it'll be much easier to do so in a PR that actually runs this workflow (which requires it to be from a non-fork). I've cherry-picked your commit into #15743 and I'll be continuing your work over there. Thanks again for contributing to Homebrew!
I'm glad that I could submit something meaningful to the OSS project that I use every day. Thank you for your reviews so far!
- Have you successfully run `brew style` with your changes locally?
- Have you successfully run `brew typecheck` with your changes locally?
- Have you successfully run `brew tests` with your changes locally?

Fixes Homebrew/install#739
This PR adds a signature to the generated package.

Prerequisites

You need to create a certificate for signing, and put it and its password as repository secrets. You can find detailed instructions in GitHub's doc.
You also need to create an app-specific password for notarization.
1. Create an app identifier

(I'm pretty sure you already registered the identifier for Homebrew, but I write this for others who want to try this PR.)

Register an App ID - Manage identifiers - Account - Help - Apple Developer

It must be identical to the `$IDENTIFIER` env variable. I used `dev.tetra2000.brew` for testing on my private repo.

2. Create a Developer ID Installer certificate

You need to create a Developer ID Installer certificate using an account with the Account Holder role.

Create Developer ID certificates - Create certificates - Account - Help - Apple Developer
Apple Developer Program Roles - Support - Apple Developer

3. Generate an app-specific password

You need to generate an "app-specific password" using an account with the Account Holder role.

Sign in to apps with your Apple ID using app-specific passwords - Apple Support
4. Add repository secrets

Export the Developer ID Installer certificate as a p12 file and convert it to Base64.

```shell
base64 -i Certificates.p12 | pbcopy
```

Then you need to add it and its password as repository secrets.
You also need to add the email address of an account with the Account Holder role and the app-specific password generated in the previous step.

Repository secret list

- `PKG_BUILD_CERTIFICATE_BASE64`: The Base64 representation of the exported Developer ID Installer certificate.
- `PKG_BUILD_P12_PASSWORD`: The password of the exported Developer ID Installer certificate.
- `APPLE_ID_USERNAME`: The email address of an account with the Account Holder role.
- `APPLE_ID_PASSWORD`: The app-specific password generated in the previous step.

The settings page would look like this.
References
ToDos

* Resolved

Fix verification problem

Even though it seems to have a valid signature, macOS won't let me open the package from Finder.
A package built on my local machine with the same build command could be opened from Finder.
I'm still finding the root cause of this problem.

Updated: It's likely to be related to notarization.

Add notarization (optional)

I think it's not mandatory, but it may be good to add a configuration for notarization.
Apple scans for malicious components during the notarization process.

Notarizing macOS software before distribution | Apple Developer Documentation

It can be done from the CLI, but it requires you to store an app-specific password for the Apple ID as a repository secret.

Customizing the notarization workflow | Apple Developer Documentation
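Putting the prerequisites above and the `pkgbuild` / `notarytool` commands from the thread together, here is an added example of the job script that consumes those four secrets on a macOS runner. It is not the PR's workflow or Homebrew's code. It assumes `PKG_BUILD_CERTIFICATE_BASE64`, `PKG_BUILD_P12_PASSWORD`, `APPLE_ID_USERNAME` and `APPLE_ID_PASSWORD` are exported as environment variables, plus three hypothetical variables of my own (`TEAM_ID`, `IDENTIFIER`, `VERSION`) and a `brew` checkout in the working directory. The macOS-only tools (`security`, `pkgbuild`, `pkgutil`, `xcrun`, `spctl`) run only when the script is invoked with the argument `run`; the helper functions at the top are plain shell so they can be exercised anywhere. Compared with the commands in the thread it generates the keychain password per run instead of storing it as a secret, escapes the `.DS_Store` filter, verifies the signature before upload, fails the job unless notarization reports Accepted, staples the ticket, and deletes the keychain however the job ends.

```shell
#!/usr/bin/env bash
# Added example, not the PR's workflow or Homebrew's code: sign, verify, notarize
# and staple a flat installer package on a macOS runner, then drop the keychain.
# Secrets from the PR description are read from the environment; TEAM_ID,
# IDENTIFIER and VERSION are assumed variables of my own.
set -eu

# ---- pure helpers (no macOS tools; these are what the checks exercise) -------

# Apple Team IDs are 10 upper-case alphanumerics. Failing here beats pkgbuild's
# opaque "no identity found" error later in the job.
valid_team_id() {
  case "$1" in
    ""|*[!A-Z0-9]*) return 1 ;;
  esac
  [ "${#1}" -eq 10 ]
}

# pkgbuild --filter takes regular expressions, so the dot in .DS_Store must be
# escaped. The test fixtures are excluded because they contain unsigned
# binaries, which notarization rejects (see the error log in the thread).
pkgbuild_filters() {
  printf '%s\n' '\.DS_Store$' '/Library/Homebrew/test/support/fixtures/'
}

# The signing keychain exists only for this job, so a fresh random password per
# run is strictly better than a long-lived repository secret.
keychain_password() {
  if command -v uuidgen >/dev/null 2>&1; then
    uuidgen
  else
    head -c 32 /dev/urandom | od -An -tx1 | tr -d ' \n'
  fi
}

# ---- macOS steps (only executed via: ./sign-pkg.sh run) ----------------------

import_signing_cert() {    # $1 keychain path, $2 keychain password
  p12=$(mktemp)
  printf '%s' "$PKG_BUILD_CERTIFICATE_BASE64" | base64 --decode > "$p12"
  security create-keychain -p "$2" "$1"
  security set-keychain-settings -lut 21600 "$1"      # auto-lock after 6 hours
  security unlock-keychain -p "$2" "$1"
  # -T limits which binaries may use the key; GitHub's doc uses -A (any app).
  security import "$p12" -P "$PKG_BUILD_P12_PASSWORD" -t cert -f pkcs12 \
    -k "$1" -T /usr/bin/pkgbuild -T /usr/bin/productbuild
  rm -f "$p12"
  # Let Apple's signing tools use the key without a GUI prompt, then make the
  # keychain the one the tools search.
  security set-key-partition-list -S apple-tool:,apple: -k "$2" "$1"
  security list-keychains -d user -s "$1"
}

build_signed_pkg() {       # $1 payload root, $2 output .pkg
  root=$1; out=$2
  set -- --root "$root" --scripts "$root/package/scripts" \
         --identifier "$IDENTIFIER" --version "$VERSION" \
         --install-location /tmp/brew --min-os-version 11.0 --sign "$TEAM_ID"
  for f in $(pkgbuild_filters); do set -- "$@" --filter "$f"; done
  pkgbuild "$@" "$out"
  # Refuse to upload anything that does not carry a Developer ID signature.
  pkgutil --check-signature "$out" |
    grep -q 'Status: signed by a developer certificate issued by Apple'
}

notarize_and_staple() {    # $1 signed .pkg
  result=$(xcrun notarytool submit "$1" --apple-id "$APPLE_ID_USERNAME" \
             --team-id "$TEAM_ID" --password "$APPLE_ID_PASSWORD" \
             --wait --output-format json)
  printf '%s\n' "$result"
  case "$result" in
    *'"status"'*'"Accepted"'*) ;;
    *) echo "notarization not Accepted; run 'xcrun notarytool log <id>' for the issues list" >&2
       return 1 ;;
  esac
  xcrun stapler staple "$1"                # attach the ticket so Gatekeeper can verify offline
  spctl --assess --type install -vv "$1"   # Gatekeeper's verdict on the stapled package
}

main() {
  : "${TEAM_ID:?}" "${IDENTIFIER:?}" "${VERSION:?}" "${PKG_BUILD_CERTIFICATE_BASE64:?}" \
    "${PKG_BUILD_P12_PASSWORD:?}" "${APPLE_ID_USERNAME:?}" "${APPLE_ID_PASSWORD:?}"
  valid_team_id "$TEAM_ID" || { echo "TEAM_ID must be a 10-character Apple Team ID" >&2; exit 2; }
  kc="${RUNNER_TEMP:-$(mktemp -d)}/pkg-signing.keychain-db"
  # Remove the keychain (and the imported private key) however the job ends.
  trap 'security delete-keychain "$kc" 2>/dev/null || true' EXIT
  import_signing_cert "$kc" "$(keychain_password)"
  build_signed_pkg brew "Homebrew-$VERSION.pkg"
  notarize_and_staple "Homebrew-$VERSION.pkg"
}

if [ "${1:-}" = run ]; then main; fi
```

In a workflow this would be a single `run: ./sign-pkg.sh run` step with the four secrets mapped under `env:`; because the keychain is removed by the `EXIT` trap, no separate cleanup step is needed, and because the password never leaves the process, there is nothing to rotate if the runner image is compromised after the job.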