From 71f8393fba48ffbbb2a3943a12ec467c726fee0e Mon Sep 17 00:00:00 2001
From: Opender Singh
Date: Fri, 15 Oct 2021 11:16:30 +1300
Subject: [PATCH] Notarize raw binary (#4108)
---
 .github/workflows/release-core.yml | 21 +++++--
 .github/workflows/test.yml | 34 ++++++-----
 .../insomnia-inso/src/scripts/artifacts.ts | 56 +++++++++++++------
 .../insomnia-inso/src/scripts/macos-pkg.sh | 9 ++-
 4 files changed, 80 insertions(+), 40 deletions(-)
diff --git a/.github/workflows/release-core.yml b/.github/workflows/release-core.yml
index d5c83fd28..8ce090c5d 100644
--- a/.github/workflows/release-core.yml
+++ b/.github/workflows/release-core.yml
@@ -133,12 +133,12 @@ jobs:
 shell: bash
 run: |
 PKG_NAME="inso-${{ matrix.os }}-${{ needs.inso_release_info.outputs.inso-version }}"
- BUNDLE_ID="com.insomnia.inso.app"
+ BUNDLE_ID="com.insomnia.inso"
 echo ::set-output name=pkg-name::$PKG_NAME
 echo ::set-output name=bundle-id::$BUNDLE_ID
- - name: Package Inso CLI
+ - name: Package Inso CLI binary
 run: npm run inso-package
 env:
 VERSION: ${{ needs.inso_release_info.outputs.inso-version }}
@@ -146,14 +146,14 @@ jobs:
 - name: Run CLI smoke tests
 run: npm run test:smoke:cli
- - name: Create macOS installer package
+ - name: Codesign & create macOS installer
 if: matrix.os == 'macos-latest'
 run: |
 chmod +x ./src/scripts/macos-pkg.sh
 ./src/scripts/macos-pkg.sh
 shell: bash
 working-directory: packages/insomnia-inso
- continue-on-error: true
+ continue-on-error: false
 env:
 MACOS_CERTIFICATE: ${{ secrets.DESIGNER_MAC_CSC_LINK }}
 MACOS_CERTIFICATE_PWD: ${{ secrets.DESIGNER_MAC_CSC_KEY_PASSWORD }}
@@ -161,7 +161,7 @@ jobs:
 BUNDLE_ID: ${{ steps.inso-variables.outputs.bundle-id }}
 VERSION: ${{ needs.inso_release_info.outputs.inso-version }}
- - name: Notarize installer package
+ - name: Notarize installer
 if: matrix.os == 'macos-latest'
 uses: devbotsxyz/xcode-notarize@v1
 with:
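Review bot: `continue-on-error: false` on the "Codesign & create macOS installer" step in release-core.yml restates the GitHub Actions default, so the reason for the flip is easy to lose in a later cleanup. Either delete the line or keep it with a comment such as `# signing failures must fail the release; never publish an unsigned installer`. Failing closed is the right behaviour for a release job, because the notarize and staple steps that follow would otherwise run against a package that may not have been signed. The step's `env:` block continues past the end of this hunk.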
@@ -170,12 +170,21 @@ jobs:
 appstore-connect-username: ${{ secrets.DESIGNER_APPLE_ID }}
 appstore-connect-password: ${{ secrets.DESIGNER_APPLE_ID_PASSWORD }}
- - name: Staple installer package
+ - name: Staple installer
 if: matrix.os == 'macos-latest'
 uses: devbotsxyz/xcode-staple@v1
 with:
 product-path: packages/insomnia-inso/artifacts/${{ steps.inso-variables.outputs.pkg-name }}.pkg
+ - name: Notarize binary
+ if: matrix.os == 'macos-latest'
+ uses: devbotsxyz/xcode-notarize@v1
+ with:
+ product-path: packages/insomnia-inso/binaries/inso
+ primary-bundle-id: ${{ steps.inso-variables.outputs.bundle-id }}-binary
+ appstore-connect-username: ${{ secrets.DESIGNER_APPLE_ID }}
+ appstore-connect-password: ${{ secrets.DESIGNER_APPLE_ID_PASSWORD }}
+
 - name: Create Inso CLI artifacts
 run: npm run inso-package:artifacts
 env:
diff --git a/.github/workflows/test.yml b/.github/workflows/test.yml
index 5eac6e8a5..15776350d 100644
--- a/.github/workflows/test.yml
+++ b/.github/workflows/test.yml
@@ -51,30 +51,30 @@ jobs:
 - name: Lint
 run: npm run lint
- - name: Lint Markdown
+ - name: Lint markdown
 run: npm run lint:markdown
 - name: Run tests
 run: npm test
- - name: Set Inso Variables
+ - name: Set Inso CLI variables
 id: inso-variables
 shell: bash
 run: |
 INSO_VERSION="${{ needs.get_version.outputs.inso-version }}-run.${{ github.run_number }}"
 PKG_NAME="inso-${{ matrix.os }}-$INSO_VERSION"
- BUNDLE_ID="com.insomnia.inso.app"
+ BUNDLE_ID="com.insomnia.inso"
 echo ::set-output name=pkg-name::$PKG_NAME
 echo ::set-output name=bundle-id::$BUNDLE_ID
 echo ::set-output name=inso-version::$INSO_VERSION
- - name: Package Inso CLI
+ - name: Package Inso CLI binary
 run: npm run inso-package
 env:
 VERSION: ${{ steps.inso-variables.outputs.inso-version }}
- - name: Create macOS installer package
+ - name: Codesign & create macOS installer
 if: matrix.os == 'macos-latest'
 run: |
 chmod +x ./src/scripts/macos-pkg.sh
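Review bot: The new "Notarize binary" step in release-core.yml hands `DESIGNER_APPLE_ID` and `DESIGNER_APPLE_ID_PASSWORD` to `devbotsxyz/xcode-notarize@v1`, a third-party action referenced by a mutable tag, so a retagged `v1` would run in the release job with those secrets. Pin it to a reviewed full commit SHA, e.g. `uses: devbotsxyz/xcode-notarize@<full-commit-sha> # v1` (placeholder; the SHA is not on this page), and apply the same pin to the existing notarize and staple steps. The binary gets no staple step; if that is because a standalone executable cannot carry a stapled ticket, a one-line comment saying so would stop someone from adding one later.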
@@ -90,7 +90,7 @@ jobs:
 VERSION: ${{ steps.inso-variables.outputs.inso-version }}
 # We don't need to notarize and staple on every commit
- # - name: Notarize installer package
+ # - name: Notarize installer
 # if: matrix.os == 'macos-latest'
 # uses: devbotsxyz/xcode-notarize@v1
 # with:
@@ -99,14 +99,25 @@ jobs:
 # appstore-connect-username: ${{ secrets.DESIGNER_APPLE_ID }}
 # appstore-connect-password: ${{ secrets.DESIGNER_APPLE_ID_PASSWORD }}
- # - name: Staple installer package
+ # - name: Staple installer
 # if: matrix.os == 'macos-latest'
 # uses: devbotsxyz/xcode-staple@v1
 # with:
 # product-path: packages/insomnia-inso/artifacts/${{ steps.inso-variables.outputs.pkg-name }}.pkg
+ # - name: Notarize binary
+ # if: matrix.os == 'macos-latest'
+ # uses: devbotsxyz/xcode-notarize@v1
+ # with:
+ # product-path: packages/insomnia-inso/binaries/inso
+ # primary-bundle-id: ${{ steps.inso-variables.outputs.bundle-id }}-binary
+ # appstore-connect-username: ${{ secrets.DESIGNER_APPLE_ID }}
+ # appstore-connect-password: ${{ secrets.DESIGNER_APPLE_ID_PASSWORD }}
+
 - name: Create Inso CLI artifacts
 run: npm run inso-package:artifacts
+ env:
+ VERSION: ${{ steps.inso-variables.outputs.inso-version }}
 - name: Upload Inso CLI artifacts
 uses: actions/upload-artifact@v2
@@ -115,16 +126,13 @@ jobs:
 name: ${{ steps.inso-variables.outputs.pkg-name }}
 path: packages/insomnia-inso/artifacts
- # - name: Run CLI smoke tests
+ # - name: Run Inso CLI smoke tests
 # run: npm run test:smoke:cli
- # - name: Run CLI smoke tests
- # run: npm run test:smoke:cli
-
- # - name: Build for smoke tests
+ # - name: Build app for smoke tests
 # run: npm run app-build:smoke
- # - name: Run smoke tests
+ # - name: Run app smoke tests
 # timeout-minutes: 10 # sometimes jest fails to exit - https://github.com/facebook/jest/issues/6423#issuecomment-620407580
 # run: npm run test:smoke:build
diff --git a/packages/insomnia-inso/src/scripts/artifacts.ts b/packages/insomnia-inso/src/scripts/artifacts.ts
index c871416bc..df1488c96 100644
--- a/packages/insomnia-inso/src/scripts/artifacts.ts
+++ b/packages/insomnia-inso/src/scripts/artifacts.ts
@@ -1,4 +1,4 @@
-import { spawn } from 'child_process';
+import { ProcessEnvOptions, spawn } from 'child_process';
 import mkdirp from 'mkdirp';
 import path from 'path';
@@ -11,18 +11,52 @@ const isMac = () => platform === 'darwin';
 const isLinux = () => platform === 'linux';
 const isWindows = () => platform === 'win32';
-const getTarArgs = () => {
+const getName = () => {
 const version = getVersion();
 if (isMac()) {
- return ['-czf', `inso-macos-${version}.zip`];
+ return `inso-macos-${version}.zip`;
 }
 if (isLinux()) {
- return ['-cJf', `inso-linux-${version}.tar.xz`];
+ return `inso-linux-${version}.tar.xz`;
 }
 if (isWindows()) {
- return ['-czf', `inso-windows-${version}.zip`];
+ return `inso-windows-${version}.zip`;
+ }
+
+ throw new Error(prefixPkgArtifacts(`Unsupported OS: ${platform}`));
+};
+
+const startProcess = (cwd: ProcessEnvOptions['cwd']) => {
+ const name = getName();
+
+ if (isMac()) {
+ return spawn('ditto',
+ [
+ '-c',
+ '-k',
+ '../binaries/inso',
+ name,
+ ], {
+ cwd,
+ shell: true,
+ });
+ }
+
+ if (isWindows() || isLinux()) {
+
+ return spawn('tar',
+ [
+ '-C',
+ '../binaries',
+ isWindows() ? '-a -cf' : '-cjf',
+ name,
+ '.',
+ ], {
+ cwd,
+ shell: true,
+ });
 }
 throw new Error(prefixPkgArtifacts(`Unsupported OS: ${platform}`));
@@ -33,17 +67,7 @@ const artifacts = async () => {
 const cwd = path.join(__dirname, '../../artifacts');
 mkdirp.sync(cwd);
- const tarName = isWindows() ? 'tar.exe' : 'tar';
- const process = spawn(tarName,
- [
- '-C',
- '../binaries',
- ...getTarArgs(),
- '.',
- ], {
- cwd,
- shell: true,
- });
+ const process = startProcess(cwd);
 process.stdout.on('data', data => {
 console.log(data.toString());
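Review bot: In `startProcess`, the Linux branch now passes `-cjf` (bzip2) while `getName()` still returns `inso-linux-${version}.tar.xz`; the removed `getTarArgs` used `-cJf` (xz), so the artifact's extension no longer matches its compression. Both `spawn` calls also keep `shell: true`, which joins the argument array into a single shell command line, so `name`, built from `getVersion()` (defined outside this hunk), is parsed by the shell unquoted, and `'-a -cf'` only works because the shell re-splits it. Suggest `...(isWindows() ? ['-a', '-cf'] : ['-cJf']),` and removing `shell: true` from both calls, after confirming that `tar` resolves without a shell on the Windows runner.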
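Review bot: `const process = startProcess(cwd);` in `artifacts` still shadows Node's global `process`, so any later `process.exit` or `process.env` in this function would act on the child process object instead. Rename it, e.g. `const child = startProcess(cwd);`, and update the `process.stdout.on` call below to match. The rest of `artifacts` lies outside this hunk; if it does not already reject on a non-zero exit code or an `error` event, a failed `ditto` or `tar` could go unnoticed by the workflow.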
diff --git a/packages/insomnia-inso/src/scripts/macos-pkg.sh b/packages/insomnia-inso/src/scripts/macos-pkg.sh
index df08e08c9..b8b19f4d1 100644
--- a/packages/insomnia-inso/src/scripts/macos-pkg.sh
+++ b/packages/insomnia-inso/src/scripts/macos-pkg.sh
@@ -43,17 +43,16 @@ security import certificate.p12 -k "$KEYCHAIN" -P "$MACOS_CERTIFICATE_PWD" -T /u
 # New requirement for MacOS 10.12+
 security set-key-partition-list -S apple-tool:,apple:,codesign:,pkgbuild: -s -k "$KEYCHAIN_PASSWORD" "$KEYCHAIN"
+# Sign the binary
+plutil -lint "$ENTITLEMENTS_PATH"
+/usr/bin/codesign --force --options=runtime --entitlements "$ENTITLEMENTS_PATH" --timestamp --sign "$APP_IDENTITY" "$SOURCE_BINARY_DIR/$SOURCE_BINARY_NAME"
+
 # Create a staging area for the installer package.
 mkdir -p "$STAGING_AREA"
 # Copy the binary into the staging area.
 cp "$SOURCE_BINARY_DIR/$SOURCE_BINARY_NAME" "$STAGING_AREA"
-# Sign the binary
-plutil -lint "$ENTITLEMENTS_PATH"
-/usr/bin/codesign --force --options=runtime --entitlements "$ENTITLEMENTS_PATH" --timestamp --sign "$APP_IDENTITY" "$STAGING_AREA/$SOURCE_BINARY_NAME"
-
 # Build and sign the package
 mkdir $ARTIFACT_LOCATION
 /usr/bin/pkgbuild --identifier "$BUNDLE_ID" --version "$VERSION" --sign "$INSTALL_IDENTITY" --keychain "$KEYCHAIN" --timestamp --root "$STAGING_AREA" --install-location "$INSTALL_LOCATION" "$ARTIFACT_LOCATION/$PKG_NAME.pkg"
-
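Review bot: Nothing checks the signature after `codesign` now writes it onto the source binary in place, and that same file is later copied into the package and submitted for notarization on its own. Add `/usr/bin/codesign --verify --strict --verbose=2 "$SOURCE_BINARY_DIR/$SOURCE_BINARY_NAME"` directly after the signing line so a bad or missing signature stops the script before `pkgbuild`. Whether the script runs under `set -e` is not visible in this hunk; without it, a failed `plutil -lint` or `codesign` would not stop packaging, and the workflow's `continue-on-error: false` would never see the failure. The context line `mkdir $ARTIFACT_LOCATION` is also unquoted, unlike the paths around it.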