add MacOs sign binaries

peterjah · peterjah · commit 2c06c0e5083d · 2025-06-27T11:52:44.000+02:00
diff --git a/.github/actions/notarize-macos/action.yml b/.github/actions/notarize-macos/action.yml
@@ -0,0 +1,123 @@
+name: Notarize Archive or App Bundle
+description: Notarize ZIP archives, .app bundles, or other files by creating temporary zip
+author: MassaLabs
+
+inputs:
+  paths:
+    description: Files to notarize (space separated). If not .zip/.pkg/.dmg, creates temporary zip
+    required: true
+  apple-id:
+    description: Apple ID
+    required: true
+  apple-team-id:
+    description: Team ID
+    required: true
+  apple-app-password:
+    description: App password
+    required: true
+
+runs:
+  using: "composite"
+  steps:
+    - name: Check file formats and create temporary zip if needed
+      run: |
+        echo "🔍 Checking file formats for notarization..."
+        temp_zip_created=false
+        unsupported_files=()
+
+        for path in ${{ inputs.paths }}; do
+          echo "📁 Processing: $path"
+
+          # Get file extension (only if it has one)
+          filename=$(basename "$path")
+          extension=""
+          if [[ "$filename" == *.* ]]; then
+            extension="${filename##*.}"
+          fi
+
+          # Check if file is already in supported format
+          if [[ "$extension" == "zip" || "$extension" == "pkg" || "$extension" == "dmg" ]]; then
+            echo "✅ File $path is already in supported format ($extension)"
+          else
+            echo "⚠️  File $path has unsupported extension ($extension) or no extension, will add to temporary zip..."
+            unsupported_files+=("$path")
+            temp_zip_created=true
+          fi
+        done
+
+        # Create single temporary zip for all unsupported files
+        if [[ "$temp_zip_created" == "true" ]]; then
+          echo "📦 Creating single temporary zip for all unsupported files..."
+          temp_zip="temp_notarization_package.zip"
+          
+          # Add all unsupported files to the zip
+          for file in "${unsupported_files[@]}"; do
+            echo "📁 Adding to zip: $file"
+            zip -r "$temp_zip" "$file"
+          done
+
+          echo "TEMP_ZIP_CREATED=true" >> $GITHUB_ENV
+          echo "TEMP_ZIP_FILE=$temp_zip" >> $GITHUB_ENV
+ 
+          # Store list of unsupported files for later stapling
+          printf "%s\n" "${unsupported_files[@]}" > unsupported_files_list.txt
+        fi
+      shell: bash
+
+    - name: Submit packages for notarization
+      run: |
+        # Process original supported files
+        for path in ${{ inputs.paths }}; do
+          filename=$(basename "$path")
+          extension=""
+          if [[ "$filename" == *.* ]]; then
+            extension="${filename##*.}"
+          fi
+
+          if [[ "$extension" == "zip" || "$extension" == "pkg" || "$extension" == "dmg" ]]; then
+            echo "📦 Submitting for notarization: $path"
+            xcrun notarytool submit "$path" \
+              --apple-id "${{ inputs.apple-id }}" \
+              --password "${{ inputs.apple-app-password }}" \
+              --team-id "${{ inputs.apple-team-id }}" \
+              --wait
+          fi
+        done
+
+        # Process single temporary zip file if created
+        if [[ "${{ env.TEMP_ZIP_CREATED }}" == "true" ]]; then
+          echo "📦 Submitting temporary zip for notarization: ${{ env.TEMP_ZIP_FILE }}"
+          xcrun notarytool submit "${{ env.TEMP_ZIP_FILE }}" \
+            --apple-id "${{ inputs.apple-id }}" \
+            --password "${{ inputs.apple-app-password }}" \
+            --team-id "${{ inputs.apple-team-id }}" \
+            --wait
+        fi
+      shell: bash
+
+    - name: Staple notarization tickets to original files
+      run: |
+        # Staple to original supported files (only .pkg and .dmg, not .zip)
+        for path in ${{ inputs.paths }}; do
+          filename=$(basename "$path")
+          extension=""
+          if [[ "$filename" == *.* ]]; then
+            extension="${filename##*.}"
+          fi
+
+          if [[ "$extension" == "pkg" || "$extension" == "dmg" ]]; then
+            echo "📎 Stapling to: $path"
+            xcrun stapler staple "$path"
+            xcrun stapler validate "$path"
+          elif [[ "$extension" == "zip" ]]; then
+            echo "⚠️  Skipping stapling for zip file: $path (Zip files cannot be stapled)"
+          elif [[ -z "$extension" ]]; then
+            echo "⚠️  Skipping stapling for binary: $path (Standalone binaries cannot be stapled)"
+          fi
+        done
+      shell: bash
+
+    - name: Clean up temporary files
+      run: |
+        rm -f temp_notarization_package.zip unsupported_files_list.txt
+      shell: bash
diff --git a/.github/actions/sign-macos/action.yml b/.github/actions/sign-macos/action.yml
@@ -0,0 +1,40 @@
+name: Sign Multiple Universal macOS Binaries
+description: Sign multiple macOS binaries
+author: MassaLabs
+
+inputs:
+  paths:
+    description: Paths to binaries or app bundles to sign (space-separated)
+    required: true
+  certificate-p12-base64:
+    description: Base64 certificate
+    required: true
+  certificate-password:
+    description: Certificate password
+    required: true
+  signing-identity:
+    description: Signing identity
+    required: true
+
+runs:
+  using: "composite"
+  steps:
+
+    - name: Import Apple signing certificate
+      uses: Apple-Actions/import-codesign-certs@v3
+      with:
+        p12-file-base64: ${{ inputs.certificate-p12-base64 }}
+        p12-password: ${{ inputs.certificate-password }}
+
+    - name: Sign binaries and app bundles
+      run: |
+        echo "🔐 Starting signing process..."
+        for path in ${{ inputs.paths }}; do
+          echo "📝 Signing: $path"
+          codesign --force --options runtime --timestamp \
+            --sign "${{ inputs.signing-identity }}" "$path"
+
+          echo "🔍 Verifying signature for: $path"
+          codesign --verify --deep --strict --verbose=2 "$path"
+        done
+      shell: bash
diff --git a/.github/workflows/cd.yml b/.github/workflows/cd.yml
@@ -12,6 +12,11 @@ env:
   CARGO_TERM_COLOR: always
   RUST_BACKTRACE: full
 
+# Add permissions to access organization secrets
+permissions:
+  contents: write
+  id-token: write
+
 concurrency:
   group: ${{ github.workflow }}-${{ github.ref }}
   cancel-in-progress: true
@@ -21,7 +26,7 @@ jobs:
     strategy:
       matrix:
         os: [ubuntu-22.04, macOS-latest, windows-latest]
-        platform: [x86_64, arm64]
+        platform: [x86_64]
         include:
           - os: ubuntu-22.04
             platform: x86_64
@@ -71,40 +76,54 @@ jobs:
           command: build
           args: --profile release_prebuilt --target ${{ matrix.target }}
 
+      - name: Set binary paths
+        shell: bash
+        run: |
+          if [[ "${{ matrix.platform }}" == "arm64" ]]
+          then
+            echo "MASSA_NODE_PATH=target/${{ matrix.target }}/release_prebuilt/massa-node" >> $GITHUB_ENV
+            echo "MASSA_CLIENT_PATH=target/${{ matrix.target }}/release_prebuilt/massa-client" >> $GITHUB_ENV
+          else
+            echo "MASSA_NODE_PATH=target/release_prebuilt/massa-node" >> $GITHUB_ENV
+            echo "MASSA_CLIENT_PATH=target/release_prebuilt/massa-client" >> $GITHUB_ENV
+          fi
+
+
+      - name: Wait for file system locks to clear
+        if: ${{ runner.os == 'Windows' }}
+        shell: powershell
+        run: |
+          Write-Host "Waiting for file system locks to clear..."
+          Start-Sleep -Seconds 10
+          Write-Host "File system ready for signing operations"
+
       - name: Sign windows massa-node binary
         if: ${{ runner.os == 'Windows' }}
-        uses: massalabs/station/.github/actions/sign-file-digicert@7481e2a05af97559568772dad473b923b37fbe34
+        uses: massalabs/station/.github/actions/sign-file-digicert@413d4c0bbd042d5e797fbb66bcd2c96be5c3e71a
         with:
-          file: ./target/release_prebuilt/massa-node
+          files: "${{ env.MASSA_NODE_PATH }}.exe ${{ env.MASSA_CLIENT_PATH }}.exe"
           SM_API_KEY: ${{ secrets.SM_API_KEY }}
           SM_CLIENT_CERT_FILE_B64: ${{ secrets.SM_CLIENT_CERT_FILE_B64 }}
           SM_CLIENT_CERT_PASSWORD: ${{ secrets.SM_CLIENT_CERT_PASSWORD }}
           SM_CERT_FINGERPRINT: ${{ secrets.SM_CERT_FINGERPRINT }}
           SM_HOST: ${{ secrets.SM_HOST }}
 
-      - name: Sign windows massa-client binary
-        if: ${{ runner.os == 'Windows' }}
-        uses: massalabs/station/.github/actions/sign-file-digicert@7481e2a05af97559568772dad473b923b37fbe34
+      - name: Sign Macos binaries
+        uses: ./.github/actions/sign-macos
+        if: ${{ runner.os == 'macOS' }}
         with:
-          file: ./target/release_prebuilt/massa-client
-          SM_API_KEY: ${{ secrets.SM_API_KEY }}
-          SM_CLIENT_CERT_FILE_B64: ${{ secrets.SM_CLIENT_CERT_FILE_B64 }}
-          SM_CLIENT_CERT_PASSWORD: ${{ secrets.SM_CLIENT_CERT_PASSWORD }}
-          SM_CERT_FINGERPRINT: ${{ secrets.SM_CERT_FINGERPRINT }}
-          SM_HOST: ${{ secrets.SM_HOST }}
+          paths: "$MASSA_CLIENT_PATH $MASSA_NODE_PATH"
+          certificate-p12-base64: ${{ secrets.APPLE_CERTIFICATE_P12_BASE64 }}
+          certificate-password: ${{ secrets.APPLE_CERTIFICATE_P12_PASSWORD }}
+          signing-identity: ${{ vars.APPLE_DEVELOPER_ID_APPLICATION }}
 
       - name: Package
         shell: bash
         run: |
           mkdir massa && cd massa && mkdir massa-node && mkdir massa-client
-          if [[ "${{ matrix.platform }}" == "arm64" ]]
-          then
-            cp -v ../target/${{ matrix.target }}/release_prebuilt/massa-node massa-node/massa-node
-            cp -v ../target/${{ matrix.target }}/release_prebuilt/massa-client massa-client/massa-client
-          else
-            cp -v ../target/release_prebuilt/massa-node massa-node/massa-node
-            cp -v ../target/release_prebuilt/massa-client massa-client/massa-client
-          fi
+
+          cp -v "../$MASSA_NODE_PATH" massa-node/massa-node
+          cp -v "../$MASSA_CLIENT_PATH" massa-client/massa-client
           cp -rv ../massa-node/config massa-node/config
           cp -rv ../massa-node/base_config massa-node/base_config
           cp -rv ../massa-node/storage massa-node/storage
@@ -117,7 +136,7 @@ jobs:
           else
             tar czvf massa_${GITHUB_REF/refs\/tags\//}_${{ matrix.name }} massa
           fi
-          cd -
+
       - name: Upload ${{ matrix.os }}_${{ matrix.platform }} artifacts
         uses: actions/upload-artifact@v4
         with:
