release: update macOS signing

Update macOS component of release workflow to use GitHub certificates for signing and notarization.
git-ecosystem · ldennington · Oct 21, 2023 · Oct 6, 2023 · Oct 6, 2023 · Oct 7, 2023
commit 16e628a321048080752c10a7184b4c9d624647a9
@@ -21,12 +21,13 @@ jobs:
         id: version
 
 # ================================
-#              macOS
+#             macOS
 # ================================
-  osx-build:
-    name: Build macOS
+  create-macos-artifacts:
+    name: Create macOS artifacts
     runs-on: macos-latest
     environment: release
+    needs: prereqs
     strategy:
       matrix:
         runtime: [ osx-x64, osx-arm64 ]
@@ -38,9 +39,6 @@ jobs:
       with:
         dotnet-version: 7.0.x
 
-    - name: Install dependencies
-      run: dotnet restore
-
     - name: Build
       run: |
         dotnet build src/osx/Installer.Mac/*.csproj \
@@ -57,203 +55,88 @@ jobs:
          --configuration=MacRelease --output=payload \
          --symbol-output=symbols --runtime=${{ matrix.runtime }}
 
-    - name: Create keychain
+    - name: Set up signing/notarization infrastructure
       env:
-        CERT_BASE64: ${{ secrets.DEVELOPER_CERTIFICATE_BASE64 }}
-        CERT_PASSPHRASE: ${{ secrets.DEVELOPER_CERTIFICATE_PASSWORD }}
-      run: |
+        A1: ${{ secrets.APPLICATION_CERTIFICATE_BASE64 }}
+        A2: ${{ secrets.APPLICATION_CERTIFICATE_PASSWORD }}
+        I1: ${{ secrets.INSTALLER_CERTIFICATE_BASE64 }}
+        I2: ${{ secrets.INSTALLER_CERTIFICATE_PASSWORD }}
+        N1: ${{ secrets.APPLE_TEAM_ID }}
+        N2: ${{ secrets.APPLE_DEVELOPER_ID }}
+        N3: ${{ secrets.APPLE_DEVELOPER_PASSWORD }}
+        N4: ${{ secrets.APPLE_KEYCHAIN_PROFILE }}
+      run: |
+        echo "Setting up signing certificates"
         security create-keychain -p pwd $RUNNER_TEMP/buildagent.keychain
         security default-keychain -s $RUNNER_TEMP/buildagent.keychain
         security unlock-keychain -p pwd $RUNNER_TEMP/buildagent.keychain
-        echo $CERT_BASE64 | base64 -D > $RUNNER_TEMP/cert.p12
-        security import $RUNNER_TEMP/cert.p12 -k $RUNNER_TEMP/buildagent.keychain -P $CERT_PASSPHRASE -T /usr/bin/codesign
-        security set-key-partition-list -S apple-tool:,apple:,codesign: -s -k pwd $RUNNER_TEMP/buildagent.keychain
-
-    - name: Developer sign
-      env:
-        APPLE_TEAM_ID: ${{ secrets.APPLE_TEAM_ID }}
-      run: |
-        .github/run_developer_signing.sh payload $APPLE_TEAM_ID $GITHUB_WORKSPACE/src/osx/Installer.Mac/entitlements.xml
-
-    - name: Upload macOS artifacts
-      uses: actions/upload-artifact@v3
-      with:
-        name: tmp.${{ matrix.runtime }}-build
-        path: |
-          payload
-          symbols
-
-  osx-payload-sign:
-    name: Sign macOS payload
-    # ESRP service requires signing to run on Windows
-    runs-on: windows-latest
-    environment: release
-    strategy:
-      matrix:
-        runtime: [ osx-x64, osx-arm64 ]
-    needs: osx-build
-    steps:
-    - uses: actions/checkout@v4
-
-    - name: Download payload
-      uses: actions/download-artifact@v3
-      with:
-        name: tmp.${{ matrix.runtime }}-build
-
-    - name: Zip unsigned payload
-      shell: pwsh
-      run: |
-        Compress-Archive -Path payload payload/payload.zip
-        cd payload
-        Get-ChildItem -Exclude payload.zip | Remove-Item -Recurse -Force
 
-    - uses: azure/login@v1
-      with:
-        creds: ${{ secrets.AZURE_CREDENTIALS }}
-
-    - name: Set up ESRP client
-      shell: pwsh
-      env:
-        AZURE_VAULT: ${{ secrets.AZURE_VAULT }}
-        AUTH_CERT: ${{ secrets.AZURE_VAULT_AUTH_CERT_NAME }}
-        REQUEST_SIGNING_CERT: ${{ secrets.AZURE_VAULT_REQUEST_SIGNING_CERT_NAME }}
-      run: |
-        .github\set_up_esrp.ps1
-
-    - name: Run ESRP client
-      shell: pwsh
+        echo $A1 | base64 -D > $RUNNER_TEMP/cert.p12
+        security import $RUNNER_TEMP/cert.p12 \
+          -k $RUNNER_TEMP/buildagent.keychain \
+          -P $A2 \
+          -T /usr/bin/codesign
+        security set-key-partition-list \
+          -S apple-tool:,apple:,codesign: \
+          -s -k pwd \
+          $RUNNER_TEMP/buildagent.keychain
+
+        echo $I1 | base64 -D > $RUNNER_TEMP/cert.p12
+        security import $RUNNER_TEMP/cert.p12 \
+          -k $RUNNER_TEMP/buildagent.keychain \
+          -P $I2 \
+          -T /usr/bin/productbuild
+        security set-key-partition-list \
+          -S apple-tool:,apple:,productbuild: \
+          -s -k pwd \
+          $RUNNER_TEMP/buildagent.keychain
+
+        echo "Setting up notarytool"
+        xcrun notarytool store-credentials \
+          --team-id $N1 \
+          --apple-id $N2 \
+          --password $N3 \
+          "$N4"
+
+    - name: Run codesign against payload
       env:
-        AZURE_AAD_ID: ${{ secrets.AZURE_AAD_ID }}
-        APPLE_KEY_CODE: ${{ secrets.APPLE_KEY_CODE }}
-        APPLE_SIGNING_OP_CODE: ${{ secrets.APPLE_SIGNING_OPERATION_CODE }}
+        A3: ${{ secrets.APPLE_APPLICATION_SIGNING_IDENTITY }}
       run: |
-        python .github\run_esrp_signing.py payload `
-         $env:APPLE_KEY_CODE $env:APPLE_SIGNING_OP_CODE `
-         --params 'Hardening' '--options=runtime'
-
-    - name: Unzip signed payload
-      shell: pwsh
-      run: |
-        Expand-Archive signed/payload.zip -DestinationPath signed
-        Remove-Item signed/payload.zip
-
-    - name: Upload signed payload
-      uses: actions/upload-artifact@v3
-      with:
-        name: ${{ matrix.runtime }}-payload-sign
-        path: |
-          signed
-
-  osx-pack:
-    name: Package macOS payload
-    runs-on: macos-latest
-    strategy:
-      matrix:
-        runtime: [ osx-x64, osx-arm64 ]
-    needs: osx-payload-sign
-    steps:
-    - uses: actions/checkout@v4
-
-    - name: Set version environment variable
-      run: echo "VERSION=$(cat VERSION | sed -E 's/.[0-9]+$//')" >> $GITHUB_ENV
-
-    - name: Set up .NET
-      uses: actions/[email protected]
-      with:
-        dotnet-version: 7.0.x
-
-    - name: Download signed payload
-      uses: actions/download-artifact@v3
-      with:
-        name: ${{ matrix.runtime }}-payload-sign
+        ./src/osx/Installer.Mac/codesign.sh "payload" "$A3" \
+          "$GITHUB_WORKSPACE/src/osx/Installer.Mac/entitlements.xml"
 
     - name: Create component package
       run: |
-        src/osx/Installer.Mac/pack.sh --payload=payload \
-         --version=$VERSION \
-         --output=components/com.microsoft.gitcredentialmanager.component.pkg
-
-    - name: Create product archive
-      run: |
-        src/osx/Installer.Mac/dist.sh --package-path=components \
-         --version=$VERSION --runtime=${{ matrix.runtime }} \
-         --output=pkg/gcm-${{ matrix.runtime }}-$VERSION.pkg || exit 1
+        src/osx/Installer.Mac/pack.sh --payload="payload" \
+         --version="${{ needs.prereqs.outputs.version }}" \
+         --output="components/com.microsoft.gitcredentialmanager.component.pkg"
 
-    - name: Upload package
-      uses: actions/upload-artifact@v3
-      with:
-        name: tmp.${{ matrix.runtime }}-pack
-        path: |
-          pkg
-
-  osx-sign:
-    name: Sign and notarize macOS package
-    # ESRP service requires signing to run on Windows
-    runs-on: windows-latest
-    environment: release
-    strategy:
-      matrix:
-        runtime: [ osx-x64, osx-arm64 ]
-    needs: osx-pack
-    steps:
-    - uses: actions/checkout@v4
-
-    - name: Download unsigned package
-      uses: actions/download-artifact@v3
-      with:
-        name: tmp.${{ matrix.runtime }}-pack
-        path: pkg
-
-    - name: Zip unsigned package
-      shell: pwsh
-      run: |
-        Compress-Archive -Path pkg/*.pkg pkg/gcm-pkg.zip
-        cd pkg
-        Get-ChildItem -Exclude gcm-pkg.zip | Remove-Item -Recurse -Force
-
-    - uses: azure/login@v1
-      with:
-        creds: ${{ secrets.AZURE_CREDENTIALS }}
-
-    - name: Set up ESRP client
-      shell: pwsh
+    - name: Create and sign product archive
       env:
-        AZURE_VAULT: ${{ secrets.AZURE_VAULT }}
-        AUTH_CERT: ${{ secrets.AZURE_VAULT_AUTH_CERT_NAME }}
-        REQUEST_SIGNING_CERT: ${{ secrets.AZURE_VAULT_REQUEST_SIGNING_CERT_NAME }}
+        I3: ${{ secrets.APPLE_INSTALLER_SIGNING_IDENTITY }}
       run: |
-        .github\set_up_esrp.ps1
-
-    - name: Sign package
-      shell: pwsh
-      env:
-        AZURE_AAD_ID: ${{ secrets.AZURE_AAD_ID }}
-        APPLE_KEY_CODE: ${{ secrets.APPLE_KEY_CODE }}
-        APPLE_SIGNING_OP_CODE: ${{ secrets.APPLE_SIGNING_OPERATION_CODE }}
-      run: |
-        python .github\run_esrp_signing.py pkg $env:APPLE_KEY_CODE $env:APPLE_SIGNING_OP_CODE
-
-    - name: Unzip signed package
-      shell: pwsh
-      run: |
-        mkdir unsigned
-        Expand-Archive -LiteralPath signed\gcm-pkg.zip -DestinationPath .\unsigned -Force
-        Remove-Item signed\gcm-pkg.zip -Force
+        src/osx/Installer.Mac/dist.sh --package-path=components \
+         --version="${{ needs.prereqs.outputs.version }}" \
+         --runtime="${{ matrix.runtime }}" \
+         --output="pkg/gcm-${{ matrix.runtime }}-${{ needs.prereqs.outputs.version }}.pkg" \
+         --identity="$I3" || exit 1
 
-    - name: Notarize signed package
-      shell: pwsh
+    - name: Notarize product archive
       env:
-        AZURE_AAD_ID: ${{ secrets.AZURE_AAD_ID }}
-        APPLE_KEY_CODE: ${{ secrets.APPLE_KEY_CODE }}
-        APPLE_NOTARIZATION_OP_CODE: ${{ secrets.APPLE_NOTARIZATION_OPERATION_CODE }}
+        N4: ${{ secrets.APPLE_KEYCHAIN_PROFILE }}
       run: |
-        python .github\run_esrp_signing.py unsigned $env:APPLE_KEY_CODE $env:APPLE_NOTARIZATION_OP_CODE --params 'BundleId' 'com.microsoft.gitcredentialmanager'
+        src/osx/Installer.Mac/notarize.sh \
+          --package="pkg/gcm-${{ matrix.runtime }}-${{ needs.prereqs.outputs.version }}.pkg" \
+          --keychain-profile="$N4"
 
-    - name: Publish signed package
+    - name: Upload artifacts
       uses: actions/upload-artifact@v3
       with:
-        name: ${{ matrix.runtime }}-sign
-        path: signed/*.pkg
+        name: macos-${{ matrix.runtime }}-artifacts
+        path: |
+          ./pkg/*
+          ./symbols/*
+          ./payload/*
 
 # ================================
 #              Windows
@@ -624,7 +507,7 @@ jobs:
             command: git-credential-manager
             description: linux
           - os: macos-latest
-            artifact: osx-x64-sign
+            artifact: macos-osx-x64-artifacts
             command: git-credential-manager
             description: osx-x64
           - os: windows-latest
@@ -640,7 +523,7 @@ jobs:
             command: git-credential-manager
             description: dotnet-tool
     runs-on: ${{ matrix.component.os }}
-    needs: [ osx-sign, win-sign, create-linux-artifacts, dotnet-tool-sign ]
+    needs: [ create-macos-artifacts, win-sign, create-linux-artifacts, dotnet-tool-sign ]
     steps:
       - uses: actions/checkout@v4
 
@@ -670,15 +553,15 @@ jobs:
         if: contains(matrix.component.description, 'linux')
         run: |
           # Ensure we find only the source tarball, not the symbols
-          tarpath=$(find ./tar -name '*[[:digit:]].tar.gz')
+          tarpath=$(find . -name '*[[:digit:]].tar.gz')
           tar -xvf $tarpath -C /usr/local/bin
           "${{ matrix.component.command }}" configure
 
       - name: Install macOS
         if: contains(matrix.component.description, 'osx-x64')
         run: |
           # Only validate x64, given arm64 agents are not available
-          pkgpath=$(find ./*.pkg)
+          pkgpath=$(find ./pkg/*.pkg)
           sudo installer -pkg $pkgpath -target /
 
       - name: Install .NET tool
@@ -716,13 +599,14 @@ jobs:
 
       - name: Archive macOS payload and symbols
         run: |
+          version="${{ needs.prereqs.outputs.version }}"
           mkdir osx-payload-and-symbols
 
-          tar -C osx-x64-payload-sign -czf osx-payload-and-symbols/gcm-osx-x64-$VERSION.tar.gz .
-          tar -C tmp.osx-x64-build/symbols -czf osx-payload-and-symbols/gcm-osx-x64-$VERSION-symbols.tar.gz .
+          tar -C macos-osx-x64-artifacts/payload -czf osx-payload-and-symbols/gcm-osx-x64-$version.tar.gz .
+          tar -C macos-osx-x64-artifacts/symbols -czf osx-payload-and-symbols/gcm-osx-x64-$version-symbols.tar.gz .
 
-          tar -C osx-arm64-payload-sign -czf osx-payload-and-symbols/gcm-osx-arm64-$VERSION.tar.gz .
-          tar -C tmp.osx-arm64-build/symbols -czf osx-payload-and-symbols/gcm-osx-arm64-$VERSION-symbols.tar.gz .
+          tar -C macos-osx-arm64-artifacts -czf osx-payload-and-symbols/gcm-osx-arm64-$version.tar.gz .
+          tar -C macos-osx-arm64-artifacts/symbols -czf osx-payload-and-symbols/gcm-osx-arm64-$version-symbols.tar.gz .
 
       - name: Archive Windows payload and symbols
         run: |
@@ -780,8 +664,8 @@ jobs:
               uploadDirectoryToRelease('win-x86-payload-and-symbols'),
 
               // Upload macOS artifacts
-              uploadDirectoryToRelease('osx-x64-sign'),
-              uploadDirectoryToRelease('osx-arm64-sign'),
+              uploadDirectoryToRelease('macos-osx-x64-artifacts/pkg'),
+              uploadDirectoryToRelease('macos-osx-arm64-artifacts/pkg'),
               uploadDirectoryToRelease('osx-payload-and-symbols'),
 
               // Upload Linux artifacts

@@ -26,9 +26,9 @@ for f in *
 do
     macho=$(file --mime $f | grep mach)
     # Runtime sign dylibs and Mach-O binaries
-    if [[ $f == *.dylib ]] || [ ! -z "$macho" ]; 
-    then 
-        echo "Runtime Signing $f" 
+    if [[ $f == *.dylib ]] || [ ! -z "$macho" ];
+    then
+        echo "Runtime Signing $f"
         codesign -s "$DEVELOPER_ID" $f --timestamp --force --options=runtime --entitlements $ENTITLEMENTS_FILE
     elif [ -d "$f" ];
     then
@@ -39,8 +39,8 @@ do
             codesign -s "$DEVELOPER_ID" $i --timestamp --force
         done
         cd ..
-    else 
+    else
         echo "Signing $f"
         codesign -s "$DEVELOPER_ID" $f  --timestamp --force
     fi
-done
+done