#2426 Enable darwin arm64 builds in goreleaser

[beret]

Fixes #2426
As available in v1.16+ https://tip.golang.org/doc/go1.16#darwin

I have M1 HW and can test further automated builds.

[mislav]

@beret Thanks for the suggestion! I've published a prerelease with the contents of your PR applied. This generated an arm64 build for macOS. Could you download that binary and see whether it works on your machine? Note that this binary isn't signed or notarized— will that be a problem?

[beret]

tl;dr - It appears to run just as well as the amd64 build, adds an ad-hoc signature to satisfy the platform requirements, notarization still is grumpy but that's not news.

Running from a terminal prior to override will be blocked with a dialog warning that it cannot be opened to check for malicious software. (Presumably due to notarization?) Bypassing can be done as usual, by manually opening the gh binary from Finder and approving it with the prompt to open anyway. CLI usage is normal after manual approval.

Before override:

After explicit right-click "Open" action in Finder:

This behavior is exactly the same on the prerelease AMD64 binary when run on the same M1 machine. (blocked by default, approval via Finder works, subsequent CLI use OK, but this time with Rosetta2 translation applied automatically.)

The arm64 binary does get an ad-hoc signature, it just doesn't appear to have an Apple approved developer cert. (amd64 doesn't have one generated by the same default build process, in line with the existing amd64 darwin norms.)

[areese]

You'll need to codesign, which has to be done on MacOS.
I've had success doing it with gon:

https://github.com/mitchellh/gon

My understanding of goreleaser was that this should work, but I never got it working.

signs:
  - signature: "${artifact}"
    ids: ["macos"]
    cmd: gon
    args: ["gon.hcl"]
    artifacts: all

The other problem I had was that I was hard coding the binary into gon.hcl, which can probably be solved by understanding goreleaser variables better:

gon.hcl is basically this:

source = ["./dist/macos_darwin_amd64/bin/gh", "./dist/macos_darwin_arm64/bin/gh"]

# this assumes that the password for the appleid is in the keychain
apple_id {
  username = <some Apple ID>
  password = "@keychain:appleid"
}

sign {
  application_identity = "Apple Development: Some Team (BLAHBLAHBLAH)"
}

Updated:

• Fix to use gon.hcl after reading the gon manual closer.
• Fix to add the apple_id config which got dropped.
• Cleanup to remove sign.sh after reading the manual further, I managed to get it working without the sign.sh and just the signs block.

[areese]

@mislav ty for closing my PR, I've gone back and looked at what I had to do locally, Hope this helps.

[areese]

I hadn't fully grokked this when I did my signing:
https://goreleaser.com/customization/sign/

[mislav]

@beret We still want to do this, but in the interest of cleaning the backlog, I'm going to close this for now.

We can't merge this as-is since I presume that the built binary won't be much use on M1 computers without having been signed/notarized. Since this last part is actually pretty tricky, we'll do it later when our team has some M1 machines to actually test on. Without that, changing our release pipeline would probably be too much guesswork for now.

Please follow #2426 for updates.

[beret]

Totally makes sense; sorting it out with signing is the better path. Thanks for the update!