Conversation
cb671fd to 3c297b7
Changes include:
- Hardened Runtime entitlement has been added to all targets
- BuildPR workflow has been updated to include steps to prepare the keychain with the certificate and provisioning profile, then archive, export, and notarize the resulting binary.
3c297b7 to 726339f
dc8185c to ef79590
| xcrun stapler staple "$APP_PATH" | ||
| ditto -c -k --keepParent "$APP_PATH" "$ZIP_PATH" | ||
| - name: Check Notarization | ||
| run: spctl -a -vv GitX.app |
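Review bot: the Gatekeeper check assesses `GitX.app` by a relative name while the staple and zip steps operate on `"$APP_PATH"`; use the same variable here so the assessment runs against the bundle that was actually stapled. Since `spctl -a` can also pass by fetching the ticket online, add `xcrun stapler validate "$APP_PATH"` after the staple step to confirm the ticket is really attached to the shipped bundle.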
I added this verification of the notarization.

Thanks a lot for your generous help here @insha

Unfortunately we only notarize the pull request pipeline, and forgot the release. I will drop the release and recreate it again
Indeed. I figured once the PR workflow was working the release workflow would follow since the GitHub actions steps would be the same.
Also do we need the notary steps for the PR flow?
On Sep 18, 2022, at 11:51 AM, Hannes Achleitner wrote:
> Unfortunately we only notarize the pull request pipeline, and forgot the release. I will drop the release and recreate it again
I already did it

You are awesome 🙌. Thank you 👍

On Sep 18, 2022, at 12:36 PM, Hannes Achleitner wrote:
> Also do we need the notary steps for the PR flow?
> I already did it
| env: | ||
| EXPORT_OPTIONS: ${{ secrets.NOTARY_EXPORT_OPTIONS }} | ||
| run: | | ||
| mv GitX.xcarchive/Products/Applications/GitX.app . |
| run: cd External/objective-git && script/bootstrap && script/update_libgit2 && cd ../.. | ||
| - name: Build project | ||
| run: xcodebuild -workspace GitX.xcworkspace -scheme GitX -archivePath ./GitX archive ARCHS="${{ matrix.abi }}" | ||
| run: xcodebuild -workspace GitX.xcworkspace -scheme GitX -archivePath ./GitX archive ARCHS="${{ matrix.abi }}" PRODUCT_BUNDLE_IDENTIFIER=${{ secrets.NOTARY_BUNDLE_IDENTIFIER}} |
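Review bot: `PRODUCT_BUNDLE_IDENTIFIER=${{ secrets.NOTARY_BUNDLE_IDENTIFIER}}` is expanded by Actions before the shell runs and is unquoted, so when the secret is unavailable (repository secrets are not passed to pull requests from forks) xcodebuild is invoked with `PRODUCT_BUNDLE_IDENTIFIER=` and the project's bundle identifier is overridden with an empty string rather than left alone. Quote the value and only append the override when it is non-empty. Overriding the identifier at build time also leaves any identifier hard-coded in source (the scripting-bridge constant discussed in this thread) out of sync with the notarized app, so that constant must be changed to match. Minor: missing space before `}}`.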
| echo -n "$EXPORT_OPTIONS" > EXPORT_OPTIONS_PATH | ||
| xcodebuild -exportArchive -archivePath GitX.xcarchive -exportPath . -exportOptionsPlist EXPORT_OPTIONS_PATH |
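Review bot: both the redirect `> EXPORT_OPTIONS_PATH` and `-exportOptionsPlist EXPORT_OPTIONS_PATH` use the literal name, not `$EXPORT_OPTIONS_PATH`, so the plist is written to a file called EXPORT_OPTIONS_PATH in the checkout (the same directory `-exportPath .` exports into) instead of the intended path. Write it to a temp location and reference `"$EXPORT_OPTIONS_PATH"` in both places; the file carries the secret's contents (the team ID), so it should not be left lying in the workspace where later steps may pick it up.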
Now we create a new archive and use this. Not sure if this is an issue.
Yes, the issue with #336 and #337 is caused by the bundle identifier that is used for the scripting bridge and the one that is assigned for notarizing the app.
I mentioned this in a reply [here](#336 (comment)). The `gitx` client needs to use the bundle identifier that is used for notarizing the app. Note that the only place where this change is needed is in the `GitXScriptingConstants.h` file; but I haven't had a chance to test it.

On Sep 19, 2022, at 9:15 AM, Hannes Achleitner wrote:
@hannesa2 commented on this pull request.
In .github/workflows/BuildPR.yml:
> run: |
- mv GitX.xcarchive/Products/Applications/GitX.app .
It's about #337 and #336
@insha Before we move GitX.xcarchive/Products/Applications/GitX.app to root.
In .github/workflows/BuildPR.yml:
> - name: pre build
run: cd External/objective-git && script/bootstrap && script/update_libgit2 && cd ../..
- name: Build project
- run: xcodebuild -workspace GitX.xcworkspace -scheme GitX -archivePath ./GitX archive ARCHS="${{ matrix.abi }}"
+ run: xcodebuild -workspace GitX.xcworkspace -scheme GitX -archivePath ./GitX archive ARCHS="${{ matrix.abi }}" PRODUCT_BUNDLE_IDENTIFIER=${{ secrets.NOTARY_BUNDLE_IDENTIFIER}}
@insha can it be that this secrets.NOTARY_BUNDLE_IDENTIFIER has a relation to this identifier net.phere.GitX?
In .github/workflows/BuildPR.yml:
> run: |
- mv GitX.xcarchive/Products/Applications/GitX.app .
+ EXPORT_OPTIONS_PATH=$RUNNER_TEMP/ExportOptions.plist
+
+ echo -n "$EXPORT_OPTIONS" > EXPORT_OPTIONS_PATH
+
+ xcodebuild -exportArchive -archivePath GitX.xcarchive -exportPath . -exportOptionsPlist EXPORT_OPTIONS_PATH
Now we create a new archive and use this. Not sure if this is an issue.
This sounds promising. To clarify this secrets.NOTARY_BUNDLE_IDENTIFIER: which one did you use for notarizing, to be clear what I should use in kGitXBundleIdentifier in GitXScriptingConstants.h?

The bundle identifier that is used for the notarization is `com.themacronaut.net.phere.GitX`. This should be the value of the `kGitXBundleIdentifier` in the `GitXScriptingConstants.h` file when the build is created using the `Release` configuration.
Meaning, you may get better mileage by wrapping it in the `#ifndef DEBUG …`; but you can just set it to the above identifier and make a build and see if it works and then refactor to allow for conditional use.

On Sep 19, 2022, at 11:35 PM, Hannes Achleitner wrote:
> This sounds promising.
> To clarify this secrets.NOTARY_BUNDLE_IDENTIFIER:
> Which one did you use for notarizing, to be clear what I should use in kGitXBundleIdentifier in the GitXScriptingConstants.h?
@insha can you please check why PR builds are failing?

@hannesa2 It looks like the environment variables from the GitHub Actions secrets are coming up as empty. These secrets would be shown masked with asterisks, not removed completely, as you can see from this old build log. Can you please check the settings?

Quick update: The secrets and variables for actions are not passed to workflows that are triggered by a pull request from a fork (per the GitHub documentation, suggested by this comment). I'm gathering three ideas on how to resolve this:

Pull requests opened from forks will not have access to secrets and variables. We don't need to notarize builds on the master branch or on pull requests. Only the builds from the BuildRelease workflow file need to be notarized before making a release.

That's good to know. But they can't be accessed in a forked PR for security reasons. It's a GitHub limitation to safeguard against leaks. That's why the PRs must build without needing any secret. Anyway, we don't need to notarize builds in PR. We just need to know that the builds are successful.

Please see my recommendation #365 (review)
| run: xcodebuild -workspace GitX.xcworkspace -scheme GitX -archivePath ./GitX archive ARCHS="${{ matrix.abi }}" PRODUCT_BUNDLE_IDENTIFIER=${{ secrets.NOTARY_BUNDLE_IDENTIFIER}} | ||
| - name: Prepare artifact | ||
| env: | ||
| EXPORT_OPTIONS: ${{ secrets.NOTARY_EXPORT_OPTIONS }} |
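Review bot: this "Prepare artifact" step cannot succeed without `secrets.NOTARY_EXPORT_OPTIONS` (and the archive step above without `secrets.NOTARY_BUNDLE_IDENTIFIER`), and both are empty on pull requests from forks, so BuildPR fails for exactly the external contributions it exists to check. Gate the export and notarization steps with an `if:` on the event (or on the secret being non-empty), or move them into the release workflow and keep BuildPR secret-free, which is where the thread ends up.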
@insha
I'm trying to do the same on another project, but I've no clue what the content of NOTARY_EXPORT_OPTIONS is.
I guess it's not a secret, am I right?
If yes, can you please write me the content of it?
@hannesa2 Apologies for the delayed response. The value of this secret variable is the contents of the export options plist file. It is in secrets because it contains my Apple Team ID. The contents are as follows with my team ID redacted:

```xml
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
	<key>destination</key>
	<string>export</string>
	<key>method</key>
	<string>developer-id</string>
	<key>provisioningProfiles</key>
	<dict>
		<key>com.themacronaut.net.phere.GitX</key>
		<string>GitX Notarized Distribution</string>
	</dict>
	<key>signingCertificate</key>
	<string>Developer ID Application</string>
	<key>signingStyle</key>
	<string>manual</string>
	<key>teamID</key>
	<string>---REDACTED---</string>
</dict>
</plist>
```
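As an added example (not GitX's code, nor either commenter's), here is a pre-flight check that ties together the three identifiers this thread keeps mismatching: the `PRODUCT_BUNDLE_IDENTIFIER` passed to `xcodebuild archive`, the `provisioningProfiles` key in the export options plist above, and `kGitXBundleIdentifier` in `GitXScriptingConstants.h`, and that flags the empty-secret case seen on fork pull requests. The plist is a constructed copy of the one quoted above with a made-up team ID, and the header snippet assumes the `#ifndef DEBUG` layout suggested earlier rather than the real file.

```python
import plistlib
import re
# Constructed ExportOptions.plist modelled on the one quoted in this thread; teamID is a made-up placeholder.
EXPORT_OPTIONS = b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0"><dict>
<key>destination</key><string>export</string><key>method</key><string>developer-id</string>
<key>provisioningProfiles</key><dict><key>com.themacronaut.net.phere.GitX</key>
<string>GitX Notarized Distribution</string></dict>
<key>signingCertificate</key><string>Developer ID Application</string>
<key>signingStyle</key><string>manual</string><key>teamID</key><string>ABCDE12345</string>
</dict></plist>"""
# Constructed stand-in for GitXScriptingConstants.h in the #ifndef DEBUG layout suggested above.
SCRIPTING_HEADER = """#ifndef DEBUG
#define kGitXBundleIdentifier @"com.themacronaut.net.phere.GitX"
#else
#define kGitXBundleIdentifier @"net.phere.GitX"
#endif"""

def scripting_bundle_id(header, debug=False):
    """kGitXBundleIdentifier for a DEBUG or Release build (one level of #ifdef/#ifndef DEBUG)."""
    active, found = True, None
    for line in header.splitlines():
        tok = line.split()
        if tok[:2] in (["#ifdef", "DEBUG"], ["#ifndef", "DEBUG"]):
            active = debug if tok[0] == "#ifdef" else not debug
        elif tok[:1] == ["#else"]:
            active = not active
        elif tok[:1] == ["#endif"]:
            active = True
        elif active and (m := re.match(r'\s*#define\s+kGitXBundleIdentifier\s+@"([^"]+)"', line)):
            found = m.group(1)
    return found

def check_notarization_config(plist_bytes, product_bundle_id, header):
    """Cross-check xcodebuild's PRODUCT_BUNDLE_IDENTIFIER, ExportOptions.plist and the scripting constant."""
    if not product_bundle_id:  # what a fork PR sees: the secret expands to nothing
        return ["PRODUCT_BUNDLE_IDENTIFIER is empty: secrets are not passed to workflows from fork PRs"]
    opts = plistlib.loads(plist_bytes)
    problems = []
    if opts.get("method") != "developer-id":
        problems.append("method must be developer-id to export a notarizable Developer ID build")
    if product_bundle_id not in opts.get("provisioningProfiles", {}):
        problems.append(f"no provisioning profile mapped to {product_bundle_id}")
    if not re.fullmatch(r"[A-Z0-9]{10}", opts.get("teamID", "")):  # Apple team IDs are 10 alphanumerics
        problems.append("teamID is missing or still a placeholder")
    release_id = scripting_bundle_id(header)
    if release_id != product_bundle_id:  # the #336/#337 mismatch: scripting bridge vs notarized app
        problems.append(f"kGitXBundleIdentifier {release_id!r} != notarized bundle id {product_bundle_id!r}")
    return problems
```

Run it in the workflow before `xcodebuild -exportArchive` with the real plist and identifier; a non-empty list means the archive would be notarized under an identifier the `gitx` client does not use.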
You mean to say the entire XML content is put inside an environment variable? 🤔

Yes, from what I recall, that is correct. The reason being that the plist file has sensitive information in it.