Mac: Sign non-release builds with self-signed key

[hoffie]

What is the current behaviour and why should it be changed?

Currently, only release builds are signed via @emlynmac. Now that we provide M1 builds (#2357), it would be interesting to sign non-release builds as well, as M1 Macs refuse to run unsigned binaries by default.

Describe possible approaches

It should be sufficient to use a self-signed key for that.

• Key generation (turned out to be unneeded)
• Build logic changes

Has this feature been discussed and generally agreed?

See #2357

[ann0see]

I can create a cert. However, should we share it internally?

[pljones]

Should it go into jamulussoftware/assets or jamulussoftware/settings/secrets/actions?

[ann0see]

Since it's a cryptographic key, it needs to go to the secrets tab, not a repo.

[hoffie]

However, should we share it internally?

I think it should be ok to store it as a secret only. It will not be easily recoverable there though (but we shouldn't need it).
In addition to the key, we also need to adjust the build logic to avoid trying the online (apple.com) parts of the signing process. I guess it makes sense to do this via another boolean secret to make that decision (or derive it from the cert if possible?).

[emlynmac]

Maybe have a look at the existing signing system and add the relevant gitHub secrets to enable signing.
It may require some further changes to make sure the notarization path is not followed, but should be simpler to do that way.

[ann0see]

I think I followed https://www.simplified.guide/macos/keychain-cert-code-signing-create once.

[ann0see]

I think I've now added everything unrelated to notarization from my side on this repo. So we'd need to skip MACOS_CERTIFICATE_ID and NOTARIZATION_PASSWORD

[ann0see]

Ok. I've now added a fake password and for the MACOS_CERTIFICATE_ID the name of the certificate, but on a workflow_dispatch run nothing changes.

[hoffie]

I think we need several more changes (which could probably be done on a fork first):

• jamulus/.github/autobuild/mac.sh

  Line 44 in e14f3dd

  [[ -n "${NOTARIZATION_PASSWORD:-}" ]] || return 1

  needs dropping, I think
• These ifs need additional checks for the NOTARIZATION_PASSWORD secret:

  jamulus/.github/workflows/autobuild.yml

  Line 387 in e14f3dd

  if: >-

  jamulus/.github/workflows/autobuild.yml

  Line 399 in e14f3dd

  if: >-

Not sure if this is everything, but I guess both of it is mandatory for it to work.

[ann0see]

Yes, that could be done.

However, I think we still need something else: https://github.com/jamulussoftware/jamulus/runs/7982936025?check_suite_focus=true#step:10:7 should have imported the cert, but it didn't.

[hoffie]

I think PRs don't have access to the target repo secrets, not sure if this changes if the PR comes from the same repo as that one did.

[ann0see]

The secret tab says there's only no access for PRs from forks