
fix: notarization key decode + self-healing rebuild + build-target selector#256

Merged: inureyes merged 3 commits into main from fix/macos-notarization-p8-base64-decode, May 27, 2026

Conversation

@inureyes inureyes (Member) commented May 27, 2026

Three related improvements to the release workflow: fix the macOS notarization failure, make the workflow able to rebuild old tags, and let a manual run target a subset of platforms.

1. Notarization fix — invalidAsn1

The macOS release build fails at notarization:

Submitting notarization request...
Conducting pre-submission checks for notarize.zip and initiating connection to the Apple notary service...
Error: invalidAsn1
Error: notarytool did not report an Accepted status

First run of the notarization step added in #243 (v0.21.1).

Root cause. invalidAsn1 means xcrun notarytool could not parse the .p8 key as a PKCS#8 (ASN.1) private key while building its App Store Connect JWT — a key-format problem, not a binary/signing problem. Code signing (which runs first) succeeds, so DEV_ID_CERT_* is fine; the issue is isolated to the API key. The AC_API_PRIVATE_KEY_P8 secret is stored base64-encoded (same convention as DEV_ID_CERT_P12, consumed as base64 by apple-actions/import-codesign-certs via p12-file-base64), but the ported step wrote it to AuthKey.p8 verbatim — so notarytool received a base64 blob instead of PEM.

Fix. Decode the secret back to PEM before handing it to notarytool: auto-detect raw-PEM vs base64 input, strip CR from CRLF pastes, fail fast on an empty secret, and validate the materialized key with openssl pkey so a malformed key produces a clear warning instead of the opaque invalidAsn1.

2. Self-healing release checkout

GitHub always executes the release.yml baked into the triggering ref, so a bug in an old tag's workflow can't be fixed by re-publishing/re-running that tag — exactly why the §1 fix wouldn't retroactively apply to the v0.21.1 tag.

actions/checkout now checks out the target tag's source (release tag for the release event, or the release_tag input for workflow_dispatch, falling back to the triggering commit). This decouples which workflow runs from which source is built: dispatch from a branch carrying the fixed workflow and pass release_tag=v0.21.1, and the fixed workflow rebuilds the v0.21.1 source and uploads notarized artifacts onto that release. Asset names/protoc version are static and the binary version comes from the checked-out Cargo.toml, so changing the checkout ref has no naming/version side effects.

3. Build-target selector

New targets workflow_dispatch input (comma-separated windows, linux, macos, or all; empty = all) so a manual run can build a subset of platforms. A new setup job resolves the input into a filtered build matrix that build consumes via fromJSON(needs.setup.outputs.includes) — one source of truth for the platform list. Real release events always build every target (the input only filters manual dispatch). Input is case/space-insensitive and rejects unknown tokens.

Combined with §2, this allows rebuilding just one platform of a past tag — e.g. re-notarize only macOS for v0.21.1 without rebuilding Linux/Windows.

Verification

  • Notarization: simulated both secret formats with a throwaway EC P-256 PKCS#8 key — base64 → decoded → valid; raw PEM → as-is → valid; old behavior (base64 verbatim) → openssl INVALID, reproducing invalidAsn1.
  • Target selector: extracted the embedded setup script from the YAML and ran it for every input — ''/all→6 targets, macos→1, linux,macos→5, Windows, MacOS→2 (case/space ok), dedup ok, bogus→exit 1.
  • Workflow YAML validated with yaml.safe_load; build.needs == setup and matrix.include == fromJSON(...) confirmed.

Recovering v0.21.1 after merge

# Rebuild + re-notarize only macOS for v0.21.1:
gh workflow run release.yml --repo lablup/all-smi \
  --ref main -f release_tag=v0.21.1 -f targets=macos
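The decode-and-validate logic from §1, written out as an added example (this is not the PR's own workflow step): the secret is accepted either as raw PEM or as base64-wrapped PEM, CRs from a CRLF paste are stripped, an empty value is refused, and the materialized file is checked with openssl pkey before notarytool would see it. The function name and exit codes are my own.

```shell
#!/usr/bin/env bash
# Added example, not the workflow step from the PR: materialize an App Store
# Connect API key from a secret that is either raw PEM or base64-wrapped PEM,
# and validate it before notarytool ever sees it.
set -eu

# materialize_p8_key SECRET OUTFILE
# Writes a PEM PKCS#8 key to OUTFILE. Exit codes: 1 empty secret,
# 2 neither PEM nor decodable base64, 3 openssl cannot parse the result
# (the case that previously surfaced only as notarytool's invalidAsn1).
materialize_p8_key() {
  local secret="$1" out="$2" body
  # A CRLF paste leaves \r at every line end; strip it before anything else.
  body="$(printf '%s' "$secret" | tr -d '\r')"
  if [ -z "$(printf '%s' "$body" | tr -d '[:space:]')" ]; then
    echo "error: AC_API_PRIVATE_KEY_P8 secret is empty" >&2
    return 1
  fi
  if printf '%s' "$body" | grep -q -- '-----BEGIN'; then
    # Already PEM: write it verbatim.
    printf '%s\n' "$body" > "$out"
  elif ! printf '%s' "$body" | base64 -d > "$out" 2>/dev/null; then
    # No PEM header and not valid base64 either.
    rm -f "$out"
    echo "error: secret is neither PEM nor base64" >&2
    return 2
  fi
  # Fail fast with a clear message instead of the opaque notarytool error.
  if ! openssl pkey -in "$out" -noout 2>/dev/null; then
    rm -f "$out"
    echo "error: decoded key is not a parseable PKCS#8 private key" >&2
    return 3
  fi
  chmod 600 "$out"
}
```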

The notarize step wrote the AC_API_PRIVATE_KEY_P8 secret to AuthKey.p8 verbatim, but the secret is stored base64-encoded (same convention as DEV_ID_CERT_P12, which import-codesign-certs consumes as base64). notarytool then failed parsing the base64 blob as a PKCS#8 key with "Error: invalidAsn1".

Decode the secret back to PEM before passing it to notarytool: auto-detect raw-PEM vs base64 input, strip CR from CRLF pastes, guard against an empty secret, and validate with 'openssl pkey' so a malformed key fails with a clear message instead of the opaque notarytool error.
@inureyes inureyes added the area:ci CI/CD related label May 27, 2026
…tags

GitHub always runs the release.yml baked into the triggering ref, so a broken step in an old tag's workflow (e.g. the notarization fix in this PR) cannot be applied by re-running that tag. Point actions/checkout at the release tag (release event) or the release_tag input (workflow_dispatch), falling back to the triggering commit.

The latest workflow can now rebuild a past tag's source by dispatching from a branch carrying the fix and passing release_tag, instead of being stuck with the workflow file frozen in that tag.
@inureyes inureyes changed the title from "fix: decode base64 App Store Connect key before macOS notarization" to "fix: decode base64 notarization key and make release checkout self-healing" May 27, 2026
Add a 'targets' workflow_dispatch input (comma-separated: windows, linux, macos, all; empty = all) so a manual run can build a subset of platforms. A new 'setup' job resolves the input into a filtered build matrix that the build job consumes via fromJSON, keeping one source of truth for the platform list; real release events always build every target.

Combined with release_tag, this allows rebuilding a single platform of a past tag (e.g. re-notarize only macOS) without rebuilding everything.
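The targets resolution described above, as an added example rather than the PR's embedded setup script: tokens are lower-cased and stripped of whitespace, empty or all selects everything, duplicates collapse, an unknown token fails the run, and the result is emitted as the JSON include array a build job would read via fromJSON. The per-platform target names are placeholders (only their counts, linux 4, windows 1, macos 1, follow the verification numbers in the PR description), and the function names are assumed.

```shell
#!/usr/bin/env bash
# Added example, not the PR's own setup job: resolve the 'targets'
# workflow_dispatch input into a build matrix for fromJSON(). The target
# names per platform are placeholders; only their counts (linux 4,
# windows 1, macos 1) follow the PR's verification numbers.
set -eu

# Placeholder target list per platform (assumed, not the repository's).
targets_for() {
  case "$1" in
    linux)   printf '%s\n' x86_64-gnu aarch64-gnu x86_64-musl aarch64-musl ;;
    windows) printf '%s\n' x86_64-msvc ;;
    macos)   printf '%s\n' universal-apple ;;
  esac
}

# resolve_platforms INPUT: prints the selected platforms, one per line, in
# canonical order. Empty or 'all' means everything; tokens are case- and
# space-insensitive; duplicates collapse; an unknown token returns 1.
resolve_platforms() {
  local norm tok want="" p
  norm="$(printf '%s' "$1" | tr 'A-Z' 'a-z' | tr -d '[:space:]')"
  [ -n "$norm" ] || norm=all
  for tok in $(printf '%s' "$norm" | tr ',' ' '); do
    case "$tok" in
      all)                 want="windows linux macos" ;;
      windows|linux|macos) want="$want $tok" ;;
      *) echo "error: unknown target '$tok' (expected windows, linux, macos, all)" >&2
         return 1 ;;
    esac
  done
  for p in windows linux macos; do   # canonical order, and dedup via the list
    case " $want " in *" $p "*) echo "$p" ;; esac
  done
}

# matrix_json INPUT: emits the JSON 'include' array the build job consumes.
matrix_json() {
  local plats p t sep="" out="["
  plats="$(resolve_platforms "$1")" || return 1
  for p in $plats; do
    for t in $(targets_for "$p"); do
      out="$out$sep{\"platform\":\"$p\",\"target\":\"$t\"}"; sep=","
    done
  done
  printf '%s]\n' "$out"
}
```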
@inureyes inureyes changed the title from "fix: decode base64 notarization key and make release checkout self-healing" to "fix: notarization key decode + self-healing rebuild + build-target selector" May 27, 2026
@inureyes inureyes merged commit d3d8b56 into main May 27, 2026
4 checks passed
@inureyes inureyes deleted the fix/macos-notarization-p8-base64-decode branch May 27, 2026 10:23