chore: build, sign and notarize darwin binaries on linux

deansheather · deansheather · commit c220990ff788 · 2022-09-06T13:27:02.000Z
diff --git a/.github/workflows/release.yaml b/.github/workflows/release.yaml
@@ -1,10 +1,4 @@
 # GitHub release workflow.
-#
-# This workflow is a bit complicated because we have to build darwin binaries on
-# a mac runner, but the mac runners are extremely slow. So instead of running
-# the entire release on a mac (which will take an hour to run), we run only the
-# mac build on a mac, and the rest on a linux runner. The final release is then
-# published using a final linux runner.
 name: release
 on:
   push:
@@ -25,7 +19,7 @@ env:
   CODER_RELEASE: ${{ github.event.inputs.snapshot && 'false' || 'true' }}
 
 jobs:
-  linux-windows:
+  release:
     runs-on: ubuntu-latest
     env:
       # Necessary for Docker manifest
@@ -71,15 +65,36 @@ jobs:
       - name: Install zstd
         run: sudo apt-get install -y zstd
 
-      - name: Build Linux and Windows Binaries
+      - name: Setup Apple Developer certificate and API key
+        run: |
+          set -euo pipefail
+          touch /tmp/{apple_cert.p12,apple_cert_password.txt,apple_apikey.p8}
+          chmod 600 /tmp/{apple_cert.p12,apple_cert_password.txt,apple_apikey.p8}
+          echo "$AC_CERTIFICATE_BASE64" | base64 -d > /tmp/apple_cert.p12
+          echo "$AC_CERTIFICATE_PASSWORD" > /tmp/apple_cert_password.txt
+          echo "$AC_APIKEY_BASE64" | base64 -d > /tmp/apple_apikey.p8
+        env:
+          AC_CERTIFICATE_BASE64: ${{ secrets.AC_CERTIFICATE_P12_BASE64 }}
+          AC_CERTIFICATE_PASSWORD: ${{ secrets.AC_CERTIFICATE_PASSWORD }}
+          AC_APIKEY_BASE64: ${{ secrets.AC_APIKEY_PEM_BASE64 }}
+
+      - name: Build binaries
         run: |
           set -euo pipefail
           go mod download
 
           version="$(./scripts/version.sh)"
           make -j \
             build/coder_"$version"_linux_{amd64,armv7,arm64}.{tar.gz,apk,deb,rpm} \
-            build/coder_"$version"_windows_{amd64,arm64}.zip \
+            build/coder_"$version"_{darwin,windows}_{amd64,arm64}.zip \
+            build/coder_helm_"$version".tgz
+        env:
+          CODER_SIGN_DARWIN: "1"
+          AC_CERTIFICATE_FILE: /tmp/apple_cert.p12
+          AC_CERTIFICATE_PASSWORD_FILE: /tmp/apple_cert_password.txt
+          AC_APIKEY_ISSUER_ID: ${{ secrets.AC_APIKEY_ISSUER_ID }}
+          AC_APIKEY_ID: ${{ secrets.AC_APIKEY_ID }}
+          AC_APIKEY_FILE: /tmp/apple_apikey.p8
 
       - name: Build Linux Docker images
         run: |
@@ -115,154 +130,18 @@ jobs:
               "${images[@]}"
           fi
 
-      - name: Upload binary artifacts
-        uses: actions/upload-artifact@v3
-        with:
-          name: linux
-          path: |
-            ./build/*.zip
-            ./build/*.tar.gz
-            ./build/*.apk
-            ./build/*.deb
-            ./build/*.rpm
-
-  # The mac binaries get built on mac runners because they need to be signed,
-  # and the signing tool only runs on mac. This darwin job only builds the Mac
-  # binaries and uploads them as job artifacts used by the publish step.
-  darwin:
-    runs-on: macos-latest
-    steps:
-      - uses: actions/checkout@v3
-        with:
-          fetch-depth: 0
-
-      # If the event that triggered the build was an annotated tag (which our
-      # tags are supposed to be), actions/checkout has a bug where the tag in
-      # question is only a lightweight tag and not a full annotated tag. This
-      # command seems to fix it.
-      # https://github.com/actions/checkout/issues/290
-      - name: Fetch git tags
-        run: git fetch --tags --force
-
-      - uses: actions/setup-go@v3
-        with:
-          go-version: "~1.19"
-
-      - name: Import Signing Certificates
-        uses: Apple-Actions/import-codesign-certs@v1
-        with:
-          p12-file-base64: ${{ secrets.AC_CERTIFICATE_P12_BASE64 }}
-          p12-password: ${{ secrets.AC_CERTIFICATE_PASSWORD }}
-
-      - name: Cache Node
-        id: cache-node
-        uses: actions/cache@v3
-        with:
-          path: |
-            **/node_modules
-            .eslintcache
-          key: js-${{ runner.os }}-test-${{ hashFiles('**/yarn.lock') }}
-          restore-keys: |
-            js-${{ runner.os }}-
+      - name: ls build
+        run: ls build
 
-      - name: Install dependencies
-        run: |
-          set -euo pipefail
-          # The version of bash that macOS ships with is too old
-          brew install bash
-
-          # The version of make that macOS ships with is too old
-          brew install make
-          echo "$(brew --prefix)/opt/make/libexec/gnubin" >> $GITHUB_PATH
-
-          # BSD getopt is incompatible with the build scripts
-          brew install gnu-getopt
-          echo "$(brew --prefix)/opt/gnu-getopt/bin" >> $GITHUB_PATH
-
-          # Used for notarizing the binaries
-          brew tap mitchellh/gon
-          brew install mitchellh/gon/gon
-
-          # Used for compressing embedded slim binaries
-          brew install zstd
-
-      - name: Build Site
-        run: make site/out/index.html
-
-      - name: Build darwin Binaries (with signatures)
-        run: |
-          set -euo pipefail
-          go mod download
-
-          version="$(./scripts/version.sh)"
-          make -j \
-            build/coder_"$version"_darwin_{amd64,arm64}.zip
-        env:
-          CODER_SIGN_DARWIN: "1"
-          AC_USERNAME: ${{ secrets.AC_USERNAME }}
-          AC_PASSWORD: ${{ secrets.AC_PASSWORD }}
-          AC_APPLICATION_IDENTITY: BDB050EB749EDD6A80C6F119BF1382ECA119CCCC
-
-      - name: Upload Binary Artifacts
-        uses: actions/upload-artifact@v3
-        with:
-          name: darwin
-          path: ./build/*.zip
-
-  publish:
-    runs-on: ubuntu-latest
-    needs:
-      - linux-windows
-      - darwin
-    steps:
-      - uses: actions/checkout@v3
-        with:
-          fetch-depth: 0
-
-      # If the event that triggered the build was an annotated tag (which our
-      # tags are supposed to be), actions/checkout has a bug where the tag in
-      # question is only a lightweight tag and not a full annotated tag. This
-      # command seems to fix it.
-      # https://github.com/actions/checkout/issues/290
-      - name: Fetch git tags
-        run: git fetch --tags --force
-
-      - name: mkdir artifacts
-        run: mkdir artifacts
-
-      - name: Download darwin Artifacts
-        uses: actions/download-artifact@v3
-        with:
-          name: darwin
-          path: artifacts
-
-      - name: Download Linux and Windows Artifacts
-        uses: actions/download-artifact@v3
-        with:
-          name: linux
-          path: artifacts
-
-      - name: ls artifacts
-        run: ls artifacts
-
-      - name: Publish Helm
-        run: |
-          set -euxo pipefail
-
-          version="$(./scripts/version.sh)"
-          make -j \
-            build/coder_helm_"$version".tgz
-          mv ./build/*.tgz ./artifacts/
-
-      - name: Publish Release
+      - name: Publish release
         run: |
           ./scripts/publish_release.sh \
             ${{ (github.event.inputs.dry_run || github.event.inputs.snapshot) && '--dry-run' }} \
-            ./artifacts/*.zip \
-            ./artifacts/*.tar.gz \
-            ./artifacts/*.tgz \
-            ./artifacts/*.apk \
-            ./artifacts/*.deb \
-            ./artifacts/*.rpm
+            ./build/*.zip \
+            ./build/*.tar.gz \
+            ./build/*.tgz \
+            ./build/*.apk \
+            ./build/*.deb \
+            ./build/*.rpm
         env:
           GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
diff --git a/scripts/archive.sh b/scripts/archive.sh
@@ -10,11 +10,9 @@
 # If the --output parameter is not set, the default output path is the binary
 # path (minus any .exe suffix) plus the format extension ".zip" or ".tar.gz".
 #
-# If --sign-darwin is specified, the zip file is signed with the `codesign`
-# utility and then notarized using the `gon` utility, which may take a while.
-# $AC_APPLICATION_IDENTITY must be set and the signing certificate must be
-# imported for this to work. Also, the input binary must already be signed with
-# the `codesign` tool.
+# If --sign-darwin is specified, the zip file will be notarized using
+# ./notarize_darwin.sh, which may take a while. Read that file for more details
+# on the requirements.
 #
 # If the --agpl parameter is specified, only the AGPL license is included in the
 # outputted archive.
@@ -139,7 +137,7 @@ rm -rf "$temp_dir"
 
 if [[ "$sign_darwin" == 1 ]]; then
 	log "Notarizing archive..."
-	execrelative ./sign_darwin.sh "$output_path"
+	execrelative ./notarize_darwin.sh "$output_path"
 fi
 
 echo "$output_path"
diff --git a/scripts/build_go.sh b/scripts/build_go.sh
@@ -16,9 +16,9 @@
 # builds) and the absolute path to the binary will be printed to stdout on
 # completion.
 #
-# If the --sign-darwin parameter is specified and the OS is darwin, binaries
-# will be signed using the `codesign` utility. $AC_APPLICATION_IDENTITY must be
-# set and the signing certificate must be imported for this to work.
+# If the --sign-darwin parameter is specified and the OS is darwin, the output
+# binary will be signed using ./sign_darwin.sh. Read that file for more details
+# on the requirements.
 #
 # If the --agpl parameter is specified, builds only the AGPL-licensed code (no
 # Coder enterprise features).
@@ -65,9 +65,6 @@ while true; do
 		shift
 		;;
 	--sign-darwin)
-		if [[ "${AC_APPLICATION_IDENTITY:-}" == "" ]]; then
-			error "AC_APPLICATION_IDENTITY must be set when --sign-darwin is supplied"
-		fi
 		sign_darwin=1
 		shift
 		;;
@@ -133,13 +130,7 @@ CGO_ENABLED=0 GOOS="$os" GOARCH="$arch" GOARM="$arm_version" go build \
 	"$cmd_path" 1>&2
 
 if [[ "$sign_darwin" == 1 ]] && [[ "$os" == "darwin" ]]; then
-	codesign \
-		-f -v \
-		-s "$AC_APPLICATION_IDENTITY" \
-		--timestamp \
-		--options runtime \
-		"$output_path" \
-		1>&2
+	execrelative ./scripts/sign_darwin.sh "$output_path" 1>&2
 fi
 
 echo "$output_path"
diff --git a/scripts/lib.sh b/scripts/lib.sh
@@ -81,6 +81,21 @@ dependencies() {
 	fi
 }
 
+requiredenvs() {
+	local fail=0
+	for env in "$@"; do
+		if [[ "${!env:-}" == "" ]]; then
+			log "ERROR: The '$env' environment variable is required, but is not set."
+			fail=1
+		fi
+	done
+
+	if [[ "$fail" == 1 ]]; then
+		log
+		error "One or more required environment variables are not set, check above log output for more details."
+	fi
+}
+
 # maybedryrun prints the given program and flags, and then, if the first
 # argument is 0, executes it. The reason the first argument should be 0 is that
 # it is expected that you have a dry_run variable in your script that is set to
diff --git a/scripts/notarize_darwin.sh b/scripts/notarize_darwin.sh
@@ -0,0 +1,71 @@
+#!/usr/bin/env bash
+
+# This script notarizes the provided zip file using an Apple Developer account.
+#
+# Usage: ./notarize_darwin.sh path/to/zipfile.zip
+#
+# The provided zip file must contain a coder binary that has already been signed
+# using ./sign_darwin.sh.
+#
+# On success, all of the contained binaries inside the input zip file will
+# notarized. This does not make any changes to the zip or contained files
+# itself, but GateKeeper checks will pass for the binaries inside the zip file
+# as long as the device is connected to the internet to download the
+# notarization ticket from Apple.
+#
+# You can check if a binary is notarized by running the following command on a
+# Mac:
+#   spctl --assess -vvv -t install path/to/binary
+#
+# Depends on the rcodesign utility. Requires the following environment variables
+# to be set:
+#  - $AC_APIKEY_ISSUER_ID: The issuer UUID of the Apple App Store Connect API
+#    key.
+#  - $AC_APIKEY_ID: The key ID of the Apple App Store Connect API key.
+#  - $AC_APIKEY_FILE: The path to the private key P8 file of the Apple App Store
+#    Connect API key.
+
+set -euo pipefail
+# shellcheck source=scripts/lib.sh
+source "$(dirname "${BASH_SOURCE[0]}")/lib.sh"
+
+# Check dependencies
+dependencies rcodesign
+requiredenvs AC_APIKEY_ISSUER_ID AC_KEY_ID AC_APIKEY_FILE
+
+# Encode the notarization key components into a JSON file for easily calling
+# `rcodesign notary-submit`.
+key_file="$(mktemp)"
+chmod 600 "$key_file"
+trap 'rm -f "$key_file"' EXIT
+rcodesign encode-app-store-connect-api-key \
+	"$AC_APIKEY_ISSUER_ID" \
+	"$AC_KEY_ID" \
+	"$AC_APIKEY_FILE" \
+	> "$key_file"
+
+# The notarization process is very fragile and heavily dependent on Apple's
+# notarization server not returning server errors, so we retry this step twice
+# with a delay of 30 seconds between attempts.
+rc=0
+for i in $(seq 1 2); do
+	rcodesign notary-submit \
+		-vvv \
+		--key "$key_file" \
+		--wait "$@" \
+		1>&2 \
+		&& rc=0 && break || rc=$?
+
+	log "rcodesign exit code: $rc"
+	if [[ $i -lt 5 ]]; then
+		log
+		log "Retrying notarization in 30 seconds"
+		log
+		sleep 30
+	else
+		log
+		log "Giving up :("
+	fi
+done
+
+exit $rc
diff --git a/scripts/sign_darwin.sh b/scripts/sign_darwin.sh
