chore: sign darwin binaries & dylib with an Info.plist

ethanndickson · ethanndickson · commit d4f83dca970b · 2024-12-18T08:28:29.000Z
diff --git a/.github/workflows/ci.yaml b/.github/workflows/ci.yaml
@@ -919,7 +919,7 @@ jobs:
         uses: ./.github/actions/setup-go
 
       - name: Install rcodesign
-        if: ${{ github.repository_owner == 'coder' && github.ref == 'refs/heads/main' }}
+        # if: ${{ github.repository_owner == 'coder' && github.ref == 'refs/heads/main' }}
         run: |
           set -euo pipefail
           wget -O /tmp/rcodesign.tar.gz https://github.com/indygreg/apple-platform-rs/releases/download/apple-codesign%2F0.22.0/apple-codesign-0.22.0-macos-universal.tar.gz
@@ -930,7 +930,7 @@ jobs:
           rm /tmp/rcodesign.tar.gz
 
       - name: Setup Apple Developer certificate and API key
-        if: ${{ github.repository_owner == 'coder' && github.ref == 'refs/heads/main' }}
+        # if: ${{ github.repository_owner == 'coder' && github.ref == 'refs/heads/main' }}
         run: |
           set -euo pipefail
           touch /tmp/{apple_cert.p12,apple_cert_password.txt,apple_apikey.p8}
@@ -951,12 +951,12 @@ jobs:
           make gen/mark-fresh
           make build/coder-dylib
         env:
-          CODER_SIGN_DARWIN: ${{ github.ref == 'refs/heads/main' && '1' || '0' }}
+          CODER_SIGN_DARWIN: 1
           AC_CERTIFICATE_FILE: /tmp/apple_cert.p12
           AC_CERTIFICATE_PASSWORD_FILE: /tmp/apple_cert_password.txt
 
       - name: Upload build artifacts
-        if: ${{ github.repository_owner == 'coder' && github.ref == 'refs/heads/main' }}
+        # if: ${{ github.repository_owner == 'coder' && github.ref == 'refs/heads/main' }}
         uses: actions/upload-artifact@b4b15b8c7c6ac21ea08fcf65892d2ee8f75cf882 # v4.4.3
         with:
           name: dylibs
@@ -966,7 +966,7 @@ jobs:
           retention-days: 7
 
       - name: Delete Apple Developer certificate and API key
-        if: ${{ github.repository_owner == 'coder' && github.ref == 'refs/heads/main' }}
+        # if: ${{ github.repository_owner == 'coder' && github.ref == 'refs/heads/main' }}
         run: rm -f /tmp/{apple_cert.p12,apple_cert_password.txt,apple_apikey.p8}
 
   build:
diff --git a/scripts/build_go.sh b/scripts/build_go.sh
@@ -142,6 +142,26 @@ if [[ "$agpl" == 1 ]]; then
 	# a flag to control AGPL vs. enterprise behavior.
 	ldflags+=(-X "'github.com/coder/coder/v2/buildinfo.agpl=true'")
 fi
+cgo=0
+if [[ "$dylib" == 1 ]]; then
+	if [[ "$os" != "darwin" ]]; then
+		error "dylib builds are not supported on $os"
+	fi
+	cgo=1
+	cmd_path="./vpn/dylib/lib.go"
+	build_args+=("-buildmode=c-shared")
+	SDKROOT="$(xcrun --sdk macosx --show-sdk-path)"
+	export SDKROOT
+	bin_ident="com.coder.vpn"
+
+	plist_file=$(mktemp)
+	trap 'rm -f "$plist_file"' EXIT
+	# CFBundleShortVersionString must be in the format /[0-9]+.[0-9]+.[0-9]+/
+	# CFBundleVersion can be in any format
+	BUNDLE_NAME="CoderVPN" BUNDLE_IDENTIFIER="$bin_ident" VERSION_STRING="$version" SHORT_VERSION_STRING=$(echo "$version" | grep -oE '^[0-9]+\.[0-9]+\.[0-9]+') \
+		execrelative envsubst <"$(realpath ./scripts/info.plist.tmpl)" >"$plist_file"
+	# ldflags+=("-extldflags '-sectcreate __TEXT __info_plist $plist_file'")
+fi
 build_args+=(-ldflags "${ldflags[*]}")
 
 # Disable optimizations if building a binary for debuggers.
@@ -176,19 +196,6 @@ if [[ "$agpl" == 1 ]]; then
 	cmd_path="./cmd/coder"
 fi
 
-cgo=0
-if [[ "$dylib" == 1 ]]; then
-	if [[ "$os" != "darwin" ]]; then
-		error "dylib builds are not supported on $os"
-	fi
-	cgo=1
-	cmd_path="./vpn/dylib/lib.go"
-	build_args+=("-buildmode=c-shared")
-	SDKROOT="$(xcrun --sdk macosx --show-sdk-path)"
-	export SDKROOT
-	bin_ident="com.coder.vpn"
-fi
-
 goexp=""
 if [[ "$boringcrypto" == 1 ]]; then
 	cgo=1
diff --git a/scripts/info.plist.tmpl b/scripts/info.plist.tmpl
@@ -0,0 +1,14 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
+<plist version="1.0">
+<dict>
+    <key>CFBundleName</key>
+    <string>${BUNDLE_NAME}</string>
+    <key>CFBundleIdentifier</key>
+    <string>${BUNDLE_IDENTIFIER}</string>
+    <key>CFBundleVersion</key>
+    <string>${VERSION_STRING}</string>
+    <key>CFBundleShortVersionString</key>
+    <string>${SHORT_VERSION_STRING}</string>
+</dict>
+</plist>
