35 changes: 33 additions & 2 deletions .github/workflows/build_executable.yml
Expand Up @@ -127,6 +127,22 @@ jobs:
- name: Test executable
run: time $PATH_TO_CYCODE_CLI_EXECUTABLE version

- name: Codesign onedir binaries
if: runner.os == 'macOS' && matrix.mode == 'onedir'
env:
APPLE_CERT_NAME: ${{ secrets.APPLE_CERT_NAME }}
run: |
# Sign all Mach-O binaries in the onedir output (excluding the main executable)
# Main executable must be signed last after all its dependencies
find dist/cycode-cli -type f ! -name "cycode-cli" | while read -r file; do
if file -b "$file" | grep -q "Mach-O"; then
codesign --force --sign "$APPLE_CERT_NAME" --timestamp --options runtime "$file"
fi
done

# Re-sign the main executable with entitlements (must be last)
codesign --force --sign "$APPLE_CERT_NAME" --timestamp --options runtime --entitlements entitlements.plist dist/cycode-cli/cycode-cli

- name: Notarize macOS executable
if: runner.os == 'macOS'
env:
Expand All @@ -137,11 +153,26 @@ jobs:
# create keychain profile
xcrun notarytool store-credentials "notarytool-profile" --apple-id "$APPLE_NOTARIZATION_EMAIL" --team-id "$APPLE_NOTARIZATION_TEAM_ID" --password "$APPLE_NOTARIZATION_PWD"

# create zip file (notarization does not support binaries)
# create zip file (notarization does not support bare binaries)
ditto -c -k --keepParent dist/cycode-cli notarization.zip

# notarize app (this will take a while)
xcrun notarytool submit notarization.zip --keychain-profile "notarytool-profile" --wait
NOTARIZE_OUTPUT=$(xcrun notarytool submit notarization.zip --keychain-profile "notarytool-profile" --wait 2>&1) || true
echo "$NOTARIZE_OUTPUT"

# extract submission ID for log retrieval
SUBMISSION_ID=$(echo "$NOTARIZE_OUTPUT" | grep " id:" | head -1 | awk '{print $2}')

# check notarization status explicitly
if echo "$NOTARIZE_OUTPUT" | grep -q "status: Accepted"; then
echo "Notarization succeeded!"
else
echo "Notarization failed! Fetching log for details..."
if [ -n "$SUBMISSION_ID" ]; then
xcrun notarytool log "$SUBMISSION_ID" --keychain-profile "notarytool-profile" || true
fi
exit 1
fi

# we can't staple the app because it's executable

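Review bot: The new Codesign step signs every Mach-O and then the main executable, but never verifies the result, so a broken or incomplete signature (for example a nested binary the `file | grep "Mach-O"` filter missed) is only discovered when notarization rejects it a step later and the log has to be fetched; add `codesign --verify --deep --strict --verbose=2 dist/cycode-cli/cycode-cli` right after the final codesign of the main executable so the job fails fast with a local diagnostic. The `find ... | while read -r file` loop splits on newlines and also hides a failing `codesign` inside a pipeline unless the step runs under the Actions default `bash -eo pipefail` shell, which is configured outside this hunk; `set -euo pipefail` at the top of the `run:` script, and `-print0` with `while IFS= read -r -d '' file`, would make both explicit. The contents of `entitlements.plist` are not visible here, so I cannot judge whether the hardened-runtime exceptions it grants are the minimum the CLI needs; worth a one-line comment in the step naming why each entitlement is required.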