feat(ci): add macOS code signing and notarization #613
There are no files selected for viewing
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,163 @@ | ||
| name: macos-code-sign | ||
| description: Sign and notarize macOS PyInstaller binaries | ||
|
|
||
| inputs: | ||
| binary-path: | ||
| description: Path to the binary to sign | ||
| required: true | ||
| apple-certificate-p12: | ||
| description: Base64-encoded Apple signing certificate (P12) | ||
| required: true | ||
| apple-certificate-password: | ||
| description: Password for the signing certificate | ||
| required: true | ||
| apple-notarization-key-p8: | ||
| description: Base64-encoded Apple notarization key (P8) | ||
| required: true | ||
| apple-notarization-key-id: | ||
| description: Apple notarization key ID | ||
| required: true | ||
| apple-notarization-issuer-id: | ||
| description: Apple notarization issuer ID | ||
| required: true | ||
|
|
||
| runs: | ||
| using: composite | ||
| steps: | ||
| - name: Import signing certificate | ||
| shell: bash | ||
| env: | ||
| APPLE_CERTIFICATE_P12: ${{ inputs.apple-certificate-p12 }} | ||
| APPLE_CERTIFICATE_PASSWORD: ${{ inputs.apple-certificate-password }} | ||
| KEYCHAIN_PASSWORD: actions | ||
| run: | | ||
| set -euo pipefail | ||
|
|
||
| # Decode certificate | ||
| cert_path="${RUNNER_TEMP}/certificate.p12" | ||
| echo "$APPLE_CERTIFICATE_P12" | base64 -d > "$cert_path" | ||
|
|
||
| # Create temporary keychain | ||
| keychain_path="${RUNNER_TEMP}/signing.keychain-db" | ||
| security create-keychain -p "$KEYCHAIN_PASSWORD" "$keychain_path" | ||
| security set-keychain-settings -lut 21600 "$keychain_path" | ||
| security unlock-keychain -p "$KEYCHAIN_PASSWORD" "$keychain_path" | ||
|
|
||
| # Add to keychain search list | ||
| security list-keychains -d user -s "$keychain_path" $(security list-keychains -d user | tr -d '"') | ||
| security default-keychain -s "$keychain_path" | ||
|
|
||
| # Import certificate | ||
| security import "$cert_path" -k "$keychain_path" -P "$APPLE_CERTIFICATE_PASSWORD" -T /usr/bin/codesign -T /usr/bin/security | ||
| security set-key-partition-list -S apple-tool:,apple: -s -k "$KEYCHAIN_PASSWORD" "$keychain_path" > /dev/null | ||
|
|
||
| # Find signing identity | ||
| IDENTITY=$(security find-identity -v -p codesigning "$keychain_path" | grep "Developer ID Application" | head -1 | sed -n 's/.*"\(Developer ID Application[^"]*\)".*/\1/p') | ||
|
|
||
| if [[ -z "$IDENTITY" ]]; then | ||
| echo "❌ No Developer ID Application identity found" | ||
| security find-identity -v -p codesigning "$keychain_path" | ||
| exit 1 | ||
| fi | ||
|
|
||
| echo "✅ Found signing identity: $IDENTITY" | ||
| echo "APPLE_SIGNING_IDENTITY=$IDENTITY" >> "$GITHUB_ENV" | ||
| echo "APPLE_KEYCHAIN_PATH=$keychain_path" >> "$GITHUB_ENV" | ||
|
|
||
| rm -f "$cert_path" | ||
|
|
||
| - name: Sign PyInstaller binary and embedded libraries | ||
| shell: bash | ||
| env: | ||
| BINARY_PATH: ${{ inputs.binary-path }} | ||
| run: | | ||
| set -euo pipefail | ||
|
|
||
| echo "Signing PyInstaller binary: $BINARY_PATH" | ||
|
|
||
| # PyInstaller onefile binaries embed libraries that get extracted at runtime. | ||
| # We need to unpack, sign everything, and repack. | ||
|
|
||
| # First, try signing the binary directly with --deep | ||
| # For single-file PyInstaller executables, this should work | ||
| codesign --deep --force --options runtime --timestamp \ | ||
| --sign "$APPLE_SIGNING_IDENTITY" \ | ||
| --keychain "$APPLE_KEYCHAIN_PATH" \ | ||
| "$BINARY_PATH" | ||
|
|
||
| echo "✅ Binary signed" | ||
| codesign -dv --verbose=2 "$BINARY_PATH" | ||
|
|
||
| - name: Notarize binary | ||
| shell: bash | ||
| env: | ||
| BINARY_PATH: ${{ inputs.binary-path }} | ||
| APPLE_NOTARIZATION_KEY_P8: ${{ inputs.apple-notarization-key-p8 }} | ||
| APPLE_NOTARIZATION_KEY_ID: ${{ inputs.apple-notarization-key-id }} | ||
| APPLE_NOTARIZATION_ISSUER_ID: ${{ inputs.apple-notarization-issuer-id }} | ||
| run: | | ||
| set -euo pipefail | ||
|
|
||
| # Save API key | ||
| key_path="${RUNNER_TEMP}/AuthKey.p8" | ||
| echo "$APPLE_NOTARIZATION_KEY_P8" | base64 -d > "$key_path" | ||
|
|
||
| # Create zip for notarization | ||
| binary_name=$(basename "$BINARY_PATH") | ||
| zip_path="${RUNNER_TEMP}/${binary_name}.zip" | ||
| ditto -c -k --keepParent "$BINARY_PATH" "$zip_path" | ||
|
|
||
| echo "Submitting for notarization..." | ||
|
|
||
| # Submit and wait | ||
| result=$(xcrun notarytool submit "$zip_path" \ | ||
| --key "$key_path" \ | ||
| --key-id "$APPLE_NOTARIZATION_KEY_ID" \ | ||
| --issuer "$APPLE_NOTARIZATION_ISSUER_ID" \ | ||
| --wait \ | ||
| --timeout 10m \ | ||
| --output-format json 2>&1) || true | ||
|
|
||
| echo "$result" | ||
|
|
||
| status=$(echo "$result" | grep -o '"status":"[^"]*"' | cut -d'"' -f4 || echo "unknown") | ||
|
|
||
| if [[ "$status" == "Accepted" ]]; then | ||
| echo "✅ Notarization successful" | ||
| else | ||
| echo "⚠️ Notarization status: $status" | ||
| # Get detailed log | ||
| submission_id=$(echo "$result" | grep -o '"id":"[^"]*"' | cut -d'"' -f4 || echo "") | ||
| if [[ -n "$submission_id" ]]; then | ||
| echo "Fetching notarization log..." | ||
| xcrun notarytool log "$submission_id" \ | ||
| --key "$key_path" \ | ||
| --key-id "$APPLE_NOTARIZATION_KEY_ID" \ | ||
| --issuer "$APPLE_NOTARIZATION_ISSUER_ID" || true | ||
| fi | ||
| exit 1 | ||
| fi | ||
|
|
||
| # Cleanup | ||
| rm -f "$key_path" "$zip_path" | ||
|
|
||
| - name: Verify signature | ||
| shell: bash | ||
| env: | ||
| BINARY_PATH: ${{ inputs.binary-path }} | ||
| run: | | ||
| set -euo pipefail | ||
|
|
||
| echo "Verifying signature and notarization..." | ||
| codesign -dv --verbose=2 "$BINARY_PATH" | ||
| echo "" | ||
| echo "Gatekeeper check:" | ||
| spctl -a -vv "$BINARY_PATH" 2>&1 || true | ||
|
|
||
| - name: Cleanup keychain | ||
| if: always() | ||
| shell: bash | ||
| run: | | ||
| if [[ -n "${APPLE_KEYCHAIN_PATH:-}" && -f "${APPLE_KEYCHAIN_PATH}" ]]; then | ||
| security delete-keychain "$APPLE_KEYCHAIN_PATH" || true | ||
| fi |
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Seems no need to have two different step?