Sign and notarize MacOS binary

tomodian · Dec 8, 2024 · eb64435 · eb64435
1 parent 62dee75
commit eb64435
Show file tree

Hide file tree

Showing 3 changed files with 16 additions and 2 deletions.
diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml
@@ -1,15 +1,19 @@
 name: Release
 
 on:
+  pull_request:
+    branches:
+      # Remove after debug.
+      - feature/notarization
   push:
     tags:
       - "*.*.*"
 
 jobs:
   build:
-    runs-on: ubuntu-18.04
+    runs-on: ubuntu-latest
     steps:
-      - uses: actions/checkout@v1
+      - uses: actions/checkout@v4
 
       # Tips on Go binary:
       # https://github.com/actions/setup-go/issues/27#issuecomment-549102955
@@ -18,6 +22,9 @@ jobs:
           export PATH=${PATH}:`go env GOPATH`/bin
           make install
           make build
+        env:
+          QUILL_SIGN_P12:      ${{ secrets.APPLE_P12_BASE64_ENCODED }}
+          QUILL_SIGN_PASSWORD: ${{ secrets.APPLE_P12_PASSWORD }}
 
       - name: Create a release and upload assets
         env:

diff --git a/.gitignore b/.gitignore
@@ -18,6 +18,7 @@
 .vscode
 build
 coverage.txt
+quill
 
 # Only applies to top-level directories.
 /coverage

diff --git a/Makefile b/Makefile
@@ -4,6 +4,7 @@ BUILD := ./build
 
 install:
 	go install github.com/mitchellh/gox@latest
+	curl -sSfL https://raw.githubusercontent.com/anchore/quill/main/install.sh | sh -s -- -b . v0.4.2
 
 clean:
 	mkdir -p $(BUILD)
@@ -32,6 +33,11 @@ build-darwin: clean
 	gox -output="$(BUILD)/{{.Dir}}_{{.OS}}_{{.Arch}}" \
 		-osarch="darwin/amd64" \
 		-osarch="darwin/arm64"
+
+	@echo "Notarizing.."
+	./quill sign-and-notarize ./build/release_darwin_amd64 || true
+	./quill sign-and-notarize ./build/release_darwin_arm64 || true
+
 	@echo "Bundling.."
 	$(MAKE) bundle-nix
-Original file line number
+Diff line change
@@ Expand Up / @@ -18,6 +18,7 @@ @@
     .vscode
     build
     coverage.txt
+    quill
     # Only applies to top-level directories.
     /coverage
@@ Expand Down @@