docs: add documentation for release images in Orka

orka/templates/README.md

@@ -98,7 +98,7 @@ Orka provides a base image that we need to customize to our needs.
 
 
 
-**Manual Steps**
+### Manual Steps for all the images
 
 1. Update Sudoers file:
 
@@ -123,3 +123,102 @@ sudo xcode-select --install
 
 Do a an update using the UI. Check the available updates and install them (click in "more info"). Note that you don't want to update the OS, just the software.
 
+### Manual Steps for the release images
+
+1. Full Xcode installation
+
+    Xcode Command-line tools are not enough to perform a full notarization cycle, full Xcode must be installed manually.
+
+    As root:
+
+    * Download Xcode: https://developer.apple.com/download/more/ - find non-beta version, open Developer Tools in browser, Networking tab, start download (then cancel), in Networking tab "Copy as cURL" (available in Chrome & FF)
+        * On OSX 13 we currently install 14.13.1.
+    * Go to downloads folder, decompress the xip file (double click) and delete the xip file
+    * Move the Xcode.app to /Applications
+    * Open xcode, accept the license, install the built-in components and close xcode
+    * `sudo xcode-select --switch /Applications/Xcode.app`
+    * `sudo xcodebuild -license` - accept license
+    * `git` - check that git is working (confirming license has been accepted)
+    * Empty the trash
+
+
+2. OSX Keychain Profile
+
+    Unblok the keychain:
+
+    ```bash
+    security unlock-keychain -u /Library/Keychains/System.keychain
+    ```
+
+    Create a keychain profile (`NODE_RELEASE_PROFILE`) for the release machine: 
+
+    ```bash
+    sudo xcrun notarytool store-credentials NODE_RELEASE_PROFILE \
+    --apple-id XXXX \
+    --team-id XXXX \
+    --password XXXX \
+    --keychain /Library/Keychains/System.keychain  
+    ```
+
+    Note: `XXXX` values are found in `secrets/build/release/apple.md`
+
+    The expected output is:
+
+    ```
+    This process stores your credentials securely in the Keychain. You reference these credentials later using a profile name.
+
+    Validating your credentials...
+    Success. Credentials validated.
+    Credentials saved to Keychain.
+    To use them, specify `--keychain-profile "NODE_RELEASE_PROFILE" --keychain /Library/Keychains/System.keychain`
+    ```
+
+3. Signing certificates
+
+    * Go to the `build/release` folder in the secrets repo.
+    * Extract from secrets/build/release: `dotgpg cat Apple\ Developer\ ID\ Node.js\ Foundation.p12.base64 | base64 -D > /tmp/Apple\ Developer\ ID\ Node.js\ Foundation.p12`
+    * Transfer to release machine (scp to /tmp)
+    * `sudo security import /tmp/Apple\ Developer\ ID\ Node.js\ Foundation.p12 -k /Library/Keychains/System.keychain -T /usr/bin/codesign -T /usr/bin/productsign -P 'XXXX'` (where XXXX is found in secrets/build/release/apple.md) (`security unlock-keychain -u /Library/Keychains/System.keychain` _may_ be required prior to running this command).
+
+4. Validating certificates are in date and valid
+
+    1. `security -i unlock-keychain` Enter the password for the machine located in secrets
+    2. `security find-certificate -c "Developer ID Application" -p > /tmp/app.cert` outputs the PEM format of the cert so we can properly inspect it
+    3. `security find-certificate -c "Developer ID Installer" -p > /tmp/installer.cert`
+    4. `openssl x509 -inform PEM -text -in /tmp/app.cert | less`
+    5. `openssl x509 -inform PEM -text -in /tmp/installer.cert | less`
+    6. `security find-identity -p codesigning -v`
+
+    The steps 4 and 5 will show the details of the certificates allowing to see expiry dates.
+
+    Example:
+
+    ```
+    Not Before: Jan 22 03:40:05 2020 GMT
+    Not After : Jan 22 03:40:05 2025 GMT
+    ```
+
+    The step 6 will show the list of certificates available on the machine.
+
+    Example:
+
+    ```
+    1) XXXXXXXXXXX "Developer ID Application: Node.js Foundation (XXXXXXX)"
+    1 valid identities found
+    ```
+
+5. Change the default password
+
+    Use the password found in the secrets repository to change the default password:
+
+    ```shell
+    passwd
+    ```
+
+    Also change the keychain password:
+
+    ```shell
+    security set-keychain-password
+    ```
+
+    **:warning: IMPORTANT** We do this step manually at this point and not while using Packer because we added already sensitive information to the image.