Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

[bug] Uploading on MacOS and downloading on Ubuntu breaks a notarized code signature #508

Closed
soundasleep opened this issue Jan 27, 2024 · 1 comment
Closed

[bug] Uploading on MacOS and downloading on Ubuntu breaks a notarized code signature #508

soundasleep opened this issue Jan 27, 2024 · 1 comment
Labels
bug Something isn't working

Comments

@soundasleep
Copy link

soundasleep commented Jan 27, 2024
edited
Loading

What happened?

I've got a script set up to build an application (Application.app), sign it, notarize it, staple it, and then it needs to be uploaded on a different environment.

However, it seems when uploading and downloading the signed artifact, something goes wrong and the archive is no longer notarized. If I manually check out the downloaded artifact, codesign --verify --deep says that a bunch of files have been modified.

What did you expect to happen?

Uploading and downloading an artifact should not impact MacOS notarization/code signing

How can we reproduce it?

  mac-release:
    runs-on: macos-latest
    steps:
    # ... build ...
    - name: codesign verify
      run: |
        codesign -vvv --deep --strict ${{ github.workspace }}/build/My.app
    - name: Notarize Release Build
      uses: soundasleep/xcode-notarize@main
      with: # ...
    - name: Staple Release Build
      uses: soundasleep/xcode-staple@main
      with: # ... 
    - name: Archive Mac build
      uses: actions/upload-artifact@v4
      with:
        name: mac-build
        path: build/

  deploy:
    runs-on: ubuntu-latest
    needs: mac-release
    steps:
    - name: Restore Mac build
      uses: actions/download-artifact@v4
      with:
        name: mac-build
        path: build/

Anything else we need to know?

No response

What version of the action are you using?

v4

What are your runner environments?

linux, macos

Are you on GitHub Enterprise Server? If so, what version?

No response
@soundasleep soundasleep added the bug Something isn't working label Jan 27, 2024
@soundasleep
Copy link
Author

UPDATE: It seems this may be because actions/upload-artifact@v4 loses permissions – but to be more specific, it's because it's unable to handle symlinks, and the raw files are stored instead.

If I tar the repository and then untar it, the code signature is not broken.

    - name: Compress package
      run: |
        cd ${{ github.workspace }}/build
        mkdir ../tar
        tar -zcvf ../tar/package.tar.gz .
    - name: Archive Mac build
      uses: actions/upload-artifact@v4
      with:
        name: mac-build
        path: tar/

and

    - name: Restore Mac build
      uses: actions/download-artifact@v4
      with:
        name: mac-build
        path: tar/
    - name: Uncompress package
      run: |
        cd ${{ github.workspace }}/tar
        mkdir ../build
        tar -zxvf package.tar.gz -C ../build

I think this may be a duplicate of #93

@soundasleep soundasleep mentioned this issue Jan 27, 2024
Open
6 tasks
This was referenced Aug 15, 2024
Closed
Open
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
bug Something isn't working
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
1 participant
@soundasleep