diff --git a/.github/workflows/snapshot-build.yml b/.github/workflows/snapshot-build.yml index 73474d2585..713802c4ad 100644 --- a/.github/workflows/snapshot-build.yml +++ b/.github/workflows/snapshot-build.yml @@ -212,35 +212,23 @@ jobs: security unlock-keychain -p "${{ secrets.MACOS_CERTIFICATE_PW }}" build.keychain security import certificate.p12 -k build.keychain -P "${{ secrets.MACOS_CERTIFICATE_PW }}" -T /usr/bin/codesign security set-key-partition-list -S apple-tool:,apple:,codesign: -s -k "${{ secrets.MACOS_CERTIFICATE_PW }}" build.keychain + echo "Signing farmer" codesign --force --options=runtime --entitlements .github/workflows/Entitlements.plist -s "${{ secrets.MACOS_IDENTITY }}" --timestamp ${{ env.PRODUCTION_TARGET }}/subspace-farmer + echo "Signing node" codesign --force --options=runtime --entitlements .github/workflows/Entitlements.plist -s "${{ secrets.MACOS_IDENTITY }}" --timestamp ${{ env.PRODUCTION_TARGET }}/subspace-node - echo "Creating an archive" - mkdir ${{ env.PRODUCTION_TARGET }}/macos-binaries + + echo "Creating a ZIP archive" + mkdir -p ${{ env.PRODUCTION_TARGET }}/macos-binaries cp ${{ env.PRODUCTION_TARGET }}/subspace-farmer ${{ env.PRODUCTION_TARGET }}/subspace-node ${{ env.PRODUCTION_TARGET }}/macos-binaries ditto -c -k --rsrc ${{ env.PRODUCTION_TARGET }}/macos-binaries subspace-binaries.zip - echo "Notarizing" - brew update - brew install mitchellh/gon/gon - cat << EOF > gon.hcl - source = ["subspace-binaries.zip"] - bundle_id = "${{ secrets.MACOS_BUNDLE_ID }}" - sign { - application_identity = "${{ secrets.MACOS_IDENTITY }}" - } - apple_id { - username = "${{ secrets.MACOS_APPLE_ID }}" - password = "${{ secrets.MACOS_APP_PW }}" - } - EOF - gon -log-level=info -log-json gon.hcl - - # Notarize the ZIP using notarytool + + echo "Notarizing ZIP archive file" xcrun notarytool submit subspace-binaries.zip --apple-id "${{ secrets.MACOS_APPLE_ID }}" --password "${{ secrets.MACOS_APP_PW }}" --team-id "${{ secrets.MACOS_TEAM_ID }}" --wait - # // todo stapling for macOS artifacts - # Staple the zip package + # stapling does not work for .zip archives only .app bundles and .dmg files. Commenting this for now! + # echo "Stapling notarization to ZIP file" # xcrun stapler staple subspace-binaries.zip echo "Done!" @@ -248,6 +236,7 @@ jobs: continue-on-error: ${{ github.repository_owner != 'autonomys' || github.event_name != 'push' || github.ref_type != 'tag' }} if: runner.os == 'macOS' + - name: Sign Application (Windows) run: | AzureSignTool sign --azure-key-vault-url "${{ secrets.AZURE_KEY_VAULT_URI }}" --azure-key-vault-client-id "${{ secrets.AZURE_CLIENT_ID }}" --azure-key-vault-client-secret "${{ secrets.AZURE_CLIENT_SECRET }}" --azure-key-vault-tenant-id "${{ secrets.AZURE_TENANT_ID }}" --azure-key-vault-certificate "${{ secrets.AZURE_CERT_NAME }}" --file-digest sha512 --timestamp-rfc3161 http://timestamp.digicert.com -v "${{ env.PRODUCTION_TARGET }}/subspace-farmer.exe"