feat: notarize macOS binaries (#161)

- Bump the minimal required macOS version to 10.9 - Enable hardened runtime and configure entitlements - Notarize `zinnia` and `zinniad` Signed-off-by: Miroslav Bajtoš <oss@bajtos.net>
filecoin-station · Mar 30, 2023 · 9236989 · 9236989
1 parent eea4d6b
commit 9236989
Show file tree

Hide file tree

Showing 2 changed files with 29 additions and 2 deletions.
diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml
@@ -9,7 +9,7 @@ env:
   CARGO_INCREMENTAL: 0
   CARGO_NET_RETRY: 10
   RUSTUP_MAX_RETRIES: 10
-  MACOSX_DEPLOYMENT_TARGET: 10.7
+  MACOSX_DEPLOYMENT_TARGET: 10.9
   # Emit backtraces on panics.
   RUST_BACKTRACE: 1
 
@@ -101,7 +101,7 @@ jobs:
           tar czvf ../../../zinnia-${{ matrix.name }} zinnia
           tar czvf ../../../zinniad-${{ matrix.name }} zinniad
 
-      - name: Post Build | Sign the executable [macOS]
+      - name: Post Build | Sign the executables [macOS]
         if: matrix.os == 'macos-latest'
         env:
           LOCAL_KEYCHAIN_PASSWORD: ${{ secrets.LOCAL_KEYCHAIN_PASSWORD }}
@@ -114,12 +114,16 @@ jobs:
 
           # Sign `zinnia`
           codesign --timestamp --force --verbose \
+            --options runtime \
+            --entitlements build/entitlements.mac.plist \
             --sign "$MACOS_SIGNING_IDENTITY" \
             --identifier "$MACOS_APP_ID" \
             target/${{ matrix.target }}/release/zinnia
 
           # Sign `zinniad`
           codesign --timestamp --force --verbose \
+            --options runtime \
+            --entitlements build/entitlements.mac.plist \
             --sign "$MACOS_SIGNING_IDENTITY" \
             --identifier "$MACOS_APP_ID" \
             target/${{ matrix.target }}/release/zinniad
@@ -131,6 +135,19 @@ jobs:
           zip ../../../zinnia-${{ matrix.name }} zinnia
           zip ../../../zinniad-${{ matrix.name }} zinniad
 
+      - name: Post Build | Notarize the executables [macOS]
+        if: matrix.os == 'macos-latest'
+        run: |
+          xcrun notarytool submit zinnia-${{ matrix.name }} --wait \
+            --apple-id ${{ secrets.APPLE_ID }} \
+            --password ${{ secrets. APPLE_ID_PASSWORD }} \
+            --team-id ${{ secrets.APPLE_TEAM_ID }}
+
+          xcrun notarytool submit zinniad-${{ matrix.name }} --wait \
+            --apple-id ${{ secrets.APPLE_ID }} \
+            --password ${{ secrets. APPLE_ID_PASSWORD }} \
+            --team-id ${{ secrets.APPLE_TEAM_ID }}
+
       - name: Release | Upload artifacts
         if: startsWith(github.ref, 'refs/tags/') # Don't create releases when debugging
         uses: softprops/action-gh-release@c9b46fe7aad9f02afd89b12450b780f52dacfb2d

diff --git a/build/entitlements.mac.plist b/build/entitlements.mac.plist
@@ -0,0 +1,10 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
+<plist version="1.0">
+  <dict>
+    <key>com.apple.security.cs.allow-jit</key>
+    <true/>
+    <key>com.apple.security.cs.allow-unsigned-executable-memory</key>
+    <true/>
+  </dict>
+</plist>