Mac: Sign non-release builds with self-signed key #2791
Comments
|
I can create a cert. However, should we share it internally? |
|
Should it go into jamulussoftware/assets or jamulussoftware/settings/secrets/actions? |
|
Since it's a cryptographic key, it needs to go to the secrets tab, not a repo. |
I think it should be ok to store it as a secret only. It will not be easily recoverable there though (but we shouldn't need it). |
|
Maybe have a look at the existing signing system and add the relevant gitHub secrets to enable signing. |
|
I think I followed https://www.simplified.guide/macos/keychain-cert-code-signing-create once. |
|
I think I've now added everything unrelated to notarization from my side on this repo. So we'd need to skip MACOS_CERTIFICATE_ID and NOTARIZATION_PASSWORD |
|
Ok. I've now added a fake password and for the MACOS_CERTIFICATE_ID the name of the certificate, but on a workflow_dispatch run nothing changes. |
|
I think we need several more changes (which could probably be done on a fork first):
Not sure if this is everything, but I guess both of it is mandatory for it to work. |
|
Yes, that could be done. However, I think we still need something else: https://github.com/jamulussoftware/jamulus/runs/7982936025?check_suite_focus=true#step:10:7 should have imported the cert, but it didn't. |
|
I think PRs don't have access to the target repo secrets, not sure if this changes if the PR comes from the same repo as that one did. |
|
The secret tab says there's only no access for PRs from forks |
|
Each fork has its own secrets. For testing and developing, you'll need the values in your fork |
|
@emlynmac I just did that, but they didn't show up as "env" in GitHub actions' log. I also don't see any place where one could enable them from being read. Did you have to enable anything? |
|
Ok. I think I now know what went wrong. |
|
Actually, I think our way is not the way to go: https://wiki.lazarus.freepascal.org/macOS_Big_Sur_changes_for_developers#Code_signing_-_Intel_vs_M1 Probably we need ad hoc signing |
|
So, might |
|
Maybe? I can't test it since I only have access to Intel based Macs |
|
I'm currently running test builds with the |
|
I've linked the resulting test build and asked for testers here, as my branch was mainly about the universal builds and the codesigning would just be a positive side effect: #2790 (comment) |
…able Previously, only (pre-)release builds were signed. This signing and notarization was only possible with a proper developer certificate. As the Jamulus project currently does not have one and has to rely on other developers doing the signing, we only go this route for (pre-)releases due to the manual effort required. With Mac M1 support, having a valid signature becomes more important as unsigned binaries can only be started after turning several knobs. This commit adds very basic ad-hoc signing which does not require any Apple account/certificate, but improves user experience for M1 users. Fixes: jamulussoftware#2791
|
Feedback was positive: #2790 (comment) |
…able Previously, only (pre-)release builds were signed. This signing and notarization was only possible with a proper developer certificate. As the Jamulus project currently does not have one and has to rely on other developers doing the signing, we only go this route for (pre-)releases due to the manual effort required. With Mac M1 support, having a valid signature becomes more important as unsigned binaries can only be started after turning several knobs. This commit adds very basic ad-hoc signing which does not require any Apple account/certificate, but improves user experience for M1 users. Fixes: jamulussoftware#2791
…able Previously, only (pre-)release builds were signed. This signing and notarization was only possible with a proper developer certificate. As the Jamulus project currently does not have one and has to rely on other developers doing the signing, we only go this route for (pre-)releases due to the manual effort required. With Mac M1 support, having a valid signature becomes more important as unsigned binaries can only be started after turning several knobs. This commit adds very basic ad-hoc signing which does not require any Apple account/certificate, but improves user experience for M1 users. Fixes: jamulussoftware#2791
…able Previously, only (pre-)release builds were signed. This signing and notarization was only possible with a proper developer certificate. As the Jamulus project currently does not have one and has to rely on other developers doing the signing, we only go this route for (pre-)releases due to the manual effort required. With Mac M1 support, having a valid signature becomes more important as unsigned binaries can only be started after turning several knobs. This commit adds very basic ad-hoc signing which does not require any Apple account/certificate, but improves user experience for M1 users. Fixes: jamulussoftware#2791
…able Previously, only (pre-)release builds were signed. This signing and notarization was only possible with a proper developer certificate. As the Jamulus project currently does not have one and has to rely on other developers doing the signing, we only go this route for (pre-)releases due to the manual effort required. With Mac M1 support, having a valid signature becomes more important as unsigned binaries can only be started after turning several knobs. This commit adds very basic ad-hoc signing which does not require any Apple account/certificate, but improves user experience for M1 users. Fixes: jamulussoftware#2791
What is the current behaviour and why should it be changed?
Currently, only release builds are signed via @emlynmac. Now that we provide M1 builds (#2357), it would be interesting to sign non-release builds as well, as M1 Macs refuse to run unsigned binaries by default.
Describe possible approaches
It should be sufficient to use a self-signed key for that.
Key generation(turned out to be unneeded)Has this feature been discussed and generally agreed?
See #2357
The text was updated successfully, but these errors were encountered: