From 3f22c0efabe85123c0c56ab0e103cabc45d38bc4 Mon Sep 17 00:00:00 2001
From: joe miller
Date: Mon, 22 Jul 2019 19:27:40 -0700
Subject: [PATCH 1/3] publish draft releases from ci due to macos codesigning workaround

---
 .goreleaser.yml | 4 ++++
 1 file changed, 4 insertions(+)

diff --git a/.goreleaser.yml b/.goreleaser.yml
index 428b7ea..5bd104a 100644
--- a/.goreleaser.yml
+++ b/.goreleaser.yml
@@ -51,6 +51,10 @@ changelog:
       - Merge pull request
       - Merge branch
 
+# TODO: publish full releases from ci when we can perform apple codesign in azure ci/cd
+release:
+  draft: true
+
 # GPG signing
 sign:
   artifacts: checksum

From 4ff5229438b286e0243b584b8c82886bb0e54149 Mon Sep 17 00:00:00 2001
From: joe miller
Date: Mon, 22 Jul 2019 19:30:30 -0700
Subject: [PATCH 2/3] homebrew needs tarball. re-enable macos tarball

---
 .goreleaser.yml | 3 +--
 1 file changed, 1 insertion(+), 2 deletions(-)

diff --git a/.goreleaser.yml b/.goreleaser.yml
index 5bd104a..04d9239 100644
--- a/.goreleaser.yml
+++ b/.goreleaser.yml
@@ -66,8 +66,7 @@ archives:
     format: binary
   # archive releases containg: binary, readme, and license. tarballs (macos, linux), zip (windows)
   - id: archives
-    # TODO: add macos tar back when we can do codesign'ing during the goreleaser run
-    builds: ["linux", "windows"]
+    builds: ["linux", "macos", "windows"]
     format_overrides:
       - goos: windows
         format: zip

From a75defc48a4becf8c10928623a7badc83cfdf356 Mon Sep 17 00:00:00 2001
From: joe miller
Date: Mon, 22 Jul 2019 19:56:51 -0700
Subject: [PATCH 3/3] handle codesigning macos binaries inside tarballs

---
 scripts/sign-and-promote-release.sh | 35 +++++++++++++++++++----------
 1 file changed, 23 insertions(+), 12 deletions(-)

diff --git a/scripts/sign-and-promote-release.sh b/scripts/sign-and-promote-release.sh
index cb2ebeb..1406213 100755
--- a/scripts/sign-and-promote-release.sh
+++ b/scripts/sign-and-promote-release.sh
@@ -1,8 +1,4 @@
 #!/bin/bash
-
-set -eou pipefail
-shopt -s nullglob
-
 # inputs:
 # - tag, eg: v0.1.1
 #
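Review bot: Dropping the TODO on the `- id: archives` entry leaves no pointer to where the macOS binary inside this tarball gets codesigned, so a reader of `.goreleaser.yml` will assume the CI-built archive ships unsigned. Replace it with a comment such as `# macOS binaries inside these tarballs are codesigned by scripts/sign-and-promote-release.sh before the draft release is promoted`. It is also worth saying next to `release: draft: true` in the first patch that the draft gate is what keeps the unsigned CI artifact out of a published release until that script has run.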
@@ -15,6 +11,11 @@ shopt -s nullglob
 # - upload the shasum file
 # - upload the shasum signature file
 # - promote release from draft to published
+#
+# requires: gothub - https://github.com/itchio/gothub
+
+set -eou pipefail
+shopt -s nullglob
 
 TAG="${TAG:-}"
 ORG="joemiller"
@@ -23,8 +24,6 @@ BINARY="vault-token-helper"
 CODESIGN_CERT="Developer ID Application: JOSEPH MILLER (P3MF48HUD7)"
 GPG_KEY="6720A9FD78AC13F5"
 
-export PATH="$HOME/bin:$PATH" # TODO
-
 if [[ -z "$TAG" ]]; then
     echo "Missing env var 'TAG'"
     exit 1
@@ -39,7 +38,7 @@ description=''
 
 tempdir="$(mktemp -d)"
 echo "==> Created tempdir: $tempdir"
-trap 'rm -rf -- "$tempdir"' EXIT
+trap 'echo "Cleaning up."; rm -rf -- "$tempdir"' EXIT
 
 echo
 echo "==> Fetching existing release info for $TAG"
@@ -64,17 +63,28 @@ ls -l "$tempdir"
 
 echo
 echo "==> Apple codesigning the macOS binaries"
-for i in ./*_darwin_amd64; do
-    echo "==> codesigning $i"
-    codesign -s "$CODESIGN_CERT" -i "$BINARY" "$i"
+for i in ./*_darwin_amd64*; do
     modified_assets+=("$i")
+
+    if [[ "$i" =~ (.tar|.zip) ]]; then
+        echo "==> untarring and codesigning archived macOS binary: $i"
+        tartmp="./tar-tmp"
+        mkdir "$tartmp"
+        tar -xzf "$i" -C "$tartmp"
+        codesign -s "$CODESIGN_CERT" -i "$BINARY" "$tartmp/$BINARY"
+        tar -cvzf "$i" -C "$tartmp" $(ls "$tartmp")
+        rm -rf -- "$tartmp"
+    else
+        echo "==> codesigning binary: $i"
+        codesign -s "$CODESIGN_CERT" -i "$BINARY" "$i"
+    fi
 done
 
 echo
 echo "==> Generating new checksum file"
 # delete existing checksum file before gathering new checksums
-rm -f -- "*.checksums.txt"
 checksum_file="${BINARY}_$(sed -e 's/^v//' <<<"$TAG")_checksums.txt"
+rm -f -- "$checksum_file"
 shasum -a 256 -- * >"$checksum_file"
 cat "$checksum_file"
 modified_assets+=("$checksum_file")
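Review bot: The archive test `[[ "$i" =~ (.tar|.zip) ]]` in the `-64,17` hunk is an unanchored regex with unescaped dots, and a `.zip` match would still be handed to `tar -xzf`; since the goreleaser config in this series only zips the windows build, a glob match `if [[ "$i" == *.tar.gz ]]; then` states what is actually handled. In the same branch `$(ls "$tartmp")` is word-split, `./tar-tmp` is a fixed path under the current directory that the EXIT trap does not remove on failure (it only removes `$tempdir`; whether the script has already changed into `$tempdir` is not visible in this hunk), and nothing checks that the signature applied inside the archive is valid before it is re-packed and later checksummed. The rewrite below uses a `mktemp -d` scratch directory, re-packs from a subshell glob, and adds a `codesign --verify --strict` step so a bad or missing signature aborts the run under `set -e` instead of reaching the release.
```shell
    if [[ "$i" == *.tar.gz ]]; then
        echo "==> untarring and codesigning archived macOS binary: $i"
        tartmp="$(mktemp -d)"
        tar -xzf "$i" -C "$tartmp"
        codesign -s "$CODESIGN_CERT" -i "$BINARY" "$tartmp/$BINARY"
        # fail fast if the signature did not take; set -e aborts the run
        codesign --verify --strict "$tartmp/$BINARY"
        # re-pack from inside the scratch dir so entry names stay relative;
        # the redirect is resolved by the outer shell, so "$i" is still ./...
        (cd "$tartmp" && tar -czf - -- *) >"$i"
        rm -rf -- "$tartmp"
    # … unchanged: else branch for the bare binary, fi, done …
```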
@@ -82,7 +92,8 @@ modified_assets+=("$checksum_file")
 echo
 echo "==> GPG-singing checksum file"
 sig_file="${checksum_file}.sig"
-gpg -u "$GPG_KEY" --output "$sig_file" --detach-sign "$checksum_file"
+rm -f -- "$sig_file"
+gpg --batch -u "$GPG_KEY" --output "$sig_file" --detach-sign "$checksum_file"
 modified_assets+=("$sig_file")
 
 echo
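Review bot: `--batch` makes a missing passphrase or pinentry fail instead of hanging, which is right for a script, but the detached signature is never checked before it is appended to `modified_assets` and uploaded; add `gpg --batch --verify "$sig_file" "$checksum_file"` directly after the signing line so an empty or mismatched `.sig` aborts under `set -e`. With `--batch` the signing key's passphrase has to be cached in gpg-agent or supplied non-interactively, which this hunk does not arrange, so the new `requires:` block in the header comment should state that precondition alongside gothub.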