From 7d715031bd73649a6e4d80b539496dc20e0f124b Mon Sep 17 00:00:00 2001
From: Allen Byrne
Date: Mon, 26 Aug 2024 15:12:03 -0500
Subject: [PATCH 1/2] Add verify codesign steps

---
 .github/workflows/cmake-ctest.yml      | 14 +++++++++++++-
 config/cmake/CPack.Info.plist.in       | 11 ++++++++---
 config/cmake/distribution.entitlements | 16 ++++++++++++++++
 3 files changed, 37 insertions(+), 4 deletions(-)
 create mode 100644 config/cmake/distribution.entitlements

diff --git a/.github/workflows/cmake-ctest.yml b/.github/workflows/cmake-ctest.yml
index da220217c..2ac9e30da 100644
--- a/.github/workflows/cmake-ctest.yml
+++ b/.github/workflows/cmake-ctest.yml
@@ -406,7 +406,19 @@ jobs:
           NOTARY_USER: ${{ vars.NOTARY_USER }}
           NOTARY_KEY: ${{ vars.NOTARY_KEY }}
         run: |
-          /usr/bin/codesign --force --timestamp --options runtime --verbose=4 --strict --sign ${{ env.SIGNER }} --deep ${{ runner.workspace }}/hdf4/build/${{ inputs.preset_name }}-macos-Clang/*.dmg
+          /usr/bin/codesign --force --timestamp --options runtime --entitlements ${{ runner.workspace }}/hdf4/${{ steps.set-file-base.outputs.SOURCE_BASE }}/config/cmake/distribution.entitlements --verbose=4 --strict --sign ${{ env.SIGNER }} --deep ${{ runner.workspace }}/hdf4/build/${{ inputs.preset_name }}-macos-Clang/*.dmg
+        if: ${{ needs.check-secret.outputs.sign-state == 'exists' }}
+        shell: bash
+
+      - name: Check dmg timestamp (MacOS_latest)
+        run: |
+          /usr/bin/codesign -dvv ${{ runner.workspace }}/hdf4/build/${{ inputs.preset_name }}-macos-Clang/*.dmg
+        if: ${{ needs.check-secret.outputs.sign-state == 'exists' }}
+        shell: bash
+
+      - name: Verify dmg (MacOS_latest)
+        run: |
+          /usr/bin/hdiutil verify ${{ runner.workspace }}/hdf4/build/${{ inputs.preset_name }}-macos-Clang/*.dmg
         if: ${{ needs.check-secret.outputs.sign-state == 'exists' }}
         shell: bash
diff --git a/config/cmake/CPack.Info.plist.in b/config/cmake/CPack.Info.plist.in
index b936470fc..a518f559c 100644
--- a/config/cmake/CPack.Info.plist.in
+++ b/config/cmake/CPack.Info.plist.in
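Review bot: Neither new step validates the signature the commit just applied: `codesign -dvv` only prints the signing information (including the timestamp the step name refers to), and `hdiutil verify` checks the image's checksum, not its code signature. A real check is one more line in the "Verify dmg" step, `/usr/bin/codesign --verify --strict --verbose=4 ${{ runner.workspace }}/hdf4/build/${{ inputs.preset_name }}-macos-Clang/*.dmg`, which fails the job when the signature or entitlements do not validate. The `*.dmg` glob is unquoted in all three commands, so a build directory holding more than one image would hand several paths to each tool; pinning the single expected file name avoids that. The step whose `run:` the first changed line rewrites begins above the hunk.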
@@ -1,5 +1,5 @@ - - + + CFBundleDevelopmentRegion
@@ -16,11 +16,16 @@ FMWK CFBundleSignature ???? + + LSApplicationCategoryType + public.app-category.utilities CFBundleVersion @CPACK_PACKAGE_VERSION@ CFBundleShortVersionString @CPACK_SHORT_VERSION_STRING@ + NSHumanReadableCopyright + Copyright 2006 by The HDF Group CSResourcesFileMapped - + true
diff --git a/config/cmake/distribution.entitlements b/config/cmake/distribution.entitlements
new file mode 100644
index 000000000..0e0df6c76
--- /dev/null
+++ b/config/cmake/distribution.entitlements
@@ -0,0 +1,16 @@
+
+
+
+
+    com.apple.security.cs.allow-jit
+
+    com.apple.security.cs.allow-unsigned-executable-memory
+
+    com.apple.security.cs.disable-executable-page-protection
+
+    com.apple.security.cs.disable-library-validation
+
+    com.apple.security.cs.allow-dyld-environment-variables
+
+

From cfda493576c9b0e3f3989094a85984bad311c9d8 Mon Sep 17 00:00:00 2001
From: Allen Byrne
Date: Mon, 26 Aug 2024 16:46:37 -0500
Subject: [PATCH 2/2] Add step to get notary info

---
 .github/workflows/cmake-ctest.yml | 32 ++++++++++++++++++++++++++++---
 1 file changed, 29 insertions(+), 3 deletions(-)

diff --git a/.github/workflows/cmake-ctest.yml b/.github/workflows/cmake-ctest.yml
index 2ac9e30da..502dffdcd 100644
--- a/.github/workflows/cmake-ctest.yml
+++ b/.github/workflows/cmake-ctest.yml
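Review bot: The new entitlements file opts out of every hardened-runtime protection at once, and the signing command in the first patch applies it with `--deep`, so every binary inside the image inherits all five keys. `com.apple.security.cs.disable-library-validation` together with `com.apple.security.cs.allow-dyld-environment-variables` lets the signed tools load libraries that are not signed by the same team, including ones named through `DYLD_*` variables, and `com.apple.security.cs.disable-executable-page-protection` is the broadest exception Apple offers; together they largely cancel the `--options runtime` the signing step requests. Unless the HDF4 tools need JIT or writable executable memory, which nothing in the patch shows, `allow-jit`, `allow-unsigned-executable-memory` and `disable-executable-page-protection` look unnecessary; keep only the keys a specific binary is known to require and record the reason above each one as an XML comment, e.g. `<!-- required by <tool>: <reason> -->`. The rendering of this hunk has lost the XML tags, so only the key names are visible here and the `<true/>` values are inferred.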
@@ -431,12 +431,38 @@ jobs:
           NOTARY_USER: ${{ vars.NOTARY_USER }}
           NOTARY_KEY: ${{ vars.NOTARY_KEY }}
         run: |
-          JSONOUT=$(/usr/bin/xcrun notarytool submit --wait --output-format json --apple-id ${{ env.NOTARY_USER }} --password ${{ env.NOTARY_KEY }} --team-id ${{ env.SIGNER }} ${{ runner.workspace }}/hdf4/build/${{ inputs.preset_name }}-macos-Clang/*.dmg)
-          echo "jsonout=$JSONOUT" >> $GITHUB_ENV
+          jsonout=$(/usr/bin/xcrun notarytool submit --wait --output-format json --apple-id ${{ env.NOTARY_USER }} --password ${{ env.NOTARY_KEY }} --team-id ${{ env.SIGNER }} ${{ runner.workspace }}/hdf4/build/${{ inputs.preset_name }}-macos-Clang/*.dmg)
+          echo "JSONOUT=$jsonout" >> $GITHUB_ENV
         if: ${{ needs.check-secret.outputs.sign-state == 'exists' }}
         shell: bash
-      - run: echo "notary result is ${{ steps.notarize-dmg.outputs.jsonout }}."
+      - name: Get ID token (MacOS_latest)
+        id: get-id-token
+        run: |
+          echo "notary result is ${{ steps.notarize-dmg.outputs.JSONOUT }}."
+          token=$(jq '.id' ${{ steps.notarize-dmg.outputs.JSONOUT }})
+          echo "ID_TOKEN=$token" >> "$GITHUB_ENV"
+        if: ${{ needs.check-secret.outputs.sign-state == 'exists' }}
+        shell: bash
+
+      - name: post notary check (MacOS_latest)
+        id: post-notary
+        env:
+          KEYCHAIN_PASSWD: ${{ secrets.KEYCHAIN_PASSWD }}
+          KEYCHAIN_NAME: ${{ vars.KEYCHAIN_NAME }}
+          SIGNER: ${{ vars.SIGNER }}
+          NOTARY_USER: ${{ vars.NOTARY_USER }}
+          NOTARY_KEY: ${{ vars.NOTARY_KEY }}
+        run: |
+          notaryout=$(/usr/bin/xcrun notarytool info --apple-id ${{ env.NOTARY_USER }} --password ${{ env.NOTARY_KEY }} --team-id ${{ env.SIGNER }} ${{ steps.get-id-token.ID_TOKEN }})
+          echo "NOTARYOUT=$notaryout" >> $GITHUB_ENV
+        if: ${{ needs.check-secret.outputs.sign-state == 'exists' }}
+        shell: bash
+
+      - name: Get notary info (MacOS_latest)
+        id: get-notary-info
+        run: |
+          echo "notary info is ${{ steps.post-notary.NOTARYOUT }}."
         if: ${{ needs.check-secret.outputs.sign-state == 'exists' }}
         shell: bash
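Review bot: The new steps read their inputs through the wrong context, so `notarytool info` will be called with an empty submission id: `>> $GITHUB_ENV` sets an environment variable rather than a step output, so `${{ steps.notarize-dmg.outputs.JSONOUT }}` is empty, and `${{ steps.get-id-token.ID_TOKEN }}` and `${{ steps.post-notary.NOTARYOUT }}` are not valid step-context paths at all (only `steps.<id>.outputs.<name>` exists). `jq '.id' <text>` additionally treats its argument as a file name and, without `-r`, would keep the quotes around the id; the values should instead be read from `$JSONOUT`, `$ID_TOKEN` and `$NOTARYOUT` as in the rewrite below. The repeated `env:` block also hands the notarization app-specific password to the step from a repository variable (`vars.NOTARY_KEY`), which is neither masked in logs nor access-controlled the way `secrets.KEYCHAIN_PASSWD` is; it belongs in a secret (the rewrite assumes one named `NOTARY_KEY`, a constructed name) or in a keychain profile created with `notarytool store-credentials` and passed via `--keychain-profile` so it never appears on a command line, and `KEYCHAIN_PASSWD`/`KEYCHAIN_NAME` can be dropped from a step that does not use them. Nothing in the hunk inspects the submission's `status` field, so an `Invalid` notarization would still pass unless a later step outside the hunk checks it. The `notarize-dmg` step whose `run:` the first changed lines rewrite begins above the hunk.
```yaml
      - name: Get ID token (MacOS_latest)
        id: get-id-token
        run: |
          echo "notary result is $JSONOUT."
          token=$(printf '%s' "$JSONOUT" | jq -r '.id')
          echo "ID_TOKEN=$token" >> "$GITHUB_ENV"
        # … unchanged: if / shell …

      - name: post notary check (MacOS_latest)
        id: post-notary
        env:
          SIGNER: ${{ vars.SIGNER }}
          NOTARY_USER: ${{ vars.NOTARY_USER }}
          NOTARY_KEY: ${{ secrets.NOTARY_KEY }}
        run: |
          notaryout=$(/usr/bin/xcrun notarytool info --apple-id "$NOTARY_USER" --password "$NOTARY_KEY" --team-id "$SIGNER" "$ID_TOKEN")
          echo "NOTARYOUT=$notaryout" >> "$GITHUB_ENV"
        # … unchanged: if / shell …

      - name: Get notary info (MacOS_latest)
        id: get-notary-info
        run: |
          echo "notary info is $NOTARYOUT."
        # … unchanged: if / shell …
```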