Restore mac code-signing via our new code-signing service #1807
Conversation
…784-mac-code-signing-cert
…784-mac-code-signing-cert
| @@ -0,0 +1,28 @@ | |||
| #!/usr/bin/env sh | |||
| # | |||
| # Run this script to enqueue the windows binary for this current version of the | |||
There was a problem hiding this comment.
Update comment to mention mac now too or leave ambiguous?
|
Hey @phargogh, I just thought about our |
Yeah, I was kind of waffling on this a bit. From my perspective, the Having said that, we're not actually using them, and everything related to the codesigning service is contained in the codesigning directory. Anyways, I think I've talked myself into deleting these, so they have been removed/updated in 4de580b |
There was a problem hiding this comment.
Thanks @phargogh for thinking about that and for the changes. This feels like the right direction to me and if we want to have a deliberate way to codesign manually in the future we can reestablish one based on the new structure here.
| few other verbs described in the systemctl docs. | ||
| * `sudo journalctl -u natcap-codesign.service -n 300` will show the 300 most | ||
| recent log messages generated by the service. | ||
| * `sudo journalctl -u natcap-codesign.service -n 300 --follow` will show the |
There was a problem hiding this comment.
Very helpful to have this documented here!
| url_base=$(make -C .. --no-print-directory print-DIST_URL_BASE | awk ' { print $3 } ') | ||
| platform=$(python -c "import platform;p=platform.system().lower();print(p if p != 'windows' else 'win32')") | ||
|
|
||
| if [ "$platform" = "win32" ]; then |
There was a problem hiding this comment.
Would it be worth scripting this in python? Since there's already some python commands in here, and the other codesigning scripts are in python.
This PR restores mac DMG codesigning by way of our new codesigning service, which simplifies our actions YAML (since we now just build the workbench in all cases and then defer OS-specific codesigning logic to the codesigning service), and probably makes this whole process more secure by not copying certificates out of a GCS bucket and keeping the operational code on a better-protected host that we control.
NOTE: one of the puppeteer tests was reliably failing for me, co I temporarily commented out the puppeteer tests to make sure this codesigning functionality works as expected. You can see the passing mac and windows codesigning GHA steps here:
Fixes #1784
Checklist
- [ ] Updated the user's guide (if needed)- [ ] Tested the Workbench UI (if relevant)