Skip to content
Merged
Show file tree
Hide file tree
Changes from all commits
Commits
File filter

Filter by extension

Filter by extension


Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
3 changes: 0 additions & 3 deletions .github/FUNDING.yml

This file was deleted.

16 changes: 0 additions & 16 deletions .github/ISSUE_TEMPLATE/Blueprint.md

This file was deleted.

39 changes: 0 additions & 39 deletions .github/ISSUE_TEMPLATE/Bug_Report.md

This file was deleted.

29 changes: 0 additions & 29 deletions .github/ISSUE_TEMPLATE/Feature_Request.md

This file was deleted.

17 changes: 0 additions & 17 deletions .github/ISSUE_TEMPLATE/Free_Form.md

This file was deleted.

34 changes: 0 additions & 34 deletions .github/ISSUE_TEMPLATE/New_Release.md

This file was deleted.

27 changes: 0 additions & 27 deletions .github/ISSUE_TEMPLATE/Question.md

This file was deleted.

105 changes: 105 additions & 0 deletions .github/steps/sign-macos-package/action.yml
Original file line number Diff line number Diff line change
@@ -0,0 +1,105 @@
name: Sign MacOS package
description: Sign built universal MacOS package and Notarize it
inputs:
apple_certificate_p12:
description: 'Base64 encoded Apple Developer certificate (.p12)'
required: true
apple_certificate_password:
description: 'Password for the .p12 certificate'
required: true
apple_developer_id:
description: 'Apple Developer ID string'
required: true
apple_id_username:
description: 'Apple ID username for notarization'
required: true
apple_id_password:
description: 'App-specific password for Apple ID'
required: true
apple_team_id:
description: 'Apple Developer ID'
required: true
binary_name:
description: 'Name of built MacOS binary (e.g. "rmmagent")'
required: true

runs:
using: "composite"
steps:
- name: Setup and export all needed vars
shell: bash
run: |
BINARY_NAME="${{ inputs.binary_name }}"
BINARY_PATH="./artifacts/$BINARY_NAME"
DEVELOPER_ID="${{ inputs.apple_developer_id }}"

echo "BINARY_NAME=$BINARY_NAME" >> $GITHUB_ENV
echo "BINARY_PATH=$BINARY_PATH" >> $GITHUB_ENV
echo "DEVELOPER_ID=$DEVELOPER_ID" >> $GITHUB_ENV

- name: Setup Apple Code Signing
shell: bash
run: |
CERTIFICATE_PATH="$HOME/certificate.p12"
KEYCHAIN_PATH="$HOME/signing.keychain-db"

# Decode certificate and create keychain
echo "${{ inputs.apple_certificate_p12 }}" | base64 --decode > "$CERTIFICATE_PATH"
security create-keychain -p "${{ inputs.apple_certificate_password }}" "$KEYCHAIN_PATH"
security default-keychain -s "$KEYCHAIN_PATH"
security unlock-keychain -p "${{ inputs.apple_certificate_password }}" "$KEYCHAIN_PATH"

# Import certificate and set key partition list
security import "$CERTIFICATE_PATH" -P "${{ inputs.apple_certificate_password }}" -A -t cert -f pkcs12 -k "$KEYCHAIN_PATH"
security set-key-partition-list -S apple-tool:,apple: -s -k "${{ inputs.apple_certificate_password }}" "$KEYCHAIN_PATH"

# Verify setup, cleanup initial cert and export path
security find-identity -v -p codesigning "$KEYCHAIN_PATH"
rm "$CERTIFICATE_PATH"
echo "KEYCHAIN_PATH=$KEYCHAIN_PATH" >> $GITHUB_ENV

- name: Code Sign Standalone binary
shell: bash
run: |
chmod +x "$BINARY_PATH"

# Sign the binary and verify
codesign --sign "$DEVELOPER_ID" --timestamp --options runtime --deep --force "$BINARY_PATH"

# Verify signature
codesign --verify --deep --strict --verbose=2 "$BINARY_PATH"
codesign -dv --verbose=4 "$BINARY_PATH"
echo "Binary signed successfully"

- name: Create archive and submit for Notarization
shell: bash
run: |
zip "${BINARY_NAME}.zip" -j "$BINARY_PATH"

echo "Submitting binary for notarization..."
xcrun notarytool submit "${BINARY_NAME}.zip" \
--apple-id "${{ inputs.apple_id_username }}" \
--password "${{ inputs.apple_id_password }}" \
--team-id "${{ inputs.apple_team_id }}" \
--wait \
--timeout 30m

# Cleanup zip
rm "${BINARY_NAME}.zip"
echo "Notarization completed successfully"

- name: Verify Final Binary
shell: bash
run: |
# Verify code signature and notarization
codesign --verify --deep --strict --verbose=2 "$BINARY_PATH"
spctl --assess --type open --context context:primary-signature --verbose "$BINARY_PATH" || true
echo "Binary is signed, notarized, and ready for distribution"

- name: Cleanup Keychain
if: always()
shell: bash
run: |
if [[ -n "$KEYCHAIN_PATH" ]] && [[ -f "$KEYCHAIN_PATH" ]]; then
security delete-keychain "$KEYCHAIN_PATH"
fi
Loading
Loading