build(ci): wire macOS code signing + notarization into release workflow
Add a guarded "Sign & notarize macOS app" step to build.yml that signs dist/DataTools.app with the Developer ID (hardened runtime + entitlements + secure timestamp), notarizes via notarytool, and staples the ticket — running before DMG packaging. The step exits 0 with a warning when the MACOS_* secrets are absent, so dry-run dispatches still produce an (unsigned) build. Add build/macos/entitlements.plist with the hardened-runtime entitlements a frozen PyInstaller/CPython app needs (JIT memory, library-validation disabled for bundled .so/.dylib + Tesseract). Update build/README.md to reflect that macOS signing is now wired and only needs the secrets. Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
This commit is contained in:
69
.github/workflows/build.yml
vendored
69
.github/workflows/build.yml
vendored
@@ -126,6 +126,75 @@ jobs:
|
|||||||
DATATOOLS_TESS_STAGING: build/_tesseract/${{ matrix.platform }}
|
DATATOOLS_TESS_STAGING: build/_tesseract/${{ matrix.platform }}
|
||||||
run: pyinstaller build/datatools.spec --clean --noconfirm
|
run: pyinstaller build/datatools.spec --clean --noconfirm
|
||||||
|
|
||||||
|
# ---- macOS code signing + notarization (before DMG packaging) -
|
||||||
|
# Signs dist/DataTools.app with the Developer ID, notarizes it,
|
||||||
|
# and staples the ticket so Gatekeeper passes offline. Wrapped in
|
||||||
|
# a guard: if the cert secret is absent the step prints a warning
|
||||||
|
# and exits 0, so dry-run dispatches still produce an (unsigned)
|
||||||
|
# build. Secret names match build/README.md "Signing".
|
||||||
|
- name: Sign & notarize macOS app
|
||||||
|
if: matrix.os == 'macos-latest'
|
||||||
|
env:
|
||||||
|
CERT_P12_BASE64: ${{ secrets.MACOS_DEVELOPER_ID_CERT_P12_BASE64 }}
|
||||||
|
CERT_PASSWORD: ${{ secrets.MACOS_DEVELOPER_ID_CERT_PASSWORD }}
|
||||||
|
NOTARY_APPLE_ID: ${{ secrets.MACOS_NOTARY_APPLE_ID }}
|
||||||
|
NOTARY_TEAM_ID: ${{ secrets.MACOS_NOTARY_TEAM_ID }}
|
||||||
|
NOTARY_PASSWORD: ${{ secrets.MACOS_NOTARY_PASSWORD }}
|
||||||
|
run: |
|
||||||
|
set -euo pipefail
|
||||||
|
if [ -z "${CERT_P12_BASE64:-}" ]; then
|
||||||
|
echo "::warning::MACOS_DEVELOPER_ID_CERT_P12_BASE64 not set — shipping an UNSIGNED build (Gatekeeper will warn buyers)."
|
||||||
|
exit 0
|
||||||
|
fi
|
||||||
|
|
||||||
|
APP="dist/DataTools.app"
|
||||||
|
|
||||||
|
# 1. Import the Developer ID cert into an ephemeral keychain.
|
||||||
|
KEYCHAIN="$RUNNER_TEMP/build.keychain-db"
|
||||||
|
KEYCHAIN_PW="$(uuidgen)"
|
||||||
|
security create-keychain -p "$KEYCHAIN_PW" "$KEYCHAIN"
|
||||||
|
security set-keychain-settings -lut 3600 "$KEYCHAIN"
|
||||||
|
security unlock-keychain -p "$KEYCHAIN_PW" "$KEYCHAIN"
|
||||||
|
echo "$CERT_P12_BASE64" | base64 --decode > "$RUNNER_TEMP/cert.p12"
|
||||||
|
security import "$RUNNER_TEMP/cert.p12" -k "$KEYCHAIN" -P "$CERT_PASSWORD" \
|
||||||
|
-T /usr/bin/codesign
|
||||||
|
security set-key-partition-list -S apple-tool:,apple: -s -k "$KEYCHAIN_PW" "$KEYCHAIN" >/dev/null
|
||||||
|
# Make the ephemeral keychain searchable (preserve the login keychain).
|
||||||
|
security list-keychains -d user -s "$KEYCHAIN" \
|
||||||
|
$(security list-keychains -d user | sed 's/"//g')
|
||||||
|
|
||||||
|
IDENTITY="$(security find-identity -v -p codesigning "$KEYCHAIN" \
|
||||||
|
| grep 'Developer ID Application' | head -1 | awk -F'"' '{print $2}')"
|
||||||
|
if [ -z "$IDENTITY" ]; then
|
||||||
|
echo "::error::No 'Developer ID Application' identity found in the imported cert."
|
||||||
|
exit 1
|
||||||
|
fi
|
||||||
|
echo "Signing with: $IDENTITY"
|
||||||
|
|
||||||
|
# 2. Sign the bundle (hardened runtime + secure timestamp + entitlements).
|
||||||
|
# --deep signs the nested dylibs/.so the PyInstaller bundle carries.
|
||||||
|
codesign --deep --force --options runtime --timestamp \
|
||||||
|
--entitlements build/macos/entitlements.plist \
|
||||||
|
--sign "$IDENTITY" "$APP"
|
||||||
|
codesign --verify --strict --verbose=2 "$APP"
|
||||||
|
|
||||||
|
# 3. Notarize the .app (notarytool needs a zip/dmg/pkg, not a bare .app),
|
||||||
|
# then staple so Gatekeeper validates offline.
|
||||||
|
if [ -n "${NOTARY_APPLE_ID:-}" ]; then
|
||||||
|
ditto -c -k --keepParent "$APP" "$RUNNER_TEMP/DataTools.zip"
|
||||||
|
xcrun notarytool submit "$RUNNER_TEMP/DataTools.zip" \
|
||||||
|
--apple-id "$NOTARY_APPLE_ID" \
|
||||||
|
--team-id "$NOTARY_TEAM_ID" \
|
||||||
|
--password "$NOTARY_PASSWORD" \
|
||||||
|
--wait
|
||||||
|
xcrun stapler staple "$APP"
|
||||||
|
xcrun stapler validate "$APP"
|
||||||
|
else
|
||||||
|
echo "::warning::Notary credentials not set — app is signed but NOT notarized (Gatekeeper will still warn)."
|
||||||
|
fi
|
||||||
|
|
||||||
|
rm -f "$RUNNER_TEMP/cert.p12"
|
||||||
|
|
||||||
# ---- Per-platform installer packaging ------------------------
|
# ---- Per-platform installer packaging ------------------------
|
||||||
|
|
||||||
- name: Package macOS DMG (installer)
|
- name: Package macOS DMG (installer)
|
||||||
|
|||||||
@@ -112,12 +112,15 @@ pyinstaller build/datatools.spec --clean --noconfirm
|
|||||||
|
|
||||||
## Signing (Phase 2 — needs accounts/credentials)
|
## Signing (Phase 2 — needs accounts/credentials)
|
||||||
|
|
||||||
Both code-signing steps are intentionally not in CI yet because they
|
**macOS signing + notarization is now wired into `build.yml`** (the
|
||||||
require credentials the owner sets up first.
|
"Sign & notarize macOS app" step, with `build/macos/entitlements.plist`).
|
||||||
|
It is guarded: if `MACOS_DEVELOPER_ID_CERT_P12_BASE64` is absent the step
|
||||||
|
warns and exits 0, so dry-run dispatches still produce an unsigned build.
|
||||||
|
To activate it, just add the secrets below — no code change needed.
|
||||||
|
**Windows** code-signing is still not wired (accepted v1 friction).
|
||||||
|
|
||||||
**macOS** — Apple Developer Program enrollment ($99/yr). Once enrolled,
|
**macOS** — Apple Developer Program enrollment ($99/yr). Once enrolled,
|
||||||
add these GitHub Secrets and uncomment the `codesign` + `notarytool`
|
add these GitHub Secrets to activate the signing step in `build.yml`:
|
||||||
steps in `build.yml`:
|
|
||||||
|
|
||||||
| Secret | Value |
|
| Secret | Value |
|
||||||
|---|---|
|
|---|---|
|
||||||
|
|||||||
28
build/macos/entitlements.plist
Normal file
28
build/macos/entitlements.plist
Normal file
@@ -0,0 +1,28 @@
|
|||||||
|
<?xml version="1.0" encoding="UTF-8"?>
|
||||||
|
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
|
||||||
|
<!--
|
||||||
|
Hardened-runtime entitlements for the notarized DataTools.app.
|
||||||
|
|
||||||
|
PyInstaller freezes a CPython interpreter that maps writable+executable
|
||||||
|
memory and loads many unsigned .so/.dylib modules at runtime. Without
|
||||||
|
these entitlements the hardened runtime kills the process on launch
|
||||||
|
(or notarization rejects the bundle). Keep this list minimal — the app
|
||||||
|
is a local-only Streamlit server, so no network-server/device/camera
|
||||||
|
entitlements are needed.
|
||||||
|
-->
|
||||||
|
<plist version="1.0">
|
||||||
|
<dict>
|
||||||
|
<!-- CPython JIT-style writable/executable memory + ctypes trampolines -->
|
||||||
|
<key>com.apple.security.cs.allow-jit</key>
|
||||||
|
<true/>
|
||||||
|
<key>com.apple.security.cs.allow-unsigned-executable-memory</key>
|
||||||
|
<true/>
|
||||||
|
<!-- Load the bundled C-extension .so / .dylib modules (pandas, pdfplumber,
|
||||||
|
Pillow, the bundled Tesseract dylibs) that aren't Team-ID signed -->
|
||||||
|
<key>com.apple.security.cs.disable-library-validation</key>
|
||||||
|
<true/>
|
||||||
|
<!-- Launcher sets DATATOOLS_*/TESSDATA_PREFIX/PYTHON* before exec -->
|
||||||
|
<key>com.apple.security.cs.allow-dyld-environment-variables</key>
|
||||||
|
<true/>
|
||||||
|
</dict>
|
||||||
|
</plist>
|
||||||
Reference in New Issue
Block a user