mit-plv/fiat-crypto

Sign & notarize macOS binaries?

JasonGross opened this issue · 0 comments

Perhaps we should sign & notarize the MacOS binaries for ease of use?

ChatGPT suggests that the steps are:

Without a Mac, you can still handle code signing and notarization using GitHub Actions. Here’s a step-by-step approach:

  1. Apple Developer Account: Ensure that you have an Apple Developer account, as you'll need certificates and credentials for signing and notarization.

  2. Create and Export Signing Certificate:
    • Use a Mac to create a Developer ID Application certificate, or obtain one from your team.
    • Export the certificate as a .p12 file.

  3. Add Secrets to GitHub:
    • Encrypt your .p12 file and add it as a GitHub Actions secret, along with the certificate password and your Apple Developer account credentials.

  4. Install and Configure xcnotary:
    • Use xcnotary, a third-party tool that supports notarizing applications via CI, which works well with GitHub Actions.
    • Install xcnotary in your GitHub Actions workflow by adding:

    ```yaml
    - name: Install xcnotary
      run: brew install keith/formulae/xcnotary
    ```

  5. Import Certificate:
    • Import the .p12 file in your CI workflow using:

    ```yaml
    - name: Import Signing Certificate
      env:
        P12_BASE64: ${{ secrets.CERTIFICATE_P12_BASE64 }}   # secret name assumed: base64 of the .p12 from step 3
        P12_PASSWORD: ${{ secrets.CERTIFICATE_PASSWORD }}
      run: |
        echo "$P12_BASE64" | base64 --decode > certificate.p12
        security create-keychain -p "" build.keychain
        security import certificate.p12 -k build.keychain -P "$P12_PASSWORD" -T /usr/bin/codesign
        # let codesign use the imported key without a GUI prompt; omitting this hangs the job on CI
        security set-key-partition-list -S apple-tool:,apple: -s -k "" build.keychain
    ```

  6. Sign the Universal Binary:
    • After combining the architectures using lipo, sign it with:

    ```yaml
    - name: Code Sign
      run: |
        # --options runtime enables the hardened runtime, which notarization requires
        codesign --sign "Developer ID Application: Your Name (TeamID)" --options runtime --timestamp --keychain build.keychain universal_binary
    ```

  7. Notarize the Binary:
    • Use xcnotary to notarize your signed binary:

    ```yaml
    - name: Notarize Binary
      run: |
        xcnotary notarize universal_binary --apple-id ${{ secrets.APPLE_ID }} --password ${{ secrets.APPLE_PASSWORD }} --team-id "YourTeamID"
    ```

  8. Staple the Notarization:
    • After successful notarization, apply the notarization ticket to the binary:

    ```yaml
    - name: Staple Notarization
      run: xcrun stapler staple universal_binary
    ```

Make sure your secrets are stored securely within GitHub Actions. This setup allows you to automate signing and notarization entirely through GitHub Actions without direct access to a Mac.
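The steps above assembled into one complete workflow, as an added example that is not part of this issue or of the fiat-crypto repository. It swaps the third-party xcnotary for Apple's own `xcrun notarytool`, which ships with Xcode on GitHub's macOS runners, and it checks the notarization status explicitly rather than trusting the exit code. The runner label `macos-14`, the secret names (`MACOS_CERT_P12_BASE64`, `MACOS_CERT_PASSWORD`, `MACOS_SIGNING_IDENTITY`, `APPLE_ID`, `APPLE_APP_PASSWORD`, `APPLE_TEAM_ID`), the binary name `universal_binary` and the `workflow_dispatch` trigger are all assumptions; the build and `lipo` steps that produce the binary are left out.

```yaml
name: Sign and notarize macOS binary

on:
  workflow_dispatch:   # trigger chosen for illustration; a release tag would be typical

jobs:
  sign-notarize:
    runs-on: macos-14               # assumed runner label; any current macOS runner works
    env:
      BINARY: universal_binary      # assumed name of the lipo-combined binary from an earlier step
      KEYCHAIN: build.keychain
    steps:
      - uses: actions/checkout@v4

      # ... build and lipo steps producing ${BINARY} go here ...

      - name: Import Developer ID certificate into a throwaway keychain
        env:
          CERT_P12_BASE64: ${{ secrets.MACOS_CERT_P12_BASE64 }}   # assumed secret: base64 of the exported .p12
          CERT_PASSWORD: ${{ secrets.MACOS_CERT_PASSWORD }}       # assumed secret: .p12 export password
        run: |
          set -euo pipefail
          KEYCHAIN_PASSWORD="$(openssl rand -hex 16)"
          echo "$CERT_P12_BASE64" | base64 --decode > cert.p12
          security create-keychain -p "$KEYCHAIN_PASSWORD" "$KEYCHAIN"
          security set-keychain-settings -lut 21600 "$KEYCHAIN"   # do not auto-lock during the job
          security unlock-keychain -p "$KEYCHAIN_PASSWORD" "$KEYCHAIN"
          security import cert.p12 -k "$KEYCHAIN" -P "$CERT_PASSWORD" -T /usr/bin/codesign
          # Grant codesign non-interactive access to the private key; without this it blocks on a GUI prompt.
          security set-key-partition-list -S apple-tool:,apple: -s -k "$KEYCHAIN_PASSWORD" "$KEYCHAIN"
          security list-keychains -d user -s "$KEYCHAIN" login.keychain
          rm -f cert.p12

      - name: Sign with hardened runtime and a secure timestamp
        env:
          SIGNING_IDENTITY: ${{ secrets.MACOS_SIGNING_IDENTITY }}  # e.g. "Developer ID Application: Name (TEAMID)"
        run: |
          set -euo pipefail
          # --options runtime enables the hardened runtime, which notarization requires.
          codesign --force --sign "$SIGNING_IDENTITY" --options runtime --timestamp \
            --keychain "$KEYCHAIN" "$BINARY"
          codesign --verify --strict --verbose=2 "$BINARY"

      - name: Notarize with notarytool
        env:
          APPLE_ID: ${{ secrets.APPLE_ID }}
          APPLE_APP_PASSWORD: ${{ secrets.APPLE_APP_PASSWORD }}   # an app-specific password, not the account password
          APPLE_TEAM_ID: ${{ secrets.APPLE_TEAM_ID }}
        run: |
          set -euo pipefail
          # notarytool only accepts .zip, .dmg or .pkg uploads, so wrap the bare Mach-O in a zip.
          ditto -c -k --keepParent "$BINARY" "$BINARY.zip"
          xcrun notarytool submit "$BINARY.zip" \
            --apple-id "$APPLE_ID" --password "$APPLE_APP_PASSWORD" --team-id "$APPLE_TEAM_ID" \
            --wait --output-format json > notarization.json || true
          cat notarization.json
          SUBMISSION_ID="$(python3 -c 'import json; print(json.load(open("notarization.json"))["id"])')"
          STATUS="$(python3 -c 'import json; print(json.load(open("notarization.json"))["status"])')"
          # The log names every rejected file and the reason (no hardened runtime, no timestamp, ...).
          xcrun notarytool log "$SUBMISSION_ID" \
            --apple-id "$APPLE_ID" --password "$APPLE_APP_PASSWORD" --team-id "$APPLE_TEAM_ID"
          [ "$STATUS" = "Accepted" ] || { echo "notarization failed with status: $STATUS"; exit 1; }
          # A ticket is issued for a standalone executable but cannot be stapled to it; Gatekeeper
          # fetches the ticket online. Staple only if you ship a .dmg, .pkg or .app, e.g.:
          #   xcrun stapler staple "$DMG"

      - name: Remove the build keychain
        if: always()
        run: security delete-keychain "$KEYCHAIN" || true

      - uses: actions/upload-artifact@v4
        with:
          name: signed-macos-binary
          path: ${{ env.BINARY }}
```

Two points worth keeping in mind when adapting this: `notarytool` needs an app-specific password (or an App Store Connect API key via `--key`/`--key-id`/`--issuer`), never the Apple ID account password; and step 8 of the suggestion above will fail for a bare command-line binary, because Apple does not support stapling tickets to standalone executables, so for that artifact the online Gatekeeper check is the only verification path and there is nothing to staple.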