
Add code sign and notarization

Open jkroepke opened this issue 2 years ago • 9 comments

Fixes #1 Fixes #18

Credentials for code sign

  • CSC_LINK: (http url OR base64-encoded p12 file containing the Developer ID certificate)
  • CSC_KEY_PASSWORD: password for p12 file

Credentials for notarization:

  • APPLEID: Apple ID for notarization (needs access to App Store Connect)
  • APPLEIDPASS: App specific password of the Apple ID

Test Binaries: https://github.com/jkroepke/OpenLens/releases/tag/v6.0.0

Thanks to @xavierLowmiller for providing a code sign certificate

Screenshot for notarization:

Bildschirmfoto 2022-08-02 um 14 57 33

Note that the code sign certificate has a 1-year expiry date and needs to be renewed each year.

jkroepke avatar Aug 02 '22 12:08 jkroepke

I believe secrets are not getting copied from PRs.

MuhammedKalkan avatar Aug 02 '22 13:08 MuhammedKalkan

Correct, but I can not expose credentials inside workflows.

jkroepke avatar Aug 02 '22 14:08 jkroepke

Yes, we need to define them inside this repository as secrets, if you think that would not compromise credential security. Only then can we merge this PR successfully.

MuhammedKalkan avatar Aug 02 '22 14:08 MuhammedKalkan

Make sure that the "Send secrets to workflows from fork pull requests" option is unchecked:

image

zoispag avatar Aug 02 '22 14:08 zoispag

Thanks for stepping up @jkroepke. I uploaded my cert and set corresponding repo env vars as secrets (using REST API as GitHub UI won't let you do it unless you are repo owner, but rest api lets you set secrets as contributor).

This is how I uploaded my cert and cert-pw:

# Tooling
brew install gh
gh auth login
# Get the repo's public key; the response carries key_id and the base64 public key
# with which encrypted_value below has to be sealed (libsodium sealed box, then base64)
gh api /repos/MuhammedKalkan/OpenLens/actions/secrets/public-key
# Upload certificate
gh api \
  --method PUT \
  -H "Accept: application/vnd.github.v3+json" \
  /repos/MuhammedKalkan/OpenLens/actions/secrets/MACOS_CERTIFICATE \
  -f encrypted_value='xxxxx' \
  -f key_id='xxxx'
# Upload certificate password
gh api \
  --method PUT \
  -H "Accept: application/vnd.github.v3+json" \
  /repos/MuhammedKalkan/OpenLens/actions/secrets/MACOS_CERTIFICATE_PWD \
  -f encrypted_value='xxxxx' \
  -f key_id='xxxx'
# Check that secrets are now there (names and timestamps only, values are never returned)
gh api -H "Accept: application/vnd.github.v3+json" \
  /repos/MuhammedKalkan/OpenLens/actions/secrets

I had to convert my p12 certificate and password to base64 format to insert in place of 'xxxxx' above.

janhoy avatar Aug 03 '22 08:08 janhoy

Note that the p12 itself needs base64 format, even if I manually enter the value through the UI. If you have to encode all values with base64 in the API call, you have to encode the p12 file twice.

jkroepke avatar Aug 03 '22 08:08 jkroepke
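The "encode once for CSC_LINK, twice if the API call itself wants base64" point above fails silently when it goes wrong: the workflow just cannot load the certificate. The block below is an added example, not code from this PR or from the OpenLens project. It uses a constructed DER-like byte string in place of a real .p12, encodes it once the way electron-builder's CSC_LINK expects, and peels base64 layers off a stored value to report how many times it was encoded before DER appears, so a maintainer can check a value before pasting it into a secret.

```python
import base64
import binascii
from typing import Optional, Tuple

# Constructed sample: the first bytes of a DER-encoded PKCS#12 container
# (SEQUENCE tag 0x30, long-form length, version INTEGER 3) padded with zeros.
# This is NOT a real certificate, only enough structure to exercise the check.
SAMPLE_P12 = bytes.fromhex("30820a3a02010330820a00060920") + b"\x00" * 16


def looks_like_der(data: bytes) -> bool:
    """A PKCS#12 file is a DER SEQUENCE, so its first byte is the 0x30 tag.

    Base64 text of such a file always starts with 'M' (0x30 -> 001100..),
    so a base64 layer can never be mistaken for DER by this check.
    """
    return len(data) > 2 and data[0] == 0x30


def encode_for_csc_link(p12: bytes) -> str:
    """Encode the raw .p12 bytes exactly once: the form CSC_LINK expects."""
    return base64.b64encode(p12).decode("ascii")


def base64_layers(value: str, max_layers: int = 4) -> Tuple[Optional[int], Optional[bytes]]:
    """Count how many base64 layers wrap a DER blob.

    Returns (layers, der_bytes); (None, None) if no DER is found within
    max_layers decodes or the value is not valid base64 at some layer.
    """
    try:
        current = value.strip().encode("ascii")
    except UnicodeEncodeError:
        return None, None
    for layer in range(1, max_layers + 1):
        try:
            decoded = base64.b64decode(current, validate=True)
        except (binascii.Error, ValueError):
            return None, None
        if looks_like_der(decoded):
            return layer, decoded
        current = decoded  # not DER yet: assume another base64 layer
    return None, None


def describe(value: str) -> str:
    """Human-readable verdict for a candidate CSC_LINK value."""
    layers, _ = base64_layers(value)
    if layers is None:
        return "no DER found: not a base64-encoded p12"
    if layers == 1:
        return "single base64 layer: correct for CSC_LINK"
    return f"{layers} base64 layers: double-encoded, decode {layers - 1} time(s) first"


if __name__ == "__main__":
    once = encode_for_csc_link(SAMPLE_P12)
    twice = base64.b64encode(once.encode("ascii")).decode("ascii")
    print(describe(once))
    print(describe(twice))
    print(describe("not base64!"))
```

Run it against the real secret value by piping the value into `describe()`; a verdict of two layers means the API client base64-encoded an already base64-encoded file.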

@janhoy do you need any assistance?

jkroepke avatar Aug 04 '22 11:08 jkroepke

> @janhoy do you need any assistance?

If you are made a committer on this project you will be able to push your signing cert as a secret like I did. @MuhammedKalkan ?

janhoy avatar Aug 04 '22 17:08 janhoy

I am waiting for feedback at https://github.com/MuhammedKalkan/OpenLens/pull/21#issuecomment-1202703694. @jkroepke can be made a collaborator like you are and define secrets in this repository like you did, if he is ok about the security concerns of the account he used.

MuhammedKalkan avatar Aug 04 '22 20:08 MuhammedKalkan

Btw, secrets added by a contributor can not be seen, only updated. I don't think there will be any security issues. We can merge this when you decide and define the secrets @jkroepke

MuhammedKalkan avatar Aug 06 '22 14:08 MuhammedKalkan

Very interesting, this. Didn't know contributors could set/reset secrets via API. Without this, I'd advise you two to exchange age or gpg keys, then transmit the secret material encrypted to the repo owner. But if doable via API, even better, since owner does not need to see the material.

Either way: great work 👍, please finish this when possible, I'm really done with building OpenLens myself due to lack of notarization. It would be great to also include a sha256 sum of the final notarized binary in the build logs so we can check it's built from pristine sources.

rpardini avatar Aug 06 '22 16:08 rpardini

I need one more week to re-generate the p12 file with a stronger passphrase. Currently it's protected with a simple test passphrase and the guy who currently provides the certificate is on holiday.

jkroepke avatar Aug 09 '22 13:08 jkroepke

Alright great, in the meantime I will add you as a collaborator. But in the long run we need our own Apple account and certificate for Windows.

I am trying to get an opencollective account approved but that is taking time. Anyone who wishes to speed up the process and sponsor this, please reach out for direct donation.

MuhammedKalkan avatar Aug 09 '22 14:08 MuhammedKalkan

SHA256 sums are now available inside CI.

Secrets are now configured through the gh CLI:

gh secret --repo MuhammedKalkan/OpenLens set CSC_LINK --body "***"
gh secret --repo MuhammedKalkan/OpenLens set CSC_KEY_PASSWORD --body "***"
gh secret --repo MuhammedKalkan/OpenLens set APPLEID --body "***"
gh secret --repo MuhammedKalkan/OpenLens set APPLEIDPASS --body "***"

Currently, it's not possible to test this from this PR here.

The current workflow is tested here: https://github.com/jkroepke/OpenLens/actions/runs/2828318746

jkroepke avatar Aug 10 '22 09:08 jkroepke

Seems secrets are defined. I am merging this for further testing

MuhammedKalkan avatar Aug 10 '22 09:08 MuhammedKalkan

I spent a couple of weeks moving house and someone beat me to the punch :-) Huge kudos @MuhammedKalkan and @jkroepke for picking this up, and thanks from the community!

holograph avatar Aug 10 '22 12:08 holograph