Sign OSX bundle

Author: mlech-reef

.github/workflows/cd.yml

@@ -12,6 +12,7 @@ jobs:
   deploy:
     env:
       B2_PYPI_PASSWORD: ${{ secrets.B2_PYPI_PASSWORD }}
+      ACTIONS_STEP_DEBUG: ${{ secrets.ACTIONS_STEP_DEBUG }}
     runs-on: ubuntu-latest
     outputs:
       upload_url: ${{ steps.create-release.outputs.upload_url }}
@@ -40,7 +41,7 @@ jobs:
           tag_name: ${{ github.ref }}
           release_name: ${{ steps.build.outputs.version }}
           body: ${{ steps.read-changelog.outputs.log_entry }}
-          draft: false
+          draft: ${{ env.ACTIONS_STEP_DEBUG == 'true' }}
           prerelease: false
       - name: Upload the distribution to GitHub
         uses: actions/upload-release-asset@v1
@@ -57,6 +58,10 @@ jobs:
           password: ${{ env.B2_PYPI_PASSWORD }}
   deploy-bundle:
     needs: deploy
+    env:
+      B2_OSX_CODE_SIGNING_CERTIFICATE: ${{ secrets.B2_OSX_CODE_SIGNING_CERTIFICATE }}
+      B2_OSX_CODE_SIGNING_CERTIFICATE_NAME: ${{ secrets.B2_OSX_CODE_SIGNING_CERTIFICATE_NAME }}
+      B2_OSX_CODE_SIGNING_CERTIFICATE_PASSWORD: ${{ secrets.B2_OSX_CODE_SIGNING_CERTIFICATE_PASSWORD }}
     runs-on: ${{ matrix.os }}
     strategy:
       fail-fast: false
@@ -75,6 +80,15 @@ jobs:
       - name: Bundle the distribution
         id: bundle
         run: nox -vs bundle
+      - name: Import certificate
+        if: ${{ env.B2_OSX_CODE_SIGNING_CERTIFICATE != '' && runner.os == 'macOS' }}
+        uses: apple-actions/import-codesign-certs@v1
+        with:
+          p12-file-base64: ${{ env.B2_OSX_CODE_SIGNING_CERTIFICATE }}
+          p12-password: ${{ env.B2_OSX_CODE_SIGNING_CERTIFICATE_PASSWORD }}
+      - name: Sign the bundle
+        if: ${{ env.B2_OSX_CODE_SIGNING_CERTIFICATE != '' && runner.os == 'macOS' }}
+        run: nox -vs sign -- --sign '${{ env.B2_OSX_CODE_SIGNING_CERTIFICATE_NAME }}'
       - name: Upload the distribution to GitHub
         uses: actions/upload-release-asset@v1
         with:

CHANGELOG.md

@@ -6,6 +6,9 @@ and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0
 
 ## [Unreleased]
 
+### Added
+* Sign OSX binary
+
 ### Fixed
 * Exclude packages inside the test package when installing
 

noxfile.py

@@ -29,6 +29,8 @@
 REQUIREMENTS_TEST = ['pytest==6.1.1', 'pytest-cov==2.10.1']
 REQUIREMENTS_BUILD = ['setuptools>=20.2']
 
+OSX_BUNDLE_IDENTIFIER = 'com.backblaze.b2'
+
 nox.options.reuse_existing_virtualenvs = True
 nox.options.sessions = [
     'lint',
@@ -169,6 +171,12 @@ def bundle(session):
     session.install('pyinstaller')
     session.run('rm', '-rf', 'build', 'dist', 'b2.egg-info', external=True)
     install_myself(session)
+
+    system = platform.system().lower()
+
+    if system == 'darwin':
+        session.posargs.extend(['--osx-bundle-identifier', OSX_BUNDLE_IDENTIFIER])
+
     session.run('pyinstaller', '--onefile', *session.posargs, 'b2.spec')
 
     # Set outputs for GitHub Actions
@@ -177,11 +185,33 @@ def bundle(session):
         print('::set-output name=asset_path::', asset_path, sep='')
 
         name, ext = os.path.splitext(os.path.basename(asset_path))
-        system = platform.system().lower()
         asset_name = '{}-{}{}'.format(name, system, ext)
         print('::set-output name=asset_name::', asset_name, sep='')
 
 
+@nox.session(python=False)
+def sign(session):
+    """Sign the bundled distribution (OSX only)."""
+    system = platform.system().lower()
+
+    if system != 'darwin':
+        session.skip('signing process is for OSX only')
+
+    session.run('security', 'find-identity', external=True)
+    session.run(
+        'codesign',
+        '--force',
+        '--verbose',
+        '--timestamp',
+        '--identifier',
+        OSX_BUNDLE_IDENTIFIER,
+        *session.posargs,
+        'dist/b2',
+        external=True
+    )
+    session.run('codesign', '--verify', '--verbose', 'dist/b2', external=True)
+
+
 @nox.session(python=PYTHON_DEFAULT_VERSION)
 def doc(session):
     """Build the documentation."""