Skip to content

Add MacOS signing #33

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Merged
merged 1 commit into from
May 9, 2025
Merged

Add MacOS signing #33

merged 1 commit into from
May 9, 2025

Conversation

nmburgan
Copy link
Member

@nmburgan nmburgan commented May 1, 2025
edited
Loading

This utilizes changes in Vanagon to enable signing locally, instead of shipping files to a signing server. Details for how to set this up given the appropriate certs/keys can be found on the wiki.

With the changes from OpenVoxProject/vanagon#13, when the VANAGON_FORCE_SIGNING env var is set, vanagon will attempt the signing flow as noted in that PR. Otherwise, it will skip signing entirely. In order for signing to succeed, you must run the build on a VM that contains:

  • A keychain created by root that contains the Developer Application and Installer identities (cert + key), and a Notarization profile.
  • SIGNING_KEYCHAIN set to the name/location of the keychain
  • SIGNING_KEYCHAIN_PW set to the password to unlock the keychain
  • APPLICATION_SIGNING_CERT set to the description of the application signing identity
  • INSTALLER_SIGNING_CERT set to the description of the installer signing identity
  • NOTARY_PROFILE set to the name of the profile set up with a user account tied to the above signing identities

At some point, we may move all this out of vanagon and put it back in here, but since this should never really change and the only thing we're signing right now is the agent for MacOS, this works well enough.

This also removes the "commit" PR check, since we don't require adding ticket numbers or (maint) to each commit message like Perforce does.

nmburgan
nmburgan commented May 1, 2025
View reviewed changes
@nmburgan nmburgan force-pushed the macos_signing branch 11 times, most recently from e188eb1 to 31ff062 Compare May 9, 2025 00:03
@nmburgan
Add MacOS signing
68f27fd 
This utilizes changes in Vanagon to enable signing locally, instead of shipping files to a signing server. Details for how to set this up given the appropriate certs/keys can be found on the wiki.

With the changes from OpenVoxProject/vanagon#13, when the VANAGON_FORCE_SIGNING env var is set, vanagon will attempt the signing flow as noted in that PR. Otherwise, it will skip signing entirely. In order for signing to succeed, you must run the build on a VM that contains:
- A keychain created by root that contains the Developer Application and Installer identities (cert + key), and a Notarization profile.
- SIGNING_KEYCHAIN set to the name/location of the keychain
- SIGNING_KEYCHAIN_PW set to the password to unlock the keychain
- APPLICATION_SIGNING_CERT set to the description of the application signing identity
- INSTALLER_SIGNING_CERT set to the description of the installer signing identity
- NOTARY_PROFILE set to the name of the profile set up with a user account tied to the above signing identities

At some point, we may move all this out of vanagon and put it back in here, but since this should never really change and the only thing we're signing right now is the agent for MacOS, this works well enough.
@nmburgan nmburgan merged commit e149607 into main May 9, 2025
1 check passed
@nmburgan nmburgan deleted the macos_signing branch May 9, 2025 17:51
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers
No reviews
Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
1 participant
@nmburgan