Skip to content

Update macOS notarization to use notarytool (#254) #920

Update macOS notarization to use notarytool (#254)

Update macOS notarization to use notarytool (#254) #920

Workflow file for this run

name: ci
on:
push:
branches: [ main, release-* ]
tags:
'v*'
pull_request:
branches: [ main ]
env:
QT_VERSION: 6.5.2
jobs:
# This is a super hacky way to get this into a place that can actually be
# used by downstream jobs because YAML values don't allow shell
# interpolation, only github expression interpolation
run-info:
name: Gather Run Info
runs-on: ubuntu-latest
outputs:
sha8: ${{ steps.calc-info.outputs.sha8 }}
isRelease: ${{ steps.calc-info.outputs.isRelease }}
signMacRelease: ${{ steps.calc-info.outputs.signMacRelease }}
signWinRelease: ${{ steps.calc-info.outputs.signWinRelease }}
steps:
- name: CheckRun Info
env:
MCERT: ${{secrets.MACOS_CERT}}
WCERT: ${{ secrets.WINDOWS_CERT }}
id: calc-info
run: |
MSIGN="false"
WSIGN="false"
RELEASE="false"
if [[ "$GITHUB_REF" == *"tags/v"* || "$GITHUB_REF" == *"refs/heads/release" ]]; then
RELEASE="true"
NAME="$GITHUB_REF_NAME"
fi
if [[ "$MCERT" != "" ]]; then
MSIGN="true"
fi
if [[ "$WCERT" != "" ]]; then
WSIGN="true"
fi
if [[ "$NAME" == "" ]]; then
NAME="continuous"
fi
echo "signMacRelease=$MSIGN" >> $GITHUB_OUTPUT
echo "signWinRelease=$WSIGN" >> $GITHUB_OUTPUT
echo "sha8=$NAME" >> $GITHUB_OUTPUT
echo "isRelease=$RELEASE" >> $GITHUB_OUTPUT
build:
name: ${{ matrix.config.name }}
runs-on: ${{ matrix.config.os }}
needs: run-info
strategy:
fail-fast: false
matrix:
config:
- {
name: "Linux"
, os: ubuntu-20.04
, QT_INST_DIR: /opt
, extraCMakeConfig: "-DCMAKE_INSTALL_PREFIX=/usr"
}
- {
name: "Mac"
, os: macos-latest
, QT_INST_DIR: /Users/runner
, extraCMakeConfig: "-DCMAKE_OSX_ARCHITECTURES=\"arm64;x86_64\""
, cmakeSigning: "-DNOTARIZE_AS=\"John Kennedy\""
, buildTarget: "--target package"
}
- {
name: "Windows", WIN_ARCH: "x64"
, os: windows-2019
, QT_INST_DIR: "C:/", QT_ARCH: win64_msvc2019_64
, extraCMakeConfig: "-G Ninja"
, buildTarget: "--target package"
}
steps:
- name: Setup env
shell: bash
run: |
echo "name=ashirt-${{ needs.run-info.outputs.sha8 }}" >> $GITHUB_ENV
echo "githash=${{ needs.run-info.outputs.sha8 }}" >> $GITHUB_ENV
echo "signMacRelease=${{ needs.run-info.outputs.signMacRelease }}" >> $GITHUB_ENV
echo "signWinRelease=${{ needs.run-info.outputs.signWinRelease }}" >> $GITHUB_ENV
- name: Check out code
uses: actions/checkout@v4
with:
submodules: true
fetch-depth: 0
- run: git fetch --tags --force
- name: Env Script (windows)
uses: ilammy/msvc-dev-cmd@v1
if: runner.os == 'Windows'
with:
arch: ${{matrix.config.WIN_ARCH}}
- name: Import Signing Certificate ( windows )
if: runner.os == 'Windows' && env.signWinRelease == 'true'
run: |
New-Item -ItemType directory -Path build\certificate
Set-Content -Path build\certificate\certificate.txt -Value '${{ secrets.WINDOWS_CERT }}'
certutil -decode build\certificate\certificate.txt build\certificate\certificate.pfx
- name: Import Signing Certificate ( macos )
if: runner.os == 'macOS' && env.signMacRelease == 'true'
uses: Apple-Actions/import-codesign-certs@v3
with:
p12-file-base64: ${{ secrets.MACOS_CERT }}
p12-password: ${{ secrets.MACOS_PASS }}
- name: Install Qt
uses: jurplel/[email protected]
with:
aqtversion: ==2.0.0
py7zrversion: ==0.16.2
dir: ${{matrix.config.QT_INST_DIR}}
arch: ${{ matrix.config.QT_ARCH }}
version: ${{ env.QT_VERSION }}
- name: Install Dependencies
shell: bash
run: |
if [ "$RUNNER_OS" == "Linux" ]; then
sudo apt-get update > /dev/null && sudo apt-get install -qqq libxcb-keysyms1-dev libxkbcommon-dev libxkbcommon-x11-dev libxcb-cursor0 > /dev/null
elif [ "$RUNNER_OS" == "Windows" ]; then
choco install ninja --ignore-checksums
fi
- name: Build
shell: bash
run: |
if [[ "${{ env.signMacRelease }}" == "true" ]]; then
cmake -S. -Bbuild -DCMAKE_BUILD_TYPE=Release -DCPACK_PACKAGE_VERSION="${{env.githash}}" ${{matrix.config.extraCMakeConfig}} ${{matrix.config.cmakeSigning}}
else
cmake -S. -Bbuild -DCMAKE_BUILD_TYPE=Release -DCPACK_PACKAGE_VERSION="${{env.githash}}" ${{matrix.config.extraCMakeConfig}}
fi
cmake --build build ${{ matrix.config.buildTarget }}
cd build
mkdir -p dist
if [ "$RUNNER_OS" == "Linux" ]; then
wget -qc "https://github.com/linuxdeploy/linuxdeploy/releases/download/continuous/linuxdeploy-x86_64.AppImage"
wget -qc "https://github.com/linuxdeploy/linuxdeploy-plugin-qt/releases/download/continuous/linuxdeploy-plugin-qt-x86_64.AppImage"
chmod a+x linuxdeploy*.AppImage
export VERSION=${{ env.githash }}
export PATH=$PATH:/opt/Qt/${{env.QT_VERSION}}/gcc_64/libexec
./linuxdeploy-x86_64.AppImage --appdir=appdir --output appimage \
-e src/ashirt \
-d ../deploy/ashirt.desktop \
-i ../deploy/hicolor/128x128/apps/ashirt.png \
--plugin=qt
elif [[ "$RUNNER_OS" == "macOS" && "${{ env.signMacRelease }}" == "true" ]]; then
# Prepare application for notarization
xcrun notarytool store-credentials "AC_PASSWORD" --apple-id ${{ secrets.APPLE_ID }} --team-id ${{ secrets.TEAM_ID }} --password ${{ secrets.APP_SPECIFIC_PASSWORD }}
# Notarize the application
xcrun notarytool submit ${{env.name}}.dmg --keychain-profile "AC_PASSWORD" --wait
# Staple the ticket to the application
xcrun stapler staple ${{env.name}}.dmg
elif [[ "$RUNNER_OS" == "Windows" && "${{ env.signWinRelease }}" == "true" ]]; then
signtool sign -f certificate\\certificate.pfx -fd certHash -p '${{ secrets.WIN_CERT_PASS }}' -t http://timestamp.digicert.com ${{env.name}}.exe
fi
mv ashirt*.* dist/
- name: Archive production artifacts
uses: actions/upload-artifact@v4
with:
name: ${{env.name}}-${{ matrix.config.os }}
path: build/dist/ashirt*.*
release:
name: Release
needs: [run-info, build]
runs-on: ubuntu-latest
steps:
- name: Download Files
uses: actions/download-artifact@v4
- name: Deploy Continuous
if: github.ref == 'refs/heads/main'
uses: "marvinpinto/action-automatic-releases@latest"
with:
repo_token: "${{ secrets.GITHUB_TOKEN }}"
automatic_release_tag: "continuous"
prerelease: true
title: "Continuous Build"
files: ashirt-*/ashirt-*.*
- name: Deploy Tag
if: contains(github.ref, 'tags/v') || github.ref == 'refs/heads/release'
uses: "marvinpinto/action-automatic-releases@latest"
with:
repo_token: "${{ secrets.GITHUB_TOKEN }}"
automatic_release_tag: ${{ github.ref_name }}
prerelease: false
title: ${{ github.ref }}
files: ashirt-*/ashirt-*.*