add macos codesigning of opm binary for apple silicon #1491
base: master
Signed-off-by: Jordan Keister <[email protected]>
[APPROVALNOTIFIER] This PR is APPROVED
This pull-request has been approved by: grokspawn
Codecov Report
All modified and coverable lines are covered by tests ✅
Additional details and impacted files
@@ Coverage Diff @@
## master #1491 +/- ##
==========================================
- Coverage 48.61% 46.80% -1.81%
==========================================
Files 135 135
Lines 12793 15760 +2967
==========================================
+ Hits 6219 7377 +1158
- Misses 5533 7342 +1809
Partials 1041 1041
@@ -55,6 +55,10 @@ $(CMDS): | |||
$(OPM): opm_version_flags=-ldflags "-X '$(PKG)/cmd/opm/version.gitCommit=$(GIT_COMMIT)' -X '$(PKG)/cmd/opm/version.opmVersion=$(OPM_VERSION)' -X '$(PKG)/cmd/opm/version.buildDate=$(BUILD_DATE)'" | |||
$(OPM): | |||
$(extra_env) $(GO) build $(opm_version_flags) $(extra_flags) $(TAGS) -o $@ ./cmd/$(notdir $@) | |||
ifeq ($(shell go env GOARCH),arm64) |
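Review bot: the guard `ifeq ($(shell go env GOARCH),arm64)` on the last added line tests the architecture only, so it is also true on any non-macOS arm64 host, while the PR title scopes the signing step to macOS on Apple silicon. Comparing both values in one conditional, for example `ifeq ($(shell go env GOOS)/$(shell go env GOARCH),darwin/arm64)`, selects just that pair without nesting. Note also that `go env` here is evaluated in make's own environment, whereas the build line prefixes `$(extra_env)`, so if `extra_env` sets GOOS or GOARCH for a cross-build the guard and the built binary can disagree.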
This will also hit Raspberry Pi, and miss those older Intel models that can run Sequoia. Did you want to check explicitly for macOS?
ifeq ($(shell go env GOARCH),arm64) | |
ifeq ($(shell go env GOOS),darwin) |
I didn't want to test GOOS, because intel-based darwin doesn't have this requirement. I couldn't figure out how to do a double conditional well to select only the darwin+arm64 set of targets.
Due to Apple's requirement that all Apple silicon apps must be signed, the app make targets here will not be able to be executed unless they are signed in macOS Sequoia and later.
For example, if this generates the `opm` binary at $HOME/devel/operator-registry/bin/opm and we invoke it, without being signed the result will be `Killed: 9` messages for each attempted invocation of the compiled unsigned app, for e.g.:
This is a completely naive approach to rectifying this, and we probably need some more thought on the subject, but this approach at least lets me execute locally-built binaries to examine catalog content.
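A check for the condition this PR works around, as an added example (not code from this PR or from operator-registry): it reads a thin Mach-O header and reports whether an arm64 image lacks an `LC_CODE_SIGNATURE` load command. The names `NeedsSigning` and `sample` are hypothetical, universal (fat) binaries are out of scope, and only the presence of the command is checked, not the signature's validity.

```go
package main

import (
	"encoding/binary"
	"fmt"
)

const (
	magic64         = 0xfeedfacf // MH_MAGIC_64: thin little-endian 64-bit image
	cpuArm64        = 0x0100000c // CPU_TYPE_ARM | CPU_ARCH_ABI64
	lcCodeSignature = 0x1d       // LC_CODE_SIGNATURE load command
)
var le = binary.LittleEndian

// NeedsSigning: true for a thin arm64 Mach-O with no LC_CODE_SIGNATURE command.
func NeedsSigning(data []byte) (bool, error) {
	if len(data) < 32 || le.Uint32(data) != magic64 {
		return false, fmt.Errorf("not a thin 64-bit Mach-O image")
	}
	if le.Uint32(data[4:]) != cpuArm64 {
		return false, nil // other architectures, e.g. x86_64
	}
	// Load commands follow the 32-byte mach_header_64; ncmds is at offset 16.
	for off, n := uint64(32), le.Uint32(data[16:]); n > 0; n-- {
		if off+8 > uint64(len(data)) || le.Uint32(data[off+4:]) < 8 {
			return false, fmt.Errorf("truncated or malformed load command")
		}
		if le.Uint32(data[off:]) == lcCodeSignature {
			return false, nil
		}
		off += uint64(le.Uint32(data[off+4:]))
	}
	return true, nil
}

// sample builds a constructed header-only image (not a real binary) for testing.
func sample(cpu uint32, cmds ...uint32) []byte {
	b := make([]byte, 32+8*len(cmds))
	le.PutUint32(b[0:], magic64)
	le.PutUint32(b[4:], cpu)
	le.PutUint32(b[16:], uint32(len(cmds)))
	for i, c := range cmds {
		le.PutUint64(b[32+8*i:], uint64(c)|8<<32) // cmd, then cmdsize = 8
	}
	return b
}

func main() {
	fmt.Println(NeedsSigning(sample(cpuArm64, 0x19)))       // LC_SEGMENT_64 only
	fmt.Println(NeedsSigning(sample(cpuArm64, 0x19, 0x1d))) // plus LC_CODE_SIGNATURE
}
```

On a macOS host, `codesign --verify` on the built binary remains the authoritative check; this parser is useful in CI on other platforms where that tool is absent.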