-
Notifications
You must be signed in to change notification settings - Fork 13
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Implement macOS code signing and notarization #34
Comments
@pietroalbini Wouldn't be easier for the mac to just pick up from a defined location (i.e : s3) sign it and notify the release process that signing is completed, instead of moving binaries between components? |
Yes, that would also work! I'm thinking something like this:
I'm not sure it's worth changing the third step to have the mac mini upload the signed binares directly to S3, as the release process would then need to download them back to do the following processing steps (recompressing tarballs in different formats, gpg-signing them, generating the manifests...). |
Changing step 3 might be an extra effort in complexity but as a tradeoff, I think in that way we can avoid dealing with authentication/security on the mac (ensure the binary is pulled by the right release process, etc) Thoughts about that? |
Hmm, to ensure we're on the same page, what would be the interactions between the release process and the signing server you envision? |
It’d be something along the lines of:
|
Code signing and notarization are becoming crucial to ship software to macOS, but we currently neither codesign nor notarize Rust releases. We should ensure that all binaries we ship do both, to avoid our users getting warnings or being unable to run the compiler.
This is trickier than just calling the Xcode CLI though. Our release process roughly works this way:
promote-release
fetches the artifacts for the latest commit on the master, beta or stable branch (depending on which channel we're releasing), signs everything with GPG, generates the manifests and uploads everything tostatic.rust-lang.org
.The main problem is where we should run codesigning and notarization: CI is not trusted enough to have the developer certificates and credentials in it, and the release process runs on Linux. Apple's tools to codesign and notarize instead only work on macOS, preventing us from just running them during
promote-release
.The idea me, @Mark-Simulacrum and @kinnison had a bit ago is to develop a separate HTTP service that runs on a persistent Mac Mini somewhere. The release process would upload the binaries to the Mac Mini, which would sign them and send them back to the release process. The HTTP service would also need to ensure the binaries come from a trusted source.
The text was updated successfully, but these errors were encountered: