diff --git a/.cirrus.yml b/.cirrus.yml
index 31f6533..2cb9ada 100644
--- a/.cirrus.yml
+++ b/.cirrus.yml
@@ -6,19 +6,44 @@ task:
 macos_instance:
 image: ghcr.io/cirruslabs/macos-runner:tahoe
 env:
- MACOS_CERTIFICATE: ENCRYPTED[552b9d275d1c2bdbc1bff778b104a8f9a53cbd0d59344d4b7f6d0ca3c811a5cefb97bef9ba0ef31c219cb07bdacdd2c2]
- AC_PASSWORD: ENCRYPTED[4a761023e7e06fe2eb350c8b6e8e7ca961af193cb9ba47605f25f1d353abc3142606f412e405be48fd897a78787ea8c2]
+ MACOS_SIGN_P12: ENCRYPTED[!183482723ca1a95f9c4439f7a79c9d3b115472bb18c739ed1586e12d3914ccf94ade8169eeda7332fc204f8be9c27d9f!]
+ MACOS_SIGN_PASSWORD: ENCRYPTED[!417423346c567f12007f42d084bff1cfee30ee14f7e8258550157679a269c70d541c9f19224224ab0293b10f2c6d4c5e!]
+ MACOS_NOTARY_ISSUER_ID: ENCRYPTED[!74076906e9fa36bca3c1da1637b0759b58bb009eb1a707446896eefad3767e8dba1d0f87e71106b98cde98ac4b037a2a!]
+ MACOS_NOTARY_KEY_ID: ENCRYPTED[!af9e5da1010a6b04e548ef494acc77a6e0ce176549de98f81c5b5cdd72856de09f77e51cf0849e3c4b7a2d2c22f25ca8!]
+ MACOS_NOTARY_KEY: ENCRYPTED[!c70c53f3e6c163931c7cdf9d90aff8934ef21d5dd1090158688e00b94e97c68257d9cf4ae1df873e6ae0d949866aee72!]
+ CERTIFICATE_PATH: $CIRRUS_WORKING_DIR/goreleaser.p12
+ KEY_PATH: $CIRRUS_WORKING_DIR/goreleaser.p8
+ KEYCHAIN_PATH: $CIRRUS_WORKING_DIR/goreleaser.keychain-db
 GITHUB_TOKEN: ENCRYPTED[!98ace8259c6024da912c14d5a3c5c6aac186890a8d4819fad78f3e0c41a4e0cd3a2537dd6e91493952fb056fa434be7c!]
 GORELEASER_KEY: ENCRYPTED[!9b80b6ef684ceaf40edd4c7af93014ee156c8aba7e6e5795f41c482729887b5c31f36b651491d790f1f668670888d9fd!]
- setup_script:
- - cd $HOME
- - echo $MACOS_CERTIFICATE | base64 --decode > certificate.p12
- - security create-keychain -p password101 build.keychain
- - security default-keychain -s build.keychain
- - security unlock-keychain -p password101 build.keychain
- - security import certificate.p12 -k build.keychain -P password101 -T /usr/bin/codesign -T /usr/bin/pkgbuild
- - security set-key-partition-list -S apple-tool:,apple:,codesign: -s -k password101 build.keychain
- - xcrun notarytool store-credentials "notarytool" --apple-id "hello@cirruslabs.org" --team-id "9M2P8L4D89" --password $AC_PASSWORD
+ kek_script: |
+ # import certificate and key from secrets
+ echo -n "$MACOS_SIGN_P12" | base64 --decode -o $CERTIFICATE_PATH
+ echo -n "$MACOS_NOTARY_KEY" | base64 --decode -o $KEY_PATH
+
+ # create temporary keychain
+ security create-keychain -p "$KEYCHAIN_PASSWORD" $KEYCHAIN_PATH
+ security set-keychain-settings -lut 21600 $KEYCHAIN_PATH
+ security unlock-keychain -p "$KEYCHAIN_PASSWORD" $KEYCHAIN_PATH
+
+ # import certificate to keychain
+ security import $CERTIFICATE_PATH -P "$MACOS_SIGN_PASSWORD" -A -t cert -f pkcs12 -k $KEYCHAIN_PATH
+ security set-key-partition-list -S apple-tool:,apple: -k "$KEYCHAIN_PASSWORD" $KEYCHAIN_PATH
+ security list-keychain -d user -s $KEYCHAIN_PATH
+
+ # create notary profile
+ echo xcrun notarytool store-credentials "$MACOS_NOTARY_PROFILE_NAME" \
+ --key "$KEY_PATH" \
+ --key-id "$MACOS_NOTARY_KEY_ID" \
+ --issuer "$MACOS_NOTARY_ISSUER_ID" \
+ --keychain $KEYCHAIN_PATH
+
+ # create notary profile
+ echo xcrun notarytool store-credentials "$MACOS_NOTARY_PROFILE_NAME" \
+ --key "$KEY_PATH" \
+ --key-id "$MACOS_NOTARY_KEY_ID" \
+ --issuer "$MACOS_NOTARY_ISSUER_ID" \
+ --keychain $KEYCHAIN_PATH
 install_script:
 - brew install go
 - brew install --cask goreleaser/tap/goreleaser-pro
diff --git a/.goreleaser.yml b/.goreleaser.yml
index bdbbd41..50044b6 100644
--- a/.goreleaser.yml
+++ b/.goreleaser.yml
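Review bot: The two `# create notary profile` blocks at the end of `kek_script` are duplicates and both are prefixed with `echo`, so `xcrun notarytool store-credentials` is only printed, never executed, and the `notarytool` profile that `.goreleaser.yml` expects is never stored; the `echo` also prints the `--key-id` and `--issuer` values into the build log, which only helps if the CI masks encrypted values there. `$KEYCHAIN_PASSWORD` and `$MACOS_NOTARY_PROFILE_NAME` are not defined in the `env:` block of this hunk, so unless they come from outside the diff the keychain is created with an empty password and the profile name expands to an empty string. The `security import ... -A` line additionally lets any application use the imported signing key, which is broader than the `-T /usr/bin/codesign -T /usr/bin/pkgbuild` allow-list the removed lines used. I would generate the keychain password per run inside the script (it is only needed there), keep the `-T` allow-list, run `store-credentials` once without `echo`, and set `MACOS_NOTARY_PROFILE_NAME: notarytool` in `env:` so it matches goreleaser's `profile_name`.

```yaml
  env:
    # … unchanged: encrypted secrets and *_PATH variables …
    MACOS_NOTARY_PROFILE_NAME: notarytool
  kek_script: |
    # per-run keychain password; nothing outside this script needs it
    KEYCHAIN_PASSWORD="$(openssl rand -hex 32)"
    # … unchanged: decode p12/p8, create, configure and unlock keychain …

    # import certificate to keychain, usable only by the signing tools
    security import "$CERTIFICATE_PATH" -P "$MACOS_SIGN_PASSWORD" -T /usr/bin/codesign -T /usr/bin/pkgbuild -t cert -f pkcs12 -k "$KEYCHAIN_PATH"
    # … unchanged: set-key-partition-list, list-keychain …

    # create notary profile (run once, not echoed)
    xcrun notarytool store-credentials "$MACOS_NOTARY_PROFILE_NAME" \
      --key "$KEY_PATH" \
      --key-id "$MACOS_NOTARY_KEY_ID" \
      --issuer "$MACOS_NOTARY_ISSUER_ID" \
      --keychain "$KEYCHAIN_PATH"
```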
@@ -40,13 +40,13 @@ notarize: macos_native: - enabled: "true" sign: - keychain: "build.keychain" + keychain: "{{ .Env.KEYCHAIN_PATH }}" identity: "Developer ID Application: Cirrus Labs, Inc." - #options: [runtime] + options: [runtime] entitlements: ./Resources/tart-prod.entitlements notarize: profile_name: "notarytool" - #wait: true + wait: true archives: - name_template: "{{ .ProjectName }}"
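Review bot: `profile_name: "notarytool"` stays a literal while the new `keychain:` line reads `{{ .Env.KEYCHAIN_PATH }}` and the profile is stored under `$MACOS_NOTARY_PROFILE_NAME` in `.cirrus.yml`, so the two names can drift silently and notarization then fails only at release time. I would template it the same way, `profile_name: "{{ .Env.MACOS_NOTARY_PROFILE_NAME }}"`, so the name has a single source. With `wait: true` the release now blocks on Apple's notary service; if the goreleaser version in use supports a `timeout` under this `notarize:` block, setting one lets a stalled submission fail instead of hanging the job.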