Conversation


@per1234 per1234 commented Nov 3, 2025

The release workflows use the Gon tool to sign and notarize the macOS builds.

The signing identity of the code signing certificate must be provided to the tool. Previously, this was hardcoded into the workflows. That was not ideal because the workflows are intended to be generally applicable to any project, including 3rd party projects which will have a different signing identity from that of Arduino's certificates.

In addition to posing an inconvenience to hard forks, the previous hardcoding also made it more difficult for community contributors to validate changes to the release system in their fork in preparation for submitting a pull request to Arduino's repository.

In addition to the configuration file that was previously used to configure the identity, Gon supports configuration via environment variables. Environment variables are already used for the other certificate-specific configuration. The reason an environment variable was not done for the identity is simply that Gon did not have support for doing so at the time the notarization system was developed. However, it is supported from version 0.0.28 (Bearer/gon@c3c48ad).

Since this is public information, a repository variable (as opposed to the GitHub Actions secrets mechanism used by the workflow for the non-public data) is used to configure the identity via the repository settings. This will make it possible to run the workflow with any suitable certificate and credentials, without any changes to the workflow code.

Even though it no longer contains any data, it was necessary to leave the empty `sign` block in the Gon configuration file, as the presence of this block is required by the tool:

```
❗️ `sign` configuration required with `source` set
When you set the `source` configuration, you must also specify the
`sign` configuration to sign the input files.
```
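An added illustration of the configuration split the PR describes (not the project's own workflow): the public signing identity comes from a repository variable, the non-public Apple ID credentials stay in Actions secrets, and a preflight step fails early if the variable is missing. The variable name `AC_APPLICATION_IDENTITY` is assumed from the PR branch name, `AC_USERNAME`/`AC_PASSWORD` are assumed to be the credential variables Gon reads, and `gon.config.hcl` is a hypothetical path.

```yaml
# Added example, not the project's workflow. Assumed names:
# AC_APPLICATION_IDENTITY (from the PR branch name), AC_USERNAME/AC_PASSWORD
# (credential variables assumed to be read by Gon), gon.config.hcl (hypothetical).
name: release

on:
  push:
    tags:
      - "*"

jobs:
  sign-and-notarize-macos:
    runs-on: macos-latest
    env:
      # Public information (the certificate's identity), so it is a repository
      # variable that any fork can set in its own repository settings.
      AC_APPLICATION_IDENTITY: ${{ vars.AC_APPLICATION_IDENTITY }}
      # Non-public credentials stay in the Actions secrets store.
      AC_USERNAME: ${{ secrets.AC_USERNAME }}
      AC_PASSWORD: ${{ secrets.AC_PASSWORD }}
    steps:
      - uses: actions/checkout@v4

      - name: Check that the signing identity variable is configured
        # Fail with a clear message instead of letting Gon fail mid-run with
        # an empty identity; the value itself is not printed.
        run: |
          if [ -z "$AC_APPLICATION_IDENTITY" ]; then
            echo "::error::Repository variable AC_APPLICATION_IDENTITY is not set"
            exit 1
          fi

      - name: Check that the Gon config still has the required sign block
        # The identity now comes from the environment, but Gon rejects a
        # config that sets `source` without a `sign` block, even an empty one.
        run: grep -Eq '^\s*sign\s*\{' gon.config.hcl

      - name: Sign and notarize
        run: gon gon.config.hcl
```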

@per1234 per1234 self-assigned this Nov 3, 2025
@per1234 per1234 added type: enhancement Proposed improvement topic: infrastructure Related to project infrastructure os: macos Specific to macOS operating system labels Nov 3, 2025
@per1234 per1234 merged commit 01eb9ad into arduino:main Nov 3, 2025
8 checks passed
@per1234 per1234 deleted the AC_APPLICATION_IDENTITY branch November 3, 2025 16:22