Skip to content

Sign macOS build #323

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Merged
merged 16 commits into from
Feb 18, 2025
Merged

Sign macOS build #323

merged 16 commits into from
Feb 18, 2025

Conversation

edvilme
Copy link
Contributor

@edvilme edvilme commented Jan 28, 2025
edited
Loading

Fixes #300

Uses 1ESPipelineTemplates EsrpCodesigning task to sign macOS builds.
Successfully generates signed binary artifacts for both x64 and arm64 on Mac.
See below output of codesign -dv on a M1 Mac.

image

image

@edvilme edvilme force-pushed the edvilme-macos-signing branch 6 times, most recently from 14b77dc to 8cec3f7 Compare February 4, 2025 17:35
@edvilme edvilme changed the title (Draft) Sign macOS build Sign macOS build Feb 4, 2025
@edvilme edvilme marked this pull request as ready for review February 4, 2025 23:49
@edvilme edvilme requested a review from Copilot February 5, 2025 17:16
Copilot
Copilot AI reviewed Feb 5, 2025
View reviewed changes
Copy link

@Copilot Copilot AI left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Copilot reviewed 1 out of 1 changed files in this pull request and generated no comments.

edvilme
edvilme commented Feb 5, 2025
View reviewed changes
edvilme
edvilme commented Feb 5, 2025
View reviewed changes
edvilme
edvilme commented Feb 5, 2025
View reviewed changes
@edvilme edvilme requested a review from a team February 5, 2025 19:11
edvilme
edvilme commented Feb 5, 2025
View reviewed changes
@edvilme edvilme requested a review from a team February 5, 2025 19:48
@edvilme edvilme force-pushed the edvilme-macos-signing branch 2 times, most recently from 8a3c16d to cd0cf3d Compare February 5, 2025 22:51
@mmitche
Copy link
Member

mmitche commented Feb 6, 2025

@edvilme FYI, newer versions of arcade do support mac signing and notarization via microbuild. No need need to use AzDO tasks. That said, performance is somewhat dependent on the number of files signed, at least for the next month or so. A low number (< 10) will be fine. Beyond that, the scaling of Microbuild is poor on Mac/Linux right now.

@Forgind
Copy link
Contributor

Forgind commented Feb 6, 2025

@edvilme FYI, newer versions of arcade do support mac signing and notarization via microbuild. No need need to use AzDO tasks. That said, performance is somewhat dependent on the number of files signed, at least for the next month or so. A low number (< 10) will be fine. Beyond that, the scaling of Microbuild is poor on Mac/Linux right now.

This repo is tiny, so number of files shouldn't be an issue. This might be a good direction if it isn't hard. (If this already works, I wouldn't put too much time into it, though.)

MiYanni
MiYanni approved these changes Feb 6, 2025
View reviewed changes
Copy link
Member

@MiYanni MiYanni left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Changes generally look good. Keep in mind, I don't know this repo or its CI. I'd just check with Chet about the zip vs tar.gz thing.

@edvilme
Copy link
Contributor Author

edvilme commented Feb 7, 2025
edited
Loading

@Forgind @MiYanni the first commit contains changes made to make signing under 1ES and confirmed it worked. However that is no longer the case after updating arcade. The second commit is work in progress to testing signing with arcade instead.

I would like to investigate the arcade issue on main first before continuing testing :)

See #328

@edvilme edvilme marked this pull request as draft February 11, 2025 17:29
@edvilme edvilme force-pushed the edvilme-macos-signing branch from 6a8eb0f to defa237 Compare February 11, 2025 18:04
@edvilme edvilme force-pushed the edvilme-macos-signing branch from 3045564 to 359b843 Compare February 11, 2025 18:39
@edvilme edvilme marked this pull request as ready for review February 18, 2025 17:55
@edvilme
Copy link
Contributor Author

edvilme commented Feb 18, 2025

This PR was rewritten but is now generating valid signed binaries for macOS using microbuild

@edvilme edvilme requested review from MiYanni and Copilot February 18, 2025 17:59
Copilot
Copilot AI reviewed Feb 18, 2025
View reviewed changes
Copy link

@Copilot Copilot AI left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Copilot reviewed 1 out of 2 changed files in this pull request and generated no comments.

Files not reviewed (1)
  • eng/Signing.props: Language not supported

@edvilme edvilme force-pushed the edvilme-macos-signing branch from 480f19f to 7206567 Compare February 18, 2025 18:21
@edvilme edvilme merged commit 06d1e0e into main Feb 18, 2025
8 checks passed
edvilme added a commit that referenced this pull request Apr 4, 2025
@edvilme
Squashed commit of the following:
9aa602d 
commit 2011e55
Author: Eduardo Villalpando Mello <eduardov@microsoft.com>
Date:   Thu Apr 3 10:02:00 2025 -0700

    Windows: Remove version from .msi (#384)

commit cfc4641
Author: Eduardo Villalpando Mello <eduardov@microsoft.com>
Date:   Thu Apr 3 10:01:48 2025 -0700

    Mac: Add rid to tar.gz artifacts (#383)

commit 6f834e0
Author: Eduardo Villalpando Mello <eduardov@microsoft.com>
Date:   Mon Mar 31 17:08:40 2025 -0700

    CI check signatures (#382)

    * Fix signing on Windows and macOS
    * Added signing verification steps to CI

commit 7ea9cf1
Author: dotnet-maestro[bot] <42748379+dotnet-maestro[bot]@users.noreply.github.com>
Date:   Sat Mar 29 10:55:39 2025 -0700

    [main] Update dependencies from dotnet/arcade (#375)

commit edff54c
Author: Eduardo Villalpando Mello <eduardov@microsoft.com>
Date:   Thu Mar 27 10:53:37 2025 -0700

    Update options (#380)

    * dry-run: Add option --preserve-vs-for-mac-sdks

    * Do not hide --version

    * Add version description string

commit b4be6e6
Author: Eduardo Villalpando Mello <eduardov@microsoft.com>
Date:   Mon Mar 24 15:37:22 2025 -0700

    Update help text (#376)

    Update help text

    ---------

    Co-authored-by: Noah Gilson <OTAKUPENGUINOP@GMAIL.COM>

commit 9fba2f3
Author: Eduardo Villalpando Mello <eduardov@microsoft.com>
Date:   Mon Mar 24 13:28:21 2025 -0700

    Windows: Detect arm64 correctly (#370)

commit 289b92f
Author: Eduardo Villalpando Mello <eduardov@microsoft.com>
Date:   Thu Mar 20 11:06:51 2025 -0700

    Update ci workflow (#372)

commit 13d1cf7
Author: Eduardo Villalpando Mello <eduardov@microsoft.com>
Date:   Wed Mar 19 14:35:24 2025 -0700

    macOS: Fix corrupted binary (#346)

    Add entitlements.plist

commit 4da3500
Author: dotnet-maestro[bot] <42748379+dotnet-maestro[bot]@users.noreply.github.com>
Date:   Wed Mar 19 13:50:00 2025 -0700

    Update dependencies from https://github.com/dotnet/arcade build 20250314.6 (#343)

    Microsoft.DotNet.Arcade.Sdk
     From Version 10.0.0-beta.25157.1 -> To Version 10.0.0-beta.25164.6

    Co-authored-by: dotnet-maestro[bot] <dotnet-maestro[bot]@users.noreply.github.com>

commit 882aff1
Author: Eduardo Villalpando Mello <eduardov@microsoft.com>
Date:   Fri Mar 14 13:42:02 2025 -0700

    Require enter on user input (#340)

commit 24bea7d
Author: dotnet-maestro[bot] <42748379+dotnet-maestro[bot]@users.noreply.github.com>
Date:   Thu Mar 13 08:51:54 2025 -0700

    Update dependencies from https://github.com/dotnet/arcade build 20250307.1 (#336)

    Microsoft.DotNet.Arcade.Sdk
     From Version 10.0.0-beta.25126.4 -> To Version 10.0.0-beta.25157.1

    Co-authored-by: dotnet-maestro[bot] <dotnet-maestro[bot]@users.noreply.github.com>

commit e72b91f
Author: Marc Paine <marcpop@microsoft.com>
Date:   Thu Mar 13 08:51:43 2025 -0700

    Update to AwesomeAssertions (#337)

    * Update to AwesomeAssertions
    Update the addreportable call

    * Remove unused using directive

commit 03c8952
Author: Eduardo Villalpando Mello <eduardov@microsoft.com>
Date:   Wed Mar 5 12:18:25 2025 -0600

    Remove Visual Studio macOS checks (#318)

    * Remove checks for VSfM

    * Add --preserve-mac-vs-sdks flag

    * Update tests

commit b648857
Author: Eduardo Villalpando Mello <eduardov@microsoft.com>
Date:   Tue Mar 4 16:55:10 2025 -0600

    Update CLI options and help text (#335)

    * Add target argument

    * Add TARGET argument

    * Add not for list by now

    * Update LocalizableStrings

    * Update --all description

    * Remove target from options (?)

    * Restore xlf translation

    * Show bundle types in <TARGET> argument

    * Update help link format

    * Restore CommandLine Arguments

    * Add --arm64 option

    * Fix archSelection.HasFlag

commit 9823503
Author: dotnet-maestro[bot] <42748379+dotnet-maestro[bot]@users.noreply.github.com>
Date:   Mon Mar 3 11:36:05 2025 -0800

    [main] Update dependencies from dotnet/arcade (#327)

    * Update dependencies from https://github.com/dotnet/arcade build 20250206.4

    Microsoft.DotNet.Arcade.Sdk
     From Version 10.0.0-beta.25080.7 -> To Version 10.0.0-beta.25106.4

    * Update dependencies from https://github.com/dotnet/arcade build 20250213.2

    Microsoft.DotNet.Arcade.Sdk
     From Version 10.0.0-beta.25080.7 -> To Version 10.0.0-beta.25113.2

    * Update dependencies from https://github.com/dotnet/arcade build 20250220.6

    Microsoft.DotNet.Arcade.Sdk
     From Version 10.0.0-beta.25080.7 -> To Version 10.0.0-beta.25120.6

    * Update dependencies from https://github.com/dotnet/arcade build 20250225.2

    Microsoft.DotNet.Arcade.Sdk
     From Version 10.0.0-beta.25080.7 -> To Version 10.0.0-beta.25125.2

    * Update dependencies from https://github.com/dotnet/arcade build 20250226.4

    Microsoft.DotNet.Arcade.Sdk
     From Version 10.0.0-beta.25080.7 -> To Version 10.0.0-beta.25126.4

    ---------

    Co-authored-by: dotnet-maestro[bot] <dotnet-maestro[bot]@users.noreply.github.com>

commit ea26b97
Author: Eduardo Villalpando Mello <eduardov@microsoft.com>
Date:   Mon Mar 3 12:31:19 2025 -0600

    Remove System.Reflection.Metadata (#334)

commit 275578e
Author: Eduardo Villalpando Mello <eduardov@microsoft.com>
Date:   Mon Mar 3 11:41:07 2025 -0600

    Remove Microsoft.Win32.Registry package (#333)

commit 2ac5028
Author: Eduardo Villalpando Mello <eduardov@microsoft.com>
Date:   Fri Feb 28 13:14:49 2025 -0600

    Small refactorings (#331)

commit 2393ca9
Author: Eduardo Villalpando Mello <eduardov@microsoft.com>
Date:   Tue Feb 25 16:51:31 2025 -0600

    Hide .xlf files in PRs (#330)

commit 62b46a0
Author: Eduardo Villalpando Mello <eduardov@microsoft.com>
Date:   Tue Feb 25 13:58:14 2025 -0600

    Fix Windows Signing (#329)

    Add CreateLightCommandPackageDrop to generate wixpack.zip and sign

commit 06d1e0e
Author: Eduardo Villalpando Mello <eduardov@microsoft.com>
Date:   Tue Feb 18 12:33:11 2025 -0600

    Sign macOS build (#323)

    * Sign on Mac

    * Fix typo on ArtifactName

    * Add TeamName variable

    * Add certificatename to binary

    * Update binary path

    * Update build command to include signing

    * Typos

    * Globb files to sign

    * Add proper certificate

    * Add proper certificate

    * MacDeveloperHarden

    * Add files separately

    * Change flags

    * Update certificate name

    * Update build parameters

    * Update cert name

commit 85f5414
Author: Eduardo Villalpando Mello <eduardov@microsoft.com>
Date:   Mon Feb 10 09:01:45 2025 -0800

    Remove unused signing target

    Add files to ItemsToSign

    Sign .msi file too

    Update `ItemsToSign`

    Update certificate name

    UseDotNetCertificate

    Add .msi certificatename

commit 8c89301
Author: MerlinBot <MerlinBot>
Date:   Fri Feb 7 21:44:29 2025 +0000

    This pull request includes baselines **with an expiration date of 180 days from now** automatically generated for your 1ES PT-based pipelines. Complete this pull request as soon as possible to make sure that your pipeline becomes compliant. Longer delays in completing this PR can trigger additional emails or S360 alerts in the future.

    1ES PT Auto-baselining feature helps capture existing violations in your repo and ensures to break your pipeline only for newly introduced SDL violations after baselining. Running SDL tools in break mode is required for your pipeline to be compliant. Go to https://aka.ms/1espt-autobaselining for more details.
    **Please do not Abandon this PR.** Please reach out to 1ES PT for support. More details: https://eng.ms/docs/cloud-ai-platform/devdiv/one-engineering-system-1es/1es-docs/1es-pipeline-templates/support

commit 6a94223
Author: dotnet-maestro[bot] <42748379+dotnet-maestro[bot]@users.noreply.github.com>
Date:   Wed Feb 5 14:33:46 2025 -0800

    [main] Update dependencies from dotnet/arcade (#316)

    * Update dependencies from https://github.com/dotnet/arcade build 20241222.1

    Microsoft.DotNet.Arcade.Sdk
     From Version 10.0.0-beta.24504.4 -> To Version 10.0.0-beta.24622.1

    * Update dependencies from https://github.com/dotnet/arcade build 20241226.1

    Microsoft.DotNet.Arcade.Sdk
     From Version 10.0.0-beta.24504.4 -> To Version 10.0.0-beta.24626.1

    * Update dependencies from https://github.com/dotnet/arcade build 20250103.3

    Microsoft.DotNet.Arcade.Sdk
     From Version 10.0.0-beta.24504.4 -> To Version 10.0.0-beta.25053.3

    * Update dependencies from https://github.com/dotnet/arcade build 20250106.1

    Microsoft.DotNet.Arcade.Sdk
     From Version 10.0.0-beta.24504.4 -> To Version 10.0.0-beta.25056.1

    * Update dependencies from https://github.com/dotnet/arcade build 20250111.1

    Microsoft.DotNet.Arcade.Sdk
     From Version 10.0.0-beta.24504.4 -> To Version 10.0.0-beta.25061.1

    * Update dependencies from https://github.com/dotnet/arcade build 20250117.3

    Microsoft.DotNet.Arcade.Sdk
     From Version 10.0.0-beta.24504.4 -> To Version 10.0.0-beta.25067.3

    * Update dependencies from https://github.com/dotnet/arcade build 20250126.1

    Microsoft.DotNet.Arcade.Sdk
     From Version 10.0.0-beta.24504.4 -> To Version 10.0.0-beta.25076.1

    * Update dependencies from https://github.com/dotnet/arcade build 20250130.7

    Microsoft.DotNet.Arcade.Sdk
     From Version 10.0.0-beta.24504.4 -> To Version 10.0.0-beta.25080.7

    ---------

    Co-authored-by: dotnet-maestro[bot] <dotnet-maestro[bot]@users.noreply.github.com>

commit 0cc67a3
Author: Eduardo Villalpando Mello <eduardov@microsoft.com>
Date:   Mon Feb 3 17:51:20 2025 -0600

    Refactor macOS build pipeline (#325)

    Use matrix strategy to avoid repeating code

commit 11995ad
Author: Eduardo Villalpando Mello <eduardov@microsoft.com>
Date:   Fri Jan 31 11:43:31 2025 -0600

    macOS: Support building on Apple Silicon (#322)

    Update solution file, project file and ci/cd to support building for osx-arm64

commit aa40644
Author: Eduardo Villalpando Mello <eduardov@microsoft.com>
Date:   Wed Jan 29 17:54:52 2025 -0600

    GetBundleVersion: Parse versions correctly to avoid duplicates or incomplete versions (#324)

commit 288db58
Author: Eduardo Villalpando Mello <eduardov@microsoft.com>
Date:   Mon Jan 27 15:08:07 2025 -0600

    Identify macOS runtimes correctly (#321)

commit 802fef7
Author: Eduardo Villalpando Mello <eduardov@microsoft.com>
Date:   Fri Jan 24 18:40:01 2025 -0600

    macOS: Show correct arm64 architecture (#320)
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

Copilot code review Copilot Copilot left review comments

@joeloff joeloff joeloff approved these changes

@MiYanni MiYanni Awaiting requested review from MiYanni

Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.

Malicious software warning on MacOS when using the latest version
5 participants
@edvilme @mmitche @Forgind @joeloff @MiYanni