Skip to content
This repository was archived by the owner on Sep 5, 2025. It is now read-only.

Add MacOS signing#33

Merged
nmburgan merged 1 commit into
mainfrom
macos_signing
May 9, 2025
Merged

Add MacOS signing#33
nmburgan merged 1 commit into
mainfrom
macos_signing

Conversation

@nmburgan
Copy link
Copy Markdown
Member

@nmburgan nmburgan commented May 1, 2025
edited
Loading

This utilizes changes in Vanagon to enable signing locally, instead of shipping files to a signing server. Details for how to set this up given the appropriate certs/keys can be found on the wiki.

With the changes from OpenVoxProject/vanagon#13, when the VANAGON_FORCE_SIGNING env var is set, vanagon will attempt the signing flow as noted in that PR. Otherwise, it will skip signing entirely. In order for signing to succeed, you must run the build on a VM that contains:

  • A keychain created by root that contains the Developer Application and Installer identities (cert + key), and a Notarization profile.
  • SIGNING_KEYCHAIN set to the name/location of the keychain
  • SIGNING_KEYCHAIN_PW set to the password to unlock the keychain
  • APPLICATION_SIGNING_CERT set to the description of the application signing identity
  • INSTALLER_SIGNING_CERT set to the description of the installer signing identity
  • NOTARY_PROFILE set to the name of the profile set up with a user account tied to the above signing identities

At some point, we may move all this out of vanagon and put it back in here, but since this should never really change and the only thing we're signing right now is the agent for MacOS, this works well enough.

This also removes the "commit" PR check, since we don't require adding ticket numbers or (maint) to each commit message like Perforce does.

nmburgan
nmburgan commented May 1, 2025
View reviewed changes
Comment thread configs/projects/openvox-agent.rb Outdated
@nmburgan nmburgan force-pushed the macos_signing branch 11 times, most recently from e188eb1 to 31ff062 Compare May 9, 2025 00:03
@nmburgan
Add MacOS signing
68f27fd 
This utilizes changes in Vanagon to enable signing locally, instead of shipping files to a signing server. Details for how to set this up given the appropriate certs/keys can be found on the wiki.

With the changes from OpenVoxProject/vanagon#13, when the VANAGON_FORCE_SIGNING env var is set, vanagon will attempt the signing flow as noted in that PR. Otherwise, it will skip signing entirely. In order for signing to succeed, you must run the build on a VM that contains:
- A keychain created by root that contains the Developer Application and Installer identities (cert + key), and a Notarization profile.
- SIGNING_KEYCHAIN set to the name/location of the keychain
- SIGNING_KEYCHAIN_PW set to the password to unlock the keychain
- APPLICATION_SIGNING_CERT set to the description of the application signing identity
- INSTALLER_SIGNING_CERT set to the description of the installer signing identity
- NOTARY_PROFILE set to the name of the profile set up with a user account tied to the above signing identities

At some point, we may move all this out of vanagon and put it back in here, but since this should never really change and the only thing we're signing right now is the agent for MacOS, this works well enough.
@nmburgan nmburgan merged commit e149607 into main May 9, 2025
1 check passed
@nmburgan nmburgan deleted the macos_signing branch May 9, 2025 17:51
Sign up for free to subscribe to this conversation on GitHub. Already have an account? Sign in.

Reviewers

No reviews

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

1 participant

@nmburgan