mirror of
https://github.com/nomic-ai/gpt4all.git
synced 2024-10-05 17:28:12 +03:00
Add basic Macos signing + notarizing workflow (#2319)
Adds a basic CircleCI workflow to sign, notarize, and staple the macOS app bundle and associated DMG, then publishes the signed binary in CircleCI artifacts.

Signed-off-by: Adam Treat <treat.adam@gmail.com>
parent
88d85be0f9
commit
30febbe3d2
@ -77,8 +77,90 @@ jobs:
|
|||||||
~/Qt/Tools/CMake/CMake.app/Contents/bin/cmake --build . --target package
|
~/Qt/Tools/CMake/CMake.app/Contents/bin/cmake --build . --target package
|
||||||
mkdir upload
|
mkdir upload
|
||||||
cp gpt4all-installer-* upload
|
cp gpt4all-installer-* upload
|
||||||
|
# persist the unsigned installer
|
||||||
- store_artifacts:
|
- store_artifacts:
|
||||||
path: build/upload
|
path: build/upload
|
||||||
|
# add workspace so signing jobs can connect & obtain dmg
|
||||||
|
- persist_to_workspace:
|
||||||
|
root: build
|
||||||
|
# specify path to only include components we want to persist
|
||||||
|
# accross builds
|
||||||
|
paths:
|
||||||
|
- upload
|
||||||
|
|
||||||
|
sign-offline-chat-installer-macos:
|
||||||
|
macos:
|
||||||
|
xcode: 14.0.0
|
||||||
|
steps:
|
||||||
|
- checkout
|
||||||
|
# attach to a workspace containing unsigned dmg
|
||||||
|
- attach_workspace:
|
||||||
|
at: build
|
||||||
|
- run:
|
||||||
|
name: "Setup Keychain"
|
||||||
|
command: |
|
||||||
|
echo $MAC_SIGNING_CERT | base64 --decode > cert.p12
|
||||||
|
# cat \<<< "$MAC_SIGNING_CERT" > certs1.pem
|
||||||
|
# file certs1.pem
|
||||||
|
# iconv -c -f UTF8 -t ASCII certs1.pem > certs.pem
|
||||||
|
# openssl pkcs12 -legacy -export -out cert.p12 -in certs.pem -inkey certs.pem -passin pass:"$MAC_SIGNING_CERT_PWD" -passout pass:"$MAC_SIGNING_CERT_PWD"
|
||||||
|
security create-keychain -p "$MAC_KEYCHAIN_KEY" sign.keychain
|
||||||
|
security default-keychain -s sign.keychain
|
||||||
|
security unlock-keychain -p "$MAC_KEYCHAIN_KEY" sign.keychain
|
||||||
|
security import cert.p12 -k sign.keychain -P "$MAC_SIGNING_CERT_PWD" -T /usr/bin/codesign
|
||||||
|
security set-key-partition-list -S apple-tool:,apple:,codesign: -s -k "$MAC_KEYCHAIN_KEY" sign.keychain
|
||||||
|
rm cert.p12
|
||||||
|
- run:
|
||||||
|
name: "Sign App Bundle"
|
||||||
|
command: |
|
||||||
|
python3 -m pip install click
|
||||||
|
python3 gpt4all-chat/cmake/sign_dmg.py --input-dmg build/upload/gpt4all-installer-darwin.dmg --output-dmg build/upload/gpt4all-installer-darwin-signed.dmg --signing-identity "$MAC_SIGNING_CERT_NAME"
|
||||||
|
- run:
|
||||||
|
name: "Sign DMG"
|
||||||
|
command: |
|
||||||
|
codesign --options runtime --timestamp -s "$MAC_SIGNING_CERT_NAME" build/upload/gpt4all-installer-darwin-signed.dmg
|
||||||
|
# add workspace so signing jobs can connect & obtain dmg
|
||||||
|
- persist_to_workspace:
|
||||||
|
root: build
|
||||||
|
# specify path to only include components we want to persist
|
||||||
|
# accross builds
|
||||||
|
paths:
|
||||||
|
- upload
|
||||||
|
|
||||||
|
notarize-offline-chat-installer-macos:
|
||||||
|
macos:
|
||||||
|
xcode: 14.0.0
|
||||||
|
steps:
|
||||||
|
- checkout
|
||||||
|
- attach_workspace:
|
||||||
|
at: build
|
||||||
|
# - run:
|
||||||
|
# name: "Setup Notarize Keychain"
|
||||||
|
# command: |
|
||||||
|
# security create-keychain
|
||||||
|
# sudo xcrun notarytool store-credentials "notarytool-profile" --apple-id "$MAC_NOTARIZATION_ID" --team-id "$MAC_NOTARIZATION_TID" --password "$MAC_NOTARIZATION_KEY" --keychain /Library/Keychains/System.keychain
|
||||||
|
- run:
|
||||||
|
name: "Notarize"
|
||||||
|
command: |
|
||||||
|
xcrun notarytool submit build/upload/gpt4all-installer-darwin-signed.dmg --apple-id "$MAC_NOTARIZATION_ID" --team-id "$MAC_NOTARIZATION_TID" --password "$MAC_NOTARIZATION_KEY" --wait | tee notarize_log.txt
|
||||||
|
- run:
|
||||||
|
name: "Report Notarization Failure"
|
||||||
|
command: |
|
||||||
|
NID=`python3 .circleci/grab_notary_id.py notarize_log.txt` && export NID
|
||||||
|
xcrun notarytool log $NID --keychain-profile "notary-profile"
|
||||||
|
exit 1
|
||||||
|
when: on_fail
|
||||||
|
# - run:
|
||||||
|
# name: "Rename and move"
|
||||||
|
# command: |
|
||||||
|
# mv build/upload/gpt4all-installer-darwin-signed.dmg build/upload-signed/gpt4all-installer-darwin-signed.dmg
|
||||||
|
- run:
|
||||||
|
name: "Staple"
|
||||||
|
command: |
|
||||||
|
xcrun stapler staple build/upload/gpt4all-installer-darwin-signed.dmg
|
||||||
|
- store_artifacts:
|
||||||
|
path: build/upload
|
||||||
|
|
||||||
build-offline-chat-installer-linux:
|
build-offline-chat-installer-linux:
|
||||||
machine:
|
machine:
|
||||||
image: ubuntu-2204:2023.04.2
|
image: ubuntu-2204:2023.04.2
|
||||||
@ -848,6 +930,12 @@ workflows:
|
|||||||
- build-offline-chat-installer-macos:
|
- build-offline-chat-installer-macos:
|
||||||
requires:
|
requires:
|
||||||
- hold
|
- hold
|
||||||
|
- sign-offline-chat-installer-macos:
|
||||||
|
requires:
|
||||||
|
- build-offline-chat-installer-macos
|
||||||
|
- notarize-offline-chat-installer-macos:
|
||||||
|
requires:
|
||||||
|
- sign-offline-chat-installer-macos
|
||||||
- build-offline-chat-installer-windows:
|
- build-offline-chat-installer-windows:
|
||||||
requires:
|
requires:
|
||||||
- hold
|
- hold
|
||||||
|
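Review bot: In the "Setup Keychain" step the decoded signing certificate is removed only by the final `rm cert.p12`, so if `security import` or an earlier command fails under CircleCI's default fail-fast shell, the PKCS#12 file stays in the checkout directory; put `trap 'rm -f cert.p12' EXIT` first in the command and quote the variable, `echo "$MAC_SIGNING_CERT" | base64 --decode > cert.p12`. The "Sign App Bundle" step then runs `python3 -m pip install click` unpinned in the same job that holds the unlocked signing identity, so whatever PyPI serves at build time executes next to the key; pin it to an exact version (ideally with `--require-hashes`) or install it before the keychain is created. Separately, "Report Notarization Failure" calls `xcrun notarytool log $NID --keychain-profile "notary-profile"`, but the only step that would store a profile is commented out and names it `notarytool-profile`, so the log fetch presumably cannot authenticate; pass the same `--apple-id`/`--team-id`/`--password` arguments the submit step uses, with `"$NID"` quoted.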
17
.circleci/grab_notary_id.py
Normal file
17
.circleci/grab_notary_id.py
Normal file
@ -0,0 +1,17 @@
|
|||||||
|
import re
|
||||||
|
import sys
|
||||||
|
|
||||||
|
ID_REG = r"id: (.*)"
|
||||||
|
|
||||||
|
def main() -> None:
|
||||||
|
notary_log = sys.argv[1]
|
||||||
|
with open(notary_log, "r") as f:
|
||||||
|
notary_output = f.read()
|
||||||
|
id_m = re.search(ID_REG, notary_output)
|
||||||
|
if id_m:
|
||||||
|
print(id_m.group(1))
|
||||||
|
else:
|
||||||
|
raise RuntimeError("Unable to parse ID from notarization logs")
|
||||||
|
|
||||||
|
if __name__ == "__main__":
|
||||||
|
main()
|
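Review bot: `ID_REG = r"id: (.*)"` captures whatever follows the first `id: ` on a line, and the workflow passes the printed value to `xcrun notarytool log $NID` unquoted, so any unexpected text in the log (trailing characters, a different `id:` field) ends up as separate shell words. Since notarytool submission IDs are UUIDs, a stricter pattern such as `ID_REG = r"id: ([0-9a-fA-F-]{36})"` makes the script fail loudly instead of forwarding an arbitrary string. `main()` would also benefit from a short docstring saying that it prints the first submission ID found in the log file named by `sys.argv[1]` and raises `RuntimeError` when none is present.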