Skip to content
This repository was archived by the owner on Jun 24, 2025. It is now read-only.

Feature/arm signing v2 #1688

Closed
eliandoran wants to merge 4 commits into from
Closed

Feature/arm signing v2 #1688

Show file tree
Hide file tree
Changes from all commits
Commits
Show all changes
4 commits
Select commit Hold shift + click to select a range
4854e96
chore(release): build only windows arm64 for now
eliandoran Apr 12, 2025
7693a5c
chore(build): try setting npm_config_arch at install time
eliandoran Apr 12, 2025
c21742e
chore(release): make changes for nightly workflow instead
eliandoran Apr 12, 2025
ccc9229
chore(release): try no backslashes and with --
eliandoran Apr 12, 2025
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
283 changes: 141 additions & 142 deletions .github/actions/build-electron/action.yml
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -18,146 +18,145 @@ inputs:
runs:
using: composite
steps:
# Certificate setup
- name: Import Apple certificates
if: inputs.os == 'macos'
uses: apple-actions/import-codesign-certs@v3
with:
p12-file-base64: ${{ env.APPLE_APP_CERTIFICATE_BASE64 }}
p12-password: ${{ env.APPLE_APP_CERTIFICATE_PASSWORD }}
keychain: build
keychain-password: ${{ github.run_id }}

- name: Install Installer certificate
if: inputs.os == 'macos'
uses: apple-actions/import-codesign-certs@v3
with:
p12-file-base64: ${{ env.APPLE_INSTALLER_CERTIFICATE_BASE64 }}
p12-password: ${{ env.APPLE_INSTALLER_CERTIFICATE_PASSWORD }}
keychain: build
keychain-password: ${{ github.run_id }}
# We don't need to create a keychain here because we're using the build keychain that was created in the previous step
create-keychain: false

- name: Verify certificates
if: inputs.os == 'macos'
shell: ${{ inputs.shell }}
run: |
echo "Available signing identities:"
security find-identity -v -p codesigning build.keychain

- name: Set up Python and other macOS dependencies
if: ${{ inputs.os == 'macos' }}
shell: ${{ inputs.shell }}
run: |
brew install python-setuptools
brew install create-dmg

- name: Install dependencies for RPM and Flatpak package building
if: ${{ inputs.os == 'linux' }}
shell: ${{ inputs.shell }}
run: |
sudo apt-get update && sudo apt-get install rpm flatpak-builder elfutils
flatpak remote-add --user --if-not-exists flathub https://flathub.org/repo/flathub.flatpakrepo
FLATPAK_ARCH=$(if [[ ${{ inputs.arch }} = 'arm64' ]]; then echo 'aarch64'; else echo 'x86_64'; fi)
FLATPAK_VERSION='24.08'
flatpak install --user --no-deps --arch $FLATPAK_ARCH --assumeyes runtime/org.freedesktop.Platform/$FLATPAK_ARCH/$FLATPAK_VERSION runtime/org.freedesktop.Sdk/$FLATPAK_ARCH/$FLATPAK_VERSION org.electronjs.Electron2.BaseApp/$FLATPAK_ARCH/$FLATPAK_VERSION

# Build setup
- name: Install dependencies
shell: ${{ inputs.shell }}
run: npm ci

- name: Update build info
shell: ${{ inputs.shell }}
run: npm run chore:update-build-info

# Critical debugging configuration
- name: Run electron-forge build with enhanced logging
shell: ${{ inputs.shell }}
env:
# Pass through required environment variables for signing and notarization
APPLE_TEAM_ID: ${{ env.APPLE_TEAM_ID }}
APPLE_ID: ${{ env.APPLE_ID }}
APPLE_ID_PASSWORD: ${{ env.APPLE_ID_PASSWORD }}
WINDOWS_SIGN_EXECUTABLE: ${{ env.WINDOWS_SIGN_EXECUTABLE }}
TRILIUM_ARTIFACT_NAME_HINT: TriliumNextNotes-${{ github.ref_name }}-${{ inputs.os }}-${{ inputs.arch }}
run: |
npm run electron-forge:make -- \
--arch=${{ inputs.arch }} \
--platform=${{ inputs.forge_platform }}

# Add DMG signing step
- name: Sign DMG
if: inputs.os == 'macos'
shell: ${{ inputs.shell }}
run: |
echo "Signing DMG file..."
dmg_file=$(find ./dist -name "*.dmg" -print -quit)
if [ -n "$dmg_file" ]; then
echo "Found DMG: $dmg_file"
# Get the first valid signing identity from the keychain
SIGNING_IDENTITY=$(security find-identity -v -p codesigning build.keychain | grep "Developer ID Application" | head -1 | sed -E 's/.*"([^"]+)".*/\1/')
if [ -z "$SIGNING_IDENTITY" ]; then
echo "Error: No valid Developer ID Application certificate found in keychain"
exit 1
fi
echo "Using signing identity: $SIGNING_IDENTITY"
# Sign the DMG
codesign --force --sign "$SIGNING_IDENTITY" --options runtime --timestamp "$dmg_file"
# Notarize the DMG
xcrun notarytool submit "$dmg_file" --apple-id "$APPLE_ID" --password "$APPLE_ID_PASSWORD" --team-id "$APPLE_TEAM_ID" --wait
# Staple the notarization ticket
xcrun stapler staple "$dmg_file"
else
echo "No DMG found to sign"
fi

- name: Verify code signing
if: inputs.os == 'macos'
shell: ${{ inputs.shell }}
run: |
echo "Verifying code signing for all artifacts..."

# First check the .app bundle
echo "Looking for .app bundle..."
app_bundle=$(find ./dist -name "*.app" -print -quit)
if [ -n "$app_bundle" ]; then
echo "Found app bundle: $app_bundle"
echo "Verifying app bundle signing..."
codesign --verify --deep --strict --verbose=2 "$app_bundle"
echo "Displaying app bundle signing info..."
codesign --display --verbose=2 "$app_bundle"

echo "Checking entitlements..."
codesign --display --entitlements :- "$app_bundle"

echo "Checking notarization status..."
xcrun stapler validate "$app_bundle" || echo "Warning: App bundle not notarized yet"
else
echo "No .app bundle found to verify"
fi

# Then check DMG if it exists
echo "Looking for DMG..."
dmg_file=$(find ./dist -name "*.dmg" -print -quit)
if [ -n "$dmg_file" ]; then
echo "Found DMG: $dmg_file"
echo "Verifying DMG signing..."
codesign --verify --deep --strict --verbose=2 "$dmg_file"
echo "Displaying DMG signing info..."
codesign --display --verbose=2 "$dmg_file"

echo "Checking DMG notarization..."
xcrun stapler validate "$dmg_file" || echo "Warning: DMG not notarized yet"
else
echo "No DMG found to verify"
fi

# Finally check ZIP if it exists
echo "Looking for ZIP..."
zip_file=$(find ./dist -name "*.zip" -print -quit)
if [ -n "$zip_file" ]; then
echo "Found ZIP: $zip_file"
echo "Note: ZIP files are not code signed, but their contents should be"
# Certificate setup
- name: Import Apple certificates
if: inputs.os == 'macos'
uses: apple-actions/import-codesign-certs@v3
with:
p12-file-base64: ${{ env.APPLE_APP_CERTIFICATE_BASE64 }}
p12-password: ${{ env.APPLE_APP_CERTIFICATE_PASSWORD }}
keychain: build
keychain-password: ${{ github.run_id }}

- name: Install Installer certificate
if: inputs.os == 'macos'
uses: apple-actions/import-codesign-certs@v3
with:
p12-file-base64: ${{ env.APPLE_INSTALLER_CERTIFICATE_BASE64 }}
p12-password: ${{ env.APPLE_INSTALLER_CERTIFICATE_PASSWORD }}
keychain: build
keychain-password: ${{ github.run_id }}
# We don't need to create a keychain here because we're using the build keychain that was created in the previous step
create-keychain: false

- name: Verify certificates
if: inputs.os == 'macos'
shell: ${{ inputs.shell }}
run: |
echo "Available signing identities:"
security find-identity -v -p codesigning build.keychain

- name: Set up Python and other macOS dependencies
if: ${{ inputs.os == 'macos' }}
shell: ${{ inputs.shell }}
run: |
brew install python-setuptools
brew install create-dmg

- name: Install dependencies for RPM and Flatpak package building
if: ${{ inputs.os == 'linux' }}
shell: ${{ inputs.shell }}
run: |
sudo apt-get update && sudo apt-get install rpm flatpak-builder elfutils
flatpak remote-add --user --if-not-exists flathub https://flathub.org/repo/flathub.flatpakrepo
FLATPAK_ARCH=$(if [[ ${{ inputs.arch }} = 'arm64' ]]; then echo 'aarch64'; else echo 'x86_64'; fi)
FLATPAK_VERSION='24.08'
flatpak install --user --no-deps --arch $FLATPAK_ARCH --assumeyes runtime/org.freedesktop.Platform/$FLATPAK_ARCH/$FLATPAK_VERSION runtime/org.freedesktop.Sdk/$FLATPAK_ARCH/$FLATPAK_VERSION org.electronjs.Electron2.BaseApp/$FLATPAK_ARCH/$FLATPAK_VERSION

# Build setup
- name: Install dependencies
shell: ${{ inputs.shell }}
run: npm ci
env:
npm_config_arch: ${{ inputs.arch }}

- name: Update build info
shell: ${{ inputs.shell }}
run: npm run chore:update-build-info

# Critical debugging configuration
- name: Run electron-forge build with enhanced logging
shell: ${{ inputs.shell }}
env:
# Pass through required environment variables for signing and notarization
APPLE_TEAM_ID: ${{ env.APPLE_TEAM_ID }}
APPLE_ID: ${{ env.APPLE_ID }}
APPLE_ID_PASSWORD: ${{ env.APPLE_ID_PASSWORD }}
WINDOWS_SIGN_EXECUTABLE: ${{ env.WINDOWS_SIGN_EXECUTABLE }}
TRILIUM_ARTIFACT_NAME_HINT: TriliumNextNotes-${{ github.ref_name }}-${{ inputs.os }}-${{ inputs.arch }}
run: npm run electron-forge:make -- --arch=${{ inputs.arch }} --platform=${{ inputs.forge_platform }}

# Add DMG signing step
- name: Sign DMG
if: inputs.os == 'macos'
shell: ${{ inputs.shell }}
run: |
echo "Signing DMG file..."
dmg_file=$(find ./dist -name "*.dmg" -print -quit)
if [ -n "$dmg_file" ]; then
echo "Found DMG: $dmg_file"
# Get the first valid signing identity from the keychain
SIGNING_IDENTITY=$(security find-identity -v -p codesigning build.keychain | grep "Developer ID Application" | head -1 | sed -E 's/.*"([^"]+)".*/\1/')
if [ -z "$SIGNING_IDENTITY" ]; then
echo "Error: No valid Developer ID Application certificate found in keychain"
exit 1
fi
echo "Using signing identity: $SIGNING_IDENTITY"
# Sign the DMG
codesign --force --sign "$SIGNING_IDENTITY" --options runtime --timestamp "$dmg_file"
# Notarize the DMG
xcrun notarytool submit "$dmg_file" --apple-id "$APPLE_ID" --password "$APPLE_ID_PASSWORD" --team-id "$APPLE_TEAM_ID" --wait
# Staple the notarization ticket
xcrun stapler staple "$dmg_file"
else
echo "No DMG found to sign"
fi

- name: Verify code signing
if: inputs.os == 'macos'
shell: ${{ inputs.shell }}
run: |
echo "Verifying code signing for all artifacts..."

# First check the .app bundle
echo "Looking for .app bundle..."
app_bundle=$(find ./dist -name "*.app" -print -quit)
if [ -n "$app_bundle" ]; then
echo "Found app bundle: $app_bundle"
echo "Verifying app bundle signing..."
codesign --verify --deep --strict --verbose=2 "$app_bundle"
echo "Displaying app bundle signing info..."
codesign --display --verbose=2 "$app_bundle"

echo "Checking entitlements..."
codesign --display --entitlements :- "$app_bundle"

echo "Checking notarization status..."
xcrun stapler validate "$app_bundle" || echo "Warning: App bundle not notarized yet"
else
echo "No .app bundle found to verify"
fi

# Then check DMG if it exists
echo "Looking for DMG..."
dmg_file=$(find ./dist -name "*.dmg" -print -quit)
if [ -n "$dmg_file" ]; then
echo "Found DMG: $dmg_file"
echo "Verifying DMG signing..."
codesign --verify --deep --strict --verbose=2 "$dmg_file"
echo "Displaying DMG signing info..."
codesign --display --verbose=2 "$dmg_file"

echo "Checking DMG notarization..."
xcrun stapler validate "$dmg_file" || echo "Warning: DMG not notarized yet"
else
echo "No DMG found to verify"
fi

# Finally check ZIP if it exists
echo "Looking for ZIP..."
zip_file=$(find ./dist -name "*.zip" -print -quit)
if [ -n "$zip_file" ]; then
echo "Found ZIP: $zip_file"
echo "Note: ZIP files are not code signed, but their contents should be"
fi
10 changes: 1 addition & 9 deletions .github/workflows/nightly.yml
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -23,16 +23,8 @@ jobs:
strategy:
fail-fast: false
matrix:
arch: [x64, arm64]
arch: [arm64]
os:
- name: macos
image: macos-latest
shell: bash
forge_platform: darwin
- name: linux
image: ubuntu-latest
shell: bash
forge_platform: linux
- name: windows
image: win-signing
shell: cmd
Expand Down
Loading