add macOS signing steps

microsoft · Jul 25, 2024 · 76629e9 · 76629e9
1 parent cefa93d
commit 76629e9
Showing 1 changed file with 29 additions and 0 deletions.
diff --git a/eng/signing/Sign.proj b/eng/signing/Sign.proj
@@ -13,6 +13,11 @@
     <PackageReference Include="Microsoft.VisualStudioEng.MicroBuild.Core" Version="1.0.0" />
   </ItemGroup>
 
+  <PropertyGroup>
+    <!-- Required for macOS signing -->
+    <EnableCodeSigning>false</EnableCodeSigning>
+  </PropertyGroup>
+
   <Target Name="PrepSign" BeforeTargets="AfterBuild">
     <Error Condition="'$(SignType)' != 'real' AND '$(SignType)' != 'test'" Text="Unexpected SignType '$(SignType)'" />
     <PropertyGroup>
@@ -38,6 +43,9 @@
       <GoZipFile Include="$([MSBuild]::NormalizeDirectory('$(SignFilesDir)'))**/go*.zip" />
       <GoZipFile ExtractedDir="$([MSBuild]::NormalizeDirectory('%(Identity).extracted'))" />
 
+      <GoMacOSTarFile Include="$([MSBuild]::NormalizeDirectory('$(SignFilesDir)'))**/go*darwin*.tar.gz" />
+      <GoMacOSTarFile ExtractedDir="$([MSBuild]::NormalizeDirectory('%(Identity).extracted'))" />
+
       <FileExtensionSignInfo Include=".sig" CertificateName="LinuxSignManagedLanguageCompiler" />
     </ItemGroup>
 
@@ -68,6 +76,20 @@
       -->
       <FilesToSign Remove="%(GoZipFile.ExtractedDir)**\testdata\**" />
     </ItemGroup>
+    <!-- macOS codesign -->
+    <Exec Command="if not exist %(GoMacOSTarFile.ExtractedDir) mkdir %(GoMacOSTarFile.ExtractedDir)" />
+    <Exec Command="tar -xzf %(GoMacOSTarFile.Identity) -C %(GoMacOSTarFile.ExtractedDir)" />
+    <ItemGroup>
+      <FilesToSign Include="%(GoMacOSTarFile.ExtractedDir)**\*">
+        <Authenticode>MacDeveloperHarden</Authenticode>
+      </FilesToSign>
+      <!--
+        Remove test data: some files (especially zip files) are set up in very particular ways that
+        SignTool doesn't reconstruct properly after recursing into the container. This causes "go
+        tool dist test" to fail when run on a signed build.
+      -->
+      <FilesToSign Remove="%(GoMacOSTarFile.ExtractedDir)**\testdata\**" />
+    </ItemGroup>
   </Target>
 
   <Target Name="AfterSign" AfterTargets="SignFiles">
@@ -84,6 +106,13 @@
 
     <!-- Remove the large extracted dir so the build job doesn't upload it. -->
     <RemoveDir Directories="@(GoZipFile -> '%(ExtractedDir)')" />
+
+    <!-- Repack macOS tar.gz -->
+    <Exec Command="tar -czf %(GoMacOSTarFile.Identity) -C %(GoMacOSTarFile.ExtractedDir) ." />
+    <Exec Command="pwsh ..\run.ps1 write-checksum @(GoMacOSTarFile, ' ')" />
+
+    <!-- Remove the large extracted dir so the build job doesn't upload it. -->
+    <RemoveDir Directories="@(GoMacOSTarFile -> '%(ExtractedDir)')" />
   </Target>
 
   <Target Name="SignFiles" BeforeTargets="PrepSign">