chore(ci): add code sign step (#9)

oomol-lab · Oct 30, 2023 · 77ce215 · 77ce215
1 parent 8f42141
commit 77ce215
Show file tree

Hide file tree

Showing 2 changed files with 15 additions and 0 deletions.
diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml
@@ -21,8 +21,22 @@ jobs:
       - name: Apply Patch
         run: make apply-all-patch
 
+      - name: Setup Codesign
+        run: |
+          echo $MACOS_CERTIFICATE | base64 --decode > certificate.p12
+          security create-keychain -p action build.keychain
+          security default-keychain -s build.keychain
+          security unlock-keychain -p action build.keychain
+          security import certificate.p12 -k build.keychain -P $MACOS_CERTIFICATE_PWD -T /usr/bin/codesign
+          security set-key-partition-list -S apple-tool:,apple:,codesign: -s -k action build.keychain
+        env:
+          MACOS_CERTIFICATE: ${{ secrets.MACOS_CERTIFICATE }}
+          MACOS_CERTIFICATE_PWD: ${{ secrets.MACOS_CERTIFICATE_PWD }}
+
       - name: Build
         run: make build
+        env:
+          CODESIGN_IDENTITY: ${{ secrets.MACOS_CODESIGN_IDENTITY }}
 
       - name: Release
         uses: softprops/action-gh-release@de2c0eb89ae2a093876385947365aca7b0e5f844 # v0.1.15

diff --git a/Makefile b/Makefile
@@ -27,6 +27,7 @@ CODESIGN_IDENTITY ?= -
 	@case $(_DIR) in \
 		gvproxy) \
 			GOARCH=$(_ARCH) $(GO_BUILD) -C $(ROOTDIR)/gvproxy/ -ldflags '-s -w' -o $(ROOTDIR)/out/gvproxy-$(_ARCH) ./cmd/gvproxy; \
+			codesign --force --options runtime --sign $(CODESIGN_IDENTITY) $(ROOTDIR)/out/gvproxy-$(_ARCH); \
 			;; \
 		vfkit) \
 			CGO_ENABLED=1 CGO_CFLAGS=-mmacosx-version-min=12.3 GOARCH=$(_ARCH) $(GO_BUILD) -C $(ROOTDIR)/vfkit/ -o $(ROOTDIR)/out/vfkit-$(_ARCH) ./cmd/vfkit; \