JK Sign and Notarize (#76)

* trying sign * gon * signing only on release tag * fixing creds and upload * including master * testing conditions Co-authored-by: John Kennedy <jkennedy@verizonmedia.com>
2021-02-23 16:48:39 -08:00 · 2021-02-23 16:48:39 -08:00 · 6d59b332fb
parent 9570561ee3
commit 6d59b332fb
2 changed files with 36 additions and 5 deletions
--- a/.github/workflows/ci.yaml
+++ b/.github/workflows/ci.yaml
@ -2,7 +2,7 @@ name: ci

 on:
  push:
-    branches: [ master ]
+    branches: [ master, release-* ]
    tags:
      'v*'
  pull_request:
@ -22,7 +22,6 @@ jobs:
        id: calc-short
        run: echo "::set-output name=sha8::${GITHUB_SHA::8}"

-
  build:
    name: Build
    needs: [store-sha8]
@ -40,8 +39,8 @@ jobs:
      with:
        submodules: true

-    - name: Build (mac)
-      if: matrix.os == 'macos-latest'
+    - name: Build PR (mac)
+      if: matrix.os == 'macos-latest' && !contains(github.ref, 'tags/v') && !contains(github.ref, 'refs/heads/master') && !contains(github.ref, 'refs/heads/release-')
      run: |
        brew install qt
        export PATH="/usr/local/opt/qt/bin:$PATH"
@ -50,10 +49,41 @@ jobs:
        make
        macdeployqt ashirt.app -dmg
        mkdir dist
-        cp -r ashirt.dmg dist/
+        cp ashirt.dmg dist/ashirt.dmg
        cp LICENSE dist/LICENSE
        cp README.md dist/README.md

+    - name: Import Code-Signing Certificates
+      if: matrix.os == 'macos-latest' && (contains(github.ref, 'tags/v') || contains(github.ref, 'refs/heads/master') || contains(github.ref, 'refs/heads/release-'))
+      uses: Apple-Actions/import-codesign-certs@v1
+      with:
+        p12-file-base64: ${{ secrets.MACOS_CERT }}
+        p12-password: ${{ secrets.MACOS_PASS }}
+
+    - name: Build and Sign Release (mac)
+      if: matrix.os == 'macos-latest' && (contains(github.ref, 'tags/v') || contains(github.ref, 'refs/heads/master') || contains(github.ref, 'refs/heads/release-'))
+      run: |
+        brew install qt
+        export PATH="/usr/local/opt/qt/bin:$PATH"
+        brew link -f qt
+        qmake -config release
+        make
+        macdeployqt ashirt.app -dmg -always-overwrite -sign-for-notarization="John Kennedy"
+        mkdir dist
+        cp ashirt.dmg dist/ashirt.dmg
+        cp LICENSE dist/LICENSE
+        cp README.md dist/README.md
+
+    - name: Install gon via HomeBrew and Notarize Release (mac)
+      if: matrix.os == 'macos-latest' && (contains(github.ref, 'tags/v') || contains(github.ref, 'refs/heads/master') || contains(github.ref, 'refs/heads/release-'))
+      env: 
+        GON_CONF: ${{ secrets.GON_CONF }}
+      run: |
+        brew tap mitchellh/gon
+        brew install mitchellh/gon/gon
+        echo "$GON_CONF" | base64 -D -i - > notarize.json
+        gon notarize.json
+
    - name: Archive production artifacts
      uses: actions/upload-artifact@v2
      with:
--- a/ashirt.pro
+++ b/ashirt.pro
@ -134,6 +134,7 @@ include(tools/UGlobalHotkey/uglobalhotkey.pri)

 macx {
  ICON = icons/ashirt.icns
+  QMAKE_TARGET_BUNDLE_PREFIX = com.theparanoids
 }

 # Default rules for deployment.