[skip changelog] Update notarization job, now usable with p12 cert format (#1062)

* update notarization job usable with p12 cert

* Apply suggestions from code review

Co-authored-by: per1234 <accounts@perglass.com>

* update nightly.yaml to use p12 cert

* replace third party action to handle keychain with shell code

* revert to previous gon installation

with homebrew tap is not possible to install an exact version of an app

* forgot to modify step name

Co-authored-by: per1234 <accounts@perglass.com>

Author: umbynos

.github/workflows/nightly.yaml

@@ -46,27 +46,35 @@ jobs:
         with:
           name: dist
 
-      - name: Download Gon
+      - name: Import Code-Signing Certificates
+        env:
+          KEYCHAIN: "sign.keychain"
+          INSTALLER_CERT_MAC_PATH: "/tmp/ArduinoCerts2020.p12"
+        run: |
+          echo "${{ secrets.INSTALLER_CERT_MAC_P12 }}" | base64 --decode > ${{ env.INSTALLER_CERT_MAC_PATH }}
+          security create-keychain -p ${{ secrets.KEYCHAIN_PASSWORD }} ${{ env.KEYCHAIN }}
+          security default-keychain -s ${{ env.KEYCHAIN }}
+          security unlock-keychain -p ${{ secrets.KEYCHAIN_PASSWORD }} ${{ env.KEYCHAIN }}
+          security import ${{ env.INSTALLER_CERT_MAC_PATH }} -k ${{ env.KEYCHAIN }} -f pkcs12 -A -T /usr/bin/codesign -P ${{ secrets.INSTALLER_CERT_MAC_PASSWORD }}
+          security set-key-partition-list -S apple-tool:,apple: -s -k ${{ secrets.KEYCHAIN_PASSWORD }} ${{ env.KEYCHAIN }}
+
+      - name: Install gon for code signing and app notarization
         run: |
-          wget -q https://github.com/mitchellh/gon/releases/download/v0.2.2/gon_0.2.2_macos.zip
-          unzip gon_0.2.2_macos.zip -d /usr/local/bin
-          rm -f gon_0.2.2_macos.zip
+          wget -q https://github.com/mitchellh/gon/releases/download/v0.2.3/gon_macos.zip
+          unzip gon_macos.zip -d /usr/local/bin
 
-      - name: Notarize binary, re-package it and update checksum
+      - name: Sign and notarize binary
         env:
           AC_USERNAME: ${{ secrets.AC_USERNAME }}
           AC_PASSWORD: ${{ secrets.AC_PASSWORD }}
-        # This step performs the following:
-        # 1. Download keychain from GH secrets and decode it from base64
-        # 2. Add the keychain to the system keychains and unlock it
-        # 3. Call Gon to start notarization process (using AC_USERNAME and AC_PASSWORD)
-        # 4. Repackage the signed binary replaced in place by Gon (ignoring the output zip file)
-        # 5. Recalculate package checksum and replace it in the goreleaser nnnnnn-checksums.txt file
         run: |
-          echo "${{ secrets.KEYCHAIN }}" | base64 --decode  > ~/Library/Keychains/apple-developer.keychain-db
-          security list-keychains -s ~/Library/Keychains/apple-developer.keychain-db
-          security unlock-keychain -p "${{ secrets.KEYCHAIN_PASSWORD }}" ~/Library/Keychains/apple-developer.keychain-db
           gon gon.config.hcl
+
+      - name: Re-package binary and update checksum
+        # This step performs the following:
+        # 1. Repackage the signed binary replaced in place by Gon (ignoring the output zip file)
+        # 2. Recalculate package checksum and replace it in the goreleaser nnnnnn-checksums.txt file
+        run: |
           # GitHub's upload/download-artifact@v1 actions don't preserve file permissions,
           # so we need to add execution permission back until @v2 actions are released.
           chmod +x dist/arduino_cli_osx_darwin_amd64/arduino-cli

.github/workflows/release.yaml

@@ -41,27 +41,35 @@ jobs:
         with:
           name: dist
 
-      - name: Download Gon
+      - name: Import Code-Signing Certificates
+        env:
+          KEYCHAIN: "sign.keychain"
+          INSTALLER_CERT_MAC_PATH: "/tmp/ArduinoCerts2020.p12"
+        run: |
+          echo "${{ secrets.INSTALLER_CERT_MAC_P12 }}" | base64 --decode > ${{ env.INSTALLER_CERT_MAC_PATH }}
+          security create-keychain -p ${{ secrets.KEYCHAIN_PASSWORD }} ${{ env.KEYCHAIN }}
+          security default-keychain -s ${{ env.KEYCHAIN }}
+          security unlock-keychain -p ${{ secrets.KEYCHAIN_PASSWORD }} ${{ env.KEYCHAIN }}
+          security import ${{ env.INSTALLER_CERT_MAC_PATH }} -k ${{ env.KEYCHAIN }} -f pkcs12 -A -T /usr/bin/codesign -P ${{ secrets.INSTALLER_CERT_MAC_PASSWORD }}
+          security set-key-partition-list -S apple-tool:,apple: -s -k ${{ secrets.KEYCHAIN_PASSWORD }} ${{ env.KEYCHAIN }}
+
+      - name: Install gon for code signing and app notarization
         run: |
-          wget -q https://github.com/mitchellh/gon/releases/download/v0.2.2/gon_0.2.2_macos.zip
-          unzip gon_0.2.2_macos.zip -d /usr/local/bin
-          rm -f gon_0.2.2_macos.zip
+          wget -q https://github.com/mitchellh/gon/releases/download/v0.2.3/gon_macos.zip
+          unzip gon_macos.zip -d /usr/local/bin
 
-      - name: Notarize binary, re-package it and update checksum
+      - name: Sign and notarize binary
         env:
           AC_USERNAME: ${{ secrets.AC_USERNAME }}
           AC_PASSWORD: ${{ secrets.AC_PASSWORD }}
-        # This step performs the following:
-        # 1. Download keychain from GH secrets and decode it from base64
-        # 2. Add the keychain to the system keychains and unlock it
-        # 3. Call Gon to start notarization process (using AC_USERNAME and AC_PASSWORD)
-        # 4. Repackage the signed binary replaced in place by Gon (ignoring the output zip file)
-        # 5. Recalculate package checksum and replace it in the goreleaser nnnnnn-checksums.txt file
         run: |
-          echo "${{ secrets.KEYCHAIN }}" | base64 --decode  > ~/Library/Keychains/apple-developer.keychain-db
-          security list-keychains -s ~/Library/Keychains/apple-developer.keychain-db
-          security unlock-keychain -p "${{ secrets.KEYCHAIN_PASSWORD }}" ~/Library/Keychains/apple-developer.keychain-db
           gon gon.config.hcl
+
+      - name: Re-package binary and update checksum
+        # This step performs the following:
+        # 1. Repackage the signed binary replaced in place by Gon (ignoring the output zip file)
+        # 2. Recalculate package checksum and replace it in the goreleaser nnnnnn-checksums.txt file
+        run: |
           # GitHub's upload/download-artifact@v1 actions don't preserve file permissions,
           # so we need to add execution permission back until @v2 actions are released.
           chmod +x dist/arduino_cli_osx_darwin_amd64/arduino-cli