Fix codesign macos for application and installer (#974)

Co-authored-by: Hien To <[email protected]>
janhq · Aug 5, 2024 · bb55bb8 · bb55bb8
1 parent b40100d
commit bb55bb8
Show file tree

Hide file tree

Showing 3 changed files with 55 additions and 8 deletions.
diff --git a/.github/workflows/cortex-build.yml b/.github/workflows/cortex-build.yml
@@ -234,11 +234,11 @@ jobs:
 
           - os: "mac"
             name: "amd64"
-            runs-on: "macos-desktop"
+            runs-on: "macos-13"
 
           - os: "mac"
             name: "arm64"
-            runs-on: "macos-silicon"
+            runs-on: "macos-latest"
     steps:
       - name: Clone
         id: checkout
@@ -279,7 +279,6 @@ jobs:
           registry-url: "https://registry.npmjs.org"
 
       - uses: actions/setup-python@v3
-        if: runner.os != 'macOS'
         with:
           python-version: "3.10"
 
@@ -291,10 +290,10 @@ jobs:
 
       - name: Get Cer for code signing
         if: runner.os == 'macOS'
-        run: base64 -d <<< "$CODE_SIGN_P12_BASE64" > /tmp/codesign.p12
+        run: base64 -d <<< "$NOTARIZE_P8_BASE64" > /tmp/notary-key.p8
         shell: bash
         env:
-          CODE_SIGN_P12_BASE64: ${{ secrets.CODE_SIGN_P12_BASE64 }}
+          NOTARIZE_P8_BASE64: ${{ secrets.NOTARIZE_P8_BASE64 }}
 
       - uses: apple-actions/import-codesign-certs@v2
         continue-on-error: true
@@ -328,6 +327,16 @@ jobs:
           ./cortex --help
           make codesign-binary CODE_SIGN=true DEVELOPER_ID="${{ secrets.DEVELOPER_ID }}"
 
+          # install quill
+          curl -sSfL https://raw.githubusercontent.com/anchore/quill/main/install.sh | sh -s -- -b /usr/local/bin
+
+          # Notarize the binary
+          quill notarize ./cortex
+        env:
+          QUILL_NOTARY_KEY_ID: ${{ secrets.NOTARY_KEY_ID }}
+          QUILL_NOTARY_ISSUER: ${{ secrets.NOTARY_ISSUER }}
+          QUILL_NOTARY_KEY: "/tmp/notary-key.p8"
+
       - name: Create MacOS PKG Installer
         if: runner.os == 'macOS'
         run: |
@@ -338,7 +347,10 @@ jobs:
           pkgbuild --identifier ai.cortex.pkg --install-location ./usr/local/bin/ --root ./installer cortex-installer.pkg
           make codesign-installer CODE_SIGN=true DEVELOPER_ID="${{ secrets.DEVELOPER_ID }}"
 
-      - name: Create MacOS PKG Installer
+          # Notary the installer
+          xcrun notarytool submit cortex-installer.pkg --apple-id ${{ secrets.APPLE_ID }} --password ${{ secrets.APPLE_APP_SPECIFIC_PASSWORD }} --team-id ${{ secrets.APPLE_TEAM_ID }} --wait
+
+      - name: Create Linux DEB Installer
         if: runner.os == 'Linux'
         run: |
           cd cortex-js

diff --git a/cortex-js/Makefile b/cortex-js/Makefile
@@ -29,7 +29,7 @@ else ifeq ($(shell uname -s),Linux)
 	@echo "Skipping Code Sign for linux"
 	@exit 0
 else
-	find "cortex" -type f -exec codesign --force -s "$(DEVELOPER_ID)" --options=runtime {} \;
+	codesign --force -s "$(DEVELOPER_ID)" --options=runtime --entitlements="./entitlements.plist" ./cortex;
 endif
 
 codesign-installer:
@@ -45,7 +45,9 @@ else ifeq ($(shell uname -s),Linux)
 	@echo "Skipping Code Sign for linux"
 	@exit 0
 else
-	find "cortex" -type f -exec codesign --force -s "$(DEVELOPER_ID)" --options=runtime {} \;
+	productsign --sign "Developer ID Installer: $(DEVELOPER_ID)" cortex-installer.pkg cortex-installer-signed.pkg;
+	rm cortex-installer.pkg;
+	mv cortex-installer-signed.pkg cortex-installer.pkg;
 endif
 
 postbundle:

diff --git a/cortex-js/entitlements.plist b/cortex-js/entitlements.plist
@@ -0,0 +1,33 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
+<plist version="1.0">
+<dict>
+    <!-- These are required for binaries built by PyInstaller -->
+    <key>com.apple.security.cs.allow-jit</key>
+    <true/>
+    <key>com.apple.security.cs.allow-unsigned-executable-memory</key>
+    <true/>
+
+    <!-- Add these for additional permissions -->
+    <key>com.apple.security.app-sandbox</key>
+    <false/>
+    <key>com.apple.security.network.client</key>
+    <true/>
+    <key>com.apple.security.network.server</key>
+    <true/>
+    <key>com.apple.security.device.audio-input</key>
+    <true/>
+    <key>com.apple.security.device.microphone</key>
+    <true/>
+    <key>com.apple.security.device.camera</key>
+    <true/>
+    <key>com.apple.security.files.user-selected.read-write</key>
+    <true/>
+    <key>com.apple.security.cs.disable-library-validation</key>
+    <true/>
+    <key>com.apple.security.cs.allow-dyld-environment-variables</key>
+    <true/>
+    <key>com.apple.security.cs.allow-executable-memory</key>
+    <true/>
+</dict>
+</plist>