diff --git a/.github/workflows/cortex-build.yml b/.github/workflows/cortex-build.yml
index 0bde2654b..c3efe7bbe 100644
--- a/.github/workflows/cortex-build.yml
+++ b/.github/workflows/cortex-build.yml
@@ -234,11 +234,11 @@ jobs:
 - os: "mac"
 name: "amd64"
- runs-on: "macos-desktop"
+ runs-on: "macos-13"
 - os: "mac"
 name: "arm64"
- runs-on: "macos-silicon"
+ runs-on: "macos-latest"
 steps:
 - name: Clone
 id: checkout
@@ -279,7 +279,6 @@ jobs:
 registry-url: "https://registry.npmjs.org"
 - uses: actions/setup-python@v3
- if: runner.os != 'macOS'
 with:
 python-version: "3.10"
@@ -291,10 +290,10 @@ jobs:
 - name: Get Cer for code signing
 if: runner.os == 'macOS'
- run: base64 -d <<< "$CODE_SIGN_P12_BASE64" > /tmp/codesign.p12
+ run: base64 -d <<< "$NOTARIZE_P8_BASE64" > /tmp/notary-key.p8
 shell: bash
 env:
- CODE_SIGN_P12_BASE64: ${{ secrets.CODE_SIGN_P12_BASE64 }}
+ NOTARIZE_P8_BASE64: ${{ secrets.NOTARIZE_P8_BASE64 }}
 - uses: apple-actions/import-codesign-certs@v2
 continue-on-error: true
@@ -328,6 +327,16 @@ jobs:
 ./cortex --help
 make codesign-binary CODE_SIGN=true DEVELOPER_ID="${{ secrets.DEVELOPER_ID }}"
+ # install quill
+ curl -sSfL https://raw.githubusercontent.com/anchore/quill/main/install.sh | sh -s -- -b /usr/local/bin
+
+ # Notarize the binary
+ quill notarize ./cortex
+ env:
+ QUILL_NOTARY_KEY_ID: ${{ secrets.NOTARY_KEY_ID }}
+ QUILL_NOTARY_ISSUER: ${{ secrets.NOTARY_ISSUER }}
+ QUILL_NOTARY_KEY: "/tmp/notary-key.p8"
+
 - name: Create MacOS PKG Installer
 if: runner.os == 'macOS'
 run: |
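Review bot: The arm64 matrix entry now runs on `macos-latest`, a label whose image and architecture GitHub moves over time, while the amd64 entry is pinned to `macos-13`; pin the arm64 runner the same way, e.g. `runs-on: "macos-14"`, so the matrix `name` and the image architecture cannot silently diverge. The previous `macos-desktop`/`macos-silicon` labels look like self-hosted runners, so this change also moves the signing and notarization secrets used further down onto GitHub-hosted machines; that is worth a sentence in the PR description. The matrix definition starts outside the hunk.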
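Review bot: The step is still named `Get Cer for code signing` but now decodes the App Store Connect API private key to `/tmp/notary-key.p8`, and nothing in this hunk produces the `/tmp/codesign.p12` the original line wrote; if the following `apple-actions/import-codesign-certs@v2` step (its `with:` is outside the hunk) still expects that file, the certificate import now fails silently because of its `continue-on-error: true`. Rename the step, e.g. `- name: Decode notary API key`, and confirm the certificate import has its own source. Add a cleanup step at the end of the job, `- run: rm -f /tmp/notary-key.p8` with `if: always()`, so the private key does not stay on disk for the remainder of the job or on any future self-hosted runner.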
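Review bot: The quill installation pipes `https://raw.githubusercontent.com/anchore/quill/main/install.sh` into `sh` with write access to `/usr/local/bin`, so every release build executes whatever that repository's `main` holds at run time, and the resulting unpinned tool is then handed the notary key. Pin the script to a tagged revision or commit and request a fixed quill release (the anchore install scripts accept the version as a trailing argument after `-b /usr/local/bin`; verify against quill's README), and compare the downloaded binary against the release's published checksum before running it. A bare Mach-O cannot be stapled, so it helps to say so next to the call: `# bare binaries cannot be stapled; Gatekeeper fetches the ticket online`. The step's `run:` block starts outside the hunk.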
@@ -338,7 +347,10 @@ jobs:
 pkgbuild --identifier ai.cortex.pkg --install-location ./usr/local/bin/ --root ./installer cortex-installer.pkg
 make codesign-installer CODE_SIGN=true DEVELOPER_ID="${{ secrets.DEVELOPER_ID }}"
- - name: Create MacOS PKG Installer
+ # Notary the installer
+ xcrun notarytool submit cortex-installer.pkg --apple-id ${{ secrets.APPLE_ID }} --password ${{ secrets.APPLE_APP_SPECIFIC_PASSWORD }} --team-id ${{ secrets.APPLE_TEAM_ID }} --wait
+
+ - name: Create Linux DEB Installer
 if: runner.os == 'Linux'
 run: |
 cd cortex-js
diff --git a/cortex-js/Makefile b/cortex-js/Makefile
index fb85efffe..798d55a1a 100644
--- a/cortex-js/Makefile
+++ b/cortex-js/Makefile
@@ -29,7 +29,7 @@ else ifeq ($(shell uname -s),Linux)
 @echo "Skipping Code Sign for linux"
 @exit 0
 else
- find "cortex" -type f -exec codesign --force -s "$(DEVELOPER_ID)" --options=runtime {} \;
+ codesign --force -s "$(DEVELOPER_ID)" --options=runtime --entitlements="./entitlements.plist" ./cortex;
 endif
 codesign-installer:
@@ -45,7 +45,9 @@ else ifeq ($(shell uname -s),Linux)
 @echo "Skipping Code Sign for linux"
 @exit 0
 else
- find "cortex" -type f -exec codesign --force -s "$(DEVELOPER_ID)" --options=runtime {} \;
+ productsign --sign "Developer ID Installer: $(DEVELOPER_ID)" cortex-installer.pkg cortex-installer-signed.pkg;
+ rm cortex-installer.pkg;
+ mv cortex-installer-signed.pkg cortex-installer.pkg;
 endif
 postbundle:
diff --git a/cortex-js/entitlements.plist b/cortex-js/entitlements.plist
new file mode 100644
index 000000000..e56476ecf
--- /dev/null
+++ b/cortex-js/entitlements.plist
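Review bot: `${{ secrets.APPLE_ID }}`, `${{ secrets.APPLE_APP_SPECIFIC_PASSWORD }}` and `${{ secrets.APPLE_TEAM_ID }}` are expanded as text into the `run:` script and passed unquoted, so a value containing shell metacharacters changes the command, and the password ends up on a command line visible to other processes on the runner; the existing `DEVELOPER_ID="${{ secrets.DEVELOPER_ID }}"` arguments to `make` have the same shape. Pass them through the step's `env:` and reference them quoted, `--apple-id "$APPLE_ID" --password "$APPLE_APP_SPECIFIC_PASSWORD" --team-id "$APPLE_TEAM_ID"`, or better, reuse the API key the job already decodes for quill via `notarytool`'s `--key /tmp/notary-key.p8 --key-id` / `--issuer` options so no password is needed at all. After a successful submission, run `xcrun stapler staple cortex-installer.pkg` so installs verify offline, and pair `--wait` with `--timeout` so a stuck submission fails the job instead of running until the job limit. The `run:` block starts outside the hunk.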
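Review bot: The new `codesign` line requests the hardened runtime but not a secure timestamp, and a timestamp is one of Apple's notarization requirements; unless the runner's `codesign` adds one by default for Developer ID identities, the later `quill notarize` step may be rejected, so write `codesign --force --timestamp -s "$(DEVELOPER_ID)" --options=runtime --entitlements="./entitlements.plist" ./cortex` (the trailing `;` is not needed in a recipe line). Since the runtime's protection now depends on the entitlements file, add a recipe comment such as `# entitlements.plist grants hardened-runtime exceptions; keep it to what the binary needs`. The conditional block begins outside the hunk.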
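Review bot: `DEVELOPER_ID` is consumed in two different shapes in this file: the binary target passes it as the whole identity match, `-s "$(DEVELOPER_ID)"`, while this target prefixes it, `"Developer ID Installer: $(DEVELOPER_ID)"`, and the workflow feeds the same secret to both; without a note, the next person will not know which form the secret must hold. Add a comment above the target, e.g. `# DEVELOPER_ID holds the "<Name> (<TEAMID>)" part shared by the Application and Installer certificates`, or introduce a separate variable for the installer identity. The `rm` followed by `mv` can be a single `mv -f cortex-installer-signed.pkg cortex-installer.pkg`.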
@@ -0,0 +1,33 @@ + + + + + + com.apple.security.cs.allow-jit + + com.apple.security.cs.allow-unsigned-executable-memory + + + + com.apple.security.app-sandbox + + com.apple.security.network.client + + com.apple.security.network.server + + com.apple.security.device.audio-input + + com.apple.security.device.microphone + + com.apple.security.device.camera + + com.apple.security.files.user-selected.read-write + + com.apple.security.cs.disable-library-validation + + com.apple.security.cs.allow-dyld-environment-variables + + com.apple.security.cs.allow-executable-memory + + + \ No newline at end of file
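Review bot: The entitlement values are not visible here (the markup was stripped in this view), but the key set combines `com.apple.security.cs.disable-library-validation`, `com.apple.security.cs.allow-dyld-environment-variables`, `com.apple.security.cs.allow-unsigned-executable-memory`, `com.apple.security.cs.allow-executable-memory` and `com.apple.security.cs.allow-jit`; if these are all true, the hardened runtime the Makefile requests with `--options=runtime` no longer stops unsigned code from being loaded into the process, which is the guarantee notarization is meant to give users. Keep only what the runtime needs — typically `allow-jit` (adding `allow-unsigned-executable-memory` only if JIT alone proves insufficient) and `disable-library-validation` only when native addons signed by another team must load — and drop `com.apple.security.app-sandbox` together with the camera, microphone, audio-input and user-selected-file keys, which apply to sandboxed apps rather than a Developer ID command-line tool. Put an XML comment above each remaining key stating why it is required, e.g. `<!-- V8 JIT needs writable+executable pages -->`. The file also has no trailing newline.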