Macos sign binary (#12)

* Sign MacOS binaries, take 2 * Fixes * Test * Try using zsign * Try different build * Fixing * Kick it * Debug print * Debugging * Use secret * Use mac os builder * Debug echo prints * Change env name * Checkout * Test codesign exists * Tuning cmd * LAst try * Hook instead of sign * No parallelism * No timestamp * Outside of hook * Verbose? * keychain passwork hypothesis * Cleanup * limit keychain * Test different setup of keys * Another try * Sign via hooks * Notarize it * Test again * Back to debug * Try using gon * add config * Test * extract sign script * Test * Fix * No gettext * Escapes * Patterns * Tilde! * goreleaser hook * assign more time * Just sign binary * RBAC message
komodorio · Jun 25, 2023 · 6714f55 · 6714f55
1 parent 98c508b
commit 6714f55
Show file tree

Hide file tree

Showing 5 changed files with 99 additions and 15 deletions.
diff --git a/.github/workflows/build.yml b/.github/workflows/build.yml
@@ -2,13 +2,16 @@ name: Build
 
 on:
  push:
- branches: main
+ branches:
+ - main
  pull_request:
- branches: "*"
+ branches:
+ - "*"
 
 jobs:
  build:
  runs-on: ubuntu-latest
+ timeout-minutes: 10
  steps:
  - name: Checkout
  uses: actions/checkout@v3
@@ -30,9 +33,14 @@ jobs:
  uses: goreleaser/goreleaser-action@v2
  with:
  version: latest
- args: release --snapshot --clean
+ args: release --parallelism 1 --snapshot --clean
  - name: Test Binary is Runnable
- run: "dist/komocli_linux_amd64_v1/komocli --help"
+ run: "dist/build_win_and_linux_linux_amd64_v1/komocli --help"
+ - uses: actions/upload-artifact@v3
+ with:
+ name: binaries
+ path: dist/
+ retention-days: 1
  - name: golangci-lint
  uses: golangci/[email protected]
  with:
@@ -41,3 +49,59 @@ jobs:
  skip-pkg-cache: true
  skip-build-cache: true
  # args: --timeout=15m
+ build_with_signing:
+ runs-on: macos-latest
+ timeout-minutes: 10
+ steps:
+ - name: Checkout
+ uses: actions/checkout@v3
+ - name: Set up Go
+ uses: actions/setup-go@v4
+ with:
+ go-version: 1.20.2
+ - name: Prepare keys
+ env:
+ CERT: certificate.p12
+ CERT_PASSWORD: ""
+ MY_KEYCHAIN: build.keychain
+ MY_KEYCHAIN_PASSWORD: ${{ secrets.CERTIFICATE_ID }}
+ IDENTITY_CERTIFICATE: "Developer ID Application: Komodor Automation LTD (F584U99DLC)"
+ run: |
+ echo Decode the certificate
+ echo ${{ secrets.CERTIFICATE_BASE64 }} | base64 --decode > $CERT
+ 
+ # default again user login keychain
+ security list-keychains -d user -s login.keychain
+ 
+ # Create temp keychain
+ security create-keychain -p "$MY_KEYCHAIN_PASSWORD" "$MY_KEYCHAIN"
+ 
+ # Append temp keychain to the user domain
+ security list-keychains -d user -s "$MY_KEYCHAIN" $(security list-keychains -d user | sed s/\"//g)
+ 
+ # Remove relock timeout
+ security set-keychain-settings "$MY_KEYCHAIN"
+ 
+ # Unlock keychain
+ security unlock-keychain -p "$MY_KEYCHAIN_PASSWORD" "$MY_KEYCHAIN"
+ 
+ # Add certificate to keychain
+ security import $CERT -k "$MY_KEYCHAIN" -P "$CERT_PASSWORD" -A -T "/usr/bin/codesign"
+ 
+ # Enable codesigning from a non user interactive shell
+ security set-key-partition-list -S apple-tool:,apple:, -t private -s -k "$MY_KEYCHAIN_PASSWORD" -D "${IDENTITY_CERTIFICATE}" "$MY_KEYCHAIN"
+ - name: Dry Run GoReleaser
+ uses: goreleaser/goreleaser-action@v2
+ with:
+ version: latest
+ args: release --config .goreleaser-mac.yml --parallelism 1 --snapshot --clean
+ env:
+ CERTIFICATE_ID: ${{ secrets.CERTIFICATE_ID }}
+ - name: Test Binary is Signed
+ run: |
+ codesign -dv dist/build_macos_darwin_amd64_v1/komocli
+ - uses: actions/upload-artifact@v3
+ with:
+ name: binaries-mac
+ path: dist/
+ retention-days: 1
diff --git a/.github/workflows/release.yaml b/.github/workflows/release.yaml
@@ -11,17 +11,13 @@ jobs:
  steps:
  - name: Checkout
  uses: actions/checkout@v3
- with:
- fetch-depth: 0
 
  release:
  needs: pre_release
  runs-on: ubuntu-latest
  steps:
  - name: Checkout
  uses: actions/checkout@v3
- with:
- fetch-depth: 0
  - name: Set up Go
  uses: actions/setup-go@v3
  with:

diff --git a/.goreleaser-mac.yml b/.goreleaser-mac.yml
@@ -0,0 +1,20 @@
+# .goreleaser.yml
+# Build customization
+builds:
+ - id: build_macos
+ main: ./main.go
+ binary: komocli
+ ldflags: -s -w -X main.version={{.Version}} -X main.commit={{.Commit}} -X main.date={{.Date}}
+ goos:
+ - darwin
+ goarch:
+ - amd64
+ - arm64
+ env:
+ - CGO_ENABLED=0
+ hooks:
+ post:
+ - codesign --keychain build.keychain --sign "{{ .Env.CERTIFICATE_ID }}" "{{ .Path }}"
+archives:
+ - id: komocli
+ format: binary
diff --git a/.goreleaser.yml b/.goreleaser.yml
@@ -1,12 +1,12 @@
 # .goreleaser.yml
 # Build customization
 builds:
- - main: ./main.go
+ - id: build_win_and_linux
+ main: ./main.go
  binary: komocli
  ldflags: -s -w -X main.version={{.Version}} -X main.commit={{.Commit}} -X main.date={{.Date}}
  goos:
  - windows
- - darwin
  - linux
  goarch:
  - amd64
@@ -18,7 +18,4 @@ builds:
  - CGO_ENABLED=0
 archives:
  - id: komocli
- format: tar.gz
- format_overrides:
- - goos: windows
- format: zip
+ format: binary
diff --git a/pkg/portforward/ctl.go b/pkg/portforward/ctl.go
@@ -5,6 +5,7 @@ import (
  "fmt"
  log "github.com/sirupsen/logrus"
  "net"
+ "strings"
  "sync"
  "time"
 )
@@ -60,7 +61,13 @@ func (c *Controller) testConnection(ctx context.Context, initMsg *SessionMessage
  ws := NewWSConnectionWrapper(ctx, nil, c.RemoteSpec.AgentId, c.Token, true, *initMsg, c.timeout)
  err := ws.Run()
  if err != nil {
- log.Warnf("Failed to test port-forward operability: %+v", err)
+ komodorRBACSignature := "you are missing permissions to perform the following action"
+ if strings.Contains(err.Error(), komodorRBACSignature) {
+ log.Warnf("You have no RBAC permissions in Komodor to do port forwarding on this resource")
+ } else {
+ log.Warnf("Failed to test port-forward operability: %+v", err)
+ }
+
  return err
  }