sign fleetctl for macOS during releases (#16670)

possible approach to solve #16664 --------- Co-authored-by: Luke Heath <luke@fleetdm.com>
2026-04-21 13:37:30 +00:00 · 2024-04-19 14:36:30 -03:00 · 2024-04-19 14:36:30 -03:00 · d677546e04
commit d677546e04
parent 4bde12e8a5
3 changed files with 65 additions and 0 deletions
--- a/.github/workflows/goreleaser-fleet.yaml
+++ b/.github/workflows/goreleaser-fleet.yaml
@ -58,6 +58,20 @@ jobs:
      - name: Install Go Dependencies
        run: make deps-go

+      - name: Install macOS signing + notarization tools
+        run: |
+          pushd /tmp
+          readonly version="0.27.0"
+          readonly codesign_package="apple-codesign-${version}-x86_64-unknown-linux-musl.tar.gz"
+          curl -O -L "https://github.com/indygreg/apple-platform-rs/releases/download/apple-codesign%2F${version}/${codesign_package}"
+          curl -O -L "https://github.com/indygreg/apple-platform-rs/releases/download/apple-codesign%2F${version}/${codesign_package}.sha256"
+          echo "$(cat $codesign_package.sha256)  $codesign_package" | sha256sum --quiet --strict --check -
+          tar --extract --strip-components 1 --file "$codesign_package"
+          mkdir -p $HOME/.bin
+          mv rcodesign $HOME/.bin/
+          echo "$HOME/.bin" >> $GITHUB_PATH
+          popd
+
      - name: Run GoReleaser
        uses: goreleaser/goreleaser-action@f82d6c1c344bcacabba2c841718984797f664a6b
        with:
@ -67,6 +81,11 @@ jobs:
        env:
          GORELEASER_KEY: ${{ secrets.GORELEASER_KEY }}
          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+          APPLE_APPLICATION_CERTIFICATE: ${{ secrets.APPLE_APPLICATION_CERTIFICATE }}
+          APPLE_APPLICATION_CERTIFICATE_PASSWORD: ${{ secrets.APPLE_APPLICATION_CERTIFICATE_PASSWORD }}
+          APPLE_APP_STORE_CONNECT_KEY: ${{ secrets.APPLE_APP_STORE_CONNECT_KEY }}
+          APPLE_APP_STORE_CONNECT_KEY_ID: ${{ secrets.APPLE_APP_STORE_CONNECT_KEY_ID }}
+          APPLE_APP_STORE_CONNECT_ISSUER_ID: ${{ secrets.APPLE_APP_STORE_CONNECT_ISSUER_ID }}

      - name: Get tag
        run: |
--- a/.goreleaser.yml
+++ b/.goreleaser.yml
@ -79,6 +79,9 @@ universal_binaries:
    ids: [fleetctl-macos] # source binaries
    replace: true
    name_template: fleetctl # resulting binary name
+    hooks:
+      post:
+        - sh -c "FLEETCTL_BINARY_PATH={{ .Path }} ./tools/sign-fleetctl/main.sh"

 archives:
  - id: fleet
--- a/tools/sign-fleetctl/main.sh
+++ b/tools/sign-fleetctl/main.sh
@ -0,0 +1,43 @@
+#!/usr/bin/env bash
+set -eo pipefail
+
+check_env_var() {
+    if [[ -z "${!1}" ]]; then
+        echo "Error: Environment variable $1 not set."
+        exit 1
+    fi
+}
+
+# check required environment variables
+check_env_var "APPLE_APPLICATION_CERTIFICATE"
+check_env_var "APPLE_APPLICATION_CERTIFICATE_PASSWORD"
+check_env_var "APPLE_APP_STORE_CONNECT_KEY"
+check_env_var "APPLE_APP_STORE_CONNECT_KEY_ID"
+check_env_var "APPLE_APP_STORE_CONNECT_ISSUER_ID"
+check_env_var "FLEETCTL_BINARY_PATH"
+
+cleanup() {
+    echo "Cleaning up..."
+    rm -f certificate.p12
+    rm -rf private_keys
+    rm -f fleetctl.zip
+}
+
+# trap EXIT signal to call cleanup function
+trap cleanup EXIT
+
+echo "Signing binary..."
+printf "%s" "$APPLE_APPLICATION_CERTIFICATE" | base64 --decode > certificate.p12
+rcodesign sign --p12-file certificate.p12 \
+               --p12-password "$APPLE_APPLICATION_CERTIFICATE_PASSWORD" \
+               --for-notarization "$FLEETCTL_BINARY_PATH"
+
+echo "Notarizing binary..."
+mkdir -p private_keys
+printf "%s" "$APPLE_APP_STORE_CONNECT_KEY" > "private_keys/AuthKey_$APPLE_APP_STORE_CONNECT_KEY_ID.p8"
+zip fleetctl.zip "$FLEETCTL_BINARY_PATH"
+rcodesign notary-submit \
+          --api-issuer "$APPLE_APP_STORE_CONNECT_ISSUER_ID" \
+          --api-key "$APPLE_APP_STORE_CONNECT_KEY_ID" \
+          --wait --max-wait-seconds 300 fleetctl.zip
+