Setup Notarization Pipeline (#54)

* setup KeyChain

* setup Notarization

* Remove custom name template in archives for consistency and skip snap publishing

---------

Co-authored-by: João Palet <joao.palet@outlook.com>

Author: HaiberL

.github/workflows/release.yaml

@@ -16,7 +16,7 @@ permissions:
 
 jobs:
   goreleaser:
-    runs-on: ubuntu-latest
+    runs-on: macOS-latest
     env:
       SNAPCRAFT_STORE_CREDENTIALS: ${{ secrets.SNAPCRAFT_TOKEN }}
     steps:
@@ -34,6 +34,24 @@ jobs:
         with:
           gpg_private_key: ${{ secrets.GPG_PRIVATE_KEY }}
           passphrase: ${{ secrets.GPG_PASSPHRASE }}
+      - name: Set up keychain
+        run: |
+          echo -n $SIGNING_CERTIFICATE_BASE64 | base64 -d -o ./ApplicationID.p12
+          KEYCHAIN_PATH=$RUNNER_TEMP/ios_signing_temp.keychain-db
+          security create-keychain -p  "${{ secrets.TEMP_KEYCHAIN }}" $KEYCHAIN_PATH
+          security default-keychain -s $KEYCHAIN_PATH
+          security unlock-keychain -p "${{ secrets.TEMP_KEYCHAIN }}" $KEYCHAIN_PATH
+          security import ./ApplicationID.p12 -P "${{ secrets.APPLICATION_ID }}" -A -t cert -f pkcs12 -k $KEYCHAIN_PATH
+          security list-keychain -d user -s $KEYCHAIN_PATH
+          echo -n $AUTHKEY_BASE64 | base64 -d -o ./AuthKey.p8
+          xcrun notarytool store-credentials stackit-cli -i $APPLE_ISSUER -d $APPLE_KEY_ID -k AuthKey.p8 --keychain $KEYCHAIN_PATH
+          rm ./ApplicationID.p12
+          rm ./AuthKey.p8
+        env:
+          APPLE_ISSUER: ${{ secrets.APPLE_ISSUER }}
+          APPLE_KEY_ID: ${{ secrets.APPLE_KEY_ID }}
+          SIGNING_CERTIFICATE_BASE64: ${{ secrets.APPLICATION_ID_CERT }}
+          AUTHKEY_BASE64: ${{ secrets.APPLE_API_KEY }}
       - name: Install Snapcraft
         uses: samuelmeuli/action-snapcraft@v2
       - name: Run GoReleaser

.goreleaser.yaml

@@ -20,20 +20,30 @@ builds:
   - id: macos-builds
     env:
       - CGO_ENABLED=0
+      - BUNDLE_ID=cloud.stackit.cli
+      - 'APPLE_APPLICATION_IDENTITY=Developer ID Application: Schwarz IT KG'
     goos:
       - darwin
     binary: "stackit"
+    goarch:
+      - arm64
+      - amd64
+    hooks:
+      post:
+        - |
+          sh -c '
+          codesign -s "{{.Env.APPLE_APPLICATION_IDENTITY}}" -f -v --options=runtime "dist/macos-builds_{{.Target}}/{{.Name}}"
+          codesign -vvv --deep --strict "dist/macos-builds_{{.Target}}/{{.Name}}"
+          ls -l "dist/macos_{{.Target}}"
+          hdiutil create -volname "STACKIT-CLI" -srcfolder "dist/macos-builds_{{.Target}}/{{.Name}}" -ov -format UDZO "dist/{{ .ProjectName }}_{{ .Version }}_{{ .Os }}_{{ .Arch }}.dmg"
+          codesign -s "{{.Env.APPLE_APPLICATION_IDENTITY}}" -f -v --options=runtime "dist/{{ .ProjectName }}_{{ .Version }}_{{ .Os }}_{{ .Arch }}.dmg"
+          xcrun notarytool submit --keychain-profile "stackit-cli" --wait --progress dist/{{ .ProjectName }}_{{ .Version }}_{{ .Os }}_{{ .Arch }}.dmg
+          xcrun stapler staple "dist/{{ .ProjectName }}_{{ .Version }}_{{ .Os }}_{{ .Arch }}.dmg"
+          spctl -a -t open --context context:primary-signature -v dist/{{ .ProjectName }}_{{ .Version }}_{{ .Os }}_{{ .Arch }}.dmg
+          '
 
 archives:
   - format: tar.gz
-    # This name template makes the OS and Arch compatible with the results of `uname`
-    name_template: >-
-      {{ .ProjectName }}_
-      {{- title .Os }}_
-      {{- if eq .Arch "amd64" }}x86_64
-      {{- else if eq .Arch "386" }}i386
-      {{- else }}{{ .Arch }}{{ end }}
-      {{- if .Arm }}v{{ .Arm }}{{ end }}
     format_overrides:
       - goos: windows
         format: zip
@@ -95,3 +105,5 @@ snapcrafts:
     license: Apache-2.0
     # Will only publish to `edge` and `beta` channels 
     grade: devel
+    # Skip publishing until we get approval for used interfaces or classic confinement
+    publish: false