Merge pull request #12 from gruntwork-io/sign-macos

Add support for signing macOS binaries

Author: josh-padnick

.github/assets/.gon_amd64.hcl

@@ -0,0 +1,19 @@
+# See https://github.com/gruntwork-io/terraform-aws-ci/blob/main/modules/sign-binary-helpers/
+# for further instructions on how to sign the binary + submitting for notarization.
+
+source = ["./bin/runbooks_darwin_amd64"]
+
+bundle_id = "io.gruntwork.app.runbooks"
+
+apple_id {
+  username = "@env:AC_USERNAME"
+}
+
+sign {
+  application_identity = "Developer ID Application: Gruntwork, Inc."
+}
+
+zip {
+  output_path = "runbooks_darwin_amd64.zip"
+}
+

.github/assets/.gon_arm64.hcl

@@ -0,0 +1,18 @@
+# See https://github.com/gruntwork-io/terraform-aws-ci/blob/main/modules/sign-binary-helpers/
+# for further instructions on how to sign the binary + submitting for notarization.
+
+source = ["./bin/runbooks_darwin_arm64"]
+bundle_id = "io.gruntwork.app.runbooks"
+
+apple_id {
+  username = "@env:AC_USERNAME"
+}
+
+sign {
+  application_identity = "Developer ID Application: Gruntwork, Inc."
+}
+
+zip {
+  output_path = "runbooks_darwin_arm64.zip"
+}
+

.github/assets/README.md

@@ -0,0 +1,25 @@
+# GitHub Assets
+
+This directory contains configuration files used in the release and CI/CD workflows.
+
+## Files
+
+### `release-assets-config.json`
+
+Configuration file that defines the release asset matrix for the runbooks binary. It specifies:
+
+- **Platforms**: The target OS/architecture combinations, including which ones require code signing.
+
+- **Archive Formats**: The compression formats used for distribution (e.g. `zip`, `tar.gz`)
+
+- **Additional Files**: Extra files included in releases (e.g., `SHA256SUMS` for checksum verification)
+
+> **Note:** As of Dec 1, 20225, this config is only consumed by the macOS signing workflow (`sign-macos.yml`) to determine which binaries need signing. The build matrix in `release.yml` is maintained separately.
+
+### `.gon_xxx.hcl`
+
+[Gon](https://github.com/mitchellh/gon) configuration file for signing and notarizing the **macOS ARM64** (Apple Silicon) binary. Gon is a tool that automates the Apple code signing and notarization process required for distributing macOS binaries outside the App Store.
+
+## Related
+
+The [lib-release-config.sh](/.github/scripts/release/lib-release-config.sh) script consumes the `release-assets-config.json` file.

.github/assets/release-assets-config.json

@@ -0,0 +1,63 @@
+{
+  "platforms": [
+    {
+      "os": "darwin",
+      "arch": "amd64",
+      "binary": "runbooks_darwin_amd64",
+      "signed": true
+    },
+    {
+      "os": "darwin",
+      "arch": "arm64",
+      "binary": "runbooks_darwin_arm64",
+      "signed": true
+    },
+    {
+      "os": "linux",
+      "arch": "386",
+      "signed": false,
+      "binary": "runbooks_linux_386"
+    },
+    {
+      "os": "linux",
+      "arch": "amd64",
+      "signed": false,
+      "binary": "runbooks_linux_amd64"
+    },
+    {
+      "os": "linux",
+      "arch": "arm64",
+      "signed": false,
+      "binary": "runbooks_linux_arm64"
+    },
+    {
+      "os": "windows",
+      "arch": "386",
+      "signed": false,
+      "binary": "runbooks_windows_386.exe"
+    },
+    {
+      "os": "windows",
+      "arch": "amd64",
+      "signed": false,
+      "binary": "runbooks_windows_amd64.exe"
+    }
+  ],
+  "archive_formats": [
+    {
+      "extension": "zip",
+      "description": "ZIP archive"
+    },
+    {
+      "extension": "tar.gz",
+      "description": "TAR.GZ archive"
+    }
+  ],
+  "additional_files": [
+    {
+      "name": "SHA256SUMS",
+      "description": "Checksums file"
+    }
+  ]
+}
+

.github/scripts/release/lib-release-config.sh

@@ -0,0 +1,90 @@
+#!/bin/bash
+
+# Library script to read release assets configuration
+# Usage: source .github/scripts/release/lib-release-config.sh
+
+readonly RELEASE_CONFIG_FILE=".github/assets/release-assets-config.json"
+
+# Get list of all binary filenames
+get_all_binaries() {
+  jq -r '.platforms[].binary' "$RELEASE_CONFIG_FILE"
+}
+
+# Get list of binaries for a specific OS
+get_binaries_for_os() {
+  local os="$1"
+  jq -r --arg os "$os" '.platforms[] | select(.os == $os) | .binary' "$RELEASE_CONFIG_FILE"
+}
+
+# Get total binary count (computed from platforms array)
+get_binary_count() {
+  jq -r '.platforms | length' "$RELEASE_CONFIG_FILE"
+}
+
+# Get total expected file count (computed: binaries + archives + additional files)
+get_total_file_count() {
+  jq -r '
+    (.platforms | length) as $binaries |
+    (.archive_formats | length) as $formats |
+    (.additional_files | length) as $additional |
+    $binaries + ($binaries * $formats) + $additional
+  ' "$RELEASE_CONFIG_FILE"
+}
+
+# Get list of archive extensions
+get_archive_extensions() {
+  jq -r '.archive_formats[].extension' "$RELEASE_CONFIG_FILE"
+}
+
+# Get list of additional files
+get_additional_files() {
+  jq -r '.additional_files[].name' "$RELEASE_CONFIG_FILE"
+}
+
+# Generate expected files list (for verification)
+get_all_expected_files() {
+  local binaries archive_ext additional
+
+  # Get binaries
+  binaries=$(get_all_binaries)
+
+  # Generate list: binaries + archives + additional files
+  echo "$binaries"
+
+  # Add archives for each binary
+  for binary in $binaries; do
+    while IFS= read -r ext; do
+      echo "${binary}.${ext}"
+    done < <(get_archive_extensions)
+  done
+
+  # Add additional files
+  get_additional_files
+}
+
+# Get platform info as JSON for a specific binary
+get_platform_info() {
+  local binary="$1"
+  jq --arg binary "$binary" '.platforms[] | select(.binary == $binary)' "$RELEASE_CONFIG_FILE"
+}
+
+# Generate markdown table rows for summary
+generate_platform_table_rows() {
+  jq -r '.platforms[] | "| \(.os | ascii_downcase) | \(.arch) | \(if .signed then "Yes" else "No" end) | Uploaded |"' "$RELEASE_CONFIG_FILE" |
+  awk '{
+    # Capitalize first letter of OS
+    if ($2 == "darwin") $2 = "macOS"
+    else if ($2 == "linux") $2 = "Linux"
+    else if ($2 == "windows") $2 = "Windows"
+    print
+  }'
+}
+
+# Check if config file exists
+verify_config_file() {
+  if [[ ! -f "$RELEASE_CONFIG_FILE" ]]; then
+    echo "ERROR: Release config file not found: $RELEASE_CONFIG_FILE" >&2
+    return 1
+  fi
+}
+

.github/scripts/release/macos/import-cert.sh

@@ -0,0 +1,118 @@
+#!/bin/bash
+
+set -e
+
+################################################################################
+# Script: import-cert.sh
+# Description: Imports the macOS developer certificate into the system keychain.
+#              Creates a temporary keychain, imports the P12 certificate, and
+#              downloads the Apple root certificate for validation. This is a
+#              one-time setup step before signing binaries.
+#
+# Usage: import-cert.sh [--macos-skip-root-certificate]
+#
+# Required Environment Variables:
+#   MACOS_CERTIFICATE: macOS developer certificate in P12 format (base64 encoded)
+#   MACOS_CERTIFICATE_PASSWORD: macOS certificate password
+#
+# Optional Arguments:
+#   --macos-skip-root-certificate: Skip importing Apple Root certificate
+################################################################################
+
+# Apple certificate used to validate developer certificates https://www.apple.com/certificateauthority/
+readonly APPLE_ROOT_CERTIFICATE="http://certs.apple.com/devidg2.der"
+
+function print_usage {
+  echo
+  echo "Usage: $0 [OPTIONS]"
+  echo
+  echo "Required Environment Variables:"
+  echo -e "  MACOS_CERTIFICATE\t\tmacOS developer certificate in P12 format, encoded in base64."
+  echo -e "  MACOS_CERTIFICATE_PASSWORD\tmacOS certificate password"
+  echo
+  echo "Optional Arguments:"
+  echo -e "  --macos-skip-root-certificate\t\tSkip importing Apple Root certificate. Useful when running in already configured environment."
+  echo -e "  --help\t\t\t\tShow this help text and exit."
+}
+
+function main {
+  local mac_skip_root_certificate=""
+
+  while [[ $# -gt 0 ]]; do
+    local key="$1"
+    case "$key" in
+      --macos-skip-root-certificate)
+        mac_skip_root_certificate=true
+        shift
+        ;;
+      --help)
+        print_usage
+        exit
+        ;;
+      -* )
+        echo "ERROR: Unrecognized argument: $key"
+        print_usage
+        exit 1
+        ;;
+      * )
+        echo "ERROR: Unexpected positional argument: $1"
+        print_usage
+        exit 1
+        ;;
+    esac
+  done
+
+  ensure_macos
+  import_certificate_mac "${mac_skip_root_certificate}"
+}
+
+function ensure_macos {
+  if [[ $OSTYPE != 'darwin'* ]]; then
+    echo -e "Certificate import is supported only on macOS"
+    exit 1
+  fi
+}
+
+function import_certificate_mac {
+  local -r mac_skip_root_certificate="$1"
+  assert_env_var_not_empty "MACOS_CERTIFICATE"
+  assert_env_var_not_empty "MACOS_CERTIFICATE_PASSWORD"
+
+  local mac_certificate_pwd="${MACOS_CERTIFICATE_PASSWORD}"
+  local keystore_pw="${RANDOM}"
+
+  # Create separated keychain file to store certificate and do quick cleanup of sensitive data
+  local db_file
+  db_file=$(mktemp "/tmp/XXXXXX-keychain")
+  rm -rf "${db_file}"
+  echo "Creating separated keychain for certificate"
+  security create-keychain -p "${keystore_pw}" "${db_file}"
+  security default-keychain -s "${db_file}"
+  security unlock-keychain -p "${keystore_pw}" "${db_file}"
+  echo "${MACOS_CERTIFICATE}" | base64 -d | security import /dev/stdin -f pkcs12 -k "${db_file}" -P "${mac_certificate_pwd}" -T /usr/bin/codesign
+  if [[ "${mac_skip_root_certificate}" == "" ]]; then
+    # Download Apple root certificate used as root for developer certificate
+    curl -v "${APPLE_ROOT_CERTIFICATE}" --output certificate.der
+    sudo security add-trusted-cert -d -r trustRoot -k /Library/Keychains/System.keychain certificate.der
+  fi
+  security set-key-partition-list -S apple-tool:,apple:,codesign: -s -k "${keystore_pw}" "${db_file}"
+  
+  echo "Certificate imported successfully"
+  
+  # NOTE: Do NOT add a trap to clean up the keychain here!
+  # The keychain must persist for sign.sh to use it.
+  # Cleanup is handled by sign-and-verify-binaries.sh after signing is complete.
+}
+
+function assert_env_var_not_empty {
+  local -r var_name="$1"
+  local -r var_value="${!var_name}"
+
+  if [[ -z "$var_value" ]]; then
+    echo "ERROR: Required environment variable $var_name not set."
+    exit 1
+  fi
+}
+
+main "$@"
+