-
Notifications
You must be signed in to change notification settings - Fork 5.3k
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Add macOS pkg installer to deployment (#7554) #7555
Conversation
paulober
commented
Jun 8, 2023
- Fixes Add macOS pkg installer #7554
3abfe1a
to
a2e6927
Compare
See the connected issue for more details on the implementation |
a2e6927
to
f1c3534
Compare
@vilmibm @williammartin Any updates on this? |
Will my work now finally after nearly one year be accepted and merged, or should i just delete it and distribute a gh pkg for macOS on my own? (You are currently maintaining 12 artifacts for linux with 3 different packages per one of the 4 supported architectures. |
@andyfeller Hi, if you find some time may you review this PR for merging please? |
@paulober : 🫡 Firstly, let me say thank you for putting the time and effort into this as well as your patience given the impact attrition has taken on the team over the past year. I'm blocking off time first thing tomorrow morning to review this. Not having a background with |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
@paulober : again thanks for your patience especially as my background in packaging is predominantly OSS with RPMs and DEBs.
few minor nits and some honest questions I'd appreciate your thoughts on while running down hubbers on GitHub Desktop and Mobile to understand these changes in context to those product lines. additionally, I still want to ensure the CLI team has an opportunity to review these.
build/macOS/distribution.xml
Outdated
@@ -0,0 +1,19 @@ | |||
<?xml version="1.0" encoding="utf-8" standalone="yes"?> | |||
<installer-gui-script minSpecVersion="1"> |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
For documentation on this file, see Apple Distribution Definition reference
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Right, i think we can change the minSpecVersion to 2
. But i'll check that first.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Just to be clear, I'm mostly adding reference comments because completely unfamiliar with the spec and I use comments like sticky notes for myself 😅
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
oh, sorry. didn't know that.
<title>Github Cli</title> | ||
<license file="LICENSE" mime-type="text/plain"/> | ||
<options hostArchitectures="arm64,x86_64" customize="never" require-scripts="false" allow-external-scripts="false"/> | ||
<domains enable_localSystem="true"/> |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Should GitHub CLI be system-wide, per-user, or can be anywhere?
GitHub Desktop zips up the application and on start up will ask the user if they want to move it from Downloads (in my case) to Applications.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
@williammartin : would appreciate your 2 cents here as brew
installs packages such that any user on the workstation can add /opt/homebrew
to their path where the configuration is per user.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I think I'd be inclined to say /usr/local/bin
. When I look at the contents of my /usr/local/bin
it feels like a familiar idea. Homebrew seems to have a variety of reasons relating to Apple Silicon to use /opt/homebrew
.
I would anticipate the vast majority of users:
- Don't feel the need to use amd64 and arm versions of
gh
- Have a single user account on their personal machine
So I think I would suggest we sidestep that mess and install into /usr/local/bin
, knowing that it's on the path already.
What do you think?
build/macOS/distribution.xml
Outdated
<pkg-ref id="com.github.cli.pkg" auth="Root" packageIdentifier="com.github.cli"> | ||
<bundle-version/> | ||
</pkg-ref> |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
What is the impact of this being empty versus being managed from package data?
Defines the version of the bundles delivered by the parent element. You do not typically specify this element;
productbuild
inserts it from the actual package data when the product archive is created.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I just checked the code i wrote one year ago and removed some of this xml as it's not needed.
The pkg-ref bundle-version part is generated by productbuild and it also uses this empty bundle-version as the real version can be looked up by installer
in the included pkg or the generated named version property on pkg-ref.
script/pkgmacos
Outdated
cp "LICENSE" "build/macOS/resources" | ||
touch .gi | ||
|
||
# build distribution |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
For information on productbuild, see Apple "Packaging Mac software for distribution"
script/pkgmacos
Outdated
while [ $# -gt 0 ]; do | ||
case "$1" in | ||
-h | --help ) | ||
print_help | ||
exit 0 | ||
;; | ||
-* ) | ||
printf "unrecognized flag: %s\n" "$1" >&2 | ||
exit 1 | ||
;; | ||
* ) | ||
tag_name="$1" | ||
shift 1 | ||
;; | ||
esac | ||
done |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Are there any conditions we should short circuit running this script?
- Running it on unsupported OS
- If
pkgbuild
orproductbuild
aren't installed - ...
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Not really required but it's better.
I adopted your suggested requirements and as unsupported OS i set all macOS versions prior to macOS 12 (Monterey).
For Linux it's not accounted for as it would exit with code 127 at the start anyways as sw_vers
is not available on Linux.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Do you think that's sufficient for this build script or should i also write a safe fail for Linux?
Thanks for taking the time to review. I'll address all comments. |
Co-authored-by: Andy Feller <andyfeller@github.com>
The only product tangentially relevant to GitHub that built |
Co-authored-by: Andy Feller <andyfeller@github.com>
Thanks for taking the time to bring the PR of the finish line. Lets see how it works with the next release. I also though about maybe adding a second install script that removes old gh man pages in case some get removed with a new release they wouldn't remain on the users disk if they upgrade with a new pkg... |
Unfortunately this broke the release: https://github.com/cli/cli/actions/runs/9272921562/job/25511828490 Looking into it now but if you have any idea that would be great, thanks. |
I see in #7555 (comment) the example command and the new makefile target build |
And I think we don't have completions because they are only build on Line 13 in f1dedc9
I think they are only built on linux because they are only packaged up inside the Lines 93 to 98 in f1dedc9
Perhaps this is as simple as changing that conditional so that they are also produced on |
Created #9136 which I believe fixes this. |
Oh right, i guess that's why i originally added: #7555 (comment) |
Sorry, shouldn't have removed it. |
No worries, Workflows mostly being collections of cobbled together scripts makes things extremely challenging to write and review. I'm not at all surprised we missed something. |
It looks like we built the pkg successfully but we failed to sign it: https://github.com/cli/cli/actions/runs/9284093254/job/25545720127#step:9:11 Looking at the workflow we expect something called cli/.github/workflows/deployment.yml Line 122 in 3620e79
Is it supposed to be |
No, because to sign installers you need a special purpose certificate from Apple. In the portal where you also created your APPLE_DEVELOPER_ID certificate you can create a new one for installer signing. It should start with |
Thanks. Because Apple enforce a limit of 5 certificates, the CLI team does not own or manage them. If this is a different certificate as you say, I don't think it's likely this will be resolved today. We may have to either revert this or release without it being signed in the interim. Will look into this now but I suspect the people with the answer are in the US timezone. |
Ok understand. Not sure what you mean with a limit of 5 certificate. I have about 15 active. Alternatively i could offer to sign the first release manually with my Developer ID Installer certificate or we release it unsigned (maybe with a little note in the release). |
Well, the limit is documented here and that is what has been communicated to our team. I think it would be better to release unsigned than signed by your personal cert, thanks. Unsigned may be acceptable as an MVP that we improve. The binaries themselves weren't signed from the beginning either. I'll discuss with @andyfeller when he comes online. |
Oh right, didn't know that. |
And as you can see from https://github.blog/2023-01-30-action-needed-for-github-desktop-and-atom-users/, we really, really want to take care of these limited certs 😬 |
@paulober when you sign your binaries, how do you ensure that the certificate is in the keychain and accessible. For example, my understanding of our release process is that we import the certificate used for signing and then later when we I believe the same is true for cli/.github/workflows/deployment.yml Lines 91 to 92 in 3620e79
|
If I sign from terminal manually i normally install the certificate via drag and drop. (not applicable here) It should not be the same as the Developer ID Installer and Developer ID Application are different certificates with different "permissions" (though i never tried signing a binary with a Developer ID Installer certificate). |
Thanks. I think we're in shared understanding. I also believe we need another cert and we need to load it into the keychain.
Yeh I'm not sure about that either. The docs for
Which doesn't indicate the need for |
Agreed 😞 Relevant docs: Apple "Packaging Mac Software for distribution > Build an Installer package":
Additional doc on Creating Developer ID certificates |
Some answers in here indicate that |
@paulober when you say:
When getting certificates now we noticed on the Apple developer website and the docs there was a difference between |
Strange, i'm sill looking for a documentation about where to find these partitions and which are required for which usecase/tools. |
I'm not sure if i understand you question correctly. But I guess you where asking about the differences between these two certificates in our case: So you would need to create a csr and upload it to apple dev center and request a Developer ID Installer which you can then inject like the code-signing certificate into the action. |
Ah not quite. I was referring to the fact there are two different identities that can be used to sign From the docs:
These are both separate from |
Oh, yes, I might overlooked that one. So for my understanding the Installer Distribution one is not that restricted because Apple can take a look at the software before it is distributed to the end user. Whereas a Developer ID Installer certificate gives you much higher responsibility. And by "about 15 certificates" I meant the amount of all certificates across all types as i though you meant this limit. |
[![Mend Renovate](https://app.renovatebot.com/images/banner.svg)](https://renovatebot.com) This PR contains the following updates: | Package | Update | Change | |---|---|---| | [cli/cli](https://togithub.com/cli/cli) | minor | `v2.49.2` -> `v2.50.0` | --- ### Release Notes <details> <summary>cli/cli (cli/cli)</summary> ### [`v2.50.0`](https://togithub.com/cli/cli/releases/tag/v2.50.0): GitHub CLI 2.50.0 [Compare Source](https://togithub.com/cli/cli/compare/v2.49.2...v2.50.0) #### What's Changed - Refactor git credential flow code by [@​williammartin](https://togithub.com/williammartin) in [cli/cli#9089 - feat: add json output for `gh pr checks` by [@​nobe4](https://togithub.com/nobe4) in [cli/cli#9079 - Rework first auth tests with new gitcredential abstractions by [@​williammartin](https://togithub.com/williammartin) in [cli/cli#9095 - list the various alias permutations for the command and subcommands, via '--help' and 'gh reference' by [@​gabemontero](https://togithub.com/gabemontero) in [cli/cli#8824 - Removed tty message when checking for extension upgrades by [@​leevic31](https://togithub.com/leevic31) in [cli/cli#9088 - Fix doc bug for gh run watch by [@​jasonodonnell](https://togithub.com/jasonodonnell) in [cli/cli#9052 - feat: add support for stateReason in `gh pr view` by [@​nobe4](https://togithub.com/nobe4) in [cli/cli#9080 - fix: rename the `Attempts` field to `Attempt`; expose in `gh run view` and `gh run ls` by [@​cawfeecake](https://togithub.com/cawfeecake) in [cli/cli#8905 - Update regex in changedFilesNames to handle quoted paths by [@​anda3](https://togithub.com/anda3) in [cli/cli#9115 - Add a `gh variable get FOO` command by [@​arnested](https://togithub.com/arnested) in [cli/cli#9106 - Add macOS pkg installer to deployment ([#​7554](https://togithub.com/cli/cli/issues/7554)) by [@​paulober](https://togithub.com/paulober) in [cli/cli#7555 - Add integration tests for `gh attestation verify` shared workflow use case by [@​malancas](https://togithub.com/malancas) in [cli/cli#9107 - Add build provenance for gh CLI releases by [@​malancas](https://togithub.com/malancas) in [cli/cli#9087 - build(deps): bump github.com/gabriel-vasile/mimetype from 1.4.3 to 1.4.4 by [@​dependabot](https://togithub.com/dependabot) in [cli/cli#9124 - Build completions during release on macos by [@​williammartin](https://togithub.com/williammartin) in [cli/cli#9136 - Clarify Mac OS Installer packages are unsigned by [@​andyfeller](https://togithub.com/andyfeller) in [cli/cli#9140 #### New Contributors - [@​gabemontero](https://togithub.com/gabemontero) made their first contribution in [cli/cli#8824 - [@​jasonodonnell](https://togithub.com/jasonodonnell) made their first contribution in [cli/cli#9052 - [@​anda3](https://togithub.com/anda3) made their first contribution in [cli/cli#9115 - [@​arnested](https://togithub.com/arnested) made their first contribution in [cli/cli#9106 - [@​paulober](https://togithub.com/paulober) made their first contribution in [cli/cli#7555 **Full Changelog**: cli/cli@v2.49.2...v2.50.0 </details> --- ### Configuration 📅 **Schedule**: Branch creation - At any time (no schedule defined), Automerge - At any time (no schedule defined). 🚦 **Automerge**: Disabled by config. Please merge this manually once you are satisfied. ♻ **Rebasing**: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox. 🔕 **Ignore**: Close this PR and you won't be reminded about this update again. --- - [ ] <!-- rebase-check -->If you want to rebase/retry this PR, check this box --- This PR has been generated by [Mend Renovate](https://www.mend.io/free-developer-tools/renovate/). View repository job log [here](https://developer.mend.io/github/izumin5210/dotfiles). <!--renovate-debug:eyJjcmVhdGVkSW5WZXIiOiIzNy4zNzcuOCIsInVwZGF0ZWRJblZlciI6IjM3LjM3Ny44IiwidGFyZ2V0QnJhbmNoIjoibWFpbiIsImxhYmVscyI6W119--> --------- Co-authored-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com> Co-authored-by: izumin5210-update-aqua-checksum[bot] <169593670+izumin5210-update-aqua-checksum[bot]@users.noreply.github.com>