try sign

nicholascioli · nicholascioli · commit db4eeaed801d · 2025-05-13T15:32:06.000-04:00
diff --git a/.github/workflows/release-bins.yml b/.github/workflows/release-bins.yml
@@ -13,15 +13,28 @@ jobs:
           # Linux compiles itself
           - os: ubuntu-24.04
             bundle: linux
+            targets: |
+              cross-aarch64-unknown-linux-gnu
+              cross-aarch64-unknown-linux-musl
+              cross-x86_64-unknown-linux-gnu
+              cross-x86_64-unknown-linux-musl
 
           # We can compile the windows target from linux
           - os: ubuntu-24.04
             bundle: windows
+            targets: |
+              cross-aarch64-pc-windows-gnullvm
+              cross-x86_64-pc-windows-gnullvm
 
           # Apple SDK does not allow us to cross compile from non-apple-branded
           # machines, so we run that bundle on a macOS runner
-          - os: macos-latest
+          # Note: We use macos-13 here since it is the latest version that runs
+          # on an x86_64-apple-darwin machine
+          - os: macos-13
             bundle: darwin
+            targets: |
+              cross-aarch64-apple-darwin
+              default
     runs-on: ${{ matrix.os }}
     permissions:
       contents: write
@@ -47,7 +60,133 @@ jobs:
           gc-max-store-size: 5G
 
       - name: Build binaries
-        run: nix build .#${{ matrix.bundle }}-release-bundle
+        run: |
+          mkdir release
+          for BUILD_TARGET in "${{ matrix.targets }}"; do
+            # Hack for x86_64-apple-darwin since it doesn't yet work with cross compilation
+            if [ "$BUILD_TARGET" == "default" ]; then
+              TARGET="x86_64-apple-darwin"
+            else
+              TARGET=${BUILD_TARGET#"cross-"}
+            fi
+
+            echo "Scaffolding release for $TARGET..."
+            mkdir -p "release/$TARGET/dist"
+            cp README.md LICENSE "release/$TARGET/dist"
+
+            echo "Building release for $TARGET..."
+            nix build .#$TARGET
+            cp result/bin/* "release/$TARGET/dist/"
+          done
+
+      - name: Sign Apple Binary
+        if: ${{ runner.os == 'macOS' }}
+        env:
+          MACOS_CERT_BUNDLE_PASSWORD: ${{ secrets.MACOS_CERT_BUNDLE_PASSWORD }}
+          MACOS_CERT_BUNDLE_BASE64: ${{ secrets.MACOS_CERT_BUNDLE_BASE64 }}
+          MACOS_KEYCHAIN_PASSWORD: ${{ secrets.MACOS_KEYCHAIN_PASSWORD }}
+
+          APPLE_NOTARIZATION_PASSWORD: ${{ secrets.APPLE_NOTARIZATION_PASSWORD }}
+          APPLE_TEAM_ID: ${{ secrets.APPLE_TEAM_ID }}
+          APPLE_USERNAME: ${{ secrets.APPLE_USERNAME }}
+
+          KEYCHAIN_NAME: "apollo-mcp-server-keychain"
+          ENTITLEMENTS_PATH: "macos-entitlements.plist"
+          VERSION: ${{ github.ref }}
+        run: |
+          echo "Pre-check: Valid Codesigning Identify"
+          security find-identity -v -p codesigning
+          echo "Pre-check: Codesigning Identify"
+          security find-identity -p codesigning
+          echo "Pre-check: Any Identify"
+          security find-identity
+
+          echo "|||||||||||||||||||||||||||||||||||||||||||||"
+
+          # Create a temporary keychain
+          EPHEMERAL_KEYCHAIN=`mktemp`
+
+          echo "Creating keychain..."
+          security create-keychain -p "${MACOS_KEYCHAIN_PASSWORD}" $KEYCHAIN_NAME
+          echo "Removing relock timeout on keychain..."
+          security set-keychain-settings $KEYCHAIN_NAME
+
+          echo "Decoding certificate bundle..."
+          echo "${MACOS_CERT_BUNDLE_BASE64}" | base64 --decode > $EPHEMERAL_KEYCHAIN/certificate.p12
+
+          echo "Importing codesigning certificate to build keychain..."
+          security import $EPHEMERAL_KEYCHAIN/certificate.p12 -k $KEYCHAIN_NAME -P "${MACOS_CERT_BUNDLE_PASSWORD}" -T /usr/bin/codesign
+
+          echo "Adding the codesign tool to the security partition-list..."
+          security set-key-partition-list -S "apple-tool:,apple:,codesign:" -s -k "${MACOS_KEYCHAIN_PASSWORD}" $KEYCHAIN_NAME
+
+          echo "Setting default keychain..."
+          security default-keychain -d user -s $KEYCHAIN_NAME
+
+          echo "Unlocking keychain..."
+          security unlock-keychain -p "${MACOS_KEYCHAIN_PASSWORD}" $KEYCHAIN_NAME
+
+          echo "Verifying keychain is set up correctly..."
+          security find-identity -v -p codesigning
+
+          echo "|||||||||||||||||||||||||||||||||||||||||||||"
+
+          echo "Post-check: Valid Codesigning Identify"
+          security find-identity -v -p codesigning
+          echo "Post-check: Codesigning Identify"
+          security find-identity -p codesigning
+          echo "Post-check: Any Identify"
+          security find-identity
+
+          echo "|||||||||||||||||||||||||||||||||||||||||||||"
+          # Sign each binary
+          for RELEASE in release/*/; do
+            RELEASE=${RELEASE%/}
+            RELEASE=${RELEASE#"release/"}
+
+            BINARY_PATH="release/$RELEASE/dist/apollo-mcp-server"
+            echo "Starting code signing for $RELEASE..."
+
+            echo "> Signing code (step 1)..."
+            codesign --sign "$APPLE_TEAM_ID" --options runtime --entitlements $ENTITLEMENTS_PATH --force --timestamp "$BINARY_PATH" -v
+
+            echo "> Signing code (step 2)..."
+            codesign -vvv --deep --strict "$BINARY_PATH"
+
+            echo "> Zipping dist..."
+            TMP_DIST=`mktemp`
+            mkdir $TMP_DIST/dist
+            cp "$BINARY_PATH" "$TMP_DIST/dist/"
+            zip -r "$TMP_DIST/apollo-mcp-server-$VERSION.zip" "$TMP_DIST/dist"
+
+            echo "> Beginning notarization process (might take up to 20m)..."
+            xcrun notarytool submit "$TMP_DIST/apollo-mcp-server-$VERSION.zip" \
+              --apple-id "$APPLE_USERNAME" \
+              --password "$APPLE_NOTARIZATION_PASSWORD" \
+              --team-id "$APPLE_TEAM_ID" \
+              --wait \
+              --timeout 20m
+
+            echo "> Cleaning up release..."
+            rm -rf $TMP_DIST
+          done
+
+          echo "Cleaning up ephemeral keychain..."
+          rm -rf $EPHEMERAL_KEYCHAIN/
+
+      - name: Create release bundles
+        env:
+          VERSION: ${{ github.ref }}
+        run: |
+          mkdir artifacts
+          for RELEASE in release/*/; do
+            # Remove trailing slash and leading parent
+            RELEASE=${RELEASE%/}
+            RELEASE=${RELEASE#"release/"}
+
+            echo "Creating an artifact for $RELEASE"
+            tar -C release/$RELEASE -cf - dist/ | gzip -9 > artifacts/apollo-mcp-server-$VERSION-$RELEASE.tar.gz
+          done
 
       - name: Upload release artifacts
         uses: softprops/action-gh-release@v2
diff --git a/flake.nix b/flake.nix
@@ -46,28 +46,6 @@
         inherit crane;
         toolchain = nativeToolchain;
       };
-      mkReleaseBundle = platform: targets: let
-        bundleToolchain = p:
-          p.rust-bin.stable.latest.minimal.override {
-            inherit targets;
-          };
-        apollo-mcp-cross = unstable-pkgs.callPackage ./nix/apollo-mcp.nix {
-          inherit crane;
-          toolchain = bundleToolchain;
-        };
-      in
-        unstable-pkgs.symlinkJoin {
-          name = "${platform}-release-bundle";
-          paths = builtins.map (target: let
-            bins = apollo-mcp-cross.packages.builder target;
-          in
-            pkgs.runCommandLocal "${target}-bins" {} ''
-              mkdir -p $out
-              cd ${bins}/bin
-              ${pkgs.gnutar}/bin/tar -cf - ./* | ${pkgs.gzip}/bin/gzip -9 > $out/apollo-mcp-v${bins.version}-${target}.tar.gz
-            '')
-          targets;
-        };
 
       # Supporting tools
       mcphost = pkgs.callPackage ./nix/mcphost.nix {};
@@ -114,29 +92,45 @@
         }
         // apollo-mcp-builder.checks;
 
-      packages = rec {
-        inherit (garbageCollector) saveFromGC;
-
-        default = apollo-mcp;
-        apollo-mcp = apollo-mcp-builder.packages.apollo-mcp;
-
-        # Release bundles for each supported platform
-        # TODO: x86_64-apple-darwin causes a zig issue and needs an upstream fix
-        darwin-release-bundle = mkReleaseBundle "darwin" [
-          "aarch64-apple-darwin"
-          # "x86_64-apple-darwin"
-        ];
-        linux-release-bundle = mkReleaseBundle "linux" [
-          "aarch64-unknown-linux-gnu"
-          "aarch64-unknown-linux-musl"
-          "x86_64-unknown-linux-gnu"
-          "x86_64-unknown-linux-musl"
-        ];
-        windows-release-bundle = mkReleaseBundle "windows" [
-          "aarch64-pc-windows-gnullvm"
-          "x86_64-pc-windows-gnullvm"
-        ];
-      };
+      packages = let
+        # Cross targets for supported architectures
+        cross = let
+          # Note: x86_64-apple-darwin doesn't yet work with zig due to an upstream bug
+          supportedTargets = [
+            "aarch64-apple-darwin"
+            "aarch64-pc-windows-gnullvm"
+            "aarch64-unknown-linux-gnu"
+            "aarch64-unknown-linux-musl"
+            "x86_64-pc-windows-gnullvm"
+            "x86_64-unknown-linux-gnu"
+            "x86_64-unknown-linux-musl"
+          ];
+
+          crossBuild = target: let
+            crossToolchain = p:
+              p.rust-bin.stable.latest.minimal.override {
+                targets = [target];
+              };
+            apollo-mcp-cross = unstable-pkgs.callPackage ./nix/apollo-mcp.nix {
+              inherit crane;
+              toolchain = crossToolchain;
+            };
+          in
+            apollo-mcp-cross.packages.builder target;
+        in
+          builtins.listToAttrs (builtins.map (target: {
+              name = "cross-${target}";
+              value = crossBuild target;
+            })
+            supportedTargets);
+      in
+        rec {
+          inherit (garbageCollector) saveFromGC;
+
+          default = apollo-mcp;
+          apollo-mcp = apollo-mcp-builder.packages.apollo-mcp;
+        }
+        // cross;
 
       # TODO: This does not work on macOS without cross compiling, so maybe
       # we need to disable flake-utils and manually specify the supported
