Skip to content

build: sign macos binaries for arm and amd architectures and universal packagings #124

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Merged
zimeg merged 5 commits into from
Jun 11, 2025
Merged

build: sign macos binaries for arm and amd architectures and universal packagings #124

zimeg merged 5 commits into from
Jun 11, 2025

Conversation

@zimeg
Copy link
Member

@zimeg zimeg commented Jun 10, 2025

Summary

This PR attempts to sign all macOS binaries before packaging these into development and latest bundles for a tarball.

Notes

A feature build will be tagged in this PR to test this!

Requirements

@zimeg zimeg added this to the Next Release milestone Jun 10, 2025
@zimeg zimeg self-assigned this Jun 10, 2025
@zimeg zimeg added semver:patch Use on pull requests to describe the release version increment build M-T: Changes to compilation and CI processes labels Jun 10, 2025
@codecov
Copy link

codecov bot commented Jun 10, 2025
edited
Loading

Codecov Report

All modified and coverable lines are covered by tests ✅

Project coverage is 63.48%. Comparing base (c64e342) to head (856b07d).
Report is 1 commits behind head on main.

Additional details and impacted files 
@@           Coverage Diff           @@
##             main     #124   +/-   ##
=======================================
  Coverage   63.48%   63.48%           
=======================================
  Files         212      212           
  Lines       22344    22344           
=======================================
  Hits        14185    14185           
  Misses       7079     7079           
  Partials     1080     1080

☔ View full report in Codecov by Sentry.
📢 Have feedback on the report? Share it here.

🚀 New features to boost your workflow:
  • ❄️ Test Analytics: Detect flaky tests, report on failures, and find test suite problems.

@zimeg zimeg mentioned this pull request Jun 10, 2025
Merged
2 tasks
@zimeg
Copy link
Member Author

zimeg commented Jun 10, 2025

📣 From the logs, these changes appear to be signing darwin builds from zip before packaging things into separate tarballs during archive:

https://github.com/slackapi/slack-cli/releases/tag/v3.3.0-zimeg-build-sign-macos-archs-feature

slack: signed Mach-O universal (x86_64 arm64) [slack]
slack: valid on disk
slack: satisfies its Designated Requirement
slack: signed Mach-O thin (x86_64) [slack]
slack: valid on disk
slack: satisfies its Designated Requirement
slack: replacing existing signature
slack: signed Mach-O thin (arm64) [slack]
slack: valid on disk
slack: satisfies its Designated Requirement

Linked in the release above, downloads can be collected and tested with these commands:

$ curl -fsSL https://downloads.slack-edge.com/slack-cli/install-dev.sh | bash -s -- -v 3.3.0-zimeg-build-sign-macos-archs-feature lack-dev
$ file $(readlink $(which lack-dev))
~/.slack/dev-build/bin/slack: Mach-O universal binary with 2 architectures: [arm64:\012- Mach-O 64-bit arm64 executable, flags:<|DYLDLINK|PIE>] [\012- x86_64]
$ spctl -a -vvv -t install $(which lack-dev)
/usr/local/bin/lack-dev: accepted
source=Notarized Developer ID
origin=Developer ID Application: SLACK TECHNOLOGIES L.L.C. (BQR82RBBHL)

Attempt an installation for the architecture:

$ ./scripts/install-dev.sh -v 3.3.0-zimeg-build-sign-macos-archs-feature lack-dev
$ file $(readlink $(which lack-dev))
~/.slack/dev-build/bin/slack: Mach-O 64-bit arm64 executable, flags:<|DYLDLINK|PIE>
$ spctl -a -vvv -t install $(which lack-dev)
/usr/local/bin/lack-dev: accepted
source=Notarized Developer ID
origin=Developer ID Application: SLACK TECHNOLOGIES L.L.C. (BQR82RBBHL)

Confirm another architecture is signed:

$ curl https://downloads.slack-edge.com/slack-cli/slack_cli_3.3.0-zimeg-build-sign-macos-archs-feature_macOS_amd64.tar.gz > amd64.tar.gz
$ tar -xf amd64.tar.gz
$ file ./bin/slack
./bin/slack: Mach-O 64-bit x86_64 executable, flags:<|DYLDLINK|PIE>
$ spctl -a -vvv -t install ./bin/slack
./bin/slack: accepted
source=Notarized Developer ID
origin=Developer ID Application: SLACK TECHNOLOGIES L.L.C. (BQR82RBBHL)

@zimeg zimeg marked this pull request as ready for review June 10, 2025 20:18
@zimeg zimeg requested a review from a team as a code owner June 10, 2025 20:18
@zimeg
Copy link
Member Author

zimeg commented Jun 10, 2025

🔍 FWIW I noticed the notarization doesn't happen right after the script completes and might take a few minutes.

That was confusing me when testing this, but it resolved after a bit.

mwbrooks
mwbrooks approved these changes Jun 11, 2025
View reviewed changes
Copy link
Member

@mwbrooks mwbrooks left a comment
edited
Loading

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

✅ We have arm support with code signed binaries for tagged releases! 🎉

🧪 I manually downloaded the .zip and .tar.gz files from https://github.com/slackapi/slack-cli/releases/tag/v3.3.0-zimeg-build-sign-macos-archs-feature and verified that all 13 files are code signed using:

$ codesign -dv --verbose=4 ~/Downloads/bin/slack

⚒️ Fantastic work @zimeg! This is very exciting!

.circleci/runner/src/scripts/mac/code-sign.sh
Comment on lines +18 to +28
cd "${ARTIFACTS_DIR}"

for package in "${PROD_NAME}"*macOS_*.zip; do
echo "Signing: ${package}"
unzip "${package}"
codesign --force --deep --verbose --verify --sign "Developer ID Application: SLACK TECHNOLOGIES L.L.C. (BQR82RBBHL)" --options runtime "${PROD_NAME}"
codesign -vvv --deep --strict "${PROD_NAME}"
zip -r "${package}" "${PROD_NAME}"
rm "${PROD_NAME}"
xcrun notarytool submit "${package}" -p "HERMES_NOTARY"
done
Copy link
Member

@mwbrooks mwbrooks Jun 11, 2025

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Nice refactor to use the loop 👌🏻 ✨

Originally, I think this code was meant to stay in-sync with the other mac code sign implementation. But, since we need to use a loop we're naturally going to need to refactor it.

Copy link
Member Author

@zimeg zimeg Jun 11, 2025

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Originally, I think this code was meant to stay in-sync with the other mac code sign implementation.

Ooh I might not be familiar with that implementation, but I'd love to know about it for future reference if possible 🤖

I'm hoping that a loop instead of repeated script lines is more ideal with multiple binaries now needing signed as well!

@zimeg
Copy link
Member Author

zimeg commented Jun 11, 2025

@mwbrooks What a collection of tasks this was with so much learning of our CI setups! I'm glad we're improving this before next release too, so upgrades go smooth. 👾

If more build updates are needed I'll also be sure to make fast fixes, but for now let's merge this so our nightly builds can exercise this 🐮 🚲 🌝

@zimeg zimeg merged commit 41cf0f5 into main Jun 11, 2025
7 checks passed
@zimeg zimeg deleted the zimeg-build-sign-macos-archs branch June 11, 2025 17:26
@zimeg zimeg mentioned this pull request Jun 12, 2025
Merged
2 tasks
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@mwbrooks mwbrooks mwbrooks approved these changes

Assignees

@zimeg zimeg

Labels

build M-T: Changes to compilation and CI processes semver:patch Use on pull requests to describe the release version increment

Projects

None yet

Milestone

v3.4.0

Development

Successfully merging this pull request may close these issues.

3 participants

@zimeg @mwbrooks