
Conversation

@UlisesGascon

Main Changes

Use an OSX Keychain profile to retrieve the secrets in order to do the notarization with Notarytool.

cc: @nodejs/build @nodejs/releasers

Context

Notes

You can find more information in this amazing article https://tonygo.ghost.io/notarization-for-macos-app-with-notarytool/ by @tony-go and this comment: #48701 (comment)

Test

This was tested in the iojs+release-ulises-experimental pipeline in the Jenkins CI release.

Full log available here

20:05:51 sh tools/osx-notarize.sh v22.0.0-test202311136410f3bf0d
20:05:51 Notarization process is done with Notarytool.
20:05:51 Submitting node-v22.0.0-test202311136410f3bf0d.pkg for notarization...
20:05:51 Conducting pre-submission checks for node-v22.0.0-test202311136410f3bf0d.pkg and initiating connection to the Apple notary service...
20:05:52 Submission ID received
20:05:52 id: cb5ac9d6-9646-4226-bfa8-23b9c3e0995d
20:06:08 Successfully uploaded file
20:06:08 id: cb5ac9d6-9646-4226-bfa8-23b9c3e0995d
20:06:08 path: /Users/iojs/build/ws/node-v22.0.0-test202311136410f3bf0d.pkg
20:06:08 Waiting for processing to complete.
20:06:14 Current status: In Progress...
[...redacted...]
Current status: Accepted.............Processing complete
20:07:31 id: cb5ac9d6-9646-4226-bfa8-23b9c3e0995d
20:07:31 status: Accepted
20:07:31
20:07:31 Notarization node-v22.0.0-test202311136410f3bf0d.pkg submitted successfully.
20:07:31 Processing: /Users/iojs/build/ws/node-v22.0.0-test202311136410f3bf0d.pkg
20:07:32 Processing: /Users/iojs/build/ws/node-v22.0.0-test202311136410f3bf0d.pkg
20:07:32 The staple and validate action worked!
20:07:32 Stapler was successful.
[...redacted...]
20:09:07 Finished: SUCCESS
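The flow the PR description and the log above outline (submit with notarytool, wait for the verdict, staple, validate), written out as an added example. This is not the Node.js project's tools/osx-notarize.sh and not the author's code; the profile name `node-release`, the Apple ID and team ID, and the helper names `store_profile`, `status_accepted` and `notarize_pkg` are assumptions made for this example. The security point it demonstrates is the one behind the change: with a keychain profile, only the profile name reaches the command line, so the app-specific password never appears in argv, in the CI environment, or in a Jenkins log like the one above.

```shell
#!/bin/sh
# Added example, not the Node.js project's own tools/osx-notarize.sh: the
# notarytool flow described in the PR, with credentials read from a macOS
# keychain profile instead of being passed on the command line. The profile
# name "node-release" and the Apple ID / team ID are placeholders.
set -eu

# One-time, interactive setup on the release host: notarytool prompts for the
# app-specific password and stores it in the keychain under the profile name,
# so the secret never shows up in argv, in the environment, or in a CI log.
# Usage: store_profile node-release "release@example.invalid" "TEAMID0000"
store_profile() {
  xcrun notarytool store-credentials "$1" --apple-id "$2" --team-id "$3"
}

# Read the output of `notarytool submit --wait` on stdin and succeed only when
# the final verdict line is "status: Accepted". Checking the reported status
# rather than trusting the exit code alone avoids stapling a rejected package.
# "Current status: ..." progress lines are deliberately not matched.
status_accepted() {
  grep -q '^[[:space:]]*status: Accepted[[:space:]]*$'
}

# Submit PKG for notarization using the keychain profile PROFILE, then staple
# and validate the ticket. Only the profile *name* is visible on the command
# line; notarytool fetches the secret from the keychain itself.
notarize_pkg() {
  pkg=$1 profile=$2
  [ -f "$pkg" ] || { echo "no such package: $pkg" >&2; return 1; }
  [ -n "$profile" ] || { echo "empty keychain profile name" >&2; return 1; }

  log=$(mktemp)
  # tee keeps the progress output visible in the CI log while we capture it
  # for the status check below.
  xcrun notarytool submit "$pkg" --keychain-profile "$profile" --wait | tee "$log"
  if ! status_accepted < "$log"; then
    echo "notarization of $pkg was not accepted; inspect the reasons with:" >&2
    echo "  xcrun notarytool log <submission-id> --keychain-profile $profile" >&2
    rm -f "$log"
    return 1
  fi
  rm -f "$log"

  # Attach the ticket to the package and confirm it is attached, as the
  # "staple and validate" step in the log above does.
  xcrun stapler staple "$pkg"
  xcrun stapler validate "$pkg"
}

# Run only when invoked with a package and a profile name, e.g.
#   sh notarize-example.sh node-v22.0.0.pkg node-release
if [ "$#" -ge 2 ]; then
  notarize_pkg "$1" "$2"
fi
```

`store_profile` is run once by a release engineer on the notarizing Mac; the CI job then only needs the profile name. Both `notarytool store-credentials` and `notarytool log` are real `xcrun notarytool` subcommands; the rest of the script is ordinary POSIX sh so the pre-flight checks and the status parser can be exercised on any machine, while the `xcrun` calls only run on macOS with Xcode's command line tools installed.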
@nodejs-github-bot nodejs-github-bot added macos Issues and PRs related to the macOS platform / OSX. tools Issues and PRs related to the tools directory. labels Nov 13, 2023
@UlisesGascon UlisesGascon marked this pull request as ready for review November 13, 2023 19:35
@UlisesGascon UlisesGascon added request-ci Add this label to start a Jenkins CI on a PR. lts-watch-v18.x lts-watch-v20.x PRs that may need to be released in v20.x labels Nov 13, 2023
@github-actions github-actions bot removed the request-ci Add this label to start a Jenkins CI on a PR. label Nov 13, 2023
@mhdawson mhdawson left a comment


LGTM

@mhdawson

Looks like the status update failed. The latest CI run shows as all blue - https://ci.nodejs.org/job/node-test-pull-request/55833/

Going to land

mhdawson pushed a commit that referenced this pull request Nov 22, 2023
PR-URL: #50715 Reviewed-By: Michael Dawson <midawson@redhat.com>
@mhdawson

Landed in 5f973d1

@mhdawson mhdawson closed this Nov 22, 2023
targos pushed a commit that referenced this pull request Nov 23, 2023
PR-URL: #50715 Reviewed-By: Michael Dawson <midawson@redhat.com>
martenrichter pushed a commit to martenrichter/node that referenced this pull request Nov 26, 2023
PR-URL: nodejs#50715 Reviewed-By: Michael Dawson <midawson@redhat.com>
lucshi pushed a commit to lucshi/node that referenced this pull request Nov 27, 2023
PR-URL: nodejs#50715 Reviewed-By: Michael Dawson <midawson@redhat.com>
@RafaelGSS RafaelGSS mentioned this pull request Nov 28, 2023
RafaelGSS pushed a commit that referenced this pull request Nov 29, 2023
PR-URL: #50715 Reviewed-By: Michael Dawson <midawson@redhat.com>
RafaelGSS pushed a commit that referenced this pull request Nov 30, 2023
PR-URL: #50715 Reviewed-By: Michael Dawson <midawson@redhat.com>
UlisesGascon added a commit that referenced this pull request Dec 11, 2023
PR-URL: #50715 Reviewed-By: Michael Dawson <midawson@redhat.com>
@UlisesGascon UlisesGascon mentioned this pull request Dec 12, 2023
UlisesGascon added a commit that referenced this pull request Dec 13, 2023
PR-URL: #50715 Reviewed-By: Michael Dawson <midawson@redhat.com>
UlisesGascon added a commit that referenced this pull request Dec 15, 2023
PR-URL: #50715 Reviewed-By: Michael Dawson <midawson@redhat.com>
UlisesGascon added a commit that referenced this pull request Dec 19, 2023
PR-URL: #50715 Reviewed-By: Michael Dawson <midawson@redhat.com>
richardlau pushed a commit that referenced this pull request Jan 16, 2024
PR-URL: #50715 Reviewed-By: Michael Dawson <midawson@redhat.com>
@richardlau richardlau added backported-to-v18.x backported-to-v20.x PRs backported to the v20.x-staging branch. and removed lts-watch-v18.x lts-watch-v20.x PRs that may need to be released in v20.x labels Jan 16, 2024
RafaelGSS pushed a commit that referenced this pull request Feb 14, 2024
This is a security release.

Notable changes:

crypto:
* update root certificates to NSS 3.95 (Node.js GitHub Bot) #50805
* disable PKCS#1 padding for privateDecrypt (Michael Dawson) nodejs-private/node-private#525

deps:
* upgrade npm to 10.2.4 (npm team) #50751
* update archs files for openssl-3.0.13+quic1 (Node.js GitHub Bot) #51614
* upgrade openssl sources to quictls/openssl-3.0.13+quic1 (Node.js GitHub Bot) ://github.com//pull/51614
* fix GHSA-f74f-cvh7-c6q6/CVE-2024-24806 (Santiago Gimeno) #51614

http:
* add maximum chunk extension size (Paolo Insogna) nodejs-private/node-private#520

lib:
* update undici to v5.28.3 (Matteo Collina) nodejs-private/node-private#536

src:
* fix HasOnly(capability) in node::credentials (Tobias Nießen) nodejs-private/node-private#505

test:
* skip test-child-process-stdio-reuse-readable-stdio on Windows (Joyee Cheung) #49621

tools:
* add macOS notarization verification step (Ulises Gascón) #50833
* use macOS keychain to notarize the releases (Ulises Gascón) #50715
* remove unused file (Ulises Gascon) #50622
* add macOS notarization stapler (Ulises Gascón) #50625
* improve macOS notarization process output readability (Ulises Gascón) #50389
* remove unused `version` function (Ulises Gascón) #50390

win,tools:
* upgrade Windows signing to smctl (Stefan Stojanovic) #50956

zlib:
* pause stream if outgoing buffer is full (Matteo Collina) nodejs-private/node-private#542

PR-URL: nodejs-private/node-private#545
@UlisesGascon UlisesGascon deleted the tools/osx-keychain-profile branch February 26, 2024 15:33
rdw-msft pushed a commit to rdw-msft/node that referenced this pull request Mar 20, 2024
sercher added a commit to sercher/graaljs that referenced this pull request Apr 25, 2024
PR-URL: nodejs/node#50715 Reviewed-By: Michael Dawson <midawson@redhat.com>
sercher added a commit to sercher/graaljs that referenced this pull request Apr 25, 2024
sercher added a commit to sercher/graaljs that referenced this pull request Apr 25, 2024
PR-URL: nodejs/node#50715 Reviewed-By: Michael Dawson <midawson@redhat.com>
sercher added a commit to sercher/graaljs that referenced this pull request Apr 25, 2024
aduh95 pushed a commit to aduh95/node that referenced this pull request Feb 18, 2025
PR-URL: nodejs#50715 Reviewed-By: Michael Dawson <midawson@redhat.com>
aduh95 pushed a commit to aduh95/node that referenced this pull request Feb 18, 2025