Add package signing configuration for GitHub Actions

Co-authored-by: Mike McQuaid <mike@mikemcquaid.com> Co-authored-by: Carlo Cabrera <30379873+carlocab@users.noreply.github.com>
2025-07-14 16:09:03 +08:00 · 2023-07-24 17:10:31 +01:00 · 2023-07-24 17:10:31 +01:00 · 051d7ec4f7
commit 051d7ec4f7
parent 62e54c3387
1 changed files with 51 additions and 16 deletions
--- a/.github/workflows/build-pkg.yml
+++ b/.github/workflows/build-pkg.yml
@ -1,4 +1,4 @@
-name: Build Homebrew package
+name: Build Homebrew installer pkg
 on:
  push:
    paths:
@ -13,28 +13,63 @@ jobs:
    if: github.repository_owner == 'Homebrew'
    runs-on: macos-13
    env:
-      IDENTIFIER: sh.brew.Homebrew
-      TMP_PATH: /tmp/brew
-      MIN_OS: '11.0'
+      TEMPORARY_CERTIFICATE_FILE: 'homebrew_developer_id_installer_certificate.p12'
+      TEMPORARY_KEYCHAIN_FILE: 'homebrew_installer_signing.keychain-db'
+      MIN_MACOS_VERSION: '11.0'
    steps:
      - uses: actions/checkout@v3
        with:
          path: brew
          fetch-depth: 0
-      - name: Version name
+
+      - name: Get Homebrew version from Git
        id: print-version
+        run: echo "version=$(git -C brew describe --tags --always)" >> "${GITHUB_OUTPUT}"
+
+      - name: Create and unlock temporary macOS keychain
+        env:
+          PKG_KEYCHAIN_PASSWORD: ${{ secrets.PKG_KEYCHAIN_PASSWORD }}
        run: |
-          echo "version=$(git -C brew describe --tags --always)" >> "$GITHUB_OUTPUT"
-      - name: Build package
-        run: |
-         pkgbuild --root brew \
-                  --scripts brew/package/scripts \
-                  --install-location "$TMP_PATH" \
-                  --identifier "$IDENTIFIER" \
-                  --min-os-version "$MIN_OS" \
-                  --filter .DS_Store \
-                  --version ${{ steps.print-version.outputs.version }} \
-                  Homebrew-${{ steps.print-version.outputs.version }}.pkg
+          TEMPORARY_KEYCHAIN_PATH="${RUNNER_TEMP}/${TEMPORARY_KEYCHAIN_FILE}"
+          security create-keychain -p "${PKG_KEYCHAIN_PASSWORD}" "${TEMPORARY_KEYCHAIN_PATH}"
+          security set-keychain-settings -l -u -t 21600 "${TEMPORARY_KEYCHAIN_PATH}"
+          security unlock-keychain -p "${PKG_KEYCHAIN_PASSWORD}" "${TEMPORARY_KEYCHAIN_PATH}"
+
+      - name: Create temporary certificate file
+        env:
+          PKG_APPLE_SIGNING_CERTIFICATE_BASE64: ${{ secrets.PKG_APPLE_SIGNING_CERTIFICATE_BASE64 }}
+        run: echo -n "${PKG_APPLE_SIGNING_CERTIFICATE_BASE64}" | base64 --decode --output="${RUNNER_TEMP}/${TEMPORARY_CERTIFICATE_FILE}"
+
+      - name: Import certificate file into macOS keychain
+        env:
+          PKG_APPLE_SIGNING_CERTIFICATE_PASSWORD: ${{ secrets.PKG_APPLE_SIGNING_CERTIFICATE_PASSWORD }}
+        run: security import "${RUNNER_TEMP}/${TEMPORARY_CERTIFICATE_FILE}" -k "${RUNNER_TEMP}/${TEMPORARY_KEYCHAIN_FILE}" -t cert -f pkcs12 -P "${PKG_APPLE_SIGNING_CERTIFICATE_PASSWORD}" -A
+
+      - name: Clean up temporary certificate file
+        if: ${{ always() }}
+        run: rm -f "${RUNNER_TEMP}/${TEMPORARY_CERTIFICATE_FILE}"
+
+      - name: Open macOS keychain
+        run: security list-keychain -d user -s "${RUNNER_TEMP}/${TEMPORARY_KEYCHAIN_FILE}"
+
+      - name: Build Homebrew installer package
+        env:
+          PKG_APPLE_DEVELOPER_TEAM_ID: ${{ secrets.PKG_APPLE_DEVELOPER_TEAM_ID }}
+        # Note: `Library/Homebrew/test/support/fixtures/` contains unsigned
+        # binaries so it needs to be excluded from notarization.
+        run: pkgbuild --root brew --scripts brew/package/scripts --identifier "sh.brew.homebrew" --version ${{ steps.print-version.outputs.version }} --install-location "/tmp/brew" --filter .DS_Store --filter "(.*)/Library/Homebrew/test/support/fixtures/" --min-os-version "${MIN_MACOS_VERSION}" --sign "${PKG_APPLE_DEVELOPER_TEAM_ID}" Homebrew-${{ steps.print-version.outputs.version }}.pkg
+
+      - name: Notarize Homebrew installer package
+        env:
+          PKG_APPLE_DEVELOPER_TEAM_ID: ${{ secrets.PKG_APPLE_DEVELOPER_TEAM_ID }}
+          PKG_APPLE_ID_USERNAME: ${{ secrets.PKG_APPLE_ID_USERNAME }}
+          PKG_APPLE_ID_APP_SPECIFIC_PASSWORD: ${{ secrets.PKG_APPLE_ID_APP_SPECIFIC_PASSWORD }}
+        run: xcrun notarytool submit Homebrew-${{ steps.print-version.outputs.version }}.pkg --team-id  "${PKG_APPLE_DEVELOPER_TEAM_ID}" --apple-id "${PKG_APPLE_ID_USERNAME}" --password "${PKG_APPLE_ID_APP_SPECIFIC_PASSWORD}" --wait
+
+      - name: Clean up temporary macOS keychain
+        if: ${{ always() }}
+        run: test -f "${RUNNER_TEMP}/${TEMPORARY_KEYCHAIN_FILE}" && security delete-keychain "${RUNNER_TEMP}/${TEMPORARY_KEYCHAIN_FILE}"
+
      - uses: actions/upload-artifact@v3
        with:
          name: Homebrew ${{ steps.print-version.outputs.version }}