UlisesGascon

Main Changes

Use an OSX Keychain profile to retrieve the secrets in order to do the notarization with Notarytool

cc: @nodejs/build @nodejs/releasers

Context

Notes

You can find more information in this amazing article https://tonygo.ghost.io/notarization-for-macos-app-with-notarytool/ by @tony-go and this comment: #48701 (comment)

Test

This was tested in the iojs+release-ulises-experimental pipeline in the Jenkins CI release.

Full log available here

20:05:51 sh tools/osx-notarize.sh v22.0.0-test202311136410f3bf0d
20:05:51 Notarization process is done with Notarytool.
20:05:51 Submitting node-v22.0.0-test202311136410f3bf0d.pkg for notarization...
20:05:51 Conducting pre-submission checks for node-v22.0.0-test202311136410f3bf0d.pkg and initiating connection to the Apple notary service...
20:05:52 Submission ID received
20:05:52   id: cb5ac9d6-9646-4226-bfa8-23b9c3e0995d
20:06:08 Successfully uploaded file
20:06:08   id: cb5ac9d6-9646-4226-bfa8-23b9c3e0995d
20:06:08   path: /Users/iojs/build/ws/node-v22.0.0-test202311136410f3bf0d.pkg
20:06:08 Waiting for processing to complete.
20:06:14 
Current status: In Progress...
[...redacted...]
Current status: Accepted.............Processing complete
20:07:31   id: cb5ac9d6-9646-4226-bfa8-23b9c3e0995d
20:07:31   status: Accepted
20:07:31 
20:07:31 Notarization node-v22.0.0-test202311136410f3bf0d.pkg submitted successfully.
20:07:31 Processing: /Users/iojs/build/ws/node-v22.0.0-test202311136410f3bf0d.pkg
20:07:32 Processing: /Users/iojs/build/ws/node-v22.0.0-test202311136410f3bf0d.pkg
20:07:32 The staple and validate action worked!
20:07:32 Stapler was successful.
[...redacted...]
20:09:07 Finished: SUCCESS

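The flow the CI log above shows (submit with a keychain profile, wait, staple, validate), as an added shell example that is not the project's own tools/osx-notarize.sh: the Apple ID app-specific password lives in a notarytool keychain profile created once with `store-credentials`, so it is never passed on the command line or through the CI job's environment. The profile name `node-release`, the `NOTARYTOOL_KEYCHAIN_PROFILE` variable and the sample notarytool output are assumptions/constructed for this example.

```shell
#!/bin/sh
# Added example; not the nodejs/node tools/osx-notarize.sh script itself.
# Assumed profile name. It is created once, interactively, on the release
# machine with:
#   xcrun notarytool store-credentials "$PROFILE" --apple-id ... --team-id ... --password ...
# After that the app-specific password stays in the login keychain and never
# has to appear on a command line, in the CI environment, or in the job log.
PROFILE="${NOTARYTOOL_KEYCHAIN_PROFILE:-node-release}"

# The submit command line as a string, so the arguments can be checked.
notarize_cmd() {
  printf 'xcrun notarytool submit %s --keychain-profile %s --wait\n' "$1" "$PROFILE"
}

# Succeeds only when notarytool's --wait output has a final "status: Accepted".
# "status: Invalid", or no status line at all (timeout, network error), fails.
notarization_accepted() {
  printf '%s\n' "$1" | grep -Eq '^[[:space:]]*status:[[:space:]]*Accepted[[:space:]]*$'
}

# Submit, require Accepted, then staple the ticket and validate the staple.
notarize_and_staple() {
  pkg="$1"
  out=$(xcrun notarytool submit "$pkg" --keychain-profile "$PROFILE" --wait 2>&1) \
    || { printf '%s\n' "$out"; return 1; }
  printf '%s\n' "$out"
  notarization_accepted "$out" \
    || { echo "Notarization of $pkg was not accepted" >&2; return 1; }
  xcrun stapler staple "$pkg" && xcrun stapler validate "$pkg"
}

# Constructed samples of notarytool's text output, modelled on the CI log above.
SAMPLE_ACCEPTED='Waiting for processing to complete.
Current status: Accepted.............Processing complete
  id: 00000000-0000-0000-0000-000000000000
  status: Accepted'
SAMPLE_INVALID='Current status: Invalid..............Processing complete
  id: 00000000-0000-0000-0000-000000000000
  status: Invalid'
```
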
@nodejs-github-bot nodejs-github-bot added macos Issues and PRs related to the macOS platform / OSX. tools Issues and PRs related to the tools directory. labels Nov 13, 2023
@UlisesGascon UlisesGascon marked this pull request as ready for review November 13, 2023 19:35
@UlisesGascon UlisesGascon added request-ci Add this label to start a Jenkins CI on a PR. lts-watch-v18.x lts-watch-v20.x PRs that may need to be released in v20.x labels Nov 13, 2023
@github-actions github-actions bot removed the request-ci Add this label to start a Jenkins CI on a PR. label Nov 13, 2023
@mhdawson mhdawson left a comment

LGTM

@mhdawson

Looks like the status update failed. The latest CI run shows as all blue - https://ci.nodejs.org/job/node-test-pull-request/55833/

Going to land

mhdawson pushed a commit that referenced this pull request Nov 22, 2023
@mhdawson

Landed in 5f973d1

@mhdawson mhdawson closed this Nov 22, 2023
targos pushed a commit that referenced this pull request Nov 23, 2023
martenrichter pushed a commit to martenrichter/node that referenced this pull request Nov 26, 2023
lucshi pushed a commit to lucshi/node that referenced this pull request Nov 27, 2023
@RafaelGSS RafaelGSS mentioned this pull request Nov 28, 2023
RafaelGSS pushed a commit that referenced this pull request Nov 29, 2023
RafaelGSS pushed a commit that referenced this pull request Nov 30, 2023
UlisesGascon added a commit that referenced this pull request Dec 11, 2023
@UlisesGascon UlisesGascon mentioned this pull request Dec 12, 2023
UlisesGascon added a commit that referenced this pull request Dec 13, 2023
UlisesGascon added a commit that referenced this pull request Dec 15, 2023
UlisesGascon added a commit that referenced this pull request Dec 19, 2023
richardlau pushed a commit that referenced this pull request Jan 16, 2024
@richardlau richardlau added backported-to-v18.x backported-to-v20.x PRs backported to the v20.x-staging branch. and removed lts-watch-v18.x lts-watch-v20.x PRs that may need to be released in v20.x labels Jan 16, 2024
RafaelGSS pushed a commit that referenced this pull request Feb 14, 2024
This is a security release.

Notable changes:

crypto:
  * update root certificates to NSS 3.95 (Node.js GitHub Bot) #50805
  * disable PKCS#1 padding for privateDecrypt (Michael Dawson) nodejs-private/node-private#525
deps:
  * upgrade npm to 10.2.4 (npm team) #50751
  * update archs files for openssl-3.0.13+quic1 (Node.js GitHub Bot) #51614
  * upgrade openssl sources to quictls/openssl-3.0.13+quic1 (Node.js GitHub Bot) ://github.com//pull/51614
  * fix GHSA-f74f-cvh7-c6q6/CVE-2024-24806 (Santiago Gimeno) #51614
http:
  * add maximum chunk extension size (Paolo Insogna) nodejs-private/node-private#520
lib:
  * update undici to v5.28.3 (Matteo Collina) nodejs-private/node-private#536
src:
  * fix HasOnly(capability) in node::credentials (Tobias Nießen) nodejs-private/node-private#505
test:
  * skip test-child-process-stdio-reuse-readable-stdio on Windows (Joyee Cheung) #49621
tools:
  * add macOS notarization verification step (Ulises Gascón) #50833
  * use macOS keychain to notarize the releases (Ulises Gascón) #50715
  * remove unused file (Ulises Gascon) #50622
  * add macOS notarization stapler (Ulises Gascón) #50625
  * improve macOS notarization process output readability (Ulises Gascón) #50389
  * remove unused `version` function (Ulises Gascón) #50390
win,tools:
  * upgrade Windows signing to smctl (Stefan Stojanovic) #50956
zlib:
  * pause stream if outgoing buffer is full (Matteo Collina) nodejs-private/node-private#542

PR-URL: nodejs-private/node-private#545
@UlisesGascon UlisesGascon deleted the tools/osx-keychain-profile branch February 26, 2024 15:33
rdw-msft pushed a commit to rdw-msft/node that referenced this pull request Mar 20, 2024
sercher added a commit to sercher/graaljs that referenced this pull request Apr 25, 2024
sercher added a commit to sercher/graaljs that referenced this pull request Apr 25, 2024
sercher added a commit to sercher/graaljs that referenced this pull request Apr 25, 2024
sercher added a commit to sercher/graaljs that referenced this pull request Apr 25, 2024
aduh95 pushed a commit to aduh95/node that referenced this pull request Feb 18, 2025
aduh95 pushed a commit to aduh95/node that referenced this pull request Feb 18, 2025
Successfully merging this pull request may close these issues.

Add --keychain-profile to notarytool