From 0d2f3549f82674783a0a1e69539575841451f2f6 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Jaime=20Rodr=C3=ADguez-Guerra?=
Date: Mon, 5 Dec 2022 20:43:56 +0100
Subject: [PATCH 1/8] Rebuild installers
From 21a380680e1131b2ef4ff5156744438094474046 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Jaime=20Rodr=C3=ADguez-Guerra?=
Date: Tue, 6 Dec 2022 12:00:15 +0100
Subject: [PATCH 2/8] disable path filtering for now
---
 .github/workflows/make_bundle_conda.yml | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/.github/workflows/make_bundle_conda.yml b/.github/workflows/make_bundle_conda.yml
index 061da6b2..2b8c239b 100644
--- a/.github/workflows/make_bundle_conda.yml
+++ b/.github/workflows/make_bundle_conda.yml
@@ -4,8 +4,8 @@ on: pull_request: branches: - main - paths: - - 'build_installers.py' + # paths: + # - 'build_installers.py' workflow_call: inputs: event_name:
From 11fbb71c58926cb2ee0f7c23c08eab762d842050 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Jaime=20Rodr=C3=ADguez-Guerra?=
Date: Tue, 6 Dec 2022 16:04:38 +0100
Subject: [PATCH 3/8] rephrase conditionals
---
 .github/workflows/make_bundle_conda.yml | 22 ++++++++++++++--------
 1 file changed, 14 insertions(+), 8 deletions(-)
diff --git a/.github/workflows/make_bundle_conda.yml b/.github/workflows/make_bundle_conda.yml
index 2b8c239b..42ec932e 100644
--- a/.github/workflows/make_bundle_conda.yml
+++ b/.github/workflows/make_bundle_conda.yml
@@ -339,7 +339,10 @@ jobs: - name: Load signing certificate (MacOS) shell: bash -el {0} # We only sign pushes to main, nightlies, RCs and final releases - if: runner.os == 'macOS' && env.SIGNING_SECRETS_AVAILABLE && (inputs.event_name == 'schedule' || inputs.event_name == 'push') + if: > + runner.os == 'macOS' + && env.SIGNING_SECRETS_AVAILABLE + && (inputs.event_name == 'schedule' || inputs.event_name == 'push') run: | # create variables INSTALLER_CERTIFICATE_PATH="$RUNNER_TEMP/installer_developer_cert.p12"
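Review bot: The rewritten `if: >` block still tests `env.SIGNING_SECRETS_AVAILABLE` by bare truthiness, and in GitHub Actions expressions every non-empty string is truthy, so if that variable is ever written as the literal string `'false'` (how it is set is outside this hunk) the certificate-loading step runs anyway. An explicit comparison, `&& env.SIGNING_SECRETS_AVAILABLE == 'true'`, makes the gate independent of how the variable is spelled. The same condition is repeated verbatim in this patch's Windows, Notarize and Staple hunks, so the change applies to all four. The step's `run:` body continues past the end of the hunk.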
@@ -376,7 +379,10 @@ jobs: - name: Load signing certificate (Windows) # We only sign pushes to main, nightlies, RCs and final releases - if: runner.os == 'Windows' && env.SIGNING_SECRETS_AVAILABLE && (inputs.event_name == 'schedule' || inputs.event_name == 'push') + if: > + runner.os == 'Windows' + && env.SIGNING_SECRETS_AVAILABLE + && (inputs.event_name == 'schedule' || inputs.event_name == 'push') # We are signing with Apple's certificate to provide _something_ # This is not trusted by Windows so the warnings are still there, but curious users # will be able to check it's actually us if necessary
@@ -428,9 +434,9 @@ jobs: - name: Notarize Bundle (macOS) # We only sign pushes to main, nightlies, RCs and final releases if: > - runner.os == 'macOS' && - env.SIGNING_SECRETS_AVAILABLE && - (inputs.event_name == 'schedule' || inputs.event_name == 'push') + runner.os == 'macOS' + && env.SIGNING_SECRETS_AVAILABLE + && (inputs.event_name == 'schedule' || inputs.event_name == 'push') uses: devbotsxyz/xcode-notarize@v1 with: product-path: ${{ github.workspace }}/napari-packaging/_work/napari-${{ env.version }}-${{ runner.os }}-${{ env.arch-suffix }}.${{ env.extension }}
@@ -442,9 +448,9 @@ jobs: - name: Staple Bundle (macOS) # We only sign pushes to main, nightlies, RCs and final releases if: > - runner.os == 'macOS' && - env.SIGNING_SECRETS_AVAILABLE && - (inputs.event_name == 'schedule' || inputs.event_name == 'push') + runner.os == 'macOS' + && env.SIGNING_SECRETS_AVAILABLE + && (inputs.event_name == 'schedule' || inputs.event_name == 'push') uses: devbotsxyz/xcode-staple@v1 with: product-path: ${{ github.workspace }}/napari-packaging/_work/napari-${{ env.version }}-${{ runner.os }}-${{ env.arch-suffix }}.${{ env.extension }}
From 958f19fc42ababd3069151a00753095a3314725f Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Jaime=20Rodr=C3=ADguez-Guerra?=
Date: Thu, 8 Dec 2022 14:32:04 +0100
Subject: [PATCH 4/8] pre-commit fixes
---
 .github/workflows/make_bundle_conda.yml | 10 +++++-----
 build_installers.py | 4 +++-
 2 files changed, 8 insertions(+), 6 deletions(-)
diff --git a/.github/workflows/make_bundle_conda.yml b/.github/workflows/make_bundle_conda.yml
index 42ec932e..fe295845 100644
--- a/.github/workflows/make_bundle_conda.yml
+++ b/.github/workflows/make_bundle_conda.yml
@@ -340,8 +340,8 @@ jobs: shell: bash -el {0} # We only sign pushes to main, nightlies, RCs and final releases if: > - runner.os == 'macOS' - && env.SIGNING_SECRETS_AVAILABLE + runner.os == 'macOS' + && env.SIGNING_SECRETS_AVAILABLE && (inputs.event_name == 'schedule' || inputs.event_name == 'push') run: | # create variables
@@ -380,8 +380,8 @@ jobs: - name: Load signing certificate (Windows) # We only sign pushes to main, nightlies, RCs and final releases if: > - runner.os == 'Windows' - && env.SIGNING_SECRETS_AVAILABLE + runner.os == 'Windows' + && env.SIGNING_SECRETS_AVAILABLE && (inputs.event_name == 'schedule' || inputs.event_name == 'push') # We are signing with Apple's certificate to provide _something_ # This is not trusted by Windows so the warnings are still there, but curious users
@@ -434,7 +434,7 @@ jobs: - name: Notarize Bundle (macOS) # We only sign pushes to main, nightlies, RCs and final releases if: > - runner.os == 'macOS' + runner.os == 'macOS' && env.SIGNING_SECRETS_AVAILABLE && (inputs.event_name == 'schedule' || inputs.event_name == 'push') uses: devbotsxyz/xcode-notarize@v1
diff --git a/build_installers.py b/build_installers.py
index ba91b6c9..6956e8d2 100644
--- a/build_installers.py
+++ b/build_installers.py
@@ -120,6 +120,7 @@ def _version(): "CONSTRUCTOR_INSTALLER_DEFAULT_PATH_STEM", f"{APP}-{_version()}" ) + def _generate_background_images(installer_type, outpath="./", napari_repo=HERE): """Requires pillow""" if installer_type == "sh":
@@ -235,6 +236,7 @@ def _definitions(version=_version(), extra_specs=None, napari_repo=HERE): empty_file = NamedTemporaryFile(delete=False) condarc = _get_condarc() env_state = _get_conda_meta_state() + env_state_path = os.path.join("envs", napari_env["name"], "conda-meta", "state") definitions = { "name": APP, "company": "Napari",
@@ -258,7 +260,7 @@ def _definitions(version=_version(), extra_specs=None, napari_repo=HERE): {os.path.join(resources, "bundle_readme.md"): "README.txt"}, {empty_file.name: ".napari_is_bundled_constructor"}, {condarc: ".condarc"}, - {env_state: os.path.join("envs", napari_env["name"], "conda-meta", "state")}, + {env_state: env_state_path}, ], } if _use_local():
From 9423fd513412b8c487a64b31b22880e9efaaf863 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Jaime=20Rodr=C3=ADguez-Guerra?=
Date: Thu, 8 Dec 2022 17:36:03 +0100
Subject: [PATCH 5/8] restore triggers
---
 .github/workflows/make_bundle_conda.yml | 8 ++++----
 1 file changed, 4 insertions(+), 4 deletions(-)
diff --git a/.github/workflows/make_bundle_conda.yml b/.github/workflows/make_bundle_conda.yml
index fe295845..8924ec4a 100644
--- a/.github/workflows/make_bundle_conda.yml
+++ b/.github/workflows/make_bundle_conda.yml
@@ -4,8 +4,9 @@ on: pull_request: branches: - main - # paths: - # - 'build_installers.py' + paths: + - 'build_installers.py' + - 'conda-recipe/*' workflow_call: inputs: event_name:
@@ -424,7 +425,6 @@ jobs: # echo "LICENSES_ARTIFACT_NAME=$(basename ${licenses_zip_path})" >> $GITHUB_ENV # echo "licenses_artifact=${licenses_zip_path}" >> $GITHUB_OUTPUT - # - name: Upload License Artifact # uses: actions/upload-artifact@v2 # with:
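Review bot: The restored `pull_request` path filter adds `'conda-recipe/*'`, but a single `*` in a GitHub Actions path filter does not match `/`, so a change in a subdirectory of `conda-recipe` would not trigger the PR build; `- 'conda-recipe/**'` covers the whole tree. The filter also omits the workflow file itself, so edits to the signing and notarization steps in `.github/workflows/make_bundle_conda.yml` get no PR run before they land on `main`, which is where the signing-gated steps first execute; adding `- '.github/workflows/make_bundle_conda.yml'` closes that gap. The `on:` block continues past the end of the hunk.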
@@ -458,7 +458,7 @@ jobs: - name: Upload Artifact uses: actions/upload-artifact@v2 # CI artifact uploads only on manual runs - # if: inputs.event_name == 'workflow_dispatch' + if: inputs.event_name == 'workflow_dispatch' with: name: napari-${{ env.version }}-${{ runner.os }}-${{ env.arch-suffix }}.${{ env.extension }} path: ${{ github.workspace }}/napari-packaging/_work/napari-${{ env.version }}-${{ runner.os }}-${{ env.arch-suffix }}.${{ env.extension }}
From 42dbf929ad6a004d249bb3fddca5fff2585d8421 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Jaime=20Rodr=C3=ADguez-Guerra?=
Date: Mon, 12 Dec 2022 13:41:13 +0100
Subject: [PATCH 6/8] Switch to notarytool for notarization and stapling
altool is deprecated and the actions we were using are archived now
---
 .github/workflows/make_bundle_conda.yml | 36 ++++++++++++------------
 1 file changed, 18 insertions(+), 18 deletions(-)
diff --git a/.github/workflows/make_bundle_conda.yml b/.github/workflows/make_bundle_conda.yml
index 8924ec4a..978e51dc 100644
--- a/.github/workflows/make_bundle_conda.yml
+++ b/.github/workflows/make_bundle_conda.yml
@@ -431,29 +431,29 @@ jobs: # path: ${{ env.LICENSES_ARTIFACT_PATH }} # name: ${{ env.LICENSES_ARTIFACT_NAME }} - - name: Notarize Bundle (macOS) + - name: Notarize & staple PKG Installer (macOS) # We only sign pushes to main, nightlies, RCs and final releases if: > runner.os == 'macOS' && env.SIGNING_SECRETS_AVAILABLE - && (inputs.event_name == 'schedule' || inputs.event_name == 'push') - uses: devbotsxyz/xcode-notarize@v1 - with: - product-path: ${{ github.workspace }}/napari-packaging/_work/napari-${{ env.version }}-${{ runner.os }}-${{ env.arch-suffix }}.${{ env.extension }} - appstore-connect-username: ${{ secrets.APPLE_NOTARIZATION_USERNAME }} - appstore-connect-password: ${{ secrets.APPLE_NOTARIZATION_PASSWORD }} - primary-bundle-id: org.napari.pkg - verbose: true + && (inputs.event_name == 'schedule' || inputs.event_name == 'push') + env: + INSTALLER_PATH: ${{ github.workspace }}/napari-packaging/_work/napari-${{ env.version }}-${{ runner.os }}-${{ env.arch-suffix }}.${{ env.extension }} + APPLE_NOTARIZATION_USERNAME: ${{ secrets.APPLE_NOTARIZATION_USERNAME }} + # This needs to be an application-specific password + APPLE_NOTARIZATION_PASSWORD: ${{ secrets.APPLE_NOTARIZATION_PASSWORD }} + run: | + # Check signatures. If this fails, there's no point. 
+ pkgutil --check-signature "$INSTALLER_PATH" - - name: Staple Bundle (macOS) - # We only sign pushes to main, nightlies, RCs and final releases - if: > - runner.os == 'macOS' - && env.SIGNING_SECRETS_AVAILABLE - && (inputs.event_name == 'schedule' || inputs.event_name == 'push') - uses: devbotsxyz/xcode-staple@v1 - with: - product-path: ${{ github.workspace }}/napari-packaging/_work/napari-${{ env.version }}-${{ runner.os }}-${{ env.arch-suffix }}.${{ env.extension }} + # Submit for notarization to Apple servers + xcrun notarytool submit "$INSTALLER_PATH" \ + -u "$APPLE_NOTARIZATION_USERNAME" \ + -p "$APPLE_NOTARIZATION_PASSWORD" \ + --wait + + # Staple + xcrun stapler staple --verbose "$INSTALLER_PATH" - name: Upload Artifact uses: actions/upload-artifact@v2
From be4505f3d81ae66452a5380da2e6d84b9a813694 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Jaime=20Rodr=C3=ADguez-Guerra?=
Date: Mon, 12 Dec 2022 14:20:22 +0100
Subject: [PATCH 7/8] debug if failures
---
 .github/workflows/make_bundle_conda.yml | 17 +++++++++++++++--
 1 file changed, 15 insertions(+), 2 deletions(-)
diff --git a/.github/workflows/make_bundle_conda.yml b/.github/workflows/make_bundle_conda.yml
index 978e51dc..02ab59c2 100644
--- a/.github/workflows/make_bundle_conda.yml
+++ b/.github/workflows/make_bundle_conda.yml
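Review bot: The new `xcrun notarytool submit` call authenticates with `-u`/`-p` but passes no `--team-id`; as far as I recall notarytool's Apple-ID authentication, the team identifier is required alongside the app-specific password, so the submission may be refused before upload — worth confirming on a manual run before relying on the scheduled one. Separately, `-p "$APPLE_NOTARIZATION_PASSWORD"` puts the secret into the process's argument list, where anything enumerating processes on the runner can read it, even though the value already reaches the step through `env:`; notarytool's `--keychain-profile` form (credentials stored once with `store-credentials`) keeps the password off argv for the submit and later `log` calls. The existing comment `# This needs to be an application-specific password` is helpful and should stay with the `env:` entry. The step's enclosing job continues outside the hunk.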
@@ -436,21 +436,34 @@ jobs: if: > runner.os == 'macOS' && env.SIGNING_SECRETS_AVAILABLE - && (inputs.event_name == 'schedule' || inputs.event_name == 'push') + && (inputs.event_name == 'schedule' || inputs.event_name == 'push') env: INSTALLER_PATH: ${{ github.workspace }}/napari-packaging/_work/napari-${{ env.version }}-${{ runner.os }}-${{ env.arch-suffix }}.${{ env.extension }} APPLE_NOTARIZATION_USERNAME: ${{ secrets.APPLE_NOTARIZATION_USERNAME }} # This needs to be an application-specific password APPLE_NOTARIZATION_PASSWORD: ${{ secrets.APPLE_NOTARIZATION_PASSWORD }} run: | + set -euxo pipefail + # Check signatures. If this fails, there's no point. pkgutil --check-signature "$INSTALLER_PATH" # Submit for notarization to Apple servers + json_output_file="$RUNNER_TEMP/$(basename "$INSTALLER_PATH").notarization.json" + set +e xcrun notarytool submit "$INSTALLER_PATH" \ -u "$APPLE_NOTARIZATION_USERNAME" \ -p "$APPLE_NOTARIZATION_PASSWORD" \ - --wait + --output-format json \ + --wait \ + | tee "$json_output_file" + set -e + if [[ $? != 0 ]]; then + submission_id=$(jq -r '.id' "$json_output_file") + xcrun notarytool log "$submission_id" \ + -u "$APPLE_NOTARIZATION_USERNAME" \ + -p "$APPLE_NOTARIZATION_PASSWORD" + fi # Staple xcrun stapler staple --verbose "$INSTALLER_PATH"
From 2475825429fc10eb3341e38787f05af96c652d3c Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Jaime=20Rodr=C3=ADguez-Guerra?=
Date: Mon, 12 Dec 2022 14:36:08 +0100
Subject: [PATCH 8/8] add spctl check
---
 .github/workflows/make_bundle_conda.yml | 3 +++
 1 file changed, 3 insertions(+)
diff --git a/.github/workflows/make_bundle_conda.yml b/.github/workflows/make_bundle_conda.yml
index 02ab59c2..a859e5c6 100644
--- a/.github/workflows/make_bundle_conda.yml
+++ b/.github/workflows/make_bundle_conda.yml
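Review bot: The failure branch added after the `tee` pipeline can never run: `$?` is read after `set -e`, so it reports the exit status of `set -e` itself (always 0), not of the `notarytool submit` pipeline, and the `notarytool log` diagnostic this patch exists to capture is dead code. Capture the status before re-enabling errexit and test that variable: `submit_status=${PIPESTATUS[0]}` on the line after `| tee "$json_output_file"`, then `if [[ $submit_status != 0 ]]; then`, and end the branch with `exit "$submit_status"` so the step fails at the diagnostic instead of at the later `stapler` call. The new `set -euxo pipefail` also traces every expanded command, so `-p "$APPLE_NOTARIZATION_PASSWORD"` is written to the job log with only GitHub's best-effort secret masking in between; `set -euo pipefail` keeps the same failure semantics without the trace. The step's `env:` block and the enclosing job begin outside the hunk.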
@@ -468,6 +468,9 @@ jobs: # Staple xcrun stapler staple --verbose "$INSTALLER_PATH" + # Check notarization status + spctl --assess -vv --type install "$INSTALLER_PATH" 2>&1 | tee /dev/stderr | grep accepted + - name: Upload Artifact uses: actions/upload-artifact@v2 # CI artifact uploads only on manual runs
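Review bot: The added `spctl --assess -vv --type install ... | grep accepted` gates the step on Gatekeeper acceptance, but the comment above it says `# Check notarization status`, and, if I remember spctl's verbose output correctly, the notarization evidence is the separate `source=Notarized Developer ID` line rather than the `accepted` verdict; matching that line, `| grep 'source=Notarized Developer ID'`, would make the check assert what the comment claims. It is worth stating in the comment that the `grep` exit status is what fails the step, for example `# With pipefail, grep fails the step unless spctl reports the installer as notarized`, since nothing else in the pipeline does. The step continues outside the hunk.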