← Back to context

Comment by embedding-shape

1 day ago

Recently got a Mac Mini for local CI purposes (together with Forgejo Actions), took a broad look at the ecosystem and decided to just roll with "build on host" instead. Setting up signing/notarization just looked like an insurmountably task together with isolating it from the host, even with agents. At least the macOS builds are really fast now and the signing/notarization just ~200 lines of Bash...

6 comments

embedding-shape

Reply
latexr  1 day ago

> the signing/notarization just ~200 lines of Bash

200 lines?! That’s two orders of magnitude too many. What exactly are you doing that you need so such code for signing and notarisation?

  • embedding-shape  1 day ago

    From the top of my head, unlocking the keychain, finding the right identity, notarizing two parts, the binary itself and the .dmg that the .app ships in and some other stuff I'm sure. Can do a deeper look in a bit when I can. Most of the hassle is because it's 100% unattended and I had to do stuff to avoid GUI-prompts for passwords/unlocks, and that the Forgejo Runner has a different security context.

    • latexr  7 hours ago

      > unlocking the keychain, finding the right identity

      You don’t need to do that, you can give options to the CLI to define what profile to use.

      > Most of the hassle is because it's 100% unattended and I had to do stuff to avoid GUI-prompts for passwords/unlocks

      I have a shell function to which I point my code and it compiles, signs, and notarises it without any more intervention, GUI or password prompts, and I’m pretty sure signing and notarising are literally two lines.

      Unfortunately I’m not at my computer now or I’d paste them, but from your description that script is definitely too long.

      1 reply →

    • hamandcheese  1 day ago

      This matches my experience. Keychain + fully unattended increases the complexity and adds a bunch of landmines that need to be dodged (e.g. GUI prompts like you mentioned).