Azure DevOps - Sign macOS .app and publish Artifact

I am trying to automate the process of signing a .app Binary file using Azure Devops CI pipelines. The current CI performs the following tasks:

  • CI builds a "setup" container containing the files to compile and pushes it to our container registry
  • Runs a script against an Azure VM to pull this image down and compile against it in an Ubuntu VM
  • The Ubuntu VM is required because the compiling process uses a GUI and a display on xhost is required for it to run.
  • Once it is done compiling we then zip the binaries and publish them to Azure DevOps Artifacts.

What I wanted to do here is pull down the binary, sign it and push it back up, but the pipeline just hangs indefinitely until it times out. My assumption is that it is waiting for some kind of prompt, and I have no idea how to pass it.

name: $(Date:yyyyMMdd)$(Rev:.r)

trigger: none

pr: none

variables:
  - group: MacOS

jobs:
  - job: POC_Pipeline
    pool:
      vmImage: 'macOS-latest'

    steps:

#      - task: InstallAppleCertificate@2
#        inputs:
#          certSecureFile: '$(p12FileName)'
#          certPwd: '$(p12Password)'
#          keychain: 'temp'
#          deleteCert: true

      - task: DownloadSecureFile@1
        name: AppleCertificate
        displayName: 'Download Apple Certificate'
        inputs:
          secureFile: '$(p12FileName)'

      - task: DownloadPackage@1
        inputs:
          packageType: 'upack'
          feed: 'myfeed'
          definition: 'mybinary'
          version: '*' # Pulls latest
          downloadPath: '$(System.ArtifactsDirectory)'

      - script: 'security create-keychain -p password temp.keychain'
        workingDirectory: '$(System.ArtifactsDirectory)'
        displayName: 'Create Keychain'
        failOnStderr: true

      - script: 'security unlock-keychain -p password temp.keychain'
        workingDirectory: '$(System.ArtifactsDirectory)'
        displayName: 'Unlock Keychain'
        failOnStderr: true

      - script: 'security import $(AppleCertificate.secureFilePath) -k temp.keychain -P $(p12Password) -T /usr/bin/codesign'
        workingDirectory: '$(System.ArtifactsDirectory)'
        displayName: 'Install Apple Certificate'
        failOnStderr: true

      - script: 'security find-certificate temp.keychain'
        workingDirectory: '$(System.ArtifactsDirectory)'
        displayName: 'Find Certificate'
        failOnStderr: true

      - script: 'security find-identity -p codesigning -v temp.keychain'
        workingDirectory: '$(System.ArtifactsDirectory)'
        displayName: 'Find Identity'
        failOnStderr: true

      - script: 'security default-keychain -s "/Users/runner/Library/Keychains/temp.keychain-db"'
        workingDirectory: '$(System.ArtifactsDirectory)'
        displayName: 'Set Default Keychain'
        failOnStderr: true

      - script: 'unzip -q myBinary.app.zip'
        workingDirectory: '$(System.ArtifactsDirectory)'
        displayName: 'Unzip myBinary'
        failOnStderr: true

      - script: 'xattr -rc myBinary.app'
        workingDirectory: '$(System.ArtifactsDirectory)'
        displayName: 'Extended Attributes'
        failOnStderr: true

      - script: 'sudo codesign -s Anasazi -f --deep myBinary.app'
        workingDirectory: '$(System.ArtifactsDirectory)'
        displayName: 'Codesign myBinary.app'
        failOnStderr: true

      - script: 'codesign -dv myBinary.app'
        workingDirectory: '$(System.ArtifactsDirectory)'
        displayName: 'Verify Codesign myBinary.app'
        failOnStderr: true



Any assistance or recommendations how we can sign the .app file in the CI would be appreciated.
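The following is an added example of the signing job written the way a hosted macOS agent needs it; it is not code from the question. It assumes the same inputs as the pipeline above (variable group MacOS with p12FileName and p12Password, the .p12 as a secure file, a Universal Package that unzips to myBinary.app) plus one assumed extra variable, codesignIdentity, holding the certificate's common name. The two things that stop a headless agent from blocking on a keychain prompt are the `security set-key-partition-list` step after the import and running codesign as the agent user rather than under sudo (root has its own keychain search list and does not see the imported identity). The example also drops `failOnStderr`, because `security` and `codesign -dv` write informational output to stderr and would fail the step even when signing succeeded; `set -e` does the failing instead.

```yaml
# Added example, not the original question's pipeline.
# Assumed: variable group MacOS (p12FileName, p12Password) and a variable
# codesignIdentity with the signing certificate's common name.
name: $(Date:yyyyMMdd)$(Rev:.r)
trigger: none
pr: none

variables:
  - group: MacOS

jobs:
  - job: Sign_macOS_App
    pool:
      vmImage: 'macOS-latest'
    steps:
      - task: DownloadSecureFile@1
        name: AppleCertificate
        displayName: 'Download Apple Certificate'
        inputs:
          secureFile: '$(p12FileName)'

      - task: DownloadPackage@1
        displayName: 'Download unsigned build'
        inputs:
          packageType: 'upack'
          feed: 'myfeed'
          definition: 'mybinary'
          version: '*'
          downloadPath: '$(System.ArtifactsDirectory)'

      - script: |
          set -euo pipefail
          KEYCHAIN_PW="$(openssl rand -hex 16)"   # throwaway password, lives only in this step

          # Fresh keychain that will not auto-lock for the length of the job (6h).
          security create-keychain -p "$KEYCHAIN_PW" "$KEYCHAIN_PATH"
          security set-keychain-settings -lut 21600 "$KEYCHAIN_PATH"
          security unlock-keychain -p "$KEYCHAIN_PW" "$KEYCHAIN_PATH"

          # Import cert + key and allow codesign/security to use the key.
          security import "$P12_PATH" -k "$KEYCHAIN_PATH" -P "$P12_PASSWORD" \
            -T /usr/bin/codesign -T /usr/bin/security
          # Without this, codesign raises a GUI "allow access" dialog that a
          # headless agent can never answer, so the step hangs until timeout.
          security set-key-partition-list -S apple-tool:,apple: -s -k "$KEYCHAIN_PW" "$KEYCHAIN_PATH"

          # Prepend the new keychain to the user's search list instead of replacing it.
          security list-keychains -d user -s "$KEYCHAIN_PATH" $(security list-keychains -d user | tr -d '"')

          # Fail fast if the identity is not valid for code signing.
          security find-identity -v -p codesigning "$KEYCHAIN_PATH" | grep -q "$CODESIGN_IDENTITY"
        displayName: 'Prepare signing keychain'
        env:
          KEYCHAIN_PATH: $(Agent.TempDirectory)/signing.keychain-db
          P12_PATH: $(AppleCertificate.secureFilePath)
          P12_PASSWORD: $(p12Password)          # secrets must be mapped into env explicitly
          CODESIGN_IDENTITY: $(codesignIdentity)

      - script: |
          set -euo pipefail
          unzip -q myBinary.app.zip
          xattr -rc myBinary.app                # strip quarantine/resource-fork attrs that break signing

          # No sudo: codesign must run as the agent user that owns the keychain above.
          codesign --force --deep --timestamp \
            --keychain "$KEYCHAIN_PATH" --sign "$CODESIGN_IDENTITY" myBinary.app

          # Strict verification; a non-zero exit fails the job.
          codesign --verify --deep --strict --verbose=2 myBinary.app

          # ditto keeps symlinks and resource forks that zip would drop from a bundle.
          mkdir -p signed
          ditto -c -k --sequesterRsrc --keepParent myBinary.app signed/myBinary.app.zip
        workingDirectory: '$(System.ArtifactsDirectory)'
        displayName: 'Sign and verify myBinary.app'
        env:
          KEYCHAIN_PATH: $(Agent.TempDirectory)/signing.keychain-db
          CODESIGN_IDENTITY: $(codesignIdentity)

      - task: UniversalPackages@0
        displayName: 'Publish signed build'
        inputs:
          command: 'publish'
          publishDirectory: '$(System.ArtifactsDirectory)/signed'
          feedsToUsePublish: 'internal'
          vstsFeedPublish: 'myfeed'
          vstsFeedPackagePublish: 'mybinary-signed'
          versionOption: 'patch'

      - script: security delete-keychain "$KEYCHAIN_PATH"
        displayName: 'Remove signing keychain'
        condition: always()                   # never leave the key behind on the agent
        env:
          KEYCHAIN_PATH: $(Agent.TempDirectory)/signing.keychain-db
```

The keychain password is generated per run and never stored, so only the .p12 password has to be a pipeline secret; the final step runs even on failure so the imported private key is destroyed with the keychain. If the app is later going to be notarized, `--options runtime` (hardened runtime) would be added to the codesign call, but that can change the app's behaviour and is left out here because the question does not ask for it.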



Sources

This article follows the attribution requirements of Stack Overflow and is licensed under CC BY-SA 3.0.

Source: Stack Overflow