Skip to content

Sign release build with distribution certificate #150

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Merged
merged 13 commits into from
Nov 5, 2025
Merged

Sign release build with distribution certificate #150

merged 13 commits into from
Nov 5, 2025

Conversation

@mokagio
Copy link
Contributor

@mokagio mokagio commented Nov 5, 2025
edited
Loading

Automattic/wordpress-rs#966 reminded us that hostmgr has always been signed only with the development certificate.

Evidently, this is not an issue for using the tool, but I've always felt it would have been more appropriate to use the distribution certificate for a release-level build. This PR does that.

CI runs make verify-signing, which validates the change.

I also verified make build, which now uses the distribution certificate, locally:

image

I also verified make build-debug locally, to make sure the interpolation of the old certificate is valid. This failed for me because I have two certificates in my machine and somehow I can't delete either from the keychain:

image

The fact we have two development certificates is not okay, even though it doesn't seem to be a problem for any of our apps. I logged https://linear.app/a8c/issue/AINFRA-1500/only-have-one-development-certificate-in-the-automattic-developer for this.

@mokagio mokagio marked this pull request as ready for review November 5, 2025 04:00
@AliSoftware
Copy link
Contributor

AliSoftware commented Nov 5, 2025

If I run make build-debug I get a different error on my end, one that says that the binary is already signed:

✓ $ make build-debug                                               
--- Building and Signing for Local Development
swift build
Building for debugging...
[4/4] Applying hostmgr
Build complete! (0.70s)
codesign --entitlements Sources/hostmgr/hostmgr.entitlements -s "Apple Development: Created via API (886NX39KP6)" .build/arm64-apple-macosx/debug/hostmgr --verbose
.build/arm64-apple-macosx/debug/hostmgr: is already signed
make: *** [build-debug] Error 1

The signature used seems to be an adhoc one:

✘ $ codesign --display -vvv .build/arm64-apple-macosx/debug/hostmgr
Executable=/Users/olivierhalligon/Documents/Dev/tools/hostmgr/.build/arm64-apple-macosx/debug/hostmgr
Identifier=hostmgr-5555494483e0192a536036ce9ccaee28173e35eb
Format=Mach-O thin (arm64)
CodeDirectory v=20400 size=65257 flags=0x2(adhoc) hashes=2028+7 location=embedded
Hash type=sha256 size=32
CandidateCDHash sha256=3bdf9078e5bce447a333621992c3b8a121249bef
CandidateCDHashFull sha256=3bdf9078e5bce447a333621992c3b8a121249beff9a18f6c2649710b7b194797
Hash choices=sha256
CMSDigest=3bdf9078e5bce447a333621992c3b8a121249beff9a18f6c2649710b7b194797
CMSDigestType=2
CDHash=3bdf9078e5bce447a333621992c3b8a121249bef
Signature=adhoc
Info.plist=not bound
TeamIdentifier=not set
Sealed Resources=none
Internal requirements count=0 size=12

Though I remember that it's not the first time I encounter this error, in fact I had a git stash in this repo to add --force to the Make commands for debug to fix it, that I never commited because I wasn't sure why I had that error and others didn't…
Anyway, if I add --force in the Makefile it works though:

✓ $ rm .build/arm64-apple-macosx/debug/hostmgr                     

✓ $ make build-debug                                               
--- Building and Signing for Local Development
swift build
Building for debugging...
[4/4] Applying hostmgr
Build complete! (0.72s)
codesign --entitlements Sources/hostmgr/hostmgr.entitlements -s "Apple Development: Created via API (886NX39KP6)" .build/arm64-apple-macosx/debug/hostmgr --force --verbose
.build/arm64-apple-macosx/debug/hostmgr: replacing existing signature
.build/arm64-apple-macosx/debug/hostmgr: signed Mach-O thin (arm64) [hostmgr]

And checking the signature confirms it uses the expected one:

✓ $ codesign --display -vvv .build/arm64-apple-macosx/debug/hostmgr
Executable=/Users/olivierhalligon/Documents/Dev/tools/hostmgr/.build/arm64-apple-macosx/debug/hostmgr
Identifier=hostmgr
Format=Mach-O thin (arm64)
CodeDirectory v=20400 size=65227 flags=0x0(none) hashes=2028+7 location=embedded
Hash type=sha256 size=32
CandidateCDHash sha256=b6083791681e3963e1ece4c1068d7199b14f39cd
CandidateCDHashFull sha256=b6083791681e3963e1ece4c1068d7199b14f39cd244fe96c7deb97bdc5092536
Hash choices=sha256
CMSDigest=b6083791681e3963e1ece4c1068d7199b14f39cd244fe96c7deb97bdc5092536
CMSDigestType=2
CDHash=b6083791681e3963e1ece4c1068d7199b14f39cd
Signature size=4788
Authority=Apple Development: Created via API (886NX39KP6)
Authority=Apple Worldwide Developer Relations Certification Authority
Authority=Apple Root CA
Signed Time=5 Nov 2025 at 13:38:26
Info.plist=not bound
TeamIdentifier=PZYM8XX95Q
Sealed Resources=none
Internal requirements count=1 size=172

So

@AliSoftware
Add --force to codesign for debug too
4d09be6
@AliSoftware
Remove useless Make target
5d8e249 
The name of that target was not super clear, and looking at the implementation we can see it has some `xcode-143` hardcoded value not up-to-date and confusing (as it will not match what's in the VM at the end of this command nowadays…).

Given this feels like a target that is a bit too-specific (i.e. if we go that route why wouldn't we create Make targets for every single `hostmgr` command to test too?) and in practice it's easier to just run `make build-debug` then run the command we want to test manually afterwards so we can adjust it to what we want to test, it made more sense to me to remove it to avoid adding confusion in the Makefile.
@AliSoftware
Fix set_up_certificate_in_keychain
3bbeea2 
To not require the ASC API Key when in `readonly` mode
@AliSoftware
Add fetch-codesigning* recipes to Makefile
daecdaa 
Those only call the corresponding fastlane lanes and nothing esle; but it helps discoverability

Note that I deliberately didn't add those recipes as dependency to the `build:`/`build-debug:`/`build-helper-debug:` recipes, despite those recipes indeed needing the code signing identities to have been fetched and be present in the keychain for `codesign` to work as expected.

This is because those fastlane lanes require the `MATCH_S3_ACCESS_KEY` and `MATCH_S3_SECRET_ACCESS_KEY` env vars to be declared locally for them to run, but we don't usually have those set in all our shell sessions unless we `export` them explicitly first. Conversely, we usually already have the necessary certificates in our keychain already when we're working on `hostmgr` so there's no need to re-fetch them systematically from S3 every single time we want to `build` or `build-debug`.
@AliSoftware
Make Rubocop more lenient on method length
6441b37
@AliSoftware
Copy link
Contributor

AliSoftware commented Nov 5, 2025
edited
Loading

@mokagio I took the liberty to push a couple of commits to fix some nitpicks:

  • 4d09be6 Adds --force to fix the issue I had and described in my comment above
  • 5d8e249 removed create-vm-debug from Makefile, as I found it confusing, obsolete and useless.
  • 3bbeea2 makes it so the fastlane lanes using match/sync_code_signing don't require the ASC credentials and API key when they're running in readonly:true mode.
  • daecdaa adds recipes in the Makefile to call the code-signing lanes. This just calls bundle exec fastlane set_up_signing and nothing else so one could argue that this is redundant to add it to the Makefile, but I think it helps discoverability.

PS: When calling make fetch-codesigning (or the corresponding lane), I got this deprecation warning in the logs:

#################### DEPRECATION WARNING ####################
Called deprecated method `download_file` of Aws::S3::Object. Use `Aws::S3::TransferManager#download_file` instead.
Method `download_file` will be removed in next major version.
#############################################################
/Users/olivierhalligon/Documents/Dev/tools/hostmgr/vendor/bundle/ruby/3.2.0/gems/aws-sdk-s3-1.202.0/lib/aws-sdk-s3/customizations/object_summary.rb:80:in `download_file'
…
/Users/olivierhalligon/.rbenv/versions/3.2.2/bin/bundle:25:in `<main>'

This is a known issue in fastlane, and in fact I opened a PR a while ago in the fastlane repo to fix it (still pending review though). Despite the scary stacktrace being printed in the logs, this is only a warning and doesn't prevent the lane from running and working.

AliSoftware
AliSoftware approved these changes Nov 5, 2025
View reviewed changes
Copy link
Contributor

@AliSoftware AliSoftware left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

After applying my changes and pushing a couple of commits (see previous comment), I tested the following:

  • Ran make fetch-codesigning (after exporting both MATCH_S3_ACCESS_KEY and MATCH_S3_SECRET_ACCESS_KEY in my env first) and validated it fetched the latest certs
  • Ran make clean build and validated via codesign -d -vv … that both hostmgr and hostmgr-helper were signed correctly with release cert
  • Ran make clean build-debug build-helper-debug
    • At first I ran into the same issue as you with ambiguous error during codesign. Indeed, after I checked in my Keychain, I had 2 of those certificates there (one expiring in… April 2026 I think? And the other expiring in May).
    • So I deleted the older one to only keep the one expiring in May 2026, then retried, and this time it passed.
    • Then I validated via codesign -d -vv … that both hostmgr and hostmgr-helper were signed correctly with dev cert

mokagio
mokagio commented Nov 5, 2025
View reviewed changes
Makefile Outdated
@echo "--- Building and Signing hostmgr for Local Development"
swift build
codesign --entitlements Sources/hostmgr/hostmgr.entitlements -s "${CERTIFICATE_NAME_DEBUG}" .build/arm64-apple-macosx/debug/hostmgr -v
codesign --entitlements Sources/hostmgr/hostmgr.entitlements -s "${CERTIFICATE_NAME_DEBUG}" .build/arm64-apple-macosx/debug/hostmgr --force --verbose
Copy link
Contributor Author

@mokagio mokagio Nov 5, 2025

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Also +1 on using the verbose flag name instead of the short, much clearer when reading the code.

@mokagio
Copy link
Contributor Author

mokagio commented Nov 5, 2025

Thanks for the enhancements and fixes @AliSoftware

@mokagio mokagio merged commit f6a9b1e into trunk Nov 5, 2025
6 checks passed
@mokagio mokagio deleted the mokagio/ainfra-1477 branch November 5, 2025 22:21
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@AliSoftware AliSoftware AliSoftware approved these changes

@twstokes twstokes Awaiting requested review from twstokes

@iangmaia iangmaia Awaiting requested review from iangmaia

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

3 participants

@mokagio @AliSoftware