@jkmassel
Contributor

Adds code signing to the release and debug XCFrameworks. This allows consumer projects to ensure the binary dependency hasn't been tampered with.

@jkmassel force-pushed the add/xcframework-code-signing branch 2 times, most recently from e70ef6e to 3a46021 (October 16, 2025 03:14)
@jkmassel force-pushed the add/xcframework-code-signing branch from 3a46021 to 2d78421 (October 16, 2025 03:32)
mokagio commented Nov 5, 2025

Sorry, I meant to create a dedicated branch for the distribution certificate (tracked in https://linear.app/a8c/issue/AINFRA-1477/make-a-release-mode-code-signing-certificate) but I pushed without realizing I was on this branch...

mokagio commented Nov 5, 2025

I know how to fix the build failures caused by the change in the artifact path... but my Docker is bricked and that is blocking my shell from entering this repo's folder -.-'

swift package compute-checksum libwordpressFFI.xcframework.zip | tee libwordpressFFI.xcframework.zip.checksum.txt

xcframework-sign:
codesign --timestamp -v --sign "${certificate_name_release}" target/libwordpressFFI.xcframework
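
Review bot: On the `codesign --timestamp -v --sign ...` line in `xcframework-sign`, the `-v` flag is treated as verbose output when combined with `--sign`, so nothing here verifies the signature that was just produced. Consider following it with a separate `codesign --verify --strict target/libwordpressFFI.xcframework` so a missing or invalid signature fails the build. It is also worth confirming that the `swift package compute-checksum` line runs on a ZIP that contains the signed framework, since the checksum and the signature are produced by different targets.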
pushd target
buildkite-agent artifact download libwordpressFFI.xcframework.zip . --step "xcframework"
unzip libwordpressFFI.xcframework.zip -d .
rm libwordpressFFI.xcframework.zip
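
Review bot: After `unzip libwordpressFFI.xcframework.zip -d .`, the downloaded artifact is extracted and the ZIP removed with no integrity check visible in these lines. Since this PR introduces signing, consider verifying the artifact at this point, either by comparing the ZIP against `libwordpressFFI.xcframework.zip.checksum.txt` before unzipping or by running `codesign --verify` on the extracted framework, so later steps do not consume an unverified binary.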
@jkmassel @crazytonyli This PR changed the ZIP destination from target/ to ./ in https://github.com/Automattic/wordpress-rs/pull/966/files#diff-a3991ebf1475eb82acab13946ffc1eca02b43917f6d5bec3898f45c8b0b9bd53L74

I thought it would be enough to update the download call at the start of the script (see above) but there evidently are other parts of the automation that expect the file to be in target/, because to make the build pass I had to add this additional ZIP expansion in the target/ folder.

I'm happy to help tidy this up. Alternatively, we could restore the ZIP-to-target-folder behavior and leave it at that. Up to you.

Contributor

Looks like make xcframework-package was introduced to replace the zip command. Maybe we can update xcframework-package to put the zip file at target/, and you don't need the new script here to unzip twice?
