Enable macos notarization

polldo · polldo · commit 02895b7bacff · 2021-09-28T19:22:45.000+02:00
diff --git a/.github/workflows/release-go-task.yml b/.github/workflows/release-go-task.yml
@@ -69,7 +69,7 @@ jobs:
           INSTALLER_CERT_MAC_PATH: "/tmp/ArduinoCerts2020.p12"
           KEYCHAIN_PASSWORD: keychainpassword # Arbitrary password for a keychain that exists only for the duration of the job, so not secret
         run: |
-          echo "${{ secrets.INSTALLER_CERT_MAC_P12 }}" | base64 --decode > "${{ env.INSTALLER_CERT_MAC_PATH }}"
+          echo "${{ secrets.MACOS_SIGN_CERTIFICATE_P12 }}" | base64 --decode > "${{ env.INSTALLER_CERT_MAC_PATH }}"
           security create-keychain -p "${{ env.KEYCHAIN_PASSWORD }}" "${{ env.KEYCHAIN }}"
           security default-keychain -s "${{ env.KEYCHAIN }}"
           security unlock-keychain -p "${{ env.KEYCHAIN_PASSWORD }}" "${{ env.KEYCHAIN }}"
@@ -79,7 +79,7 @@ jobs:
             -f pkcs12 \
             -A \
             -T "/usr/bin/codesign" \
-            -P "${{ secrets.INSTALLER_CERT_MAC_PASSWORD }}"
+            -P "${{ secrets.MACOS_SIGN_CERTIFICATE_PASSWORD }}"
           security set-key-partition-list \
             -S apple-tool:,apple: \
             -s \
diff --git a/.gon.hcl b/.gon.hcl
diff --git a/gon.config.hcl b/gon.config.hcl
@@ -0,0 +1,14 @@
+# Source: https://github.com/arduino/tooling-project-assets/blob/main/workflow-templates/assets/general/gon.config.hcl
+# See: https://github.com/mitchellh/gon#configuration-file
+source = ["dist/arduino-cloud-cli_osx_darwin_amd64/arduino-cloud-cli"]
+bundle_id = "cc.arduino.arduino-cloud-cli"
+
+sign {
+  application_identity = "Developer ID Application: ARDUINO SA (7KT7ZWMCJT)"
+}
+
+# Ask Gon for zip output to force notarization process to take place.
+# The CI will ignore the zip output, using the signed binary only.
+zip {
+  output_path = "unused.zip"
+}
