
CI: Use Python 3.11 to fix macOS signing #743

Merged
merged 1 commit into from
Sep 28, 2023

DeeDeeG
Member

@DeeDeeG DeeDeeG commented Sep 27, 2023

Background and context for this Pull Request...

It's a long story, click to expand if you want:

Not sure why exactly, but our GitHub Actions workflow is producing signed macOS binaries that pass spctl "acceptance" on the CLI, and various other signing/notarization checks on the CLI, such as stapler, but nevertheless warn they can't be verified when opening the signed Pulsar.app in Finder or using open on the CLI, and so on.

Through investigating what changes we can make to better-match the Cirrus environment, which has been producing signed binaries that open just fine without the warning for months now, we have tried many things.

Eventually, disabling actions/setup-node and actions/setup-python was tried, which incidentally got us Python 3.11 instead of our manually pinned older Python 3.10. That worked, the signed binaries open as they should, sans verification warning.

Further narrowing it down resulted in, any way we get Python other than 3.10 from actions/setup-python seems to be working.

Given that, this commit starts using Python 3.11 in GitHub Actions, to fix the "macOS is signed but is still not making Gatekeeper happy" situation we have been having with GitHub Actions.

Credit where due

By the way, co-credit for this goes to @confused-Techie for the idea to try and replicate our steps for setting up for the build in the Cirrus CI environment, re-creating them here in GitHub Actions. This was the big inspiration for trying to test every possible difference in the things we control that might be different in how the Cirrus and GitHub Actions were set up, and led directly toward the final stretch "process of elimination" testing efforts that culminated in this PR. (See #742 for the first half of these efforts). And for discussing back and forth throughout all this. Felt a lot less daunting tackling this with two+ people working on it.

Also thanks to @meadowsys for helping with the debugging and answering some questions about the signing process, which helped to narrow down where the problem wasn't, so we could focus with more confidence on what else it could be.

Identify the Bug

Well, macOS binaries from GitHub Actions have been signed (as can be verified with spctl or stapler, and so on) but still warning that they can't be verified, just like any not signed binary usually would.

This is since we started building any binaries on GitHub Actions. (#682)

(This is another shot at what #742 was getting at. Hopefully we've got it solved now (see "Verification Process" below).)

Description of the Change

Start using Python 3.11 in GitHub Actions.

Before anyone asks: No, I don't know why this fixes the problem, I don't know why there was a problem in the first place.

Alternate Designs

We could just delete the actions/setup-python step, but then we'd eventually auto-update to Python 3.12 at some point, and I'd like to avoid the surprise of that.

There may be other ways of getting Python (some as elaborate as installing an entire new package manager like Homebrew), but I don't see the point in any alternatives, so long as this works.

(If Python 3.11 from actions/setup-python stops working, then sure we can try either of these alternative options.)

Possible Drawbacks

Should be none, since we should have new enough node-gyp now to handle Python 3.11. Being stuck on old node-gyp was the reason we pinned to Python 3.10 in the first place, not an issue now.

(Fixed in pulsar-edit/ppm#79 and pulsar-edit/ppm#94 in ppm repo, --> #725 at this core editor repo.)

To be clear, this may require the CI environment to have relatively recent npm, which it apparently does, since it worked in a test run of this change in CI already before I opened this PR (see "Verification Process" just below).

Verification Process

  • NOT YET VERIFIED: CI assets for this PR should open without a Gatekeeper warning saying it couldn't be verified (only the usual "this was downloaded from the internet" warning that always shows, even for signed packages, when downloaded from the internet.) (UPDATE: Verified, it works. ✅ )

Release Notes

Fixed signing for Intel macOS binaries in GitHub Actions

Background and context for this commit...

Not sure why exactly, but our GitHub Actions workflow is producing
*signed* macOS binaries that pass spctl "acceptance" on the CLI, and
various other signing/notarization checks on the CLI, such as stapler,
but nevertheless warn they can't be verified when opening the signed
Pulsar.app in Finder or using `open` on the CLI, and so on.

Through investigating what changes we can make to better-match the
Cirrus environment, which has been producing signed binaries that open just
fine without the warning for months now, we have tried many things.

Eventually, disabling actions/setup-node and actions/setup-python was
tried, which incidentally got us Python 3.11 instead of our manually
pinned older Python 3.10. That worked, the signed binaries open as
they should, sans verification warning.

Further narrowing it down resulted in, any way we get Python other
than 3.10 from actions/setup-python seems to be working.

Given that, this commit starts using Python 3.11 in GitHub Actions,
to fix the "macOS is signed but is still not making Gatekeeper happy"
situation we have been having with GitHub Actions.
@DeeDeeG
Member Author

DeeDeeG commented Sep 27, 2023

Tested and working for me!!!

One-character diff fix, let's go!

(No, I still don't know why this fixes it or why there was a problem in the first place! I've decided not to worry about it too much, since I've been working on this for a few days in a row now already!! To be honest!!)

Member

@confused-Techie confused-Techie left a comment

Amazing work to everyone involved in this mystery issue.

I'm so glad to see that it was able to be resolved, let's get this merged!

@DeeDeeG
Member Author

DeeDeeG commented Sep 28, 2023

Thanks for the review, and we have at least two people confirming this works, so I'll go ahead and merge! 👍

@DeeDeeG DeeDeeG merged commit 2696b32 into master Sep 28, 2023
99 checks passed
purocean added a commit to purocean/yn that referenced this pull request Nov 13, 2023
@DeeDeeG DeeDeeG deleted the python-3.11-GitHub-Actions-macOS-signing-fix branch November 16, 2023 03:39