Complete Gon/goreleaser workflow for signing and notarizing

[dekimsey]

I was trying to use gon and goreleaser together and couldn't find decent example of how to make them play together especially with any name template usage. It's messy.

I think the crux of the issue is that gon and goreleaser have differing workflows. We have somewhat conflicting interests. For instance:

• goreleaser builds the binary
• goreleaser wants to archive the binary
• But gon needs to sign the binary first, in goreleaser's workflow this happens last
• gon also is config driven
• user needs to notarize the package (dmg, zip)
• but notarize requires signed binaries in the archive
• gon will archive if you give it the binaries

Etc.

The docs on either side (goreleaser's or gon's) are incomplete in how to wire up a complete solution (sign & notarize) or when they do, they gloss over the unsupported hard-coded naming behavior.

Here is an end-to-end example I was able to make work (required acquiring the Developer ID (for signing) and an Installer ID (for notarizing) cert as documented in hon). Having to generate the gon.hcl on the fly makes it pretty clunky. Ideally, I think instead of trying to shell-out to gon, gorealeaer integrates it as a library and triggers the requisite steps (sign binary after build, perform notarize after archive) correctly.

I'm sharing this in hopes that it might motivate creating a better workflow or integration.

Thank you!

complete goreleaser.yml config

# .goreleaser.yml
project_name: myapp
before:
  hooks:
    - go mod tidy
    - go mod download

env:
  - CGO_ENABLED=0
  # Signing parameters. Check gon's documentation on what the appropriate values should be.
  - BUNDLE_ID=com.example.myapp
  - APPLE_ID_USERNAME=dekimsey@example.com
  - APPLE_ID_PASSWORD=@keychain:m1-gon
  - "APPLE_APPLICATION_IDENTITY=Developer ID Application: Daniel Kimsey"

builds:
  - id: default
    goos: [linux, windows]
    goarch: [arm64, amd64]
    flags:
      - -trimpath
    ldflags:
      - -s -w -X main.version={{.Version}}
    ignore:
      - goos: darwin
      - goarch: arm
        goos: windows
      - goarch: arm64
        goos: windows
    mod_timestamp: "{{ .CommitTimestamp }}"
# The mac builds need to be separate because we have to sign the binaries themselves. Ideally,
# we'd do this at the sign step. But we are notarizing during the sign step. And notarizing requires
# signed binaries, but all we get from goreleaser is the archive.
  - id: macos
    goos: [darwin]
    goarch: [arm64, amd64]
    flags:
      - -trimpath
    ldflags:
      - -s -w -X main.version={{.Version}}
    mod_timestamp: "{{ .CommitTimestamp }}"
    hooks:
      post:
        - |
          sh -c '
          fn=dist/macos_{{.Target}}/gon.hcl
          cat >"$fn" <<EOF
          bundle_id = "{{.Env.BUNDLE_ID}}"
          apple_id {
            username = "{{.Env.APPLE_ID_USERNAME}}"
            password = "{{.Env.APPLE_ID_PASSWORD}}"
          }
          source = ["dist/macos_{{.Target}}/{{.Name}}"]
          sign {
            application_identity = "{{.Env.APPLE_APPLICATION_IDENTITY}}"
          }
          EOF
          '
        - "gon 'dist/macos_{{.Target}}/gon.hcl'"

archives:
  - format: zip
    builds: [default]
    name_template: "{{ .ProjectName }}_{{ .Version }}_{{ .Os }}_{{ .Arch }}"
    format_overrides:
      - goos: linux
        format: tar.gz
# We want a separate archive ID, so we can make sure to Release the correct artifact.
  - id: macos
    builds: [macos]
# Important: zip/dmg is required for notarization. 
    format: zip
    name_template: "{{ .ProjectName }}_{{ .Version }}_{{ .Os }}_{{ .Arch }}"

signs:
# Here we do a specific notarize step _replacing_ the original artifact in-place. One could generate
# a separate archive, just be sure not to Release it.
  - id: mac-notarize
    artifacts: archive
    ids: [macos]
    signature: "${artifact}"
    output: true
    cmd: sh
    args:
      - "-c"
      - |-
        cat >"dist/gon.notarize.hcl" <<EOF
        apple_id {
          username = "{{.Env.APPLE_ID_USERNAME}}"
          password = "{{.Env.APPLE_ID_PASSWORD}}"
        }
        notarize {
          path = "${artifact}"
          bundle_id = "{{.Env.BUNDLE_ID}}"
        }
        EOF
        gon "dist/gon.notarize.hcl"

release:
  ids:
# The default artifacts for the other OS's and our notarized artifacts for OSX.
# If we don't specify this, goreleaser will double-count the artifacts from previous steps (artifacts, sign) during the Release step.
# That will fail, since our sign step replaced the originals. So we explictly inform goreleaser which artifacts to upload.
    - default
    - mac-notarize

For those that don't want to use gon to notarize, the notarize bits above could be replaced with:

notarize with notarytool

Note: notarytool will need a keychain profile pre-created to store the credentials. Run xcrun notarytool store-credentials --apple-id "name@example.com" --team-id "DEADBEEF" to generate profile, substituting the correct values for your Developer ID as needed.

    cmd: xcrun
    args:
      - "notarytool"
      - "submit"
      - "--verbose"
      - "--wait"
      - "--progress"
      - "--keychain-profile"
      - "...my-profile-name-from-the-store-credentials-line...."
      - "${artifact}"

Regardless, a distribution then looks like:

run log

goreleaser release --rm-dist --skip-publish --skip-validate

  • starting release...
  • loading config file                              file=.goreleaser.yml
  • loading environment variables
  • getting and validating git state
    • building...                                    commit=e18db40ee723b883a8c4068a3c387a92323bfc1b latest tag=v0.2.0
    • pipe skipped                                   reason=validation is disabled
  • parsing tag
  • setting defaults
  • running before hooks
    • running                                        hook=go mod tidy
    • running                                        hook=go mod download
  • checking distribution directory
    • --rm-dist is set, cleaning it up
  • loading go mod information
  • build prerequisites
  • writing effective config file
    • writing                                        config=dist/config.yaml
  • generating changelog
    • writing                                        changelog=dist/CHANGELOG.md
  • building binaries
    • building                                       binary=dist/macos_darwin_amd64_v1/myapp
    • building                                       binary=dist/myapp_linux_amd64_v1/myapp
    • building                                       binary=dist/myapp_linux_arm64/myapp
    • building                                       binary=dist/macos_darwin_arm64/myapp
    • building                                       binary=dist/myapp_windows_amd64_v1/myapp.exe
    • running hook                                   hook=sh -c '
fn=dist/macos_darwin_amd64_v1/gon.hcl
cat >"$fn" <<EOF
source = ["dist/macos_darwin_amd64_v1/myapp"]
bundle_id = "com.example.myapp"
apple_id {
  username = "dekimsey@example.com"
  password = "@keychain:m1-gon"
}
sign {
  application_identity = "Developer ID Application: Daniel Kimsey"
}
EOF
'

    • running hook                                   hook=gon "dist/macos_darwin_amd64_v1/gon.hcl"
    • running hook                                   hook=sh -c '
fn=dist/macos_darwin_arm64/gon.hcl
cat >"$fn" <<EOF
source = ["dist/macos_darwin_arm64/myapp"]
bundle_id = "com.example.myapp"
apple_id {
  username = "dekimsey@example.com"
  password = "@keychain:m1-gon"
}
sign {
  application_identity = "Developer ID Application: Daniel Kimsey"
}
EOF
'

    • running hook                                   hook=gon "dist/macos_darwin_arm64/gon.hcl"
    • took: 3s
  • archives
    • creating                                       archive=dist/myapp_0.2.0_darwin_arm64.zip
    • creating                                       archive=dist/myapp_0.2.0_darwin_amd64.zip
    • took: 4s
  • calculating checksums
  • signing artifacts
    • signing                                        artifact=myapp_0.2.0_darwin_arm64.zip cmd=sh signature=dist/myapp_0.2.0_darwin_arm64.zip
    • ==> 🍎  Notarizing...                           artifact=myapp_0.2.0_darwin_arm64.zip cmd=sh signature=dist/myapp_0.2.0_darwin_arm64.zip
    •     Path: dist/myapp_0.2.0_darwin_arm64.zip  artifact=myapp_0.2.0_darwin_arm64.zip cmd=sh signature=dist/myapp_0.2.0_darwin_arm64.zip
    •     Submitting file for notarization...        artifact=myapp_0.2.0_darwin_arm64.zip cmd=sh signature=dist/myapp_0.2.0_darwin_arm64.zip
    •     Submitted. Request UUID: deadbeef-uuid-here-1 artifact=myapp_0.2.0_darwin_arm64.zip cmd=sh signature=dist/myapp_0.2.0_darwin_arm64.zip
    •     Waiting for results from Apple. This can take minutes to hours. artifact=myapp_0.2.0_darwin_arm64.zip cmd=sh signature=dist/myapp_0.2.0_darwin_arm64.zip
    •     Status: in progress                        artifact=myapp_0.2.0_darwin_arm64.zip cmd=sh signature=dist/myapp_0.2.0_darwin_arm64.zip
    •     Status: success                            artifact=myapp_0.2.0_darwin_arm64.zip cmd=sh signature=dist/myapp_0.2.0_darwin_arm64.zip
    •     File notarized!                            artifact=myapp_0.2.0_darwin_arm64.zip cmd=sh signature=dist/myapp_0.2.0_darwin_arm64.zip
    •                                                artifact=myapp_0.2.0_darwin_arm64.zip cmd=sh signature=dist/myapp_0.2.0_darwin_arm64.zip
    • Notarization complete! Notarized files:        artifact=myapp_0.2.0_darwin_arm64.zip cmd=sh signature=dist/myapp_0.2.0_darwin_arm64.zip
    •   - dist/myapp_0.2.0_darwin_arm64.zip (notarized) artifact=myapp_0.2.0_darwin_arm64.zip cmd=sh signature=dist/myapp_0.2.0_darwin_arm64.zip
    • signing                                        artifact=myapp_0.2.0_darwin_amd64.zip cmd=sh signature=dist/myapp_0.2.0_darwin_amd64.zip
    • ==> 🍎  Notarizing...                           artifact=myapp_0.2.0_darwin_amd64.zip cmd=sh signature=dist/myapp_0.2.0_darwin_amd64.zip
    •     Path: dist/myapp_0.2.0_darwin_amd64.zip  artifact=myapp_0.2.0_darwin_amd64.zip cmd=sh signature=dist/myapp_0.2.0_darwin_amd64.zip
    •     Submitting file for notarization...        artifact=myapp_0.2.0_darwin_amd64.zip cmd=sh signature=dist/myapp_0.2.0_darwin_amd64.zip
    •     Submitted. Request UUID: deadbeef-uuid-here-2 artifact=myapp_0.2.0_darwin_amd64.zip cmd=sh signature=dist/myapp_0.2.0_darwin_amd64.zip
    •     Waiting for results from Apple. This can take minutes to hours. artifact=myapp_0.2.0_darwin_amd64.zip cmd=sh signature=dist/myapp_0.2.0_darwin_amd64.zip
    •     Status: in progress                        artifact=myapp_0.2.0_darwin_amd64.zip cmd=sh signature=dist/myapp_0.2.0_darwin_amd64.zip
    •     Status: success                            artifact=myapp_0.2.0_darwin_amd64.zip cmd=sh signature=dist/myapp_0.2.0_darwin_amd64.zip
    •     File notarized!                            artifact=myapp_0.2.0_darwin_amd64.zip cmd=sh signature=dist/myapp_0.2.0_darwin_amd64.zip
    •                                                artifact=myapp_0.2.0_darwin_amd64.zip cmd=sh signature=dist/myapp_0.2.0_darwin_amd64.zip
    • Notarization complete! Notarized files:        artifact=myapp_0.2.0_darwin_amd64.zip cmd=sh signature=dist/myapp_0.2.0_darwin_amd64.zip
    •   - dist/myapp_0.2.0_darwin_amd64.zip (notarized) artifact=myapp_0.2.0_darwin_amd64.zip cmd=sh signature=dist/myapp_0.2.0_darwin_amd64.zip
    • refreshing checksums                           file=myapp_0.2.0_SHA256SUMS
    • took: 3m15s
  • storing release metadata
    • writing                                        file=dist/artifacts.json
    • writing                                        file=dist/metadata.json
  • release succeeded after 3m21s

References:

• https://scriptingosx.com/2021/07/notarize-a-command-line-tool-with-notarytool/
• https://github.com/junegunn/fzf/blob/master/.goreleaser.yml#L17
• OS X notarize and GitHub release #2102
• https://github.com/mitchellh/gon#usage-with-goreleaser
• https://medium.com/anchore-engineering/developers-need-to-handle-macos-binary-signing-how-we-automated-the-solution-part-2-ad1e08caff0f

[dekimsey]

I don't 100% trust that I'm notarizing the archive correctly. Everything says it works, but when I try verifying my zip it fails. The Apple docs on this aren't particularly clear on how to verify zip archives.

codesign --verify --deep --strict --verbose=2 dist/macos_darwin_arm64/myapp

dist/macos_darwin_arm64/myapp: valid on disk
dist/macos_darwin_arm64/myapp: satisfies its Designated Requirement

spctl --assess -vv dist/myapp_0.2.0_darwin_arm64.zip

dist/myapp_0.2.0_darwin_arm64.zip: rejected
source=no usable signature

TBh, shrug at this point.

[caarlos0]

The main reason I haven't tried to improve this yet is that I also don't have a macos developer account, and there are other things I want to improve first, but this is, in fact, in my todo list of things to take care of. I just can't promise any dates...

FWIW, gon itself is released with goreleaser and notarized with gon, so maybe there's something to look into there.

[dekimsey]

I will definitely take a look at that!

[ChrisWiegman]

I would love to hear if y'all find an answer for this. I've gotten as far as getting emails back from Apple after signing in a GitHub action but, in the end, it can never verify the sig when I download the artifact. After a few days of this I'm really at the end of my rope.

[ChrisWiegman]

Oh great! Would love to see it. I got super close, but I just couldn't get it all to work.

[caarlos0]

would be great if you feel like writing a quick doc about it, can be unformatted/raw here and I format it, or if you want to pr it directly thats amazing as well

[dekimsey]

@ChrisWiegman I updated the post with a copy of my .goreleaser config.

I don't have access to an OSX CI runner, so I release from my laptop. However, I think it has everything one needs to make it work. You'll need to tweak the env variables at the top as appropriate.

FYI: I recall reading an issue with GitLab CI & OSX runners with builds. In short, the GitLab CI will start the job with a default keychain on the box, but won't tell you the password. Since gon needs it to sign, you are stuck. I believe the work-around was to simply create a keychain at build time, load your key pair, and then configure gon to use that keychain instead of the default one. Unfortunately, I failed to take note of the write-up and I'm not finding it right now. But I expect you'll have some trouble there.

GIve it a try and see if that can get it working for you. I'd be interested to hear what happens.

edit: Okay, found it. The discussion by anchore's engineering team (see section titled "Setting up the keychain") and the CI script generating an ephemeral keychain. I hope this helps!

[ChrisWiegman]

Thank you. I'm running from GitHub Actions and was able to get as far as getting the email notifications back from Apple saying that a given file was signed with my ID but then the downloads still never worked. Hopefully this will fix that.

[dekimsey]

@caarlos0 Cookbook as requested, see #3388. Thank you!

[ChrisWiegman]

OK, I've got a test app just for this. I've got the notarization emails from Apple but the Gatekeeper still balks (see attachment for binary check)

This is all done on a test app I have at https://github.com/ChrisWiegman/hiroy and will delete when I can get this working. Feel free to check the config, PR, etc. Note it's using GitHub Actions but I don't think that should matter.

[caarlos0]

that looks sweet @bep, will look into integrating it into GoReleaser as well :)

[ChrisWiegman]

Oh nice! Thanks for sharing. I've starred that one and will take a fresh look when I get a chance!

[bep]

Oh, well, Apple has done an incredible job making this a lot harder than it should be ... I installed Docker's MacOs client the other day, and even that billion dollar company didn't bother to notarize their isntaller.

[caarlos0]

yes, most of the dev tools I use are not notarized... I think most providers just don't care.

also, having to pay to be able to notarize does not help 😂

[bep]

I meant to write "Dropbox's MacOs Client" above, but it's still a billion dollar company.

[caarlos0]

BTW, new kid in town: https://github.com/anchore/quill

[cfabianski]

We have done something for curio if you want to have a look.