job-sign-macos-api-key.yml
# Version 1.0
# Maintainer: Kamil Piotrowski
# Description: This template signs a macOS binary and publishes it as an artifact.
# The output artifact contains all files from the input artifact together with the signing result.
# It requires an Apple Developer ID Application certificate added to ADO secure files.
# Both the source binary and the GON configuration files must be in the input artifacts.
# It assumes that an API key is used for authentication. Username and password authentication is not supported for security reasons.
# It uses the Nordcloud fork of the GON tool (we added support for API key authorization).
# Requirements:
# vmImage: macOS-10.15
# Xcode version: >= 11.0
# Parameters:
# cert_file_name [required] - is the P12 certificate file name stored in ADO secured files
# cert_file_passwd [required] - P12 certificate password
# input_artifact_name [required] - Input artifact name containing binary to sign and config file
# output_artifact_name [required] - Output artifact name. Signed file will be saved in this artifact.
# sign_config_file_name [optional] (def: sign-config.json) - Configuration file name.
# api_key_file_name [required] - is the P8 Apple API Key used for authentication.
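# Template parameters. An empty-string default marks a value the caller is
# expected to supply (see the parameter list in the header comment).
parameters:
  go_version: "1.13.5"
  cert_file_name: ""
  # Pass a reference to a secret pipeline variable here, for example
  # "$(p12Password)" (constructed name). Template parameters are expanded when
  # the pipeline is compiled, so a literal password would be readable in the
  # expanded YAML.
  cert_file_passwd: ""
  input_artifact_name: ""
  output_artifact_name: ""
  sign_config_file_name: "sign-config.json"
  api_key_file_name: ""
  # Optional commit SHA or tag of nordcloud/gon to build. When left empty the
  # default branch head is built, so the tool that handles the signing
  # identity can change between runs without review. Set this to a reviewed
  # commit to make the build reproducible.
  gon_ref: ""

jobs:
  - job: SignMacOSBinary
    pool:
      # NOTE(review): the header comment lists macOS-10.15 as the requirement,
      # while this label floats to whichever image is current - confirm which
      # one is intended.
      vmImage: 'macOS-latest'
    steps:
      # Go toolchain used to build gon from source.
      - task: GoTool@0
        inputs:
          version: "${{ parameters.go_version }}"

      # Imports the P12 signing certificate from secure files into a
      # temporary keychain.
      - task: InstallAppleCertificate@2
        inputs:
          certSecureFile: "${{ parameters.cert_file_name }}"
          certPwd: "${{ parameters.cert_file_passwd }}"
          keychain: "temp"

      # Downloads the P8 API key; later steps read its location from
      # $(appleApiKey.secureFilePath).
      - task: DownloadSecureFile@1
        name: appleApiKey
        displayName: 'Download Apple API key'
        inputs:
          secureFile: '${{ parameters.api_key_file_name }}'

      # Input artifact: the binary to sign plus the gon configuration file.
      - task: DownloadPipelineArtifact@2
        inputs:
          artifact: "${{ parameters.input_artifact_name }}"
          path: $(Build.SourcesDirectory)/bin

      # Builds gon from the Nordcloud fork and places the binary next to the
      # files to sign.
      - script: |
          # Stop at the first failing command instead of continuing with a
          # missing or partial build.
          set -euo pipefail
          git clone https://github.com/nordcloud/gon.git
          cd gon
          # Pin the source to the requested revision when one is given.
          if [ -n "$GON_REF" ]; then
            git checkout "$GON_REF"
          fi
          mkdir -p dist
          GOOS=darwin GOARCH=amd64 go build -o ./dist/gon ./cmd/gon
          cp ./dist/gon ../bin/gon
        displayName: InstallGON
        workingDirectory: $(Build.SourcesDirectory)
        env:
          GON_REF: "${{ parameters.gon_ref }}"

      # Copies the API key into ~/.appstoreconnect/private_keys and runs gon
      # with the signing configuration.
      - script: |
          set -euo pipefail
          # Anything created below is readable by the agent user only.
          umask 077
          key_dir="$HOME/.appstoreconnect/private_keys"
          key_file="$key_dir/${API_KEY_PATH##*/}"
          mkdir -p "$key_dir"
          cp "$API_KEY_PATH" "$key_file"
          # The key is only read, never executed: owner read/write is enough.
          chmod 600 "$key_file"
          ./gon -log-level=info "${{ parameters.sign_config_file_name }}"
        displayName: SignMac OS binary
        workingDirectory: $(Build.SourcesDirectory)/bin
        env:
          API_KEY_PATH: $(appleApiKey.secureFilePath)

      # Removes the gon binary so it is not published with the artifact, and
      # removes the API key copy from the agent user's home directory.
      # condition: always() keeps the key from being left behind when signing
      # fails; the publish step below keeps its default condition.
      - script: |
          rm -rf private_keys
          rm -f gon
          if [ -n "${API_KEY_PATH:-}" ]; then
            rm -f "$HOME/.appstoreconnect/private_keys/${API_KEY_PATH##*/}"
          fi
        displayName: CleanGON
        workingDirectory: $(Build.SourcesDirectory)/bin
        condition: always()
        env:
          API_KEY_PATH: $(appleApiKey.secureFilePath)

      # Publishes the input files together with the signing result.
      - task: PublishPipelineArtifact@1
        inputs:
          artifactName: "${{ parameters.output_artifact_name }}"
          targetPath: $(Build.SourcesDirectory)/bin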