diff --git a/.github/workflows/depsreview.yaml b/.github/workflows/depsreview.yaml
index 19845cb4d..e39d9213c 100644
--- a/.github/workflows/depsreview.yaml
+++ b/.github/workflows/depsreview.yaml
@@ -11,4 +11,4 @@ jobs:
 - uses: actions/checkout@9bb56186c3b09b4f86b1c65136769dd318469633 # v3
 - uses: actions/dependency-review-action@v4
 with:
- allow-licenses: BSD-2-Clause, BSD-3-Clause, MIT, Apache-2.0, MPL-2.0
+ allow-licenses: BSD-2-Clause, BSD-3-Clause, MIT, Apache-2.0, MPL-2.0, ISC
diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml
index f3da00b4c..ea853e2cb 100644
--- a/.github/workflows/release.yml
+++ b/.github/workflows/release.yml
@@ -135,4 +135,9 @@ jobs:
 DISCORD_WEBHOOK_ID: ${{ secrets.DISCORD_WEBHOOK_ID }}
 DISCORD_WEBHOOK_TOKEN: ${{ secrets.DISCORD_WEBHOOK_TOKEN }}
 AUR_KEY: ${{ secrets.AUR_KEY }}
+ MACOS_SIGN_P12: ${{ secrets.MACOS_SIGN_P12 }}
+ MACOS_SIGN_PASSWORD: ${{ secrets.MACOS_SIGN_PASSWORD }}
+ MACOS_NOTARY_ISSUER_ID: ${{ secrets.MACOS_NOTARY_ISSUER_ID }}
+ MACOS_NOTARY_KEY_ID: ${{ secrets.MACOS_NOTARY_KEY_ID }}
+ MACOS_NOTARY_KEY: ${{ secrets.MACOS_NOTARY_KEY }}
 run: task goreleaser
diff --git a/.goreleaser.yaml b/.goreleaser.yaml
index c8c6644fd..d67190127 100644
--- a/.goreleaser.yaml
+++ b/.goreleaser.yaml
@@ -53,6 +53,17 @@ builds:
 universal_binaries:
 - replace: false
 
+notarize:
+ macos:
+ - enabled: '{{ isEnvSet "MACOS_SIGN_P12" }}'
+ sign:
+ certificate: "{{.Env.MACOS_SIGN_P12}}"
+ password: "{{.Env.MACOS_SIGN_PASSWORD}}"
+ notarize:
+ issuer_id: "{{.Env.MACOS_NOTARY_ISSUER_ID}}"
+ key_id: "{{.Env.MACOS_NOTARY_KEY_ID}}"
+ key: "{{.Env.MACOS_NOTARY_KEY}}"
+
 # temporarely disables until we add better filters for platforms et al, and test more.
 # upx:
 # - enabled: true
diff --git a/go.mod b/go.mod
index 5841844a8..4d357442a 100644
--- a/go.mod
+++ b/go.mod
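Review bot: The five `MACOS_*` secrets are exported into the environment of the whole `task goreleaser` step in release.yml, so the signing P12, its password and the notary API key are readable by every process that step starts, not only by the notarize pipe. The step and the job's triggers begin outside this hunk, so how the job is gated is not visible here. If it is not already restricted to tag pushes, attaching the job to a protected environment that owns these secrets (`environment: <protected-environment-name>`) would limit which runs can load them. A comment above the new lines, such as `# macOS signing identity and notary API key: release runs only`, would record that intent.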
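Review bot: The inner `notarize:` block added to .goreleaser.yaml sets no `wait`, and going by the status switch in internal/pipe/notary/macos.go a run without it only submits the binary and continues while the verdict is still pending, so a later rejection would not fail the release. Assuming the YAML key mirrors the `Wait` field, adding `wait: true` next to `key:` would let an invalid or rejected result stop the run before anything is published. The `enabled` gate tests only `MACOS_SIGN_P12`; a comment such as `# all five MACOS_* variables must be set together (see release.yml)` would explain why the other four are not checked.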
@@ -6,6 +6,7 @@ require ( code.gitea.io/sdk/gitea v0.18.0 dario.cat/mergo v1.0.0 github.com/Masterminds/semver/v3 v3.2.1 + github.com/anchore/quill v0.4.1 github.com/atc0005/go-teams-notify/v2 v2.10.0 github.com/awslabs/amazon-ecr-credential-helper/ecr-login v0.0.0-20231024185945-8841054dbdb8 github.com/caarlos0/ctrlc v1.2.0 @@ -53,28 +54,6 @@ require ( gopkg.in/yaml.v3 v3.0.1 ) -require ( - github.com/cyphar/filepath-securejoin v0.2.4 // indirect - github.com/distribution/reference v0.5.0 // indirect - github.com/dustin/go-humanize v1.0.1 // indirect - github.com/felixge/httpsnoop v1.0.4 // indirect - github.com/go-logr/logr v1.4.1 // indirect - github.com/go-logr/stdr v1.2.2 // indirect - github.com/golang-jwt/jwt/v5 v5.2.1 // indirect - github.com/onsi/gomega v1.29.0 // indirect - github.com/sagikazarmark/locafero v0.4.0 // indirect - github.com/sagikazarmark/slog-shim v0.1.0 // indirect - github.com/secure-systems-lab/go-securesystemslib v0.8.0 // indirect - github.com/sourcegraph/conc v0.3.0 // indirect - go.opentelemetry.io/contrib/instrumentation/google.golang.org/grpc/otelgrpc v0.49.0 // indirect - go.opentelemetry.io/contrib/instrumentation/net/http/otelhttp v0.49.0 // indirect - go.opentelemetry.io/otel v1.24.0 // indirect - go.opentelemetry.io/otel/metric v1.24.0 // indirect - go.opentelemetry.io/otel/trace v1.24.0 // indirect - go.uber.org/multierr v1.11.0 // indirect - gopkg.in/go-jose/go-jose.v2 v2.6.3 // indirect -) - require ( cloud.google.com/go v0.112.1 // indirect cloud.google.com/go/compute v1.25.0 // indirect 
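Review bot: `github.com/anchore/quill v0.4.1` is added as a direct requirement and, per macos.go in this commit, it is the code that loads the signing P12 and the notary key, so its transitive set now runs inside the release process that holds those credentials. The later go.mod hunks show that set includes modules pinned only by pseudo-version (`anchore/bubbly`, `anchore/go-logger`, `anchore/go-macholibre`, `wagoodman/go-partybus`, `wagoodman/go-progress`) and one pre-release (`go-restruct/restruct v1.2.0-alpha`). The commit message should record that the new modules were checked (for example with `govulncheck ./...`) and name the module that needs the `ISC` entry added to depsreview.yaml, so the allow-list change can be audited later.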
@@ -108,6 +87,9 @@ require ( github.com/Nvveen/Gotty v0.0.0-20120604004816-cd527374f1e5 // indirect github.com/ProtonMail/go-crypto v1.0.0 // indirect github.com/alessio/shellescape v1.4.1 // indirect + github.com/anchore/bubbly v0.0.0-20230518153401-87b6af8ccf22 // indirect + github.com/anchore/go-logger v0.0.0-20230725134548-c21dafa1ec5a // indirect + github.com/anchore/go-macholibre v0.0.0-20220308212642-53e6d0aaf6fb // indirect github.com/asaskevich/govalidator v0.0.0-20230301143203-a9d515a09cc2 // indirect github.com/aws/aws-sdk-go v1.51.6 github.com/aws/aws-sdk-go-v2 v1.26.0 // indirect @@ -135,19 +117,25 @@ require ( github.com/aymanbagabas/go-osc52/v2 v2.0.1 // indirect github.com/bahlo/generic-list-go v0.2.0 // indirect github.com/beorn7/perks v1.0.1 // indirect + github.com/blacktop/go-dwarf v1.0.9 // indirect + github.com/blacktop/go-macho v1.1.162 // indirect github.com/blakesmith/ar v0.0.0-20190502131153-809d4375e1fb // indirect github.com/buger/jsonparser v1.1.1 // indirect github.com/cavaliergopher/cpio v1.0.1 // indirect github.com/cenkalti/backoff/v4 v4.2.1 // indirect github.com/cespare/xxhash/v2 v2.2.0 // indirect + github.com/charmbracelet/bubbletea v0.22.1 // indirect github.com/cloudflare/circl v1.3.7 // indirect + github.com/containerd/console v1.0.3 // indirect github.com/containerd/continuity v0.3.0 // indirect github.com/containerd/stargz-snapshotter/estargz v0.14.3 // indirect github.com/cpuguy83/go-md2man/v2 v2.0.3 // indirect + github.com/cyphar/filepath-securejoin v0.2.4 // indirect github.com/davecgh/go-spew v1.1.2-0.20180830191138-d8f796af33cc // indirect github.com/davidmz/go-pageant v1.0.2 // indirect github.com/dghubble/sling v1.4.0 // indirect github.com/dimchansky/utfbom v1.1.1 // indirect + github.com/distribution/reference v0.5.0 // indirect github.com/docker/cli v25.0.4+incompatible // indirect github.com/docker/distribution v2.8.3+incompatible // indirect github.com/docker/docker v25.0.5+incompatible // indirect 
@@ -155,14 +143,20 @@ require ( github.com/docker/go-connections v0.4.0 // indirect github.com/docker/go-metrics v0.0.1 // indirect github.com/docker/go-units v0.5.0 + github.com/dustin/go-humanize v1.0.1 // indirect github.com/elliotchance/orderedmap/v2 v2.2.0 // indirect github.com/emirpasic/gods v1.18.1 // indirect github.com/evanphx/json-patch/v5 v5.6.0 // indirect + github.com/felixge/httpsnoop v1.0.4 // indirect github.com/fsnotify/fsnotify v1.7.0 // indirect + github.com/gabriel-vasile/mimetype v1.4.2 // indirect + github.com/github/smimesign v0.2.0 // indirect github.com/go-fed/httpsig v1.1.0 // indirect github.com/go-git/gcfg v1.5.1-0.20230307220236-3a3c6141e376 // indirect github.com/go-git/go-billy/v5 v5.5.0 // indirect github.com/go-git/go-git/v5 v5.11.0 // indirect + github.com/go-logr/logr v1.4.1 // indirect + github.com/go-logr/stdr v1.2.2 // indirect github.com/go-openapi/analysis v0.23.0 // indirect github.com/go-openapi/errors v0.22.0 // indirect github.com/go-openapi/jsonpointer v0.21.0 // indirect @@ -173,9 +167,11 @@ require ( github.com/go-openapi/strfmt v0.23.0 // indirect github.com/go-openapi/swag v0.23.0 // indirect github.com/go-openapi/validate v0.24.0 // indirect + github.com/go-restruct/restruct v1.2.0-alpha // indirect github.com/gobwas/glob v0.2.3 // indirect github.com/gogo/protobuf v1.3.2 // indirect github.com/golang-jwt/jwt/v4 v4.5.0 // indirect + github.com/golang-jwt/jwt/v5 v5.2.1 // indirect github.com/golang/groupcache v0.0.0-20210331224755-41bb18bfe9da // indirect github.com/golang/protobuf v1.5.4 // indirect github.com/google/go-querystring v1.1.0 // indirect 
@@ -208,15 +204,19 @@ require ( github.com/magiconair/properties v1.8.7 // indirect github.com/mailru/easyjson v0.7.7 // indirect github.com/mattn/go-isatty v0.0.20 // indirect + github.com/mattn/go-localereader v0.0.1 // indirect github.com/mattn/go-runewidth v0.0.15 // indirect github.com/mitchellh/copystructure v1.2.0 // indirect github.com/mitchellh/mapstructure v1.5.0 // indirect github.com/mitchellh/reflectwalk v1.0.2 // indirect github.com/moby/term v0.5.0 // indirect + github.com/muesli/ansi v0.0.0-20211031195517-c9f0611b6c70 // indirect + github.com/muesli/cancelreader v0.2.2 // indirect github.com/muesli/mango v0.1.0 // indirect github.com/muesli/mango-pflag v0.1.0 // indirect github.com/muesli/reflow v0.3.0 // indirect github.com/oklog/ulid v1.3.1 // indirect + github.com/onsi/gomega v1.29.0 // indirect github.com/opencontainers/go-digest v1.0.0 // indirect github.com/opencontainers/image-spec v1.1.0 // indirect github.com/opencontainers/runc v1.1.12 // indirect @@ -232,6 +232,10 @@ require ( github.com/prometheus/procfs v0.12.0 // indirect github.com/rivo/uniseg v0.4.7 // indirect github.com/russross/blackfriday/v2 v2.1.0 // indirect + github.com/sagikazarmark/locafero v0.4.0 // indirect + github.com/sagikazarmark/slog-shim v0.1.0 // indirect + github.com/scylladb/go-set v1.0.2 // indirect + github.com/secure-systems-lab/go-securesystemslib v0.8.0 // indirect github.com/sergi/go-diff v1.2.0 // indirect github.com/shopspring/decimal v1.2.0 // indirect github.com/sigstore/cosign/v2 v2.2.4 // indirect @@ -239,6 +243,7 @@ require ( github.com/sigstore/sigstore v1.8.3 // indirect github.com/sirupsen/logrus v1.9.3 // indirect github.com/skeema/knownhosts v1.2.1 // indirect + github.com/sourcegraph/conc v0.3.0 // indirect github.com/spf13/afero v1.11.0 // indirect github.com/spf13/cast v1.6.0 // indirect github.com/spf13/pflag v1.0.5 // indirect 
@@ -248,6 +253,8 @@ require ( github.com/titanous/rocacheck v0.0.0-20171023193734-afe73141d399 // indirect github.com/tomnomnom/linkheader v0.0.0-20180905144013-02ca5825eb80 // indirect github.com/vbatts/tar-split v0.11.5 // indirect + github.com/wagoodman/go-partybus v0.0.0-20230516145632-8ccac152c651 // indirect + github.com/wagoodman/go-progress v0.0.0-20220614130704-4b1c25a33c7c // indirect github.com/wk8/go-ordered-map/v2 v2.1.8 // indirect github.com/xanzy/ssh-agent v0.3.3 // indirect github.com/xeipuuv/gojsonpointer v0.0.0-20190905194746-02993c407bfb // indirect @@ -256,7 +263,13 @@ require ( gitlab.com/digitalxero/go-conventional-commit v1.0.7 // indirect go.mongodb.org/mongo-driver v1.14.0 // indirect go.opencensus.io v0.24.0 // indirect + go.opentelemetry.io/contrib/instrumentation/google.golang.org/grpc/otelgrpc v0.49.0 // indirect + go.opentelemetry.io/contrib/instrumentation/net/http/otelhttp v0.49.0 // indirect + go.opentelemetry.io/otel v1.24.0 // indirect + go.opentelemetry.io/otel/metric v1.24.0 // indirect + go.opentelemetry.io/otel/trace v1.24.0 // indirect go.uber.org/automaxprocs v1.5.3 + go.uber.org/multierr v1.11.0 // indirect golang.org/x/exp v0.0.0-20231206192017-f3f8817b8deb golang.org/x/mod v0.17.0 // indirect golang.org/x/net v0.24.0 // indirect @@ -271,9 +284,11 @@ require ( google.golang.org/grpc v1.62.1 // indirect google.golang.org/protobuf v1.33.0 // indirect gopkg.in/alexcesaro/quotedprintable.v3 v3.0.0-20150716171945-2caba252f4dc // indirect + gopkg.in/go-jose/go-jose.v2 v2.6.3 // indirect gopkg.in/ini.v1 v1.67.0 // indirect gopkg.in/warnings.v0 v0.1.2 // indirect gopkg.in/yaml.v2 v2.4.0 // indirect sigs.k8s.io/kind v0.22.0 // indirect sigs.k8s.io/yaml v1.4.0 // indirect + software.sslmate.com/src/go-pkcs12 v0.4.0 // indirect ) diff --git a/go.sum b/go.sum index 7cdbab81f..bf0a30181 100644 --- a/go.sum +++ b/go.sum 
@@ -86,10 +86,21 @@ github.com/ProtonMail/go-mime v0.0.0-20230322103455-7d82a3887f2f h1:tCbYj7/299ek github.com/ProtonMail/go-mime v0.0.0-20230322103455-7d82a3887f2f/go.mod h1:gcr0kNtGBqin9zDW9GOHcVntrwnjrK+qdJ06mWYBybw= github.com/ProtonMail/gopenpgp/v2 v2.7.1 h1:Awsg7MPc2gD3I7IFac2qE3Gdls0lZW8SzrFZ3k1oz0s= github.com/ProtonMail/gopenpgp/v2 v2.7.1/go.mod h1:/BU5gfAVwqyd8EfC3Eu7zmuhwYQpKs+cGD8M//iiaxs= +github.com/acarl005/stripansi v0.0.0-20180116102854-5a71ef0e047d h1:licZJFw2RwpHMqeKTCYkitsPqHNxTmd4SNR5r94FGM8= +github.com/acarl005/stripansi v0.0.0-20180116102854-5a71ef0e047d/go.mod h1:asat636LX7Bqt5lYEZ27JNDcqxfjdBQuJ/MM4CN/Lzo= github.com/alecthomas/template v0.0.0-20160405071501-a0175ee3bccc/go.mod h1:LOuyumcjzFXgccqObfd/Ljyb9UuFJ6TxHnclSeseNhc= github.com/alecthomas/units v0.0.0-20151022065526-2efee857e7cf/go.mod h1:ybxpYRFXyAe+OPACYpWeL0wqObRcbAqCMya13uyzqw0= github.com/alessio/shellescape v1.4.1 h1:V7yhSDDn8LP4lc4jS8pFkt0zCnzVJlG5JXy9BVKJUX0= github.com/alessio/shellescape v1.4.1/go.mod h1:PZAiSCk0LJaZkiCSkPv8qIobYglO3FPpyFjDCtHLS30= +github.com/anchore/bubbly v0.0.0-20230518153401-87b6af8ccf22 h1:5NFK6VGgqBUOAX2SYyzFYvNdOiYDxzim8jga386FlZY= +github.com/anchore/bubbly v0.0.0-20230518153401-87b6af8ccf22/go.mod h1:Kv+Mm9CdtnV8iem48iEPIwy7/N4Wmk0hpxYNH5gTwKQ= +github.com/anchore/go-logger v0.0.0-20230725134548-c21dafa1ec5a h1:nJ2G8zWKASyVClGVgG7sfM5mwoZlZ2zYpIzN2OhjWkw= +github.com/anchore/go-logger v0.0.0-20230725134548-c21dafa1ec5a/go.mod h1:ubLFmlsv8/DFUQrZwY5syT5/8Er3ugSr4rDFwHsE3hg= +github.com/anchore/go-macholibre v0.0.0-20220308212642-53e6d0aaf6fb h1:iDMnx6LIjtjZ46C0akqveX83WFzhpTD3eqOthawb5vU= +github.com/anchore/go-macholibre v0.0.0-20220308212642-53e6d0aaf6fb/go.mod h1:DmTY2Mfcv38hsHbG78xMiTDdxFtkHpgYNVDPsF2TgHk= +github.com/anchore/quill v0.4.1 h1:mffDnvnER3ZgPjN5hexc3nr/4Y1dtKdDB6td5K8uInk= +github.com/anchore/quill v0.4.1/go.mod h1:t6hOPYDohN8wn2SRWQdNkJBkhmK8s3gzuHzzgcEvzQU= +github.com/andreyvit/diff v0.0.0-20170406064948-c7f18ee00883/go.mod 
h1:rCTlJbsFo29Kk6CurOXKm700vrz8f0KW0JNfpkRJY/8= github.com/anmitsu/go-shlex v0.0.0-20200514113438-38f4b401e2be h1:9AeTilPcZAjCFIImctFaOjnTIavg87rW78vTPkQqLI8= github.com/anmitsu/go-shlex v0.0.0-20200514113438-38f4b401e2be/go.mod h1:ySMOLuWl6zY27l47sB3qLNK6tF2fkHG55UZxx8oIVo4= github.com/armon/go-socks5 v0.0.0-20160902184237-e75332964ef5 h1:0CwZNZbxp69SHPdPJAN/hZIm0C4OItdklCFmMRWYpio= @@ -158,6 +169,10 @@ github.com/beorn7/perks v0.0.0-20180321164747-3a771d992973/go.mod h1:Dwedo/Wpr24 github.com/beorn7/perks v1.0.0/go.mod h1:KWe93zE9D1o94FZ5RNwFwVgaQK1VOXiVxmqh+CedLV8= github.com/beorn7/perks v1.0.1 h1:VlbKKnNfV8bJzeqoa4cOKqO6bYr3WgKZxO8Z16+hsOM= github.com/beorn7/perks v1.0.1/go.mod h1:G2ZrVWU2WbWT9wwq4/hrbKbnv/1ERSJQ0ibhJ6rlkpw= +github.com/blacktop/go-dwarf v1.0.9 h1:eT/L7gt0gllvvgnRXY0MFKjNB6+jtOY5DTm2ynVX2dY= +github.com/blacktop/go-dwarf v1.0.9/go.mod h1:4W2FKgSFYcZLDwnR7k+apv5i3nrau4NGl9N6VQ9DSTo= +github.com/blacktop/go-macho v1.1.162 h1:FjM3XAsJTAOGZ1eppRSX9ZBX3Bk11JMTC1amsZAOA5I= +github.com/blacktop/go-macho v1.1.162/go.mod h1:f2X4noFBob4G5bWUrzvPBKDVcFWZgDCM7rIn7ygTID0= github.com/blakesmith/ar v0.0.0-20190502131153-809d4375e1fb h1:m935MPodAbYS46DG4pJSv7WO+VECIWUQ7OJYSoTrMh4= github.com/blakesmith/ar v0.0.0-20190502131153-809d4375e1fb/go.mod h1:PkYb9DJNAwrSvRx5DYA+gUcOIgTGVMNkfSCbZM8cWpI= github.com/buger/jsonparser v1.1.1 h1:2PnMjfWD7wBILjqQbt530v576A/cAbQvEW9gGIpYMUs= 
@@ -185,8 +200,11 @@ github.com/cenkalti/backoff/v4 v4.1.2/go.mod h1:scbssz8iZGpm3xbr14ovlUdkxfGXNInq github.com/cenkalti/backoff/v4 v4.2.1 h1:y4OZtCnogmCPw98Zjyt5a6+QwPLGkiQsYW5oUqylYbM= github.com/cenkalti/backoff/v4 v4.2.1/go.mod h1:Y3VNntkOUPxTVeUxJ/G5vcM//AlwfmyYozVcomhLiZE= github.com/census-instrumentation/opencensus-proto v0.2.1/go.mod h1:f6KPmirojxKA12rnyqOA5BBL4O983OfeGPqjHWSTneU= +github.com/certifi/gocertifi v0.0.0-20180118203423-deb3ae2ef261/go.mod h1:GJKEexRPVJrBSOjoqN5VNOIKJ5Q3RViH6eu3puDRwx4= github.com/cespare/xxhash/v2 v2.2.0 h1:DC2CZ1Ep5Y4k3ZQ899DldepgrayRUGE6BBZ/cd9Cj44= github.com/cespare/xxhash/v2 v2.2.0/go.mod h1:VGX0DQ3Q6kWi7AoAeZDth3/j3BFtOZR5XLFGgcrjCOs= +github.com/charmbracelet/bubbletea v0.22.1 h1:z66q0LWdJNOWEH9zadiAIXp2GN1AWrwNXU8obVY9X24= +github.com/charmbracelet/bubbletea v0.22.1/go.mod h1:8/7hVvbPN6ZZPkczLiB8YpLkLJ0n7DMho5Wvfd2X1C0= github.com/charmbracelet/keygen v0.5.0 h1:XY0fsoYiCSM9axkrU+2ziE6u6YjJulo/b9Dghnw6MZc= github.com/charmbracelet/keygen v0.5.0/go.mod h1:DfvCgLHxZ9rJxdK0DGw3C/LkV4SgdGbnliHcObV3L+8= github.com/charmbracelet/lipgloss v0.10.0 h1:KWeXFSexGcfahHX+54URiZGkBFazf70JNMtwg/AFW3s= @@ -200,6 +218,8 @@ github.com/cloudflare/circl v1.3.3/go.mod h1:5XYMA4rFBvNIrhs50XuiBJ15vF2pZn4nnUK github.com/cloudflare/circl v1.3.7 h1:qlCDlTPz2n9fu58M0Nh1J/JzcFpfgkFHHX3O35r5vcU= github.com/cloudflare/circl v1.3.7/go.mod h1:sRTcRWXGLrKw6yIGJ+l7amYJFfAXbZG0kBSc8r4zxgA= github.com/cncf/udpa/go v0.0.0-20191209042840-269d4d468f6f/go.mod h1:M8M6+tZqaGXZJjfX53e64911xZQV5JYwmTeXPW+k8Sc= +github.com/containerd/console v1.0.3 h1:lIr7SlA5PxZyMV30bDW0MGbiOPXwc63yRuCP0ARubLw= +github.com/containerd/console v1.0.3/go.mod h1:7LqA/THxQ86k76b8c/EMSiaJ3h1eZkMkXar0TQ1gf3U= github.com/containerd/continuity v0.3.0 h1:nisirsYROK15TAMVukJOUyGJjz4BNQJBVsNvAXZJ/eg= github.com/containerd/continuity v0.3.0/go.mod h1:wJEAIwKOm/pBZuBd0JmeTvnLquTB1Ag8espWhkykbPM= github.com/containerd/log v0.1.0 h1:TCJt7ioM2cr/tfR8GPbGf9/VRAX8D2B4PjzCpfX540I= 
@@ -263,12 +283,18 @@ github.com/evanphx/json-patch/v5 v5.6.0 h1:b91NhWfaz02IuVxO9faSllyAtNXHMPkC5J8sJ github.com/evanphx/json-patch/v5 v5.6.0/go.mod h1:G79N1coSVB93tBe7j6PhzjmR3/2VvlbKOFpnXhI9Bw4= github.com/fatih/color v1.15.0 h1:kOqh6YHBtK8aywxGerMG2Eq3H6Qgoqeo13Bk2Mv/nBs= github.com/fatih/color v1.15.0/go.mod h1:0h5ZqXfHYED7Bhv2ZJamyIOUej9KtShiJESRwBDUSsw= +github.com/fatih/set v0.2.1 h1:nn2CaJyknWE/6txyUDGwysr3G5QC6xWB/PtVjPBbeaA= +github.com/fatih/set v0.2.1/go.mod h1:+RKtMCH+favT2+3YecHGxcc0b4KyVWA1QWWJUs4E0CI= github.com/felixge/httpsnoop v1.0.4 h1:NFTV2Zj1bL4mc9sqWACXbQFVBBg2W3GPvqp8/ESS2Wg= github.com/felixge/httpsnoop v1.0.4/go.mod h1:m8KPJKqk1gH5J9DgRY2ASl2lWCfGKXixSwevea8zH2U= github.com/frankban/quicktest v1.14.6 h1:7Xjx+VpznH+oBnejlPUj8oUpdxnVs4f8XU8WnHkI4W8= github.com/frankban/quicktest v1.14.6/go.mod h1:4ptaffx2x8+WTWXmUCuVU6aPUX1/Mz7zb5vbUoiM6w0= github.com/fsnotify/fsnotify v1.7.0 h1:8JEhPFa5W2WU7YfeZzPNqzMP6Lwt7L2715Ggo0nosvA= github.com/fsnotify/fsnotify v1.7.0/go.mod h1:40Bi/Hjc2AVfZrqy+aj+yEI+/bRxZnMJyTJwOpGvigM= +github.com/gabriel-vasile/mimetype v1.4.2 h1:w5qFW6JKBz9Y393Y4q372O9A7cUSequkh1Q7OhCmWKU= +github.com/gabriel-vasile/mimetype v1.4.2/go.mod h1:zApsH/mKG4w07erKIaJPFiX0Tsq9BFQgN3qGY5GnNgA= +github.com/github/smimesign v0.2.0 h1:Hho4YcX5N1I9XNqhq0fNx0Sts8MhLonHd+HRXVGNjvk= +github.com/github/smimesign v0.2.0/go.mod h1:iZiiwNT4HbtGRVqCQu7uJPEZCuEE5sfSSttcnePkDl4= github.com/gliderlabs/ssh v0.3.5 h1:OcaySEmAQJgyYcArR+gGGTHCyE7nvhEMTlYY+Dp8CpY= github.com/gliderlabs/ssh v0.3.5/go.mod h1:8XB4KraRrX39qHhT6yxPsHedjA08I/uBVwj4xC+/+z4= github.com/go-fed/httpsig v1.1.0 h1:9M+hb0jkEICD8/cAiNqEB66R87tTINszBRTjwjQzWcI= 
@@ -309,6 +335,8 @@ github.com/go-openapi/swag v0.23.0 h1:vsEVJDUo2hPJ2tu0/Xc+4noaxyEffXNIs3cOULZ+Gr github.com/go-openapi/swag v0.23.0/go.mod h1:esZ8ITTYEsH1V2trKHjAN8Ai7xHb8RV+YSZ577vPjgQ= github.com/go-openapi/validate v0.24.0 h1:LdfDKwNbpB6Vn40xhTdNZAnfLECL81w+VX3BumrGD58= github.com/go-openapi/validate v0.24.0/go.mod h1:iyeX1sEufmv3nPbBdX3ieNviWnOZaJ1+zquzJEf2BAQ= +github.com/go-restruct/restruct v1.2.0-alpha h1:2Lp474S/9660+SJjpVxoKuWX09JsXHSrdV7Nv3/gkvc= +github.com/go-restruct/restruct v1.2.0-alpha/go.mod h1:KqrpKpn4M8OLznErihXTGLlsXFGeLxHUrLRRI/1YjGk= github.com/go-sql-driver/mysql v1.8.1 h1:LedoTUt/eveggdHS9qUFC1EFSa8bU2+1pZjSRpvNJ1Y= github.com/go-sql-driver/mysql v1.8.1/go.mod h1:wEBSXgmK//2ZFJyE+qWnIsVGmvmEKlqwuVSjsCm7DZg= github.com/go-stack/stack v1.8.0/go.mod h1:v0f6uXyyMGvRgIKkXu+yp6POWl0qKG85gN/melR3HDY= @@ -391,6 +419,7 @@ github.com/googleapis/enterprise-certificate-proxy v0.3.2 h1:Vie5ybvEvT75RniqhfF github.com/googleapis/enterprise-certificate-proxy v0.3.2/go.mod h1:VLSiSSBs/ksPL8kq3OBOQ6WRI2QnaFynd1DCjZ62+V0= github.com/googleapis/gax-go/v2 v2.12.3 h1:5/zPPDvw8Q1SuXjrqrZslrqT7dL/uJT2CQii/cLCKqA= github.com/googleapis/gax-go/v2 v2.12.3/go.mod h1:AKloxT6GtNbaLm8QTNSidHUVsHYcBHwWRvkNFJUQcS4= +github.com/gookit/color v1.2.5/go.mod h1:AhIE+pS6D4Ql0SQWbBeXPHw7gY0/sjHoA4s/n1KB7xg= github.com/gopherjs/gopherjs v1.17.2 h1:fQnZVsXk8uxXIStYb0N4bGk7jeyTalG/wsZjQ25dO0g= github.com/gopherjs/gopherjs v1.17.2/go.mod h1:pRRIvn/QzFLrKfvEz3qUuEhtE/zLCWfreZ6J5gM2i+k= github.com/goreleaser/chglog v0.5.0 h1:Sk6BMIpx8+vpAf8KyPit34OgWui8c7nKTMHhYx88jJ4= 
@@ -415,6 +444,7 @@ github.com/hashicorp/go-cleanhttp v0.5.2/go.mod h1:kO/YDlP8L1346E6Sodw+PrpBSV4/S github.com/hashicorp/go-hclog v0.9.2/go.mod h1:5CU+agLiy3J7N7QjHK5d05KxGsuXiQLrjA0H7acj2lQ= github.com/hashicorp/go-hclog v1.5.0 h1:bI2ocEMgcVlz55Oj1xZNBsVi900c7II+fWDyV9o+13c= github.com/hashicorp/go-hclog v1.5.0/go.mod h1:W4Qnvbt70Wk/zYJryRzDRU/4r0kIg0PVHBcfoyhpF5M= +github.com/hashicorp/go-multierror v1.1.0/go.mod h1:spPvp8C1qA32ftKqdAHm4hHTbPw+vmowP0z+KUhOZdA= github.com/hashicorp/go-multierror v1.1.1 h1:H5DkEtf6CXdFp0N0Em5UCwQpXMWke8IA0+lD48awMYo= github.com/hashicorp/go-multierror v1.1.1/go.mod h1:iw975J/qwKPdAO1clOe2L8331t/9/fmwbPZ6JB6eMoM= github.com/hashicorp/go-retryablehttp v0.7.5 h1:bJj+Pj19UZMIweq/iie+1u5YCdGrnxCT9yvm0e+Nd5M= 
@@ -485,16 +515,22 @@ github.com/matryer/is v1.4.0/go.mod h1:8I/i5uYgLzgsgEloJE1U6xx5HkBQpAZvepWuujKwM github.com/mattn/go-colorable v0.1.13 h1:fFA4WZxdEF4tXPZVKMLwD8oUnCTTo08duU7wxecdEvA= github.com/mattn/go-colorable v0.1.13/go.mod h1:7S9/ev0klgBDR4GtXTXX8a3vIGJpMovkB8vQcUbaXHg= github.com/mattn/go-isatty v0.0.14/go.mod h1:7GGIvUiUoEMVVmxf/4nioHXj79iQHKdU27kJ6hsGG94= +github.com/mattn/go-isatty v0.0.16/go.mod h1:kYGgaQfpe5nmfYZH+SKPsOc2e4SrIfOl2e/yFXSvRLM= github.com/mattn/go-isatty v0.0.20 h1:xfD0iDuEKnDkl03q4limB+vH+GxLEtL/jb4xVJSWWEY= github.com/mattn/go-isatty v0.0.20/go.mod h1:W+V8PltTTMOvKvAeJH7IuucS94S2C6jfK/D7dTCTo3Y= +github.com/mattn/go-localereader v0.0.1 h1:ygSAOl7ZXTx4RdPYinUpg6W99U8jWvWi9Ye2JC/oIi4= +github.com/mattn/go-localereader v0.0.1/go.mod h1:8fBrzywKY7BI3czFoHkuzRoWE9C+EiG4R1k4Cjx5p88= github.com/mattn/go-mastodon v0.0.6 h1:lqU1sOeeIapaDsDUL6udDZIzMb2Wqapo347VZlaOzf0= github.com/mattn/go-mastodon v0.0.6/go.mod h1:cg7RFk2pcUfHZw/IvKe1FUzmlq5KnLFqs7eV2PHplV8= github.com/mattn/go-runewidth v0.0.12/go.mod h1:RAqKPSqVFrSLVXbA8x7dzmKdmGzieGRCM46jaSJTDAk= +github.com/mattn/go-runewidth v0.0.13/go.mod h1:Jdepj2loyihRzMpdS35Xk/zdY8IAYHsh153qUoGf23w= github.com/mattn/go-runewidth v0.0.15 h1:UNAjwbU9l54TA3KzvqLGxwWjHmMgBUVhBiTjelZgg3U= github.com/mattn/go-runewidth v0.0.15/go.mod h1:Jdepj2loyihRzMpdS35Xk/zdY8IAYHsh153qUoGf23w= github.com/matttproud/golang_protobuf_extensions v1.0.1/go.mod h1:D8He9yQNgCq6Z5Ld7szi9bcBfOoFv/3dc6xSMkL2PC0= github.com/maxatome/go-testdeep v1.12.0 h1:Ql7Go8Tg0C1D/uMMX59LAoYK7LffeJQ6X2T04nTH68g= github.com/maxatome/go-testdeep v1.12.0/go.mod h1:lPZc/HAcJMP92l7yI6TRz1aZN5URwUBUAfUNvrclaNM= +github.com/mgutz/ansi v0.0.0-20200706080929-d51e80ef957d h1:5PJl274Y63IEHC+7izoQE9x6ikvDFZS2mDVS3drnohI= +github.com/mgutz/ansi v0.0.0-20200706080929-d51e80ef957d/go.mod h1:01TrycV0kFyexm33Z7vhZRXopbI8J3TDReVlkTgMUxE= github.com/mitchellh/copystructure v1.0.0/go.mod h1:SNtv71yrdKgLRyLFxmLdkAbkKEFWgYaq1OVrnRcwhnw= 
github.com/mitchellh/copystructure v1.2.0 h1:vpKXTN4ewci03Vljg/q9QvCGUDttBOGBIa15WveJJGw= github.com/mitchellh/copystructure v1.2.0/go.mod h1:qLl+cE2AmVv+CoeAwDPye/v+N2HKCj9FbZEVFJRxO9s= @@ -513,6 +549,11 @@ github.com/modern-go/reflect2 v0.0.0-20180701023420-4b7aa43c6742/go.mod h1:bx2lN github.com/modern-go/reflect2 v1.0.1/go.mod h1:bx2lNnkwVCuqBIxFjflWJWanXIb3RllmbCylyMrvgv0= github.com/morikuni/aec v1.0.0 h1:nP9CBfwrvYnBRgY6qfDQkygYDmYwOilePFkwzv4dU8A= github.com/morikuni/aec v1.0.0/go.mod h1:BbKIizmSmc5MMPqRYbxO4ZU0S0+P200+tUnFx7PXmsc= +github.com/muesli/ansi v0.0.0-20211018074035-2e021307bc4b/go.mod h1:fQuZ0gauxyBcmsdE3ZT4NasjaRdxmbCS0jRHsrWu3Ho= +github.com/muesli/ansi v0.0.0-20211031195517-c9f0611b6c70 h1:kMlmsLSbjkikxQJ1IPwaM+7LJ9ltFu/fi8CRzvSnQmA= +github.com/muesli/ansi v0.0.0-20211031195517-c9f0611b6c70/go.mod h1:fQuZ0gauxyBcmsdE3ZT4NasjaRdxmbCS0jRHsrWu3Ho= +github.com/muesli/cancelreader v0.2.2 h1:3I4Kt4BQjOR54NavqnDogx/MIoWBFa0StPA8ELUXHmA= +github.com/muesli/cancelreader v0.2.2/go.mod h1:3XuTXfFS2VjM+HTLZY9Ak0l6eUKfijIfMUZ4EgX0QYo= github.com/muesli/mango v0.1.0 h1:DZQK45d2gGbql1arsYA4vfg4d7I9Hfx5rX/GCmzsAvI= github.com/muesli/mango v0.1.0/go.mod h1:5XFpbC8jY5UUv89YQciiXNlbi+iJgt29VDC5xbzrLL4= github.com/muesli/mango-cobra v1.2.0 h1:DQvjzAM0PMZr85Iv9LIMaYISpTOliMEg+uMFtNbYvWg= 
@@ -523,6 +564,7 @@ github.com/muesli/reflow v0.3.0 h1:IFsN6K9NfGtjeggFP+68I4chLZV2yIKsXJFNZ+eWh6s= github.com/muesli/reflow v0.3.0/go.mod h1:pbwTDkVPibjO2kyvBQRBxTWEEGDGq0FlB1BIKtnHY/8= github.com/muesli/roff v0.1.0 h1:YD0lalCotmYuF5HhZliKWlIx7IEhiXeSfq7hNjFqGF8= github.com/muesli/roff v0.1.0/go.mod h1:pjAHQM9hdUUwm/krAfrLGgJkXJ+YuhtsfZ42kieB2Ig= +github.com/muesli/termenv v0.11.1-0.20220212125758-44cd13922739/go.mod h1:Bd5NYQ7pd+SrtBSrSNoBBmXlcY8+Xj4BMJgh8qcZrvs= github.com/muesli/termenv v0.15.2 h1:GohcuySI0QmI3wN8Ok9PtKGkgkFIk7y6Vpb5PvrY+Wo= github.com/muesli/termenv v0.15.2/go.mod h1:Epx+iuz8sNs7mNKhxzH4fWXGNpZwUaJKRS1noLXviQ8= github.com/mwitkow/go-conntrack v0.0.0-20161129095857-cc309e4a2223/go.mod h1:qRWi+5nqEBWmkhHvq77mSJWrCKwh8bxhgT7d/eI7P4U= @@ -539,6 +581,7 @@ github.com/opencontainers/runc v1.1.12 h1:BOIssBaW1La0/qbNZHXOOa71dZfZEQOzW7dqQf github.com/opencontainers/runc v1.1.12/go.mod h1:S+lQwSfncpBha7XTy/5lBwWgm5+y5Ma/O44Ekby9FK8= github.com/ory/dockertest/v3 v3.10.0 h1:4K3z2VMe8Woe++invjaTB7VRyQXQy5UY+loujO4aNE4= github.com/ory/dockertest/v3 v3.10.0/go.mod h1:nr57ZbRWMqfsdGdFNLHz5jjNdDb7VVFnzAeW1n5N1Lg= +github.com/pborman/getopt v0.0.0-20180811024354-2b5b3bfb099b/go.mod h1:85jBQOZwpVEaDAr341tbn15RS4fCAsIst0qp7i8ex1o= github.com/pelletier/go-toml v1.9.4/go.mod h1:u1nR/EPcESfeI/szUZKdtJ0xRNbUoANCkoOuaOx1Y+c= github.com/pelletier/go-toml v1.9.5 h1:4yBQzkHv+7BHq2PQUZF3Mx0IYxG7LsP222s7Agd3ve8= github.com/pelletier/go-toml v1.9.5/go.mod h1:u1nR/EPcESfeI/szUZKdtJ0xRNbUoANCkoOuaOx1Y+c= 
@@ -588,8 +631,11 @@ github.com/sagikazarmark/locafero v0.4.0 h1:HApY1R9zGo4DBgr7dqsTH/JJxLTTsOt7u6ke github.com/sagikazarmark/locafero v0.4.0/go.mod h1:Pe1W6UlPYUk/+wc/6KFhbORCfqzgYEpgQ3O5fPuL3H4= github.com/sagikazarmark/slog-shim v0.1.0 h1:diDBnUNK9N/354PgrxMywXnAwEr1QZcOr6gto+ugjYE= github.com/sagikazarmark/slog-shim v0.1.0/go.mod h1:SrcSrq8aKtyuqEI1uvTDTK1arOWRIczQRv+GVI1AkeQ= +github.com/scylladb/go-set v1.0.2 h1:SkvlMCKhP0wyyct6j+0IHJkBkSZL+TDzZ4E7f7BCcRE= +github.com/scylladb/go-set v1.0.2/go.mod h1:DkpGd78rljTxKAnTDPFqXSGxvETQnJyuSOQwsHycqfs= github.com/secure-systems-lab/go-securesystemslib v0.8.0 h1:mr5An6X45Kb2nddcFlbmfHkLguCE9laoZCUzEEpIZXA= github.com/secure-systems-lab/go-securesystemslib v0.8.0/go.mod h1:UH2VZVuJfCYR8WgMlCU1uFsOUU+KeyrTWcSS73NBOzU= +github.com/sergi/go-diff v1.1.0/go.mod h1:STckp+ISIX8hZLjrqAeVduY0gWCT9IjLuqbuNXdaHfM= github.com/sergi/go-diff v1.2.0 h1:XU+rvMAioB0UC3q1MFrIQy4Vo5/4VsRDQQXHsEya6xQ= github.com/sergi/go-diff v1.2.0/go.mod h1:STckp+ISIX8hZLjrqAeVduY0gWCT9IjLuqbuNXdaHfM= github.com/shopspring/decimal v1.2.0 h1:abSATXmQEYyShuxI4/vyW3tV1MrKAJzCZ/0zLUXYbsQ= 
@@ -654,6 +700,10 @@ github.com/ulikunitz/xz v0.5.12 h1:37Nm15o69RwBkXM0J6A5OlE67RZTfzUxTj8fB3dfcsc= github.com/ulikunitz/xz v0.5.12/go.mod h1:nbz6k7qbPmH4IRqmfOplQw/tblSgqTqBwxkY0oWt/14= github.com/vbatts/tar-split v0.11.5 h1:3bHCTIheBm1qFTcgh9oPu+nNBtX+XJIupG/vacinCts= github.com/vbatts/tar-split v0.11.5/go.mod h1:yZbwRsSeGjusneWgA781EKej9HF8vme8okylkAeNKLk= +github.com/wagoodman/go-partybus v0.0.0-20230516145632-8ccac152c651 h1:jIVmlAFIqV3d+DOxazTR9v+zgj8+VYuQBzPgBZvWBHA= +github.com/wagoodman/go-partybus v0.0.0-20230516145632-8ccac152c651/go.mod h1:b26F2tHLqaoRQf8DywqzVaV1MQ9yvjb0OMcNl7Nxu20= +github.com/wagoodman/go-progress v0.0.0-20220614130704-4b1c25a33c7c h1:gFwUKtkv6QzQsFdIjvPqd0Qdw42DHUEbbUdiUTI1uco= +github.com/wagoodman/go-progress v0.0.0-20220614130704-4b1c25a33c7c/go.mod h1:jLXFoL31zFaHKAAyZUh+sxiTDFe1L1ZHrcK2T1itVKA= github.com/wk8/go-ordered-map/v2 v2.1.8 h1:5h/BUHu93oj4gIdvHHHGsScSTMijfx5PeYkE/fJgbpc= github.com/wk8/go-ordered-map/v2 v2.1.8/go.mod h1:5nJHM5DyteebpVlHnWMV0rPz6Zp7+xBAnxjb1X5vnTw= github.com/xanzy/go-gitlab v0.103.0 h1:J9pTQoq0GsEFqzd6srCM1QfdfKAxSNz6mT6ntrpNF2w= @@ -704,6 +754,7 @@ gocloud.dev v0.37.0 h1:XF1rN6R0qZI/9DYjN16Uy0durAmSlf58DHOcb28GPro= gocloud.dev v0.37.0/go.mod h1:7/O4kqdInCNsc6LqgmuFnS0GRew4XNNYWpA44yQnwco= golang.org/x/crypto v0.0.0-20180904163835-0709b304e793/go.mod h1:6SG95UA2DQfeDnfUPMdvaQW0Q7yPrPDi9nlGo2tz2b4= golang.org/x/crypto v0.0.0-20190308221718-c2843e01d9a2/go.mod h1:djNgcEr1/C05ACkg1iLfiJU5Ep61QUkGW8qpdssI0+w= +golang.org/x/crypto v0.0.0-20190426145343-a29dc8fdc734/go.mod h1:yigFU9vqHzYiE8UmvKecakEJjdnWj3jj499lnFckfCI= golang.org/x/crypto v0.0.0-20191011191535-87dc89f01550/go.mod h1:yigFU9vqHzYiE8UmvKecakEJjdnWj3jj499lnFckfCI= golang.org/x/crypto v0.0.0-20200622213623-75b288015ac9/go.mod h1:LzIPMQfyMNhhGPhUkYOs5KpL4U8rLKemX1yGLhDgUto= golang.org/x/crypto v0.0.0-20210513164829-c07d793c2f9a/go.mod h1:P+XmwS30IXTQdn5tA2iutPOUgjI07+tq3H3K9MVA1s8= 
@@ -784,9 +835,11 @@ golang.org/x/sys v0.0.0-20210423082822-04245dca01da/go.mod h1:h1NjWce9XRLGQEsW7w golang.org/x/sys v0.0.0-20210615035016-665e8c7367d1/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg= golang.org/x/sys v0.0.0-20210616094352-59db8d763f22/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg= golang.org/x/sys v0.0.0-20210630005230-0f9fa26af87c/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg= +golang.org/x/sys v0.0.0-20220204135822-1c1b9b1eba6a/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg= golang.org/x/sys v0.0.0-20220520151302-bc2c85ada10a/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg= golang.org/x/sys v0.0.0-20220715151400-c0bba94af5f8/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg= golang.org/x/sys v0.0.0-20220722155257-8c9f86f7a55f/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg= +golang.org/x/sys v0.0.0-20220811171246-fbc7d0a398ab/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg= golang.org/x/sys v0.1.0/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg= golang.org/x/sys v0.2.0/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg= golang.org/x/sys v0.3.0/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg= @@ -906,3 +959,5 @@ sigs.k8s.io/kind v0.22.0/go.mod h1:aBlbxg08cauDgZ612shr017/rZwqd7AS563FvpWKPVs= sigs.k8s.io/yaml v1.3.0/go.mod h1:GeOyir5tyXNByN85N/dRIT9es5UQNerPYEKK56eTBm8= sigs.k8s.io/yaml v1.4.0 h1:Mk1wCc2gy/F0THH0TAp1QYyJNzRm2KCLy3o5ASXVI5E= sigs.k8s.io/yaml v1.4.0/go.mod h1:Ejl7/uTz7PSA4eKMyQCUTnhZYNmLIl+5c2lQPGR2BPY= +software.sslmate.com/src/go-pkcs12 v0.4.0 h1:H2g08FrTvSFKUj+D309j1DPfk5APnIdAQAB8aEykJ5k= +software.sslmate.com/src/go-pkcs12 v0.4.0/go.mod h1:Qiz0EyvDRJjjxGyUQa2cCNZn/wMyzrRJ/qcDXOQazLI= diff --git a/internal/pipe/notary/macos.go b/internal/pipe/notary/macos.go new file mode 100644 index 000000000..6caa8ffdc --- /dev/null +++ b/internal/pipe/notary/macos.go 
@@ -0,0 +1,142 @@
+package notary
+
+import (
+ "fmt"
+ "strings"
+ "time"
+
+ "github.com/anchore/quill/quill"
+ "github.com/anchore/quill/quill/notary"
+ "github.com/anchore/quill/quill/pki/load"
+ "github.com/caarlos0/log"
+ "github.com/goreleaser/goreleaser/internal/artifact"
+ "github.com/goreleaser/goreleaser/internal/pipe"
+ "github.com/goreleaser/goreleaser/internal/semerrgroup"
+ "github.com/goreleaser/goreleaser/internal/skips"
+ "github.com/goreleaser/goreleaser/internal/tmpl"
+ "github.com/goreleaser/goreleaser/pkg/config"
+ "github.com/goreleaser/goreleaser/pkg/context"
+)
+
+type MacOS struct{}
+
+func (MacOS) String() string { return "sign & notarize macOS binaries" }
+
+func (MacOS) Skip(ctx *context.Context) bool {
+ return skips.Any(ctx, skips.Notarize) || len(ctx.Config.Notarize.MacOS) == 0
+}
+
+func (MacOS) Default(ctx *context.Context) error {
+ for i := range ctx.Config.Notarize.MacOS {
+ n := &ctx.Config.Notarize.MacOS[i]
+ if n.Notarize.Timeout == 0 {
+ n.Notarize.Timeout = 10 * time.Minute
+ }
+ if len(n.IDs) == 0 {
+ n.IDs = []string{ctx.Config.ProjectName}
+ }
+ }
+ return nil
+}
+
+func (MacOS) Run(ctx *context.Context) error {
+ g := semerrgroup.NewSkipAware(semerrgroup.New(ctx.Parallelism))
+ for _, cfg := range ctx.Config.Notarize.MacOS {
+ g.Go(func() error {
+ return signAndNotarize(ctx, cfg)
+ })
+ }
+ return g.Wait()
+}
+
+func signAndNotarize(ctx *context.Context, cfg config.MacOSSignNotarize) error {
+ ok, err := tmpl.New(ctx).Bool(cfg.Enabled)
+ if err != nil {
+ return fmt.Errorf("notarize: macos: %w", err)
+ }
+ if !ok {
+ return pipe.Skip("disabled")
+ }
+
+ if err := tmpl.New(ctx).ApplyAll(
+ &cfg.Sign.Certificate,
+ &cfg.Sign.Password,
+ &cfg.Notarize.Key,
+ &cfg.Notarize.KeyID,
+ &cfg.Notarize.IssuerID,
+ ); err != nil {
+ return fmt.Errorf("notarize: macos: %w", err)
+ }
+
+ p12, err := load.P12(cfg.Sign.Certificate, cfg.Sign.Password)
+ if err != nil {
+ return fmt.Errorf("notarize: macos: %w", err)
+ }
+
+ filters := []artifact.Filter{
+ artifact.ByGoos("darwin"),
+ artifact.Or(
+ artifact.ByType(artifact.Binary),
+ artifact.ByType(artifact.UniversalBinary),
+ ),
+ }
+ if len(cfg.IDs) > 0 {
+ filters = append(filters, artifact.ByIDs(cfg.IDs...))
+ }
+ binaries := ctx.Artifacts.Filter(artifact.And(filters...))
+ if len(binaries.List()) == 0 {
+ return pipe.Skipf("no darwin binaries found with ids: %s", strings.Join(cfg.IDs, ", "))
+ }
+
+ for _, bin := range binaries.List() {
+ signCfg, err := quill.NewSigningConfigFromP12(bin.Path, *p12, true)
+ if err != nil {
+ return fmt.Errorf("notarize: macos: %s: %w", bin.Path, err)
+ }
+ signCfg = signCfg.WithTimestampServer("http://timestamp.apple.com/ts01")
+
+ log.WithField("binary", bin.Path).Info("signing")
+ if err := quill.Sign(*signCfg); err != nil {
+ return fmt.Errorf("notarize: macos: %s: %w", bin.Path, err)
+ }
+
+ notarizeCfg := quill.NewNotarizeConfig(
+ cfg.Notarize.IssuerID,
+ cfg.Notarize.KeyID,
+ cfg.Notarize.Key,
+ ).WithStatusConfig(notary.StatusConfig{
+ Timeout: cfg.Notarize.Timeout,
+ Poll: 10,
+ Wait: cfg.Notarize.Wait,
+ })
+
+ if cfg.Notarize.Wait {
+ log.WithField("binary", bin.Path).Info("notarizing and waiting - this might take a while")
+ } else {
+ log.WithField("binary", bin.Path).Info("sending notarize request")
+ }
+ status, err := quill.Notarize(bin.Path, *notarizeCfg)
+ if err != nil {
+ return fmt.Errorf("notarize: macos: %s: %w", bin.Path, err)
+ }
+
+ switch status {
+ case notary.AcceptedStatus:
+ log.WithField("binary", bin.Path).Info("notarized")
+ case notary.InvalidStatus:
+ return fmt.Errorf("notarize: macos: %s: invalid", bin.Path)
+ case notary.RejectedStatus:
+ return fmt.Errorf("notarize: macos: %s: rejected", bin.Path)
+ case notary.TimeoutStatus:
+ log.WithField("binary", bin.Path).Info("notarize timeout")
+ default:
+ log.WithField("binary", bin.Path).Info("notarize still pending")
+ }
+
+ }
+
+ if err := binaries.Refresh(); err != nil {
+ return fmt.Errorf("notarize: macos: refresh artifacts: %w", err)
+ }
+ return nil
+}
diff --git a/internal/pipe/notary/macos_test.go b/internal/pipe/notary/macos_test.go
new file mode 100644
index 000000000..593ec2c35
--- /dev/null
+++ b/internal/pipe/notary/macos_test.go
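Review bot: `Poll: 10` in the `notary.StatusConfig` literal of `signAndNotarize` is an untyped constant with no unit. If `Poll` is a `time.Duration` like the `Timeout` beside it, that is 10 nanoseconds, and with `wait` enabled the status loop would query the notary service back to back until the timeout expires. `Poll: 10 * time.Second` states the unit. Separately, the `notary.TimeoutStatus` and `default` branches of the status switch log at Info and the function still returns nil, so a release can go out with binaries whose notarization was never confirmed. When `cfg.Notarize.Wait` is true I would return an error from those branches, for example `return fmt.Errorf("notarize: macos: %s: not confirmed: %v", bin.Path, status)`, and otherwise log with `Warn` so the unconfirmed state stands out in the release log.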
@@ -0,0 +1,162 @@
+package notary
+
+import (
+ "testing"
+ "time"
+
+ "github.com/goreleaser/goreleaser/internal/skips"
+ "github.com/goreleaser/goreleaser/internal/testctx"
+ "github.com/goreleaser/goreleaser/internal/testlib"
+ "github.com/goreleaser/goreleaser/pkg/config"
+ "github.com/goreleaser/goreleaser/pkg/context"
+ "github.com/stretchr/testify/require"
+)
+
+func TestMacOSString(t *testing.T) {
+ require.NotEmpty(t, MacOS{}.String())
+}
+
+func TestMacOSSkip(t *testing.T) {
+ p := MacOS{}
+ t.Run("skip notarize", func(t *testing.T) {
+ require.True(t,
+ p.Skip(testctx.NewWithCfg(config.Project{
+ Notarize: config.Notarize{
+ MacOS: []config.MacOSSignNotarize{
+ {},
+ },
+ },
+ }, testctx.Skip(skips.Notarize))))
+ })
+ t.Run("skip no configs", func(t *testing.T) {
+ require.True(t,
+ p.Skip(testctx.NewWithCfg(config.Project{})))
+ })
+ t.Run("dont skip", func(t *testing.T) {
+ require.False(t,
+ p.Skip(testctx.NewWithCfg(config.Project{
+ Notarize: config.Notarize{
+ MacOS: []config.MacOSSignNotarize{
+ {},
+ },
+ },
+ })))
+ })
+}
+
+func TestMacOSDefault(t *testing.T) {
+ ctx := testctx.NewWithCfg(config.Project{
+ ProjectName: "foo",
+ Notarize: config.Notarize{
+ MacOS: []config.MacOSSignNotarize{
+ {},
+ {
+ Notarize: config.MacOSNotarize{
+ Timeout: time.Second,
+ },
+ },
+ {
+ IDs: []string{"hi"},
+ },
+ },
+ },
+ })
+ require.NoError(t, MacOS{}.Default(ctx))
+ require.Equal(t, []config.MacOSSignNotarize{
+ {
+ IDs: []string{"foo"},
+ Notarize: config.MacOSNotarize{
+ Timeout: 10 * time.Minute,
+ },
+ },
+ {
+ IDs: []string{"foo"},
+ Notarize: config.MacOSNotarize{
+ Timeout: time.Second,
+ },
+ },
+ {
+ IDs: []string{"hi"},
+ Notarize: config.MacOSNotarize{
+ Timeout: 10 * time.Minute,
+ },
+ },
+ }, ctx.Config.Notarize.MacOS)
+}
+
+func TestMacOSRun(t *testing.T) {
+ t.Run("bad tmpl", func(t *testing.T) {
+ for name, fn := range map[string]func(ctx *context.Context){
+ "enabled": func(ctx *context.Context) {
+ ctx.Config.Notarize.MacOS = append(ctx.Config.Notarize.MacOS, config.MacOSSignNotarize{
+ Enabled: "{{.Nope}}",
+ })
+ },
+ "certificate": func(ctx *context.Context) {
+ ctx.Config.Notarize.MacOS = append(ctx.Config.Notarize.MacOS, config.MacOSSignNotarize{
+ Enabled: "true",
+ Sign: config.MacOSSign{
+ Certificate: "{{.Nope}}",
+ },
+ })
+ },
+ "password": func(ctx *context.Context) {
+ ctx.Config.Notarize.MacOS = append(ctx.Config.Notarize.MacOS, config.MacOSSignNotarize{
+ Enabled: "true",
+ Sign: config.MacOSSign{
+ Password: "{{.Nope}}",
+ },
+ })
+ },
+ "key": func(ctx *context.Context) {
+ ctx.Config.Notarize.MacOS = append(ctx.Config.Notarize.MacOS, config.MacOSSignNotarize{
+ Enabled: "true",
+ Notarize: config.MacOSNotarize{
+ Key: "{{.Nope}}",
+ },
+ })
+ },
+ "keyid": func(ctx *context.Context) {
+ ctx.Config.Notarize.MacOS = append(ctx.Config.Notarize.MacOS, config.MacOSSignNotarize{
+ Enabled: "true",
+ Notarize: config.MacOSNotarize{
+ KeyID: "{{.Nope}}",
+ },
+ })
+ },
+ "issuerid": func(ctx *context.Context) {
+ ctx.Config.Notarize.MacOS = append(ctx.Config.Notarize.MacOS, config.MacOSSignNotarize{
+ Enabled: "true",
+ Notarize: config.MacOSNotarize{
+ IssuerID: "{{.Nope}}",
+ },
+ })
+ },
+ } {
+ t.Run(name, func(t *testing.T) {
+ ctx := testctx.NewWithCfg(config.Project{
+ Notarize: config.Notarize{
+ MacOS: []config.MacOSSignNotarize{
+ {},
+ },
+ },
+ })
+ fn(ctx)
+ testlib.RequireTemplateError(t, MacOS{}.Run(ctx))
+ })
+ }
+ })
+ t.Run("skip", func(t *testing.T) {
+ ctx := testctx.NewWithCfg(config.Project{
+ Notarize: config.Notarize{
+ MacOS: []config.MacOSSignNotarize{
+ {},
+ {
+ Enabled: "{{.Env.SKIP}}",
+ },
+ },
+ },
+ }, testctx.WithEnv(map[string]string{"SKIP": "false"}))
+ testlib.AssertSkipped(t, MacOS{}.Run(ctx))
+ })
+}
diff --git a/internal/pipe/notary/notary.go b/internal/pipe/notary/notary.go
new file mode 100644
index 000000000..02cc9f5d8
--- /dev/null
+++ b/internal/pipe/notary/notary.go
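Review bot: `TestMacOSRun` stops at template errors and the disabled case, so nothing in this file executes the signing call or the `InvalidStatus` / `RejectedStatus` / `TimeoutStatus` branches of the run loop in macos.go. Those are the paths that decide whether an unsigned or un-notarized binary can pass through a release. If real credentials cannot be used in CI, record the gap next to the test, for example `// TODO: cover sign and notarize failures with a throwaway .p12 and a stubbed notary client`. The early return `no darwin binaries found with ids` looks testable without Apple credentials, depending on where the certificate is loaded (that part of Run is not visible here).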
@@ -0,0 +1,2 @@ +// Package notary provides the goreleaser notarization pipes. +package notary diff --git a/internal/pipeline/pipeline.go b/internal/pipeline/pipeline.go index 782934ab5..1039d4f27 100644 --- a/internal/pipeline/pipeline.go +++ b/internal/pipeline/pipeline.go @@ -24,6 +24,7 @@ import ( "github.com/goreleaser/goreleaser/internal/pipe/metadata" "github.com/goreleaser/goreleaser/internal/pipe/nfpm" "github.com/goreleaser/goreleaser/internal/pipe/nix" + "github.com/goreleaser/goreleaser/internal/pipe/notary" "github.com/goreleaser/goreleaser/internal/pipe/partial" "github.com/goreleaser/goreleaser/internal/pipe/prebuild" "github.com/goreleaser/goreleaser/internal/pipe/publish" @@ -86,6 +87,8 @@ var BuildPipeline = []Piper{ build.Pipe{}, // universal binary handling universalbinary.Pipe{}, + // notarize macos apps + notary.MacOS{}, // upx upx.Pipe{}, } diff --git a/internal/skips/skips.go b/internal/skips/skips.go index 5135af7c3..8c726f37b 100644 --- a/internal/skips/skips.go +++ b/internal/skips/skips.go @@ -31,6 +31,7 @@ const ( AUR Key = "aur" NFPM Key = "nfpm" Chocolatey Key = "chocolatey" + Notarize Key = "notarize" ) func String(ctx *context.Context) string { @@ -114,6 +115,7 @@ var Release = Keys{ AUR, NFPM, Before, + Notarize, } var Build = Keys{ diff --git a/pkg/config/config.go b/pkg/config/config.go index 418bfb193..f5b6aad96 100644 --- a/pkg/config/config.go +++ b/pkg/config/config.go 
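Review bot: `notary.MacOS{}` is registered ahead of `upx.Pipe{}` in `BuildPipeline`, so a darwin binary that UPX rewrites afterwards would no longer match the signature and notarization submitted for it. The code signature covers the file's contents, so any packing step has to run before signing. Unless the upx pipe is known to leave darwin targets alone (not visible in this hunk), the entries should read `upx.Pipe{},` followed by `notary.MacOS{},`. The comment would also be more accurate as `// sign and notarize macos binaries`, since the pipe signs as well.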
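Review bot: `Notarize` is added only to the `Release` key list in internal/skips/skips.go, while the pipe is registered in `BuildPipeline` (internal/pipeline/pipeline.go) and so also runs for a plain build. If `var Build = Keys{`, which starts right after this hunk and whose contents are not shown, is what validates `--skip` for the build command, then a build cannot opt out of signing with production credentials. In that case add `Notarize,` to the `Build` list as well.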
@@ -956,6 +956,30 @@ type Sign struct { Output bool `yaml:"output,omitempty" json:"output,omitempty"` } +type Notarize struct { + MacOS []MacOSSignNotarize `yaml:"macos" json:"macos"` +} + +type MacOSSignNotarize struct { + IDs []string `yaml:"ids,omitempty" json:"ids,omitempty"` + Enabled string `yaml:"enabled,omitempty" json:"enabled,omitempty" jsonschema:"oneof_type=string;boolean"` + Sign MacOSSign `yaml:"sign" json:"sign"` + Notarize MacOSNotarize `yaml:"notarize" json:"notarize"` +} + +type MacOSNotarize struct { + IssuerID string `yaml:"issuer_id" json:"issuer_id"` + Key string `yaml:"key" json:"key"` + KeyID string `yaml:"key_id" json:"key_id"` + Timeout time.Duration `yaml:"timeout,omitempty" json:"timeout,omitempty"` + Wait bool `yaml:"wait,omitempty" json:"wait,omitempty"` +} + +type MacOSSign struct { + Certificate string `yaml:"certificate" json:"certificate"` + Password string `yaml:"password" json:"password"` +} + // SnapcraftAppMetadata for the binaries that will be in the snap package. type SnapcraftAppMetadata struct { Command string `yaml:"command" json:"command"` @@ -1217,6 +1241,7 @@ type Project struct { Changelog Changelog `yaml:"changelog,omitempty" json:"changelog,omitempty"` Dist string `yaml:"dist,omitempty" json:"dist,omitempty"` Signs []Sign `yaml:"signs,omitempty" json:"signs,omitempty"` + Notarize Notarize `yaml:"notarize,omitempty" json:"notarize,omitempty"` DockerSigns []Sign `yaml:"docker_signs,omitempty" json:"docker_signs,omitempty"` EnvFiles EnvFiles `yaml:"env_files,omitempty" json:"env_files,omitempty"` Before Before `yaml:"before,omitempty" json:"before,omitempty"` diff --git a/pkg/defaults/defaults.go b/pkg/defaults/defaults.go index 2359e54d9..8da02f425 100644 --- a/pkg/defaults/defaults.go +++ b/pkg/defaults/defaults.go 
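Review bot: The four new exported types in pkg/config/config.go have no doc comments, although two of them carry credentials (`MacOSSign.Password`, `MacOSNotarize.Key`), and `SnapcraftAppMetadata` directly below has one. A reader of the struct cannot tell that these fields are templates meant to be filled from the environment rather than literals committed to `.goreleaser.yaml`. Suggested comments: `// MacOSSign holds the .p12 certificate (path or base64 contents) and its password; both are templates.` and `// MacOSNotarize holds the App Store Connect API key used for notarization; Key is a .p8 path or its base64 contents.` A short note on `Timeout` giving its 10m default (as asserted in macos_test.go) would help too.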
@@ -24,6 +24,7 @@ import ( "github.com/goreleaser/goreleaser/internal/pipe/milestone" "github.com/goreleaser/goreleaser/internal/pipe/nfpm" "github.com/goreleaser/goreleaser/internal/pipe/nix" + "github.com/goreleaser/goreleaser/internal/pipe/notary" "github.com/goreleaser/goreleaser/internal/pipe/opencollective" "github.com/goreleaser/goreleaser/internal/pipe/project" "github.com/goreleaser/goreleaser/internal/pipe/reddit" @@ -65,6 +66,7 @@ var Defaulters = []Defaulter{ gomod.Pipe{}, build.Pipe{}, universalbinary.Pipe{}, + notary.MacOS{}, upx.Pipe{}, sourcearchive.Pipe{}, archive.Pipe{}, diff --git a/www/docs/customization/msi.md b/www/docs/customization/msi.md index 770709835..1c42b333e 100644 --- a/www/docs/customization/msi.md +++ b/www/docs/customization/msi.md @@ -1,6 +1,6 @@ # MSI -> Since: v1.24 pro +> Since: v1.24 (pro) !!! success "GoReleaser Pro" diff --git a/www/docs/customization/notarize.md b/www/docs/customization/notarize.md new file mode 100644 index 000000000..e83f9a958 --- /dev/null +++ b/www/docs/customization/notarize.md 
@@ -0,0 +1,92 @@ +# Notarize macOS binaries + +> Since v1.26 + +GoReleaser can sign & notarize macOS binaries +(and [Universal Binaries][unibin]) using [anchore/quill][quill]. + +To use it, you'll need: + +- An [Apple Developer Account](https://developer.apple.com/) ($99/year). +- A [certificate](https://developer.apple.com/account/resources/certificates/add) + from said account. It should be of "Developer ID Installer" type. + This will give you a `.cer` file. You'll need to import it into KeyChain.app, + and then export it as a `.p12` file. It'll will have a password. +- An App Store Connect + [API key](https://appstoreconnect.apple.com/access/integrations/api/new). + This will give you a `.p8` file. + +So you should end up with: + +1. a `Certificates.p12` file and the password to open it +1. a `ApiKey_AAABBBCCC.p8` file + +Read the commented configuration excerpt below to learn how to use these files. + +```yaml +# .goreleaser.yaml +notarize: + macos: + - # Whether this configuration is enabled or not. + # + # Default: false + # Templates: allowed + enabled: '{{ isEnvSet "MACOS_SIGN_P12 }}' + + # IDs to use to filter the built binaries. + # + # Default: Project Name + ids: + - build1 + - build2 + + # Before notarizing, we need to sign the binary. + # This blocks defines the configuration for doing so. + sign: + # The .p12 certificate file path or its base64'd contents. + certificate: "{{.Env.MACOS_SIGN_P12}}" + + # The password to be used to open the certificate. + password: "{{.Env.MACOS_SIGN_PASSWORD}}" + + # Then, we notarize the binaries. + notarize: + # The issuer ID. + # Its the UUID you see when creating the App Store Connect key. + issuer_id: "{{.Env.MACOS_NOTARY_ISSUER_ID}}" + + # Key ID. + # You can see it in the list of App Store Connect Keys. + # It will also be in the ApiKey filename. + key_id: "{{.Env.MACOS_NOTARY_KEY_ID}}" + + # The .p8 key file path or its base64'd contents. 
+ key: "{{.Env.MACOS_NOTARY_KEY}}" + + # Whether to wait for the notarization to finish. + # Not recommended, as it could take a really long time. + wait: true + + # Timeout for the notarization. + # Beware of the overall `--timeout` time. + # This only has any effect if `wait` is true. + # + # Default: 10m + timeout: 20m +``` + +!!! tip + + Learn more about the [name template engine](/customization/templates/). + +!!! tip "base64" + + To base64 a file, you run this: + + ```bash + base64 -w0 < ./Certificates.p12 + base64 -w0 < ./ApiKey_AAABBBCCC.p8 + ``` + +[unibin]: ./universalbinaries.md +[quill]: https://github.com/anchore/quill diff --git a/www/mkdocs.yml b/www/mkdocs.yml index 8f88af823..8ff6de618 100644 --- a/www/mkdocs.yml +++ b/www/mkdocs.yml @@ -121,9 +121,10 @@ nav: - customization/sbom.md - customization/reportsizes.md - customization/metadata.md - - Signing: + - Signing & Notarizing: - Checksums and artifacts: customization/sign.md - Docker Images and Manifests: customization/docker_sign.md + - customization/notarize.md - Publish: - customization/release.md - customization/snapshots.md