auto sign binaries (macos) (#391)

* Use find tool to find binaries that need signing * Check if binary is indeed signed before
GovTechSG · Aug 13, 2024 · 11b6c52 · 11b6c52
1 parent 2eddcdf
commit 11b6c52
Showing 1 changed file with 24 additions and 1 deletion.
diff --git a/.github/workflows/image.yml b/.github/workflows/image.yml
@@ -69,7 +69,30 @@ jobs:
       - name: Install Purple dependencies for MacOS
         run: |
           ./install_purple_dependencies.command
-        
+
+      - name: Sign required binaries for MacOS
+        run: |
+          # Find a valid signing certificate in your keychain
+          CERTIFICATE=$(security find-identity -v -p codesigning -s - | tail -n +2 | grep -o '"[^"]*"' | sed 's/"//g')
+          
+          # Paths to the binaries you want to sign
+          BINARIES=($(find . -type f -perm +111 ! -path "*.framework/*" ! -path "*.dSYM/*"))
+      
+          # Loop through the binary paths and sign each one with a secure timestamp
+          for binary in "${BINARIES[@]}"; do
+            # Check if the binary is already signed
+            if codesign -v "$binary" &>/dev/null; then
+              echo "Already signed: $binary"
+            else
+              codesign --timestamp -s "$CERTIFICATE" "$binary"
+              if [ $? -eq 0 ]; then
+                echo "Successfully signed (with secure timestamp): $binary"
+              else
+                echo "Failed to sign: $binary"
+              fi
+            fi
+          done
+
       - name: Zip entire Purple folder (Mac)
         run: |
           zip purple-a11y-portable-mac.zip -y -r ./