continuous MXE build for Windows

Lubomir I. Ivanov neolit123 at gmail.com
Sat Nov 11 17:24:06 PST 2017


On 12 November 2017 at 02:02, Dirk Hohndel <dirk at hohndel.org> wrote:
>
>> On Nov 11, 2017, at 3:49 PM, Lubomir I. Ivanov <neolit123 at gmail.com> wrote:
>>>
>>> Thank you. This was harder than I expected it to be - but I hope that the reward
>>> will be worth it.
>>>
>>> Now, of course, I have smelled blood and want to automate a Mac build, too.
>>>
>>> Because I have nothing else to waste my time on, right?
>>>
>>
>> but all builds will be automated after that? so, worthy time investment?
>
> So right now we have AppImage and Windows installer automated. Both for
> each PR / merge and by extension for each release.
> We don't have the submissions to OBS and Launchpad automized, nor do
> we have Mac builds automized. One challenge with the Mac builds (besides
> getting them working in the first place) is that they need to be signed in order
> to actually work for our users - and I won't upload my signing key to GitHub
> or Travis, for obvious reasons. So this will still require either some manual
> effort or some more investigation how I could script that :-)
>
> But yes. MORE automation.
>

maybe Travis can create unsigned OSX app builds at least.

but yeah, the signing will be a challenge without uploading a signing key.
the way people do it, seems to be to upload an encrypted key and
password protect it, where the password is encrypted in the yml.

i did some investigation and this is one way of doing it without
uploading the key:

we can install a github-hook on the repository that sends a "releaseevent"
https://developer.github.com/v3/activity/events/types/#releaseevent

so when a release happens:
- the repo has a webhook to notify a server about a release using a
secure payload:
https://developer.github.com/webhooks/securing/

then the server:
- receives a JSON payload (releaseevent)
- checks the JSON if this is an unsigned OSX release and not some other release
- pulls the unsigned app DMG
- signs the DMG with "codesign"
- creates a new signed OSX release with this tool:
https://github.com/aktau/github-release
which can also upload files - the DMG.

this way the signing key stays on the server.

lubomir
--
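
The first two server-side steps above (authenticate the webhook delivery, then check that it is a release carrying an unsigned DMG), as an added example that is not part of the original message or the project's code. It assumes the X-Hub-Signature-256 header GitHub sends when a webhook secret is configured, and a hypothetical "-unsigned.dmg" asset naming convention; the secret and payload are constructed.

```python
import hashlib
import hmac
import json

UNSIGNED_SUFFIX = "-unsigned.dmg"  # assumed naming convention, not from the thread


def signature_ok(secret: bytes, body: bytes, header: str) -> bool:
    """Check GitHub's X-Hub-Signature-256 header against the raw request body."""
    if not header or not header.startswith("sha256="):
        return False
    expected = "sha256=" + hmac.new(secret, body, hashlib.sha256).hexdigest()
    # Constant-time comparison so the check does not leak how many characters matched.
    return hmac.compare_digest(expected.encode(), header.encode())


def dmgs_to_sign(secret, body, event, signature):
    """Return [(tag, asset name, download URL)] for unsigned DMGs, or [] to ignore."""
    # Authenticate first: unauthenticated bytes never reach the JSON parser.
    if not signature_ok(secret, body, signature):
        return []
    if event != "release":  # value of the X-GitHub-Event header
        return []
    payload = json.loads(body)
    if payload.get("action") != "published":
        return []
    release = payload.get("release", {})
    return [
        (release.get("tag_name"), a["name"], a["browser_download_url"])
        for a in release.get("assets", [])
        if a.get("name", "").endswith(UNSIGNED_SUFFIX)
    ]


# Constructed sample delivery (not a real payload, secret or URL).
SECRET = b"constructed-webhook-secret"
ASSETS = [{"name": n, "browser_download_url": "https://example.invalid/" + n}
          for n in ("App-unsigned.dmg", "App-setup.exe")]
BODY = json.dumps({"action": "published",
                   "release": {"tag_name": "v0.0.0-example", "assets": ASSETS}}).encode()
GOOD_SIG = "sha256=" + hmac.new(SECRET, BODY, hashlib.sha256).hexdigest()

if __name__ == "__main__":
    print(dmgs_to_sign(SECRET, BODY, "release", GOOD_SIG))
```

The signature has to be computed over the raw request bytes as received, before any JSON decoding or re-serialization, or a valid delivery will fail the check.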

