cli/pkg/build/signing/codesign.go

package signing

import (
	"context"
	"fmt"
	"os/exec"
	"runtime"

	"github.com/host-uk/core/pkg/io"
)

// MacOSSigner signs binaries using macOS codesign.
type MacOSSigner struct {
	config MacOSConfig
}

// Compile-time interface check.
var _ Signer = (*MacOSSigner)(nil)

// NewMacOSSigner creates a new macOS signer.
func NewMacOSSigner(cfg MacOSConfig) *MacOSSigner {
	return &MacOSSigner{config: cfg}
}

// Name returns "codesign".
func (s *MacOSSigner) Name() string {
	return "codesign"
}

// Available checks if running on macOS with codesign and identity configured.
func (s *MacOSSigner) Available() bool {
	if runtime.GOOS != "darwin" {
		return false
	}
	if s.config.Identity == "" {
		return false
	}
	_, err := exec.LookPath("codesign")
	return err == nil
}

// Sign codesigns a binary with hardened runtime.
func (s *MacOSSigner) Sign(ctx context.Context, fs io.Medium, binary string) error {
	if !s.Available() {
		return fmt.Errorf("codesign.Sign: codesign not available")
	}

	cmd := exec.CommandContext(ctx, "codesign",
		"--sign", s.config.Identity,
		"--timestamp",
		"--options", "runtime", // Hardened runtime for notarization
		"--force",
		binary,
	)

	output, err := cmd.CombinedOutput()
	if err != nil {
		return fmt.Errorf("codesign.Sign: %w\nOutput: %s", err, string(output))
	}

	return nil
}

// Notarize submits binary to Apple for notarization and staples the ticket.
// This blocks until Apple responds (typically 1-5 minutes).
func (s *MacOSSigner) Notarize(ctx context.Context, fs io.Medium, binary string) error {
	if s.config.AppleID == "" || s.config.TeamID == "" || s.config.AppPassword == "" {
		return fmt.Errorf("codesign.Notarize: missing Apple credentials (apple_id, team_id, app_password)")
	}

	// Create ZIP for submission
	zipPath := binary + ".zip"
	zipCmd := exec.CommandContext(ctx, "zip", "-j", zipPath, binary)
	if output, err := zipCmd.CombinedOutput(); err != nil {
		return fmt.Errorf("codesign.Notarize: failed to create zip: %w\nOutput: %s", err, string(output))
	}
	defer func() { _ = fs.Delete(zipPath) }()

	// Submit to Apple and wait
	submitCmd := exec.CommandContext(ctx, "xcrun", "notarytool", "submit",
		zipPath,
		"--apple-id", s.config.AppleID,
		"--team-id", s.config.TeamID,
		"--password", s.config.AppPassword,
		"--wait",
	)
	if output, err := submitCmd.CombinedOutput(); err != nil {
		return fmt.Errorf("codesign.Notarize: notarization failed: %w\nOutput: %s", err, string(output))
	}

	// Staple the ticket
	stapleCmd := exec.CommandContext(ctx, "xcrun", "stapler", "staple", binary)
	if output, err := stapleCmd.CombinedOutput(); err != nil {
		return fmt.Errorf("codesign.Notarize: failed to staple: %w\nOutput: %s", err, string(output))
	}

	return nil
}

// ShouldNotarize returns true if notarization is enabled.
func (s *MacOSSigner) ShouldNotarize() bool {
	return s.config.Notarize
}
feat(signing): add macOS codesign + notarization Signs binaries with Developer ID and hardened runtime. Notarization submits to Apple and staples ticket. Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com> 2026-01-29 02:48:54 +00:00			`package signing`

			`import (`
			`"context"`
			`"fmt"`
			`"os/exec"`
			`"runtime"`
Migrate pkg/build to io.Medium abstraction (#287) * chore(io): Migrate pkg/build to Medium abstraction - Updated io.Medium interface with Open() and Create() methods to support streaming. - Migrated pkg/build, pkg/build/builders, and pkg/build/signing to use io.Medium. - Added FS field to build.Config and updated build.Builder interface. - Refactored checksum and archive logic to use io.Medium streaming. - Updated pkg/release and pkg/build/buildcmd to use io.Local. - Updated unit tests to match new signatures. * chore(io): Migrate pkg/build to Medium abstraction (fix CI) - Fixed formatting in pkg/build/builders/wails.go. - Fixed TestLoadConfig_Testdata and TestDiscover_Testdata to use absolute paths with io.Local to ensure compatibility with GitHub CI. - Verified that all build and release tests pass. * chore(io): Migrate pkg/build to Medium abstraction (fix CI paths) - Ensured that outputDir and configPath are absolute in runProjectBuild. - Fixed TestLoadConfig_Testdata and TestDiscover_Testdata to use absolute paths correctly. - Verified that all build and release tests pass locally. * chore(io): Migrate pkg/build to Medium abstraction (final fix) - Improved io.Local to handle relative paths relative to CWD when rooted at "/". - This makes io.Local a drop-in replacement for the 'os' package for most use cases. - Ensured absolute paths are used in build logic and tests where appropriate. - Fixed formatting and cleaned up debug prints. * chore(io): address code review and fix CI - Fix MockFile.Read to return io.EOF - Use filepath.Match in TaskfileBuilder for precise globbing - Stream xz data in createTarXzArchive to avoid in-memory string conversion - Fix TestPath_RootFilesystem in local medium tests - Fix formatting in pkg/build/buildcmd/cmd_project.go * chore(io): resolve merge conflicts and final migration of pkg/build - Resolved merge conflicts in pkg/io/io.go, pkg/io/local/client.go, and pkg/release/release.go. - Reconciled io.Medium interface with upstream changes (unifying to fs.File for Open). - Integrated upstream validatePath logic into the local medium. - Completed migration of pkg/build and related packages to io.Medium. - Addressed previous code review feedback on MockMedium and TaskfileBuilder. * chore(io): resolve merge conflicts and finalize migration - Resolved merge conflicts with dev branch. - Unified io.Medium interface (Open returns fs.File, Create returns io.WriteCloser). - Integrated upstream validatePath logic. - Ensured all tests pass across pkg/io, pkg/build, and pkg/release. --------- Co-authored-by: Claude Opus 4.5 <noreply@anthropic.com> 2026-02-04 17:59:10 +00:00
			`"github.com/host-uk/core/pkg/io"`
feat(signing): add macOS codesign + notarization Signs binaries with Developer ID and hardened runtime. Notarization submits to Apple and staples ticket. Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com> 2026-01-29 02:48:54 +00:00			`)`

			`// MacOSSigner signs binaries using macOS codesign.`
			`type MacOSSigner struct {`
			`config MacOSConfig`
			`}`

			`// Compile-time interface check.`
			`var _ Signer = (*MacOSSigner)(nil)`

			`// NewMacOSSigner creates a new macOS signer.`
			`func NewMacOSSigner(cfg MacOSConfig) *MacOSSigner {`
			`return &MacOSSigner{config: cfg}`
			`}`

			`// Name returns "codesign".`
			`func (s *MacOSSigner) Name() string {`
			`return "codesign"`
			`}`

			`// Available checks if running on macOS with codesign and identity configured.`
			`func (s *MacOSSigner) Available() bool {`
			`if runtime.GOOS != "darwin" {`
			`return false`
			`}`
			`if s.config.Identity == "" {`
			`return false`
			`}`
			`_, err := exec.LookPath("codesign")`
			`return err == nil`
			`}`

			`// Sign codesigns a binary with hardened runtime.`
Migrate pkg/build to io.Medium abstraction (#287) * chore(io): Migrate pkg/build to Medium abstraction - Updated io.Medium interface with Open() and Create() methods to support streaming. - Migrated pkg/build, pkg/build/builders, and pkg/build/signing to use io.Medium. - Added FS field to build.Config and updated build.Builder interface. - Refactored checksum and archive logic to use io.Medium streaming. - Updated pkg/release and pkg/build/buildcmd to use io.Local. - Updated unit tests to match new signatures. * chore(io): Migrate pkg/build to Medium abstraction (fix CI) - Fixed formatting in pkg/build/builders/wails.go. - Fixed TestLoadConfig_Testdata and TestDiscover_Testdata to use absolute paths with io.Local to ensure compatibility with GitHub CI. - Verified that all build and release tests pass. * chore(io): Migrate pkg/build to Medium abstraction (fix CI paths) - Ensured that outputDir and configPath are absolute in runProjectBuild. - Fixed TestLoadConfig_Testdata and TestDiscover_Testdata to use absolute paths correctly. - Verified that all build and release tests pass locally. * chore(io): Migrate pkg/build to Medium abstraction (final fix) - Improved io.Local to handle relative paths relative to CWD when rooted at "/". - This makes io.Local a drop-in replacement for the 'os' package for most use cases. - Ensured absolute paths are used in build logic and tests where appropriate. - Fixed formatting and cleaned up debug prints. * chore(io): address code review and fix CI - Fix MockFile.Read to return io.EOF - Use filepath.Match in TaskfileBuilder for precise globbing - Stream xz data in createTarXzArchive to avoid in-memory string conversion - Fix TestPath_RootFilesystem in local medium tests - Fix formatting in pkg/build/buildcmd/cmd_project.go * chore(io): resolve merge conflicts and final migration of pkg/build - Resolved merge conflicts in pkg/io/io.go, pkg/io/local/client.go, and pkg/release/release.go. - Reconciled io.Medium interface with upstream changes (unifying to fs.File for Open). - Integrated upstream validatePath logic into the local medium. - Completed migration of pkg/build and related packages to io.Medium. - Addressed previous code review feedback on MockMedium and TaskfileBuilder. * chore(io): resolve merge conflicts and finalize migration - Resolved merge conflicts with dev branch. - Unified io.Medium interface (Open returns fs.File, Create returns io.WriteCloser). - Integrated upstream validatePath logic. - Ensured all tests pass across pkg/io, pkg/build, and pkg/release. --------- Co-authored-by: Claude Opus 4.5 <noreply@anthropic.com> 2026-02-04 17:59:10 +00:00			`func (s *MacOSSigner) Sign(ctx context.Context, fs io.Medium, binary string) error {`
feat(signing): add macOS codesign + notarization Signs binaries with Developer ID and hardened runtime. Notarization submits to Apple and staples ticket. Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com> 2026-01-29 02:48:54 +00:00			`if !s.Available() {`
			`return fmt.Errorf("codesign.Sign: codesign not available")`
			`}`

			`cmd := exec.CommandContext(ctx, "codesign",`
			`"--sign", s.config.Identity,`
			`"--timestamp",`
			`"--options", "runtime", // Hardened runtime for notarization`
			`"--force",`
			`binary,`
			`)`

			`output, err := cmd.CombinedOutput()`
			`if err != nil {`
			`return fmt.Errorf("codesign.Sign: %w\nOutput: %s", err, string(output))`
			`}`

			`return nil`
			`}`

			`// Notarize submits binary to Apple for notarization and staples the ticket.`
			`// This blocks until Apple responds (typically 1-5 minutes).`
Migrate pkg/build to io.Medium abstraction (#287) * chore(io): Migrate pkg/build to Medium abstraction - Updated io.Medium interface with Open() and Create() methods to support streaming. - Migrated pkg/build, pkg/build/builders, and pkg/build/signing to use io.Medium. - Added FS field to build.Config and updated build.Builder interface. - Refactored checksum and archive logic to use io.Medium streaming. - Updated pkg/release and pkg/build/buildcmd to use io.Local. - Updated unit tests to match new signatures. * chore(io): Migrate pkg/build to Medium abstraction (fix CI) - Fixed formatting in pkg/build/builders/wails.go. - Fixed TestLoadConfig_Testdata and TestDiscover_Testdata to use absolute paths with io.Local to ensure compatibility with GitHub CI. - Verified that all build and release tests pass. * chore(io): Migrate pkg/build to Medium abstraction (fix CI paths) - Ensured that outputDir and configPath are absolute in runProjectBuild. - Fixed TestLoadConfig_Testdata and TestDiscover_Testdata to use absolute paths correctly. - Verified that all build and release tests pass locally. * chore(io): Migrate pkg/build to Medium abstraction (final fix) - Improved io.Local to handle relative paths relative to CWD when rooted at "/". - This makes io.Local a drop-in replacement for the 'os' package for most use cases. - Ensured absolute paths are used in build logic and tests where appropriate. - Fixed formatting and cleaned up debug prints. * chore(io): address code review and fix CI - Fix MockFile.Read to return io.EOF - Use filepath.Match in TaskfileBuilder for precise globbing - Stream xz data in createTarXzArchive to avoid in-memory string conversion - Fix TestPath_RootFilesystem in local medium tests - Fix formatting in pkg/build/buildcmd/cmd_project.go * chore(io): resolve merge conflicts and final migration of pkg/build - Resolved merge conflicts in pkg/io/io.go, pkg/io/local/client.go, and pkg/release/release.go. - Reconciled io.Medium interface with upstream changes (unifying to fs.File for Open). - Integrated upstream validatePath logic into the local medium. - Completed migration of pkg/build and related packages to io.Medium. - Addressed previous code review feedback on MockMedium and TaskfileBuilder. * chore(io): resolve merge conflicts and finalize migration - Resolved merge conflicts with dev branch. - Unified io.Medium interface (Open returns fs.File, Create returns io.WriteCloser). - Integrated upstream validatePath logic. - Ensured all tests pass across pkg/io, pkg/build, and pkg/release. --------- Co-authored-by: Claude Opus 4.5 <noreply@anthropic.com> 2026-02-04 17:59:10 +00:00			`func (s *MacOSSigner) Notarize(ctx context.Context, fs io.Medium, binary string) error {`
feat(signing): add macOS codesign + notarization Signs binaries with Developer ID and hardened runtime. Notarization submits to Apple and staples ticket. Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com> 2026-01-29 02:48:54 +00:00			`if s.config.AppleID == "" \|\| s.config.TeamID == "" \|\| s.config.AppPassword == "" {`
			`return fmt.Errorf("codesign.Notarize: missing Apple credentials (apple_id, team_id, app_password)")`
			`}`

			`// Create ZIP for submission`
			`zipPath := binary + ".zip"`
			`zipCmd := exec.CommandContext(ctx, "zip", "-j", zipPath, binary)`
			`if output, err := zipCmd.CombinedOutput(); err != nil {`
			`return fmt.Errorf("codesign.Notarize: failed to create zip: %w\nOutput: %s", err, string(output))`
			`}`
Migrate pkg/build to io.Medium abstraction (#287) * chore(io): Migrate pkg/build to Medium abstraction - Updated io.Medium interface with Open() and Create() methods to support streaming. - Migrated pkg/build, pkg/build/builders, and pkg/build/signing to use io.Medium. - Added FS field to build.Config and updated build.Builder interface. - Refactored checksum and archive logic to use io.Medium streaming. - Updated pkg/release and pkg/build/buildcmd to use io.Local. - Updated unit tests to match new signatures. * chore(io): Migrate pkg/build to Medium abstraction (fix CI) - Fixed formatting in pkg/build/builders/wails.go. - Fixed TestLoadConfig_Testdata and TestDiscover_Testdata to use absolute paths with io.Local to ensure compatibility with GitHub CI. - Verified that all build and release tests pass. * chore(io): Migrate pkg/build to Medium abstraction (fix CI paths) - Ensured that outputDir and configPath are absolute in runProjectBuild. - Fixed TestLoadConfig_Testdata and TestDiscover_Testdata to use absolute paths correctly. - Verified that all build and release tests pass locally. * chore(io): Migrate pkg/build to Medium abstraction (final fix) - Improved io.Local to handle relative paths relative to CWD when rooted at "/". - This makes io.Local a drop-in replacement for the 'os' package for most use cases. - Ensured absolute paths are used in build logic and tests where appropriate. - Fixed formatting and cleaned up debug prints. * chore(io): address code review and fix CI - Fix MockFile.Read to return io.EOF - Use filepath.Match in TaskfileBuilder for precise globbing - Stream xz data in createTarXzArchive to avoid in-memory string conversion - Fix TestPath_RootFilesystem in local medium tests - Fix formatting in pkg/build/buildcmd/cmd_project.go * chore(io): resolve merge conflicts and final migration of pkg/build - Resolved merge conflicts in pkg/io/io.go, pkg/io/local/client.go, and pkg/release/release.go. - Reconciled io.Medium interface with upstream changes (unifying to fs.File for Open). - Integrated upstream validatePath logic into the local medium. - Completed migration of pkg/build and related packages to io.Medium. - Addressed previous code review feedback on MockMedium and TaskfileBuilder. * chore(io): resolve merge conflicts and finalize migration - Resolved merge conflicts with dev branch. - Unified io.Medium interface (Open returns fs.File, Create returns io.WriteCloser). - Integrated upstream validatePath logic. - Ensured all tests pass across pkg/io, pkg/build, and pkg/release. --------- Co-authored-by: Claude Opus 4.5 <noreply@anthropic.com> 2026-02-04 17:59:10 +00:00			`defer func() { _ = fs.Delete(zipPath) }()`
feat(signing): add macOS codesign + notarization Signs binaries with Developer ID and hardened runtime. Notarization submits to Apple and staples ticket. Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com> 2026-01-29 02:48:54 +00:00
			`// Submit to Apple and wait`
			`submitCmd := exec.CommandContext(ctx, "xcrun", "notarytool", "submit",`
			`zipPath,`
			`"--apple-id", s.config.AppleID,`
			`"--team-id", s.config.TeamID,`
			`"--password", s.config.AppPassword,`
			`"--wait",`
			`)`
			`if output, err := submitCmd.CombinedOutput(); err != nil {`
			`return fmt.Errorf("codesign.Notarize: notarization failed: %w\nOutput: %s", err, string(output))`
			`}`

			`// Staple the ticket`
			`stapleCmd := exec.CommandContext(ctx, "xcrun", "stapler", "staple", binary)`
			`if output, err := stapleCmd.CombinedOutput(); err != nil {`
			`return fmt.Errorf("codesign.Notarize: failed to staple: %w\nOutput: %s", err, string(output))`
			`}`

			`return nil`
			`}`

			`// ShouldNotarize returns true if notarization is enabled.`
			`func (s *MacOSSigner) ShouldNotarize() bool {`
			`return s.config.Notarize`
			`}`