The source step (install source) always exists.
The `plaformInfo.name` step may not exist
(On mixed target, we build all deps static and the last project dyn)
So the `native_dyn` doesn't exist for `zim-testing-suite`.

Instead of explicitly adding the target associated to the toolchain
if we use the `build_nodeps` option, let's add an attribute and base ourselves on it
to know if we need to add it or not.
This way, we may have other dependencies we must not skip.

For the past week, the Release&Nightly workflow failed on macOS native_mixed
(but not on native_dyn) when calling ntp to sync clock before signing.
Calling time.apple.com resulted in a DNS error, leading to an error in ntp call.
Why this fails on native_mixed is unknown. Maybe because it's being called twice
from the same (I guess) host in a short interleave?
This attempts to fix this by:
- using Google's time server instead of Apple's
- correctly setting the timeout param before the server name (although not relevant
  for this DNS-based error)
- ignoring failures to sync time. We're doing it to minimize chances of unsynched clocks
  failing the signature but this is not absolutely required all the time.

This adds the notarization (see #469) of the libzim binary for macOS during the build.
It is not dependent on RELEASE so it benefits all builds.
It basically does two things:
- Sign the build with our Developer ID certificate from Apple.
- Request notarization from Apple for the binary.

At the moment, it concerns only libzim. Might expand that to libkiwix and the zim/kiwix tools
once we start releasing those.
GitHub Actions prepares the certificate and environment, and signing+request is done in `notarize_macos_build()` (common.py).
It required the following new secrets:

| secret | value |
|---|---|
| `APPLE_SIGNING_CERTIFICATE` | base64 of the P12 certificate |
| `APPLE_SIGNING_P12_PASSWORD` | password for the P12 certificate (we chose that when exporting to P12. Apple doesn't provide P12) |
| `APPLE_SIGNING_IDENTITY` | Common name of our certificate. Not a private info but seems better suited there than in the CI |
| `APPLE_SIGNING_TEAM` | Apple Developer Team ID (mentioned in the signing identity) |
| `APPLE_SIGNING_ALTOOL_PASSWORD` | app-specific password created to request notarization |
| `APPLE_SIGNING_ALTOOL_USERNAME` | username associated with the app-specific password. Must be an Apple ID with perms on the Certificate. Currently mine. |

This triggers a `workflow_dispatch` event on the `docker.yml` workflow or the matching
repository for both `zim-tools` and `kiwix-tools` targets that supports it.