add macos codesigning of opm binary for apple silicon #1491

Draft: wants to merge 1 commit into base: master

Contributor

@grokspawn grokspawn commented Nov 12, 2024

Due to Apple's requirement that all Apple silicon apps must be signed, the app make targets here will not be able to be executed unless they are signed in macOS Sequoia and later.

For example, if this generates the opm binary at $HOME/devel/operator-registry/bin/opm and we invoke it without being signed, the result will be Killed: 9 messages for each attempted invocation of the compiled unsigned app, e.g.:

╰$ ./bin/opm --help
[1]    14243 killed     ./bin/opm --help

This is a completely naive approach to rectifying this, and we probably need some more thought on the subject, but this approach at least lets me execute locally-built binaries to examine catalog content.

Description of the change:

Motivation for the change:

Reviewer Checklist

  • Implementation matches the proposed design, or proposal is updated to match implementation
  • Sufficient unit test coverage
  • Sufficient end-to-end test coverage
  • Docs updated or added to /docs
  • Commit messages sensible and descriptive

Contributor

openshift-ci bot commented Nov 12, 2024

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: grokspawn

The full list of commands accepted by this bot can be found here.

The pull request process is described here

Needs approval from an approver in each of these files:

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

@openshift-ci openshift-ci bot added the approved Indicates a PR has been approved by an approver from all required OWNERS files. label Nov 12, 2024
@grokspawn grokspawn marked this pull request as draft November 12, 2024 13:45
@openshift-ci openshift-ci bot added the do-not-merge/work-in-progress Indicates that a PR should not merge because it is a work in progress. label Nov 12, 2024
codecov bot commented Nov 12, 2024

Codecov Report

All modified and coverable lines are covered by tests ✅

Project coverage is 46.80%. Comparing base (dc23843) to head (f2b1a80).
Report is 10 commits behind head on master.

Additional details and impacted files
@@            Coverage Diff             @@
##           master    #1491      +/-   ##
==========================================
- Coverage   48.61%   46.80%   -1.81%     
==========================================
  Files         135      135              
  Lines       12793    15760    +2967     
==========================================
+ Hits         6219     7377    +1158     
- Misses       5533     7342    +1809     
  Partials     1041     1041              


@@ -55,6 +55,10 @@ $(CMDS):
$(OPM): opm_version_flags=-ldflags "-X '$(PKG)/cmd/opm/version.gitCommit=$(GIT_COMMIT)' -X '$(PKG)/cmd/opm/version.opmVersion=$(OPM_VERSION)' -X '$(PKG)/cmd/opm/version.buildDate=$(BUILD_DATE)'"
$(OPM):
$(extra_env) $(GO) build $(opm_version_flags) $(extra_flags) $(TAGS) -o $@ ./cmd/$(notdir $@)
ifeq ($(shell go env GOARCH),arm64)
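
Review bot: the new `ifeq ($(shell go env GOARCH),arm64)` line tests only the architecture, and it shells out to a bare `go` while the build line directly above uses `$(GO)` and `$(extra_env)`, so the check can describe a different toolchain or target than the one that produced `$@`. Comparing the pair in a single directive, for example `ifeq ($(shell $(GO) env GOOS)/$(shell $(GO) env GOARCH),darwin/arm64)`, selects only darwin+arm64 without nesting conditionals; if `$(extra_env)` sets GOOS or GOARCH for a cross-build, the check needs to see the same values. The body of the conditional and its closing `endif` are not visible here, so also confirm that a signing failure fails the target rather than leaving an unsigned binary in place.
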
Contributor

This will also hit Raspberry Pi, and miss those older Intel models that can run Sequoia. Did you want to check explicitly for macOS?

Suggested change
ifeq ($(shell go env GOARCH),arm64)
ifeq ($(shell go env GOOS),darwin)

Contributor Author

I didn't want to test GOOS, because Intel-based darwin doesn't have this requirement. I couldn't figure out how to do a double conditional well to select only the darwin+arm64 set of targets.
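
The darwin+arm64 selection discussed in this thread, written as a post-build shell step instead of a make conditional. This is an added example, not code from the pull request or the project's Makefile; the function names are hypothetical, and it assumes an ad-hoc signature (`codesign --sign -`) is acceptable for locally built binaries.

```shell
#!/bin/sh
# Added example (not from the PR): sign a locally built binary only when the
# build target is macOS on Apple silicon. Function names are hypothetical.

# needs_codesign OS ARCH: succeeds only for the darwin/arm64 pair, so that
# linux/arm64 (e.g. Raspberry Pi) and darwin/amd64 (Intel Macs) are skipped.
needs_codesign() {
    [ "$1" = "darwin" ] && [ "$2" = "arm64" ]
}

# ensure_signed BINARY [OS] [ARCH]: OS/ARCH default to the Go toolchain's
# target (go env honours GOOS/GOARCH set for a cross-build).
# Returns 0 if signed or not required, 2 if the file is missing,
# 3 if codesign is unavailable, otherwise codesign's own status.
ensure_signed() {
    bin=$1
    os=${2:-$(go env GOOS)}
    arch=${3:-$(go env GOARCH)}

    if ! needs_codesign "$os" "$arch"; then
        echo "skip: $os/$arch needs no signature"
        return 0
    fi
    if [ ! -f "$bin" ]; then
        echo "error: $bin not found" >&2
        return 2
    fi
    if ! command -v codesign >/dev/null 2>&1; then
        echo "error: codesign not found, $bin left unsigned" >&2
        return 3
    fi
    # Leave an existing valid signature alone.
    if codesign --verify "$bin" 2>/dev/null; then
        return 0
    fi
    # Assumption: ad-hoc identity ("-"), enough for local execution only;
    # it carries no developer identity and is not a distribution signature.
    codesign --force --sign - "$bin" && codesign --verify "$bin"
}

# Usage: sh sign-if-needed.sh ./bin/opm
if [ "$#" -gt 0 ]; then
    ensure_signed "$@"
fi
```

Returning a non-zero status when `codesign` is missing or fails lets the calling make target fail visibly instead of shipping a binary that is killed at launch.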
