Code sign macOS build on buildbot
Open, Normal, Public

Description

We want to sign builds on the buildbot so users can easily run them, and to catch potential bugs in bundling and code signing earlier.

  • Figure out: do issues in the daily builds risk affecting the release build? Do we use a separate certificate?
  • Configure buildbot virtual machine to have certificate, and check security implications of that.
  • Update buildbot scripts to include bundling step and to support .dmg files.
  • Customize daily build bundle to indicate it's not a release build. Custom background image?
  • Notarization can take up to 30-60min, not much we can do about this most likely.

Details

Type
To Do

Event Timeline

Figure out: do issues in the daily builds risk affecting the release build? Do we use a separate certificate?

This is usually just a political thing.

Configure buildbot virtual machine to have certificate, and check security implications of that.

There shouldn't be any security issues when using the macOS keychain, as stated in the bundling docs. Stapling returns JSON, so it might be good to suppress that from the logs that buildbot returns to the web.

Customize daily build bundle to indicate it's not a release build. Custom background image?

This would be the best thing. If the user downloads a file that is blender-(ver)-(hash)-macOS.dmg and the background image states that it is a daily build before copying the .app, it should be enough.