Mitchell Hashimoto mitchellh HashiCorp Los Angeles, CA http://mitchellh.com

hashicorp/vagrant 19477

Vagrant is a tool for building and distributing development environments.

hashicorp/packer 9804

Packer is a tool for creating identical machine images for multiple platforms from a single source configuration.

joefitzgerald/packer-windows 1533

Windows Packer Templates

armon/bloomd 1147

C network daemon for bloom filters

mitchellh/cli 1086

A Go library for implementing command-line interfaces.

armon/go-radix 511

Golang implementation of Radix trees

mitchellh/boot2docker-vagrant-box 425

Packer scripts to build a Vagrant-compatible boot2docker box.

deislabs/smi-spec 415

Service Mesh Interface

hashicorp/hil 332

HIL is a small embedded language for string interpolations.

mitchellh/colorstring 233

Go (golang) library for colorizing strings for terminal output.

created tag mitchellh/go-ps

tag v1.0.0

Find, list, and inspect processes from Go (golang).

created time in 16 days

pull request comment mitchellh/go-ps

Avoid heavy calls when reading /proc

This looks good thank you!

a-palchikov

comment created time in 16 days

PR merged mitchellh/go-ps

Avoid heavy calls when reading /proc

On systems with SELinux in enforcing mode, this will unnecessarily require broader access to the whole of /proc (newfstatat or lstat, which translate to the SELinux getattr permission, as opposed to a simple getdents64 syscall, which is less pervasive). Reading just the names is enough, though, to determine whether an entry looks like a pid directory.

+2 -8

0 comment

1 changed file

a-palchikov

pr closed time in 16 days

push event mitchellh/go-ps

dmitri

commit sha 79a12729eb74ef3af12c8493176467be77a20204

It is not mandatory to verify whether the file in /proc is a directory - a simple numeric name check should suffice. Otherwise, it is pretty problematic to query processes on systems with SELinux in enforcing mode as it is complicated to open access to _all_ files inside proc. The reason this catch-all access is required is that with os.Readdir it needs to lstat each entry to return os.FileInfo and this requires additional permissions on each disparate file type inside /proc which is not easy to catch with an attribute (as it is with processes).

a-palchikov

commit sha e4db5bf9c2843548a77769573f0d723fa1a56f33

Merge pull request #1 from gravitational/dmitri/proc-selinux Update process fetcher to support SELinux-enabled systems.

Mitchell Hashimoto

commit sha d0e03acbeea005fde120012386fca1b35253c794

Merge branch 'master' of https://github.com/gravitational/go-ps into gravitational-master

Mitchell Hashimoto

commit sha 147ff83818ae939913b2e20b91ae3cd6c391771c

Merge branch 'gravitational-master'

push time in 16 days

push event mitchellh/go-ps

Mitchell Hashimoto

commit sha 91629f07a773bde3581a3e817e3a5ff9f4216a5e

add go.mod

push time in 16 days

push event mitchellh/protoc-gen-go-json

zak

commit sha 497f0b59bb2260707a9cc6689d419e737a0b2806

Add allow_unknown flag to allow unmarshaling unknown fields

Mitchell Hashimoto

commit sha fd297ce346f121efbef64457c9e1b6e8d10ab4cb

Merge pull request #3 from zknill/master Add allow_unknown flag to allow unmarshaling unknown fields

push time in a month

PR merged mitchellh/protoc-gen-go-json

Add allow_unknown flag to allow unmarshaling unknown fields

This PR updates the json.Unmarshaler interface implementations to respect toggle AllowUnknownFields.

Add a flag allow_unknown that toggles the jsonpb unmarshaler to allow unknown fields. Run make to update the e2e.

Fixes #2

+51 -85

1 comment

5 changed files

zknill

pr closed time in a month

pull request comment mitchellh/protoc-gen-go-json

Add allow_unknown flag to allow unmarshaling unknown fields

Looks good thanks.

zknill

comment created time in a month

push event mitchellh/gon

Vincent Rischmann

commit sha 8fd67c663c53c0763b27eb9169ab3f5324cfcb75

notarize: use the provider when calling xcrun

Mitchell Hashimoto

commit sha 16606cb4e05be09453906bf9f0169396472766d5

Merge pull request #13 from vrischmann/asc-provider notarize: use the provider when calling xcrun

push time in a month

PR merged mitchellh/gon

notarize: use the provider when calling xcrun

Even though the provider field was set, the call to xcrun altool didn't use it.

This PR fixes this by adding --asc-provider.

+10 -1

1 comment

1 changed file

vrischmann

pr closed time in a month

pull request comment mitchellh/gon

notarize: use the provider when calling xcrun

Whoops sorry! Thank you.

vrischmann

comment created time in a month

push event mitchellh/go-z3

Yasuhiro Matsumoto

commit sha 857a8e15565d758058cea1628ddfcb3a9c6e0580

Fix build

Mitchell Hashimoto

commit sha 4cbedeba863fd231d38eb2d5fc42c368d597fa79

Merge pull request #4 from mattn/fix-build Fix build

push time in 2 months

PR merged mitchellh/go-z3

Fix build

Cannot build with latest z3

+11 -5

1 comment

4 changed files

mattn

pr closed time in 2 months

pull request comment mitchellh/go-z3

Fix build

Thank you! :)

mattn

comment created time in 2 months

push event mitchellh/gon

Mitchell Hashimoto

commit sha 49818e9291000d508d6fecb6024ba36f225ca02c

Update README

push time in 2 months

push event mitchellh/gon

Mitchell Hashimoto

commit sha e0bf558d5f925d742b32a0c045eb485c8c4b5b3c

Update README with GoReleaser docs

push time in 2 months

pull request comment goreleaser/goreleaser

docs: signing with mitchellh/gon

This is awesome thank you! I'll add this to the gon README as well!

caarlos0

comment created time in 2 months

pull request comment mitchellh/go-mruby

Support mruby 2.1.0

oh, to clarify, I think dropping 1.10, and 1.11 support is probably worth it if it causes you to write unnecessary workarounds or other complexity.

@mitchellh I think I'm making a safe judgment call, but please shout out if you disagree.

Totally safe. I think generally N, and N-1 are the versions you want to support which gives you 1 year of backwards support (Go is on 6mo cycles). Go 1.13 in particular was a rough version for a lot of projects to upgrade to due to major changes in Go modules behavior (we struggled at HashiCorp).

This is awesome though. Thanks @take-cheeze and @erikh!

take-cheeze

comment created time in 2 months

Pull request review comment hashicorp/logutils

level: Support multi-line log writes

 func (f *LevelFilter) Check(line []byte) bool { 	return !ok } +// Write is a specialized implementation of io.Writer suitable for being+// the output of a logger from the "log" package.+//+// This Writer implementation assumes that it will only recieve byte slices+// containing one or more entire lines of log output, each one terminated by+// a newline. This is compatible with the behavior of the "log" package+// directly, and is also tolerant of intermediaries that might buffer multiple+// separate writes together, as long as no individual log line is ever+// split into multiple slices.+//+// Behavior is undefined if any log line is split across multiple writes or+// written without a trailing '\n' delimiter. func (f *LevelFilter) Write(p []byte) (n int, err error) {-	// Note in general that io.Writer can receive any byte sequence-	// to write, but the "log" package always guarantees that we only-	// get a single line. We use that as a slight optimization within-	// this method, assuming we're dealing with a single, complete line-	// of log data.--	if !f.Check(p) {-		return len(p), nil+	for len(p) > 0 {+		// Split at the first \n, inclusive+		idx := bytes.IndexByte(p, '\n')
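Review bot: the new `for len(p) > 0` loop computes `idx := bytes.IndexByte(p, '\n')`, which returns -1 when the remaining bytes carry no newline, the exact case the doc comment declares undefined; rather than leaving it undefined, handle `idx < 0` explicitly (run the remainder of `p` through `Check` as a final line, or pass it through unchanged) so that a write without a trailing '\n' can neither slice out of range nor keep the loop spinning. The doc comment also misspells "receive" as "recieve".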

Yikes, that's right. I forgot that's a thing (newlines in the log messages).

apparentlymart

comment created time in 3 months

issue comment mitchellh/gon

Suggestion: allow passing extra flags to create-dmg

My hesitation with this is that it forces us to use create-dmg forever. I don't have any plans not to but say a Go-native way to create DMGs existed (it doesn't, it probably won't), we couldn't switch because we hard depend on create-dmg. However, create-dmg is also a very active and full featured project so would we ever realistically switch? Maybe not.

So, if we went with this, my recommendation would be to make extra_args a list of strings so we don't have to deal with shell parsing or anything and we can pass as-is to fork/exec.

andreparames

comment created time in 3 months

issue comment anasinnyk/terraform-provider-1password

Running on MacOS Catalina

I thought files downloaded directly like this don't set the com.apple.quarantine extended attribute and sneakily bypass Gatekeeper. This is why you can curl unsigned/unnotarized binaries and run them but you can't download them via browsers, Mail.app, etc.

If not, then hopefully upstreams start notarizing soon! 😄

ollystephens

comment created time in 3 months

created tag mitchellh/gon

tag v0.2.2

Sign, notarize, and package macOS CLI tools and applications written in any language. Available as both a CLI and a Go library.

created time in 3 months

release mitchellh/gon

v0.2.2

released time in 3 months

push event mitchellh/gon

Mitchell Hashimoto

commit sha 5d2789ca2842510801de9af7f5f650b1a17d6fc3

v0.2.2

push time in 3 months

create branch mitchellh/gon

branch : f-check

created branch time in 3 months

pull request comment mitchellh/gon

Add support for zipping multiple source files (or a root directory)

Thank you!

I made one additional commit (on top of yours) to not expose Root right now as a public API. That is something we probably want to support in the Go-library API of gon but I think we want to think through the impacts of that plus Files more. In your form, it was either Root or Files but not both. That's certainly sensible but I don't want to commit to that yet in a public API.

Instead, I changed it so that we always create a temporary root from Files and use that.

maxfierke

comment created time in 3 months

PR merged mitchellh/gon

Add support for zipping multiple source files (or a root directory)

If multiple files are specified in source, currently the zip step does not work, as ditto does not support archiving multiple files at once. Instead, this refactors the zip step a bit to first copy all the source files into a temporary directory, and then archive the directory.

I'm not really a Go developer, so let me know if I've strayed from any idioms!

+84 -13

0 comment

1 changed file

maxfierke

pr closed time in 3 months

push event mitchellh/gon

Max Fierke

commit sha d7e9acf5175e3bb2c9636225d10335660d6ad4ff

Add support for zipping multiple source files (or a root directory)

Mitchell Hashimoto

commit sha 18c7163e8835d88e721f4274c5313b904b0dfa7e

Merge branch 'mf-zip_multiple' of https://github.com/maxfierke/gon into maxfierke-mf-zip_multiple

Mitchell Hashimoto

commit sha e99228c5b79fb2a08e64c5d5d33c672143771933

package/zip: don't export Root right now as a public API

push time in 3 months

push event mitchellh/gon

Mitchell Hashimoto

commit sha 604c8194e63ffb4c923a4357820104b6d1304ba9

cmd/gon: change if structure to avoid an else case

Mitchell Hashimoto

commit sha 5aa618755f4eb65592d7e8e892ad6b5fc30c59f2

update README

push time in 3 months

push event mitchellh/gon

Max Fierke

commit sha 87980d8194884ba5eb40507f9ac9ce5e25b1e13b

Fallback to environment if values not specified for AppleId

If any values are not specified in the config file for `AppleId` we can fall back to pulling them from `AC_USERNAME`, `AC_PASSWORD`, and `AC_PROVIDER`. `AC_PASSWORD` will still be passed into `altool` using the `@env:` prefix as supported by `altool` to avoid printing sensitive information, but all others will be read from the environment and passed by value to `altool`.

Mitchell Hashimoto

commit sha 3278d6292802db5a448a94b278c9ecf5af715bb7

Merge pull request #10 from maxfierke/mf-env_username Fallback to environment if values not specified for AppleId

push time in 3 months

PR merged mitchellh/gon

Fallback to environment if values not specified for AppleId

If any values are not specified in the config file for AppleId we can fall back to pulling them from AC_USERNAME, AC_PASSWORD, and AC_PROVIDER.

AC_PASSWORD will still be passed into altool using the @env: prefix as supported by altool to avoid printing sensitive information, but all others will be read from the environment and passed by value to altool.

Resolves #9

+93 -12

0 comment

8 changed files

maxfierke

pr closed time in 3 months

issue closed mitchellh/gon

Support reading Apple ID username/email from environment

Right now the properties within apple_id are being passed verbatim to altool, which has native support for reading the Apple ID password from the environment (or keychain), but it would be handy to also support providing the Apple ID username via an environment variable.

I'd like to commit my application's gon config to the repo that uses it, but would prefer to avoid publishing my Apple ID username/email.

If this seems reasonable, I can throw up a PR.

closed time in 3 months

maxfierke

Pull request review comment mitchellh/gon

Fallback to environment if values not specified for AppleId

 func realMain() int { 		} 	} +	// If not specified in the configuration, we initialize a new struct that we'll+	// load with values from the environment.+	if cfg.AppleId == nil {+		cfg.AppleId = &config.AppleId{}+	}++	if cfg.AppleId.Username == "" {+		appleIdUsername, ok := os.LookupEnv("AC_USERNAME")++		if ok {
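Review bot: the `AC_USERNAME` lookup at the end of the hunk only shows the `if ok {` branch; when the variable is absent and the config carries no username, `cfg.AppleId.Username` stays empty and `realMain` continues towards `altool` with it. Check `!ok` first and return a non-zero exit with an error naming the missing `apple_id` username / `AC_USERNAME`, which also removes the need for an else branch.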

This is fine, but I prefer to do a !ok check and exit, so that we don't need a full else case.

maxfierke

comment created time in 3 months

issue comment mitchellh/gon

Support use of apiKey/apiIssuer instead of username/password

Sure! This sounds good. I’ve never used these values so I didn’t support them because I couldn’t test them. If you want to take a stab I’d be happy to review that PR. Also, if you want to let me know how I can get these types of credentials and I can test it, that’d be appreciated.

lovelace

comment created time in 3 months

issue comment mitchellh/gon

Support reading Apple ID username/email from environment

Hey, I think that is reasonable. As you probably already know: the syntax we use for the Apple ID password is just what altool accepts so we can’t really accept the same values for the username (since I don’t believe altool parses those for keychain or env access).

If I recall in Apple’s docs they use the AC_USERNAME and AC_PASSWORD env vars. I’d be supportive of just supporting those as defaults if there is no config set.

maxfierke

comment created time in 3 months

push event mitchellh/gon

Mitchell Hashimoto

commit sha 358bd1c201ba00484ce2b3721800b4947bd650ea

package/dmg: update doc to note it uses create-dmg

push time in 3 months

created tag mitchellh/gon

tag v0.2.1

Sign, notarize, and package macOS CLI tools and applications written in any language. Available as both a CLI and a Go library.

created time in 3 months

release mitchellh/gon

v0.2.1

released time in 3 months

push event mitchellh/gon

Mitchell Hashimoto

commit sha 6bf907f21f68b871035378f4da75b3b7e0bdfcae

v0.2.1

push time in 3 months

push event mitchellh/gon

Mitchell Hashimoto

commit sha 184f2663ea8ef704ba11f955f06cedb673fcff26

notarize: tests for parselog

push time in 3 months

push event mitchellh/gon

Mitchell Hashimoto

commit sha 4c90bcde7ace62b6baeac283788084dc4cc68451

notarize: specify null logger for retryable client

push time in 3 months

issue closed mitchellh/gon

Signing with an invalid developer ID cert returns success

Issue: When I provide an invalid developer ID cert (oops), gon successfully completes and doesn't return an error. The log file shows a warning with the following under issues:

"issues": [
    {
      "severity": "warning",
      "code": null,
      "path": "terraform",
      "message": "The binary is not signed with a valid Developer ID certificate.",
      "docUrl": null,
      "architecture": "x86_64"
    }
  ]

IMO this is a fatal error, as the resulting executables can't be opened on OSX 10.15.

Solution: Exit gon and return an error if this 'warning' appears in the log file.

closed time in 3 months

mdeggies

issue comment mitchellh/gon

Signing with an invalid developer ID cert returns success

Fixed by #6. I'm going to add more tests and fix a couple other issues, will cut a release tomorrow or later tonight.

mdeggies

comment created time in 3 months

push event mitchellh/gon

Mitchell Hashimoto

commit sha 0a5bebe7a3c0a0b62020b947eae4cd3493001fd0

notarize: parse logs

Mitchell Hashimoto

commit sha 1ba8a7adeefc992ef82bd0a2aded257cc0642881

cmd/gon: download and parse logs for issues

Mitchell Hashimoto

commit sha 3aa853b2b3be5fee293b04bae53f86077822ca04

cmd/gon: download the log and output issues

Mitchell Hashimoto

commit sha 26e74e39091b7be1d074b8792f943854f70de32a

cmd/gon: error if there are warnings or log file can't be downloaded

Mitchell Hashimoto

commit sha a5f0eaeefdbca1ab42045eec7a68dbe9bcde3ce8

notarize: use a retryable HTTP client for downloading logs

Mitchell Hashimoto

commit sha 8962847dab7aa4baf7b66a542168929c384ba534

Merge pull request #6 from mitchellh/f-notarization-log Download notarization log, parse issues, error if any issues

push time in 3 months

delete branch mitchellh/gon

delete branch : f-notarization-log

delete time in 3 months

PR merged mitchellh/gon

Download notarization log, parse issues, error if any issues

This is a really sad thing discovered pursuing #5.

It turns out that the notarization status can be "success" and there can be "warnings" in the issues list in the log. If there are warnings, Gatekeeper still fails to validate a package and it won't launch.

This PR introduces the ability to download and parse logs, and errors if there are any issues (including warnings). We also output these directly in the CLI now which is nice. If we fail to download the log, we consider notarization a failure.

I wanted to add more tests for this but wanted to get this merged in quickly since it's blocking us in some ways. I'll add tests in future commits.

+168 -7

0 comment

5 changed files

mitchellh

pr closed time in 3 months

PR opened mitchellh/gon

Download notarization log, parse issues, error if any issues

This is a really sad thing discovered pursuing #5.

It turns out that the notarization status can be "success" and there can be "warnings" in the issues list in the log. If there are warnings, Gatekeeper still fails to validate a package and it won't launch.

This PR introduces the ability to download and parse logs, and errors if there are any issues (including warnings). We also output these directly in the CLI now which is nice. If we fail to download the log, we consider notarization a failure.

I wanted to add more tests for this but wanted to get this merged in quickly since it's blocking us in some ways. I'll add tests in future commits.

+168 -7

0 comment

5 changed files

pr created time in 3 months

push event mitchellh/gon

Mitchell Hashimoto

commit sha a5f0eaeefdbca1ab42045eec7a68dbe9bcde3ce8

notarize: use a retryable HTTP client for downloading logs

push time in 3 months

push event mitchellh/gon

Mitchell Hashimoto

commit sha 26e74e39091b7be1d074b8792f943854f70de32a

cmd/gon: error if there are warnings or log file can't be downloaded

push time in 3 months

create branch mitchellh/gon

branch : f-notarization-log

created branch time in 3 months

issue comment goreleaser/goreleaser

integrate mitchellh/gon lib for signing and notarizing macOS binaries

Awesome thanks @joemiller. Agreed a builds filter would help a lot here.

joemiller

comment created time in 3 months

push event mitchellh/gon

Mitchell Hashimoto

commit sha 0a56f02d901311d24fe60b5cc1ae19371c6590b7

sign: on error show the full output

push time in 3 months

issue closed mitchellh/gon

Enhancement: Add support for an Entitlements file

Add an optional entitlements_file string attribute to the sign config object. This will add the --entitlements <filepath> argument to the codesign command line.

https://github.com/etter-tanium/gon/blob/8ff56016325245ba1ddc327398bf86b35883863b/internal/config/config.go#L65 https://github.com/etter-tanium/gon/blob/8ff56016325245ba1ddc327398bf86b35883863b/sign/sign.go#L74

closed time in 3 months

etter-tanium

push event mitchellh/gon

Matthew Etter

commit sha 1aaac0ab74c03369c06f222ee1c9442aabebe4cb

Add support for --entitlements file

  • Optional entitlements_file in the "Sign" field
  • Add example .hcl file
  • Correct some minor tabs/spaces from previous PR

Matthew Etter

commit sha 8ff56016325245ba1ddc327398bf86b35883863b

Update README

Matthew Etter

commit sha 861a6224b40540080c7bd3cb964304d9cb08026e

Remove entitlements from roadmaps TODOs

Mitchell Hashimoto

commit sha 0723683e3a6e54ccd0b75e1ff1f5bc3dd2154dc2

Merge pull request #4 from etter-tanium/support-entitlements Add support for signing with an Entitlements file

push time in 3 months

PR merged mitchellh/gon

Add support for signing with an Entitlements file

For issue: https://github.com/mitchellh/gon/issues/3

+35 -13

1 comment

7 changed files

etter-tanium

pr closed time in 3 months

pull request comment mitchellh/gon

Add support for signing with an Entitlements file

Looks perfect. Thanks!

etter-tanium

comment created time in 3 months

issue comment mitchellh/gon

Signing with an invalid developer ID cert returns success

Hey @mdeggies, can you get me -log-level=trace output?

This might be working as intended, since Apple currently relaxed the notarization requirements: https://developer.apple.com/news/?id=09032019a

As noted in the logs they're just warnings and not errors. Regardless, I think it's a useful enhancement to download that log file, parse it, and show the user.

mdeggies

comment created time in 3 months

push event mitchellh/dotfiles

Mitchell Hashimoto

commit sha 20558c91f264ec940e54408941d3a96fe66af5a6

Update Brewfile

push time in 3 months

issue comment mitchellh/gon

Enhancement: Add support for an Entitlements file

👍

etter-tanium

comment created time in 3 months

pull request comment mitchellh/gon

Building on top of #1

Awesome.

It’d be helpful if you just opened an issue to warn me it's coming so I don’t overlap with you. That cool? If you want to include some thoughts on how you’re going to do the config we can bikeshed on that there so when the PR comes in hopefully we can just merge quickly.

I appreciate the contribution!

mitchellh

comment created time in 3 months

created tag mitchellh/gon

tag v0.2.0

Sign, notarize, and package macOS CLI tools and applications written in any language. Available as both a CLI and a Go library.

created time in 3 months

release mitchellh/gon

v0.2.0

released time in 3 months

push event mitchellh/gon

Mitchell Hashimoto

commit sha 69049d85a02d19b33ad705d2d1e58c48cb8e1aa0

v0.2.0

push time in 3 months

push event mitchellh/gon

Mitchell Hashimoto

commit sha 4cdac7b5bff99b6047facd0c697084fe080c8a32

Typo in README

push time in 3 months

push event mitchellh/gon

Mitchell Hashimoto

commit sha 024ee7836846e2eb7be78e22ca45766c6e1b04ec

make source/bundle_id optional for notarization-only mode

push time in 3 months

push event mitchellh/gon

Mitchell Hashimoto

commit sha d4cbc0ce1ed0b93041dbd164eb57dab4f256cc81

update README

push time in 3 months

push event mitchellh/gon

Mitchell Hashimoto

commit sha b45a4b83f1b92f29d050da8887ad5cf6100511cc

cmd/gon: shuffle some logic to be a bit clearer

push time in 3 months

delete branch mitchellh/gon

delete branch : etter-tanium-standalone-notarization

delete time in 3 months

push event mitchellh/gon

Matthew Etter

commit sha 1d9cee1fdb7adb94ec64e5a2b712d21dfc98fbdd

Support a notarization-only workflow

  • Add new optional notarize section to the config
  • Allow specifying notarize in lieu of sources

Mitchell Hashimoto

commit sha 92ccbcb34ad792b3bd66baaa31718dc8278b9b7f

support multiple `notarize` blocks, more validation in `gon`

Mitchell Hashimoto

commit sha 3cd4dbca3f19d0252ae23bd5067bfea604b3360a

update README

Mitchell Hashimoto

commit sha b86987ec953307f63d29d4c61484c888b4ca1e57

Merge pull request #2 from mitchellh/etter-tanium-standalone-notarization Support a notarization-only mode, thanks to @etter-tanium

push time in 3 months

PR merged mitchellh/gon

Building on top of #1

See #1

@etter-tanium - Here is what I noted in my comment. I added commits to your branch so you retain original authorship there.

+287 -72

0 comment

9 changed files

mitchellh

pr closed time in 3 months

PR closed mitchellh/gon

Support a notarization-only workflow

To support a workflow where the item to be notarized (.pkg or .zip) does not require the existing gon process to perform the signing and packaging steps.

  • Add new optional notarize section to the config
  • Allow specifying notarize in lieu of sources

+77 -26

5 comments

4 changed files

etter-tanium

pr closed time in 3 months

pull request comment mitchellh/gon

Support a notarization-only workflow

Pushed a modification to #2. I retained your commit! Thanks.

I also think I can add optional signing support here too...

etter-tanium

comment created time in 3 months

PR opened mitchellh/gon

Building on top of #1

See #1

@etter-tanium - Here is what I noted in my comment. I added commits to your branch so you retain original authorship there.

+287 -72

0 comment

9 changed files

pr created time in 3 months

create branch mitchellh/gon

branch : etter-tanium-standalone-notarization

created branch time in 3 months

pull request comment mitchellh/gon

Support a notarization-only workflow

I think we can do something simpler and incrementally change the config:

  • multiple notarize blocks support, each one represents a parallel notarization
  • add bundle_id to notarize, it uses that
  • keep sources and root bundle_id for now, that'll be used for from-source notarizing only.

It's a bit arbitrary-seeming but I think we can get to a point where step 3 turns into:

  • source {} block (single) which has files and bundle_id as parameters to attach to the source-based build.

And I think we can do that last step while keeping backwards compatibility and showing a warning for awhile. Very few people are probably using this project so we could probably break compat but I'd rather not if we can help it :)

etter-tanium

comment created time in 3 months

pull request comment mitchellh/gon

Support a notarization-only workflow

I think this makes a lot of sense and was something I was thinking about myself.

It bothers me a bit that the config feels a little weird (really bundle_id should be part of notarize). This isn't your fault at all, it's just the way it is currently. Let me think about that for a bit.

I might build on this a bit, because I think it'd be valuable to support notarizing multiple files since we effectively support that functionality already. It'd also enable us to provide maybe a split workflow in the future (where given a single config you can do the sign step, package step, notarize step separately). Any thoughts?

etter-tanium

comment created time in 3 months

issue comment nodejs/node

macOS Installer Requires Notarization To Be Run Under Catalina and Beyond

Hello! I've been helping our company (HashiCorp) work through this, even though we aren't Node users, and I wanted to drop a few things here that may be helpful. I've also been spending quite a lot of time researching this so if there are any questions I'd be happy to answer them. Like I said, I'm not a Node user or really part of this community, but from a general FOSS perspective, I'm happy to be of service.

What @directionless said is correct. For step 1, Apple supports only four formats: dmg, pkg, app, or zip. The one caveat with zip is that it does not support stapling (step 4 of what @directionless said), so users would need to have internet on first use (of any exec of an executable, not the unzipping action) to verify the notarization.

If you're looking to automate this to some extent, I've built a CLI to do that (language agnostic): https://github.com/mitchellh/gon It probably doesn't have the features the Node project needs to fully integrate it but I'm happy to help with that. Ultimately, I don't care if you use my tool, but the source code may be helpful in better understanding how this works. One thing I found building that tool is that there are various transient errors to be aware of that are safe for retries.

Good luck! 🚀

enquora

comment created time in 4 months

issue comment goreleaser/goreleaser

integrate mitchellh/gon lib for signing and notarizing macOS binaries

@joemiller Can you share your goreleaser config if you get it working?

One of the improvements I had thought of for gon is introducing flags to split the steps across multiple invocations to make it more friendly to hook into something like goreleaser but I wasn't able to verify the hooks are there. Let me know.

joemiller

comment created time in 4 months

issue comment goreleaser/goreleaser

integrate mitchellh/gon lib for signing and notarizing macOS binaries

Hey! Thanks for making this issue. 😄 My motivation for exposing gon as a library was actually hoping that goreleaser could integrate in some way. I just want to note that I'm happy to answer any questions or make any improvements to gon as this project sees fit.

I built gon to be more generic than just Go projects, hence it's its own CLI, plus the needs we have at HashiCorp are a bit more specialized than goreleaser can handle so gon provides something we can better integrate. However, I use goreleaser for a lot of projects (and we do for some at the company too) and I'd love to see better support for this.

Let me note a few difficulties I had with goreleaser where I couldn't find a way to fit gon in on its own:

  • For stapling support (verification works offline), you need to package your CLI into a DMG (or pkg, or .app/). I couldn't see a way to do this in goreleaser today.
  • For notarization, you need to operate on the dmg at least and it's async as noted above.

One annoying point is this all has to happen on macOS. It requires Xcode tooling that doesn't exist on other platforms today. I'm sure someone can reverse engineer it and make it work, but we're a long way from that.

I'd love to see goreleaser natively support notarization (including stapling with dmgs). The experience without notarization on macOS Catalina is quite extreme.

Thank you!

joemiller

comment created time in 4 months

created tag mitchellh/panicwrap

tag v1.0.0

panicwrap is a Go library for catching and handling panics in Go applications.

created time in 4 months

push event mitchellh/panicwrap

Mitchell Hashimoto

commit sha b3f3dc3c6bac25d9aa700825f5dc0dba75c5f2a8

update go.mod

push time in 4 months

PR merged mitchellh/panicwrap

Prevent false positives if, after a relaunch, the program tries to execute itself independently of panicwrap

Hi,

An issue has arisen from Terraform's use of panicwrap.

If, after a relaunch and panicwrap's setup, the application tries to execute itself recursively, as the cookie env variable will still be set, Wrapped will return true in this new process.

This is an issue for Terraform as they add a prefix to the outputs when Wrapped yields true, causing bad outputs.

To solve this I've made it so that after we detect that we are indeed in a wrapped process using the env variable, we unset it.

Do you agree with the proposed solution?

You can find the Terraform issue and conversation here https://github.com/hashicorp/terraform/issues/20293

+49 -2

4 comments

2 changed files

DaemonSnake

pr closed time in 4 months

push event mitchellh/panicwrap

Bastien Penavayre

commit sha aed6ae0068931d5b068806896c49786ff500c552

Unset cookie env var after its use if we are already wrapped

This is done to prevent false positives if, in a wrapped state, the program tries to execute itself independently of panicwrap

Bastien Penavayre

commit sha 417842d607525ac37bf9113b619f223be45fc13d

Update test to reflect unset of cookie env variable in a wrapped context

Bastien Penavayre

commit sha 82e88f90e40c2432b5472e77830ed09086d0094b

Add test to verify that within a wrapped context, an independent new process isn't considered as a panicwrapped one

Mitchell Hashimoto

commit sha 7daf7ec89acdfa94e677720dc07b21ac2b350385

Merge branch 'DaemonSnake-master'

push time in 4 months

push event mitchellh/gon

Mitchell Hashimoto

commit sha 419730c8eb85417f27b2cf369a4e7f14b63239e5

update README

push time in 4 months

push event mitchellh/gon

Mitchell Hashimoto

commit sha 3c9ddecade4b729818381e409e7abf4881c38553

update README

push time in 4 months

created tag mitchellh/gon

tag v0.1.1

Sign, notarize, and package macOS CLI tools and applications written in any language. Available as both a CLI and a Go library.

created time in 4 months

release mitchellh/gon

v0.1.1

released time in 4 months

push event mitchellh/gon

Mitchell Hashimoto

commit sha 31b5d020cad5ae8dae181be88f58b95aad58938e

notarize: use structured errors to check for error 1519

push time in 4 months

delete tag mitchellh/gon

delete tag : v0.1.1

delete time in 4 months

created tag mitchellh/gon

tag v0.1.1

Sign, notarize, and package macOS CLI tools and applications written in any language. Available as both a CLI and a Go library.

created time in 4 months

push event mitchellh/gon

Mitchell Hashimoto

commit sha 2f48e6bbf26fd598ded2baae9e34eaa70bdbfb5c

v0.1.1

push time in 4 months

push event mitchellh/gon

Mitchell Hashimoto

commit sha 8a115c2f6ecdedc407036b8bafbec57c831b55dd

notarize: limit concurrent uploads to avoid error -18000

push time in 4 months

PublicEvent

started mitchellh/gon

started time in 4 months

push event mitchellh/gon

Mitchell Hashimoto

commit sha 56f3b7415b4f999e7f8e712fc716198912d72b57

update README

push time in 4 months

push event mitchellh/gon

Mitchell Hashimoto

commit sha 91f77b797ca7359c0f102251759873afd2766b4c

update README

push time in 4 months

push event mitchellh/gon

Mitchell Hashimoto

commit sha f3470bd64d716a56fa75cef799cdea8ba1826a15

Add package docs

push time in 4 months

created tag mitchellh/golicense

tag v0.2.0

Scan and analyze OSS dependencies and licenses from compiled Go binaries

created time in 4 months