NeoAnd/mcp-server-wazuh
1
0
Fork 0
mirror of https://github.com/gbrigandi/mcp-server-wazuh.git synced 2026-01-05 11:46:55 -06:00
Code Issues Actions Packages Projects Releases Wiki Activity

Added MacOS code signing and notarization

Browse Source
This commit is contained in:
Gianluca Brigandi
2025-12-05 16:08:03 -08:00
parent 005e5f89a4
commit 80b0078a7f
1 changed files with 155 additions and 26 deletions
Download Patch File Download Diff File Expand all files Collapse all files

181
.github/workflows/release.yml vendored
View File

@@ -10,46 +10,68 @@ permissions:
packages: write # Needed to push to GitHub Container Registry packages: write # Needed to push to GitHub Container Registry
jobs: jobs:
create_release: validate_version:
name: Create Release name: Validate Version
runs-on: ubuntu-latest runs-on: ubuntu-latest
outputs:
upload_url: ${{ steps.create_release.outputs.upload_url }}
steps: steps:
- name: Create Release - uses: actions/checkout@v4
id: create_release
uses: actions/create-release@v1 - name: Validate tag format
env: run: |
GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} if [[ ! "${GITHUB_REF}" =~ ^refs/tags/v[0-9]+\.[0-9]+\.[0-9]+$ ]]; then
with: echo "❌ Invalid tag format. Must be v#.#.#"
tag_name: ${{ github.ref_name }} exit 1
release_name: Release ${{ github.ref_name }} fi
draft: false echo "✅ Tag format is valid"
prerelease: false
- name: Check version in Cargo.toml
run: |
TAG_VERSION=${GITHUB_REF#refs/tags/v}
echo "Tag version: $TAG_VERSION"
CARGO_VERSION=$(grep '^version' Cargo.toml | head -1 | cut -d '"' -f 2)
echo "Cargo.toml version: $CARGO_VERSION"
if [ "$CARGO_VERSION" != "$TAG_VERSION" ]; then
echo "❌ Version mismatch"
echo " Tag version: $TAG_VERSION"
echo " Cargo.toml version: $CARGO_VERSION"
exit 1
fi
echo "✅ Version matches: $TAG_VERSION"
build_binaries: build_binaries:
name: Build Binaries for ${{ matrix.target }} name: Build Binaries for ${{ matrix.target }}
needs: create_release needs: validate_version
runs-on: ${{ matrix.os }} runs-on: ${{ matrix.os }}
strategy: strategy:
matrix: matrix:
include: include:
# Linux Intel (musl for static linking)
- os: ubuntu-latest - os: ubuntu-latest
target: x86_64-unknown-linux-musl target: x86_64-unknown-linux-musl
asset_name_suffix: linux-amd64 asset_name_suffix: linux-amd64
output_name: mcp-server-wazuh output_name: mcp-server-wazuh
# Windows Intel
- os: windows-latest - os: windows-latest
target: x86_64-pc-windows-msvc target: x86_64-pc-windows-msvc
asset_name_suffix: windows-amd64.exe asset_name_suffix: windows-amd64.exe
output_name: mcp-server-wazuh.exe output_name: mcp-server-wazuh.exe
- os: macos-latest # Intel runner
# macOS Intel
- os: macos-latest
target: x86_64-apple-darwin target: x86_64-apple-darwin
asset_name_suffix: macos-amd64 asset_name_suffix: macos-amd64
output_name: mcp-server-wazuh output_name: mcp-server-wazuh
- os: macos-14 # ARM64/M1 runner
# macOS Apple Silicon
- os: macos-14
target: aarch64-apple-darwin target: aarch64-apple-darwin
asset_name_suffix: macos-arm64 asset_name_suffix: macos-arm64
output_name: mcp-server-wazuh output_name: mcp-server-wazuh
steps: steps:
- uses: actions/checkout@v4 - uses: actions/checkout@v4
@@ -67,19 +89,127 @@ jobs:
- name: Build binary - name: Build binary
run: cargo build --verbose --release --target ${{ matrix.target }} run: cargo build --verbose --release --target ${{ matrix.target }}
- name: Upload Release Asset - name: Check dynamic dependencies (macOS only)
uses: actions/upload-release-asset@v1 if: matrix.os == 'macos-latest' || matrix.os == 'macos-14'
run: |
echo "=== Checking dynamic library dependencies ==="
otool -L ./target/${{ matrix.target }}/release/${{ matrix.output_name }} || true
echo ""
echo "=== Checking for problematic dependencies ==="
if otool -L ./target/${{ matrix.target }}/release/${{ matrix.output_name }} | grep -E "(liblzma|/opt/homebrew|/usr/local)"; then
echo "WARNING: Found dynamic dependencies that may cause issues with code signing"
fi
- name: Import Apple Certificate (macOS only)
if: matrix.os == 'macos-latest' || matrix.os == 'macos-14'
env: env:
GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} APPLE_CERTIFICATE_BASE64: ${{ secrets.APPLE_CERTIFICATE_BASE64 }}
APPLE_CERTIFICATE_PASSWORD: ${{ secrets.APPLE_CERTIFICATE_PASSWORD }}
run: |
# Create temporary keychain with proper extension
security create-keychain -p temp-password build.keychain
security default-keychain -s build.keychain
security unlock-keychain -p temp-password build.keychain
security set-keychain-settings -lut 21600 build.keychain
# Add build keychain to search list
security list-keychains -d user -s build.keychain $(security list-keychains -d user | sed s/\"//g)
# Import certificate with -A flag to avoid access control issues
echo "$APPLE_CERTIFICATE_BASE64" | base64 --decode > certificate.p12
# Import certificate (should contain both cert and private key)
security import certificate.p12 -k build.keychain -P "$APPLE_CERTIFICATE_PASSWORD" -A -T /usr/bin/codesign
# Import Apple intermediate certificate (DER format)
curl -o DeveloperIDG2CA.cer https://www.apple.com/certificateauthority/DeveloperIDG2CA.cer
security import DeveloperIDG2CA.cer -k build.keychain -A -T /usr/bin/codesign
# Import Apple Worldwide Developer Relations CA G3 (DER format)
curl -o AppleWWDRCAG3.cer https://www.apple.com/certificateauthority/AppleWWDRCAG3.cer
security import AppleWWDRCAG3.cer -k build.keychain -A -T /usr/bin/codesign
# Set partition list to avoid password prompts
security set-key-partition-list -S apple-tool:,apple:,codesign: -s -k temp-password build.keychain
# Clean up certificate files
rm certificate.p12 DeveloperIDG2CA.cer AppleWWDRCAG3.cer
- name: Code Sign Binary (macOS only)
if: matrix.os == 'macos-latest' || matrix.os == 'macos-14'
env:
APPLE_SIGNING_IDENTITY: ${{ secrets.APPLE_SIGNING_IDENTITY }}
run: |
# Check identities in build keychain
echo "=== Code signing identities in build.keychain ==="
security find-identity -v -p codesigning build.keychain || true
# Extract signing identity hash from build keychain
SIGNING_HASH=$(security find-identity -v -p codesigning build.keychain | grep "$APPLE_SIGNING_IDENTITY" | grep -oE "[0-9A-F]{40}" | head -n 1)
echo "Using signing hash: $SIGNING_HASH"
# Sign the binary using the SHA-1 hash
/usr/bin/codesign --force --sign "$SIGNING_HASH" --timestamp --options runtime ./target/${{ matrix.target }}/release/${{ matrix.output_name }} -v
# Verify signature
/usr/bin/codesign --verify --verbose ./target/${{ matrix.target }}/release/${{ matrix.output_name }}
- name: Notarize Binary (macOS only)
if: matrix.os == 'macos-latest' || matrix.os == 'macos-14'
env:
APPLE_API_KEY_BASE64: ${{ secrets.APPLE_API_KEY_BASE64 }}
APPLE_API_KEY_ID: ${{ secrets.APPLE_API_KEY_ID }}
APPLE_API_ISSUER_ID: ${{ secrets.APPLE_API_ISSUER_ID }}
run: |
# Create API key file
echo "=== Creating API key file ==="
API_KEY_FILE="AuthKey_${APPLE_API_KEY_ID}.p8"
echo "$APPLE_API_KEY_BASE64" | base64 --decode > "$API_KEY_FILE"
echo "Created: $API_KEY_FILE"
# Create zip file for notarization using ditto (preserves metadata better)
echo "=== Creating zip file for notarization ==="
ZIP_FILE="mcp-server-wazuh-${{ matrix.asset_name_suffix }}-notarization.zip"
ditto -c -k --sequesterRsrc --keepParent ./target/${{ matrix.target }}/release/${{ matrix.output_name }} "$ZIP_FILE"
echo "Created: $ZIP_FILE"
# Submit for notarization
echo "=== Submitting for notarization ==="
echo "This may take several minutes..."
xcrun notarytool submit "$ZIP_FILE" \
--key "$API_KEY_FILE" \
--key-id "$APPLE_API_KEY_ID" \
--issuer "$APPLE_API_ISSUER_ID" \
--wait
# Attempt to staple the notarization (will fail for command-line tools - this is expected)
echo "=== Attempting to staple notarization ==="
echo "Note: Stapling fails for command-line tools - this is normal"
xcrun stapler staple ./target/${{ matrix.target }}/release/${{ matrix.output_name }} || echo "Stapling failed (expected for command-line tools)"
# Final verification
echo "=== Final signature and notarization verification ==="
codesign --verify --verbose ./target/${{ matrix.target }}/release/${{ matrix.output_name }}
spctl --assess --type execute --verbose ./target/${{ matrix.target }}/release/${{ matrix.output_name }} || echo "spctl assessment completed"
# Clean up files
rm -f "$ZIP_FILE" "$API_KEY_FILE"
echo "=== Notarization completed successfully ==="
- name: Rename binary for upload
shell: bash
run: |
cp ./target/${{ matrix.target }}/release/${{ matrix.output_name }} mcp-server-wazuh-${{ matrix.asset_name_suffix }}
- name: Upload Release Asset
uses: softprops/action-gh-release@v2
with: with:
upload_url: ${{ needs.create_release.outputs.upload_url }} files: mcp-server-wazuh-${{ matrix.asset_name_suffix }}
asset_path: ./target/${{ matrix.target }}/release/${{ matrix.output_name }}
asset_name: mcp-server-wazuh-${{ matrix.asset_name_suffix }}
asset_content_type: application/octet-stream
build_docker: build_docker:
name: Build and Push Docker Image name: Build and Push Docker Image
needs: create_release needs: validate_version
runs-on: ubuntu-latest runs-on: ubuntu-latest
steps: steps:
- name: Checkout code - name: Checkout code
@@ -114,4 +244,3 @@ jobs:
labels: ${{ steps.meta.outputs.labels }} labels: ${{ steps.meta.outputs.labels }}
cache-from: type=gha cache-from: type=gha
cache-to: type=gha,mode=max cache-to: type=gha,mode=max