From fcf942b5c93ae4d3158f2a20ac9115326a72be54 Mon Sep 17 00:00:00 2001
From: umbynos
Date: Mon, 9 Nov 2020 18:57:06 +0100
Subject: [PATCH 1/6] update notarization job usable with p12 cert
---
.github/workflows/release.yaml | 35 ++++++++++++++++++++--------------
1 file changed, 21 insertions(+), 14 deletions(-)
diff --git a/.github/workflows/release.yaml b/.github/workflows/release.yaml
index 85968612d9e..2fdf3d2b8da 100644
--- a/.github/workflows/release.yaml
+++ b/.github/workflows/release.yaml
@@ -31,6 +31,9 @@ jobs: notarize-macos: runs-on: macos-latest needs: create-release-artifacts
+ env:
+ INSTALLER_CERT_MAC_PASSWORD: ${{ secrets.INSTALLER_CERT_MAC_PASSWORD }}
+ INSTALLER_CERT_MAC_P12: "/tmp/ArduinoCerts2020.p12" steps: - name: Checkout
@@ -41,27 +44,31 @@ jobs: with: name: dist
- - name: Download Gon
+ - name: Import Code-Signing Certificates
+ uses: Apple-Actions/import-codesign-certs@v1
+ with:
+ # The certificates in a PKCS12 file encoded as a base64 string
+ p12-file-base64: ${{ secrets.INSTALLER_CERT_MAC_P12 }}
+ # The password used to import the PKCS12 file.
+ p12-password: ${{ secrets.INSTALLER_CERT_MAC_PASSWORD }}
+
+ - name: Install gon via HomeBrew for code signing and app notarization run: |
- wget -q https://github.com/mitchellh/gon/releases/download/v0.2.2/gon_0.2.2_macos.zip
- unzip gon_0.2.2_macos.zip -d /usr/local/bin
- rm -f gon_0.2.2_macos.zip
+ brew tap mitchellh/gon
+ brew install mitchellh/gon/gon
- - name: Notarize binary, re-package it and update checksum
+ - name: Sign and notarize binary env: AC_USERNAME: ${{ secrets.AC_USERNAME }} AC_PASSWORD: ${{ secrets.AC_PASSWORD }}
- # This step performs the following:
- # 1. Download keychain from GH secrets and decode it from base64
- # 2. Add the keychain to the system keychains and unlock it
- # 3. Call Gon to start notarization process (using AC_USERNAME and AC_PASSWORD)
- # 4. Repackage the signed binary replaced in place by Gon (ignoring the output zip file)
- # 5. Recalculate package checksum and replace it in the goreleaser nnnnnn-checksums.txt file run: |
- echo "${{ secrets.KEYCHAIN }}" | base64 --decode > ~/Library/Keychains/apple-developer.keychain-db
- security list-keychains -s ~/Library/Keychains/apple-developer.keychain-db
- security unlock-keychain -p "${{ secrets.KEYCHAIN_PASSWORD }}" ~/Library/Keychains/apple-developer.keychain-db gon gon.config.hcl
+
+ - name: Notarize binary, re-package it and update checksum
+ # This step performs the following:
+ # 1. Repackage the signed binary replaced in place by Gon (ignoring the output zip file)
+ # 2. 
Recalculate package checksum and replace it in the goreleaser nnnnnn-checksums.txt file
+ run: | # GitHub's upload/download-artifact@v1 actions don't preserve file permissions, # so we need to add execution permission back until @v2 actions are released. chmod +x dist/arduino_cli_osx_darwin_amd64/arduino-cli
From d6b527604341866542aa078b4c0736643a8e71c2 Mon Sep 17 00:00:00 2001
From: Umberto Baldi <34278123+umbynos@users.noreply.github.com>
Date: Wed, 11 Nov 2020 10:08:13 +0100
Subject: [PATCH 2/6] Apply suggestions from code review
Co-authored-by: per1234
---
.github/workflows/release.yaml | 5 +----
1 file changed, 1 insertion(+), 4 deletions(-)
diff --git a/.github/workflows/release.yaml b/.github/workflows/release.yaml
index 2fdf3d2b8da..61b940e967c 100644
--- a/.github/workflows/release.yaml
+++ b/.github/workflows/release.yaml
@@ -31,9 +31,6 @@ jobs: notarize-macos: runs-on: macos-latest needs: create-release-artifacts
- env:
- INSTALLER_CERT_MAC_PASSWORD: ${{ secrets.INSTALLER_CERT_MAC_PASSWORD }}
- INSTALLER_CERT_MAC_P12: "/tmp/ArduinoCerts2020.p12" steps: - name: Checkout
@@ -64,7 +61,7 @@ jobs: run: | gon gon.config.hcl
- - name: Notarize binary, re-package it and update checksum
+ - name: Re-package binary and update checksum # This step performs the following: # 1. Repackage the signed binary replaced in place by Gon (ignoring the output zip file) # 2. Recalculate package checksum and replace it in the goreleaser nnnnnn-checksums.txt file
From 098f431b31b7cd4c48d99d8a2d7b9599274673f9 Mon Sep 17 00:00:00 2001
From: umbynos
Date: Wed, 11 Nov 2020 10:20:39 +0100
Subject: [PATCH 3/6] update nightly.yaml to use p12 cert
---
.github/workflows/nightly.yaml | 32 ++++++++++++++++++--------------
1 file changed, 18 insertions(+), 14 deletions(-)
diff --git a/.github/workflows/nightly.yaml b/.github/workflows/nightly.yaml
index 60296995f0b..1e87f52328c 100644
--- a/.github/workflows/nightly.yaml
+++ b/.github/workflows/nightly.yaml
@@ -46,27 +46,31 @@ jobs: with: name: dist
- - name: Download Gon
+ - name: Import Code-Signing Certificates
+ uses: Apple-Actions/import-codesign-certs@v1
+ with:
+ # The certificates in a PKCS12 file encoded as a base64 string
+ p12-file-base64: ${{ secrets.INSTALLER_CERT_MAC_P12 }}
+ # The password used to import the PKCS12 file.
+ p12-password: ${{ secrets.INSTALLER_CERT_MAC_PASSWORD }}
+
+ - name: Install gon via HomeBrew for code signing and app notarization run: |
- wget -q https://github.com/mitchellh/gon/releases/download/v0.2.2/gon_0.2.2_macos.zip
- unzip gon_0.2.2_macos.zip -d /usr/local/bin
- rm -f gon_0.2.2_macos.zip
+ brew tap mitchellh/gon
+ brew install mitchellh/gon/gon
- - name: Notarize binary, re-package it and update checksum
+ - name: Sign and notarize binary env: AC_USERNAME: ${{ secrets.AC_USERNAME }} AC_PASSWORD: ${{ secrets.AC_PASSWORD }}
- # This step performs the following:
- # 1. Download keychain from GH secrets and decode it from base64
- # 2. Add the keychain to the system keychains and unlock it
- # 3. Call Gon to start notarization process (using AC_USERNAME and AC_PASSWORD)
- # 4. Repackage the signed binary replaced in place by Gon (ignoring the output zip file)
- # 5. Recalculate package checksum and replace it in the goreleaser nnnnnn-checksums.txt file run: |
- echo "${{ secrets.KEYCHAIN }}" | base64 --decode > ~/Library/Keychains/apple-developer.keychain-db
- security list-keychains -s ~/Library/Keychains/apple-developer.keychain-db
- security unlock-keychain -p "${{ secrets.KEYCHAIN_PASSWORD }}" ~/Library/Keychains/apple-developer.keychain-db gon gon.config.hcl
+
+ - name: Re-package binary and update checksum
+ # This step performs the following:
+ # 1. Repackage the signed binary replaced in place by Gon (ignoring the output zip file)
+ # 2. 
Recalculate package checksum and replace it in the goreleaser nnnnnn-checksums.txt file
+ run: | # GitHub's upload/download-artifact@v1 actions don't preserve file permissions, # so we need to add execution permission back until @v2 actions are released. chmod +x dist/arduino_cli_osx_darwin_amd64/arduino-cli
From a875e02629a6e780cc59084833e14796b23ec0fc Mon Sep 17 00:00:00 2001
From: umbynos
Date: Thu, 12 Nov 2020 17:53:51 +0100
Subject: [PATCH 4/6] replace third party action to handle keychain with shell code
---
.github/workflows/nightly.yaml | 16 ++++++++++------
.github/workflows/release.yaml | 16 ++++++++++------
2 files changed, 20 insertions(+), 12 deletions(-)
diff --git a/.github/workflows/nightly.yaml b/.github/workflows/nightly.yaml
index 1e87f52328c..c3e873e7101 100644
--- a/.github/workflows/nightly.yaml
+++ b/.github/workflows/nightly.yaml
@@ -47,12 +47,16 @@ jobs: name: dist - name: Import Code-Signing Certificates
- uses: Apple-Actions/import-codesign-certs@v1
- with:
- # The certificates in a PKCS12 file encoded as a base64 string
- p12-file-base64: ${{ secrets.INSTALLER_CERT_MAC_P12 }}
- # The password used to import the PKCS12 file.
- p12-password: ${{ secrets.INSTALLER_CERT_MAC_PASSWORD }}
+ env:
+ KEYCHAIN: "sign.keychain"
+ INSTALLER_CERT_MAC_PATH: "/tmp/ArduinoCerts2020.p12"
+ run: |
+ echo "${{ secrets.INSTALLER_CERT_MAC_P12 }}" | base64 --decode > ${{ env.INSTALLER_CERT_MAC_PATH }}
+ security create-keychain -p ${{ secrets.KEYCHAIN_PASSWORD }} ${{ env.KEYCHAIN }}
+ security default-keychain -s ${{ env.KEYCHAIN }}
+ security unlock-keychain -p ${{ secrets.KEYCHAIN_PASSWORD }} ${{ env.KEYCHAIN }}
+ security import ${{ env.INSTALLER_CERT_MAC_PATH }} -k ${{ env.KEYCHAIN }} -f pkcs12 -A -T /usr/bin/codesign -P ${{ secrets.INSTALLER_CERT_MAC_PASSWORD }}
+ security set-key-partition-list -S apple-tool:,apple: -s -k ${{ secrets.KEYCHAIN_PASSWORD }} ${{ env.KEYCHAIN }} - name: Install gon via HomeBrew for code signing and app notarization run: |
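Review bot: The `run:` block added for `Import Code-Signing Certificates` inlines `${{ secrets.KEYCHAIN_PASSWORD }}`, `${{ secrets.INSTALLER_CERT_MAC_PASSWORD }}` and the base64 P12 into the script text, and the password expansions are unquoted, so a value containing whitespace or shell metacharacters breaks the `security create-keychain`, `unlock-keychain` and `import` calls; passing the secrets through the step's `env:` and referencing them as `"$KEYCHAIN_PASSWORD"` keeps them out of the script source and quotes them. The decoded `/tmp/ArduinoCerts2020.p12` is also left on disk after `security import`, and `-A` lets every application use the imported key although `-T /usr/bin/codesign` already names the one consumer (if removing `-A` turns out to block gon's codesign call, keep it and say why in a comment). The same block is added to release.yaml in this commit's second hunk, and the enclosing job begins outside the hunk.
```yaml
- name: Import Code-Signing Certificates
  env:
    KEYCHAIN: "sign.keychain"
    INSTALLER_CERT_MAC_PATH: "/tmp/ArduinoCerts2020.p12"
    INSTALLER_CERT_MAC_P12: ${{ secrets.INSTALLER_CERT_MAC_P12 }}
    INSTALLER_CERT_MAC_PASSWORD: ${{ secrets.INSTALLER_CERT_MAC_PASSWORD }}
    KEYCHAIN_PASSWORD: ${{ secrets.KEYCHAIN_PASSWORD }}
  run: |
    echo "$INSTALLER_CERT_MAC_P12" | base64 --decode > "$INSTALLER_CERT_MAC_PATH"
    security create-keychain -p "$KEYCHAIN_PASSWORD" "$KEYCHAIN"
    security default-keychain -s "$KEYCHAIN"
    security unlock-keychain -p "$KEYCHAIN_PASSWORD" "$KEYCHAIN"
    security import "$INSTALLER_CERT_MAC_PATH" -k "$KEYCHAIN" -f pkcs12 -T /usr/bin/codesign -P "$INSTALLER_CERT_MAC_PASSWORD"
    security set-key-partition-list -S apple-tool:,apple: -s -k "$KEYCHAIN_PASSWORD" "$KEYCHAIN"
    # the PKCS12 is only needed for the import; do not leave it on the runner
    rm -f "$INSTALLER_CERT_MAC_PATH"
```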
diff --git a/.github/workflows/release.yaml b/.github/workflows/release.yaml
index 61b940e967c..3cc9ea90d5c 100644
--- a/.github/workflows/release.yaml
+++ b/.github/workflows/release.yaml
@@ -42,12 +42,16 @@ jobs: name: dist - name: Import Code-Signing Certificates
- uses: Apple-Actions/import-codesign-certs@v1
- with:
- # The certificates in a PKCS12 file encoded as a base64 string
- p12-file-base64: ${{ secrets.INSTALLER_CERT_MAC_P12 }}
- # The password used to import the PKCS12 file.
- p12-password: ${{ secrets.INSTALLER_CERT_MAC_PASSWORD }}
+ env:
+ KEYCHAIN: "sign.keychain"
+ INSTALLER_CERT_MAC_PATH: "/tmp/ArduinoCerts2020.p12"
+ run: |
+ echo "${{ secrets.INSTALLER_CERT_MAC_P12 }}" | base64 --decode > ${{ env.INSTALLER_CERT_MAC_PATH }}
+ security create-keychain -p ${{ secrets.KEYCHAIN_PASSWORD }} ${{ env.KEYCHAIN }}
+ security default-keychain -s ${{ env.KEYCHAIN }}
+ security unlock-keychain -p ${{ secrets.KEYCHAIN_PASSWORD }} ${{ env.KEYCHAIN }}
+ security import ${{ env.INSTALLER_CERT_MAC_PATH }} -k ${{ env.KEYCHAIN }} -f pkcs12 -A -T /usr/bin/codesign -P ${{ secrets.INSTALLER_CERT_MAC_PASSWORD }}
+ security set-key-partition-list -S apple-tool:,apple: -s -k ${{ secrets.KEYCHAIN_PASSWORD }} ${{ env.KEYCHAIN }} - name: Install gon via HomeBrew for code signing and app notarization run: |
From d553c68a05207960d77c4a4e6709e97108d1d489 Mon Sep 17 00:00:00 2001
From: umbynos
Date: Thu, 12 Nov 2020 20:34:47 +0100
Subject: [PATCH 5/6] revert to previous gon installation with homebrew tap is not possible to install an exact version of an app
---
.github/workflows/nightly.yaml | 6 +++---
.github/workflows/release.yaml | 4 ++--
2 files changed, 5 insertions(+), 5 deletions(-)
diff --git a/.github/workflows/nightly.yaml b/.github/workflows/nightly.yaml
index c3e873e7101..5711cef1c72 100644
--- a/.github/workflows/nightly.yaml
+++ b/.github/workflows/nightly.yaml
@@ -58,10 +58,10 @@ jobs: security import ${{ env.INSTALLER_CERT_MAC_PATH }} -k ${{ env.KEYCHAIN }} -f pkcs12 -A -T /usr/bin/codesign -P ${{ secrets.INSTALLER_CERT_MAC_PASSWORD }} security set-key-partition-list -S apple-tool:,apple: -s -k ${{ secrets.KEYCHAIN_PASSWORD }} ${{ env.KEYCHAIN }}
- - name: Install gon via HomeBrew for code signing and app notarization
+ - name: Install gon for code signing and app notarization run: |
- brew tap mitchellh/gon
- brew install mitchellh/gon/gon
+ wget -q https://github.com/mitchellh/gon/releases/download/v0.2.3/gon_macos.zip
+ unzip gon_macos.zip -d /usr/local/bin - name: Sign and notarize binary env:
diff --git a/.github/workflows/release.yaml b/.github/workflows/release.yaml
index 3cc9ea90d5c..c5384102004 100644
--- a/.github/workflows/release.yaml
+++ b/.github/workflows/release.yaml
@@ -55,8 +55,8 @@ jobs: - name: Install gon via HomeBrew for code signing and app notarization run: |
- brew tap mitchellh/gon
- brew install mitchellh/gon/gon
+ wget -q https://github.com/mitchellh/gon/releases/download/v0.2.3/gon_macos.zip
+ unzip gon_macos.zip -d /usr/local/bin - name: Sign and notarize binary env:
From e02009879d436c7f06d609f49c5ef0687802347d Mon Sep 17 00:00:00 2001
From: umbynos
Date: Thu, 12 Nov 2020 20:40:46 +0100
Subject: [PATCH 6/6] forgot to modify step name
---
.github/workflows/release.yaml | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/.github/workflows/release.yaml b/.github/workflows/release.yaml
index c5384102004..c634f8a5731 100644
--- a/.github/workflows/release.yaml
+++ b/.github/workflows/release.yaml
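Review bot: `wget -q https://github.com/mitchellh/gon/releases/download/v0.2.3/gon_macos.zip` followed by `unzip gon_macos.zip -d /usr/local/bin` installs the tool that the next step hands `AC_USERNAME`/`AC_PASSWORD` to, with no integrity check on the downloaded archive; a release asset can be replaced without the tag moving, so record the archive's digest and verify it before unzipping, e.g. `echo "<GON_ZIP_SHA256_PLACEHOLDER>  gon_macos.zip" | shasum -a 256 -c -` right after the wget (the digest is a placeholder to be filled in from a trusted copy of the release). The download step this reverts to also removed the archive with `rm -f` after extracting, which this hunk drops. The release.yaml hunk in this commit has the same shape and needs the same change; the enclosing job begins outside both hunks.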
@@ -53,7 +53,7 @@ jobs: security import ${{ env.INSTALLER_CERT_MAC_PATH }} -k ${{ env.KEYCHAIN }} -f pkcs12 -A -T /usr/bin/codesign -P ${{ secrets.INSTALLER_CERT_MAC_PASSWORD }} security set-key-partition-list -S apple-tool:,apple: -s -k ${{ secrets.KEYCHAIN_PASSWORD }} ${{ env.KEYCHAIN }}
- - name: Install gon via HomeBrew for code signing and app notarization
+ - name: Install gon for code signing and app notarization run: | wget -q https://github.com/mitchellh/gon/releases/download/v0.2.3/gon_macos.zip unzip gon_macos.zip -d /usr/local/bin