On 12 November 2017 at 02:02, Dirk Hohndel <d...@hohndel.org> wrote: > >> On Nov 11, 2017, at 3:49 PM, Lubomir I. Ivanov <neolit...@gmail.com> wrote: >>> >>> Thank you. This was harder than I expected it to be - but I hope that the >>> reward >>> will be worth it. >>> >>> Now, of course, I have smelled blood and want to automate a Mac build, too. >>> >>> Because I have nothing else to waste my time on, right? >>> >> >> but all builds will be automated after that? so, worthy time investment? > > So right now we have AppImage and Windows installer automated. Both for > each PR / merge and by extension for each release. > We don't have the submissions to OBS and Launchpad automized, nor do > we have Mac builds automized. One challenge with the Mac builds (besides > getting them working in the first place) is that they need to be signed in > order > to actually work for our users - and I won't upload my signing key to GitHub > or Travis, for obvious reasons. So this will still require either some manual > effort or some more investigation how I could script that :-) > > But yes. MORE automation. >
maybe Travis can create a unsigned OSX app builds at least. but yeah, the signing will be a challenge without uploading a signing key. the way people do it, seems to be to upload an encrypted key and password protect it, where the password is encrypted in the yml. i did some investigation and this is one way of doing it without uploading the key: we can install a github-hook on the repository that sends a "releaseevent" https://developer.github.com/v3/activity/events/types/#releaseevent so when a release happens: - the repo has a webhook to notify a server about a release using a secure payload: https://developer.github.com/webhooks/securing/ then the server: - receives a JSON payload (releaseevent) - checks the JSON if this is an unsigned OSX release and not some other release - pulls the unsigned app DMG - signs the DMG with "codesign" - creates a new signed OSX release with this tool: https://github.com/aktau/github-release which can also upload files - the DMG. this way the signing key stays on the server. lubomir -- _______________________________________________ subsurface mailing list subsurface@subsurface-divelog.org http://lists.subsurface-divelog.org/cgi-bin/mailman/listinfo/subsurface
