docs: add documentation for release images in Orka #3891

Merged
Sep 9, 2024
101 changes: 100 additions & 1 deletion orka/templates/README.md
Expand Up @@ -98,7 +98,7 @@ Orka provides a base image that we need to customize to our needs.



**Manual Steps**
### Manual Steps for all the images

1. Update Sudoers file:

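Review bot: promoting the bold `**Manual Steps**` line to a real `### Manual Steps for all the images` heading changes the section's rendered anchor, so any link elsewhere in the docs that pointed at the old pseudo-heading should be checked; the new heading level also needs to match the one used for `### Manual Steps for the release images` added further down, which it does.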
Expand All @@ -123,3 +123,102 @@ sudo xcode-select --install

Do a an update using the UI. Check the available updates and install them (click in "more info"). Note that you don't want to update the OS, just the software.

### Manual Steps for the release images

1. Full Xcode installation

Xcode Command-line tools are not enough to perform a full notarization cycle, full Xcode must be installed manually.

As root:

* Download Xcode: https://developer.apple.com/download/more/ - find non-beta version, open Developer Tools in browser, Networking tab, start download (then cancel), in Networking tab "Copy as cURL" (available in Chrome & FF)
* On OSX 13 we currently install 14.13.1.
* Go to downloads folder, decompress the xip file (double click) and delete the xip file
* Move the Xcode.app to /Applications
* Open xcode, accept the license, install the built-in components and close xcode
* `sudo xcode-select --switch /Applications/Xcode.app`
* `sudo xcodebuild -license` - accept license
* `git` - check that git is working (confirming license has been accepted)
* Empty the trash


2. OSX Keychain Profile

Unblok the keychain:

```bash
security unlock-keychain -u /Library/Keychains/System.keychain
```

Create a keychain profile (`NODE_RELEASE_PROFILE`) for the release machine:

```bash
sudo xcrun notarytool store-credentials NODE_RELEASE_PROFILE \
--apple-id XXXX \
--team-id XXXX \
--password XXXX \
--keychain /Library/Keychains/System.keychain
```

Note: `XXXX` values are found in `secrets/build/release/apple.md`

The expected output is:

```
This process stores your credentials securely in the Keychain. You reference these credentials later using a profile name.

Validating your credentials...
Success. Credentials validated.
Credentials saved to Keychain.
To use them, specify `--keychain-profile "NODE_RELEASE_PROFILE" --keychain /Library/Keychains/System.keychain`
```

3. Signing certificates

* Go to the `build/release` folder in the secrets repo.
* Extract from secrets/build/release: `dotgpg cat Apple\ Developer\ ID\ Node.js\ Foundation.p12.base64 | base64 -D > /tmp/Apple\ Developer\ ID\ Node.js\ Foundation.p12`
* Transfer to release machine (scp to /tmp)
* `sudo security import /tmp/Apple\ Developer\ ID\ Node.js\ Foundation.p12 -k /Library/Keychains/System.keychain -T /usr/bin/codesign -T /usr/bin/productsign -P 'XXXX'` (where XXXX is found in secrets/build/release/apple.md) (`security unlock-keychain -u /Library/Keychains/System.keychain` _may_ be required prior to running this command).

4. Validating certificates are in date and valid

1. `security -i unlock-keychain` Enter the password for the machine located in secrets
2. `security find-certificate -c "Developer ID Application" -p > /tmp/app.cert` outputs the PEM format of the cert so we can properly inspect it
3. `security find-certificate -c "Developer ID Installer" -p > /tmp/installer.cert`
4. `openssl x509 -inform PEM -text -in /tmp/app.cert | less`
5. `openssl x509 -inform PEM -text -in /tmp/installer.cert | less`
6. `security find-identity -p codesigning -v`

The steps 4 and 5 will show the details of the certificates allowing to see expiry dates.

Example:

```
Not Before: Jan 22 03:40:05 2020 GMT
Not After : Jan 22 03:40:05 2025 GMT
```

The step 6 will show the list of certificates available on the machine.

Example:

```
1) XXXXXXXXXXX "Developer ID Application: Node.js Foundation (XXXXXXX)"
1 valid identities found
```

5. Change the default password

Use the password found in the secrets repository to change the default password:

```shell
passwd
```

Also change the keychain password:

```shell
security set-keychain-password
```

**:warning: IMPORTANT** We do this step manually at this point and not while using Packer because we added already sensitive information to the image.
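Review bot: the signing-certificate step imports the `.p12` from `/tmp` with `sudo security import ... -P 'XXXX'` but never deletes it, and both that command and `notarytool store-credentials --password XXXX` put secrets on the command line where they land in shell history and are visible in the process list; consider adding an explicit `rm /tmp/Apple\ Developer\ ID\ Node.js\ Foundation.p12` after the import (and on the machine the file was extracted on), and a note to run these commands with a leading space or `HISTCONTROL=ignorespace` (or to clear history afterwards) before the image is captured, in the same spirit as the closing warning about sensitive information already being in the image. Smaller points: "Unblok the keychain" should read "Unlock the keychain"; "14.13.1" does not look like a real Xcode version number (the 14.x line ended at 14.3.1), so please double-check it; the context line "Do a an update using the UI" has a duplicated article; and step 1 of the validation list, `security -i unlock-keychain`, could say which keychain it is meant to unlock so it lines up with the `/Library/Keychains/System.keychain` used everywhere else in this section.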