From 30c2b4fd17a4a51c4f9692f0cc059fb7bc2906ab Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Felix=20F=C3=B6rtsch?=
Date: Sun, 24 May 2026 20:24:17 +0200
Subject: [PATCH] make gatekeeper assessment optional

---
 .gitea/workflows/custom-release.yml | 3 ++-
 scripts/tests/test-custom-release-macos-runner.bats | 11 ++++++++++-
 scripts/update-custom-release.sh | 9 +++++++--
 3 files changed, 19 insertions(+), 4 deletions(-)

diff --git a/.gitea/workflows/custom-release.yml b/.gitea/workflows/custom-release.yml
index 6c95263cb..5e1f7381c 100644
--- a/.gitea/workflows/custom-release.yml
+++ b/.gitea/workflows/custom-release.yml
@@ -18,7 +18,7 @@ on:
 description: "Optional upstream Syncthing tag, for example v2.1.0"
 required: false
 suffix:
- description: "Optional custom release suffix, for example stignore.6"
+ description: "Optional custom release suffix, for example stignore.7"
 required: false
 schedule:
 - cron: "17 04 * * *"
@@ -120,6 +120,7 @@ jobs:
 CUSTOM_RELEASE_REMOTE: origin
 CUSTOM_RELEASE_BUILDS: "darwin/arm64/zip/1 linux/amd64/tar/0 linux/arm64/tar/0"
 CUSTOM_RELEASE_CODESIGN_TEAM_ID: "NG5W75WE8U"
+ CUSTOM_RELEASE_REQUIRE_GATEKEEPER_ASSESSMENT: "0"
 CUSTOM_RELEASE_CREATE_GITEA_RELEASE: "1"
 CUSTOM_RELEASE_TEA_REPO: felixfoertsch/syncthing
 
diff --git a/scripts/tests/test-custom-release-macos-runner.bats b/scripts/tests/test-custom-release-macos-runner.bats
index 0d05cc816..e9a57a7ff 100644
--- a/scripts/tests/test-custom-release-macos-runner.bats
+++ b/scripts/tests/test-custom-release-macos-runner.bats
@@ -156,7 +156,7 @@ setup() {
 [ "$status" -eq 0 ]
 }
 
-@test "custom release validates darwin binaries before publishing" {
+@test "custom release validates signed darwin binaries before publishing" {
 run rg -n 'modernc-sqlite' "$RELEASE_SCRIPT"
 [ "$status" -eq 0 ]
 
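Review bot: The added `CUSTOM_RELEASE_REQUIRE_GATEKEEPER_ASSESSMENT: "0"` switches the release job's `spctl` assessment off without recording why, so the only check this workflow leaves on the darwin artifact is the `TeamIdentifier` match the script performs. The value is also identical to the script's own default, so the line records a policy decision rather than changing behaviour, and that decision deserves a comment. Presumably the assessment fails on the runner for builds that are not notarized (confirm); a note above the line such as `# Gatekeeper/notarization assessment (spctl) is disabled for CI builds; set to "1" once release binaries are notarized.` would tell the next maintainer when it is safe to flip it back.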
@@ -166,6 +166,15 @@ setup() {
 run rg -n 'TeamIdentifier=NG5W75WE8U|TeamIdentifier.*NG5W75WE8U' "$RELEASE_SCRIPT"
 [ "$status" -eq 0 ]
 
+ run rg -n 'CUSTOM_RELEASE_REQUIRE_GATEKEEPER_ASSESSMENT: "0"' "$WORKFLOW"
+ [ "$status" -eq 0 ]
+
+ run rg -n 'require_gatekeeper_assessment="\$\{CUSTOM_RELEASE_REQUIRE_GATEKEEPER_ASSESSMENT:-0\}"' "$RELEASE_SCRIPT"
+ [ "$status" -eq 0 ]
+
+ run rg -n 'if \[\[ "\$require_gatekeeper_assessment" == "1" \]\]; then' "$RELEASE_SCRIPT"
+ [ "$status" -eq 0 ]
+
 run rg -n 'spctl -a -vv --type execute' "$RELEASE_SCRIPT"
 [ "$status" -eq 0 ]
 }
diff --git a/scripts/update-custom-release.sh b/scripts/update-custom-release.sh
index 95e88dec3..f191e46bb 100755
--- a/scripts/update-custom-release.sh
+++ b/scripts/update-custom-release.sh
@@ -6,7 +6,7 @@ set -euo pipefail
 
 upstream_url="${CUSTOM_RELEASE_UPSTREAM_URL:-https://github.com/syncthing/syncthing.git}"
 upstream_tag="${CUSTOM_RELEASE_UPSTREAM_TAG:-}"
-suffix="${CUSTOM_RELEASE_SUFFIX:-stignore.6}"
+suffix="${CUSTOM_RELEASE_SUFFIX:-stignore.7}"
 branch_prefix="${CUSTOM_RELEASE_BRANCH_PREFIX:-custom}"
 dist_dir="${CUSTOM_RELEASE_DIST_DIR:-dist}"
 target="${CUSTOM_RELEASE_TARGET:-syncthing}"
@@ -15,6 +15,7 @@ build_specs="${CUSTOM_RELEASE_BUILDS:-}"
 default_cgo_enabled="${CUSTOM_RELEASE_CGO_ENABLED:-0}"
 codesign_identity="${CUSTOM_RELEASE_CODESIGN_IDENTITY:-}"
 codesign_team_id="${CUSTOM_RELEASE_CODESIGN_TEAM_ID:-NG5W75WE8U}"
+require_gatekeeper_assessment="${CUSTOM_RELEASE_REQUIRE_GATEKEEPER_ASSESSMENT:-0}"
 push_release="${CUSTOM_RELEASE_PUSH:-0}"
 push_branch="${CUSTOM_RELEASE_PUSH_BRANCH:-0}"
 push_remote="${CUSTOM_RELEASE_REMOTE:-origin}"
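Review bot: The new assertion `run rg -n 'CUSTOM_RELEASE_REQUIRE_GATEKEEPER_ASSESSMENT: "0"' "$WORKFLOW"` pins the workflow to keeping the Gatekeeper assessment disabled, so re-enabling the stricter check later would fail a test that is named "validates signed darwin binaries before publishing". Matching the key with either value, `run rg -n 'CUSTOM_RELEASE_REQUIRE_GATEKEEPER_ASSESSMENT: "[01]"' "$WORKFLOW"`, keeps the guard that the variable is set explicitly without freezing the policy in the test suite. All three added checks grep the source text of the script rather than exercising the skip branch; a behavioural test that puts a stub `spctl` on PATH and runs the script with the variable set to `1` and to `0` would catch a regression in the branch itself, though that is a larger change than this commit. The enclosing `@test` block begins outside this hunk.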
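Review bot: The default in `require_gatekeeper_assessment="${CUSTOM_RELEASE_REQUIRE_GATEKEEPER_ASSESSMENT:-0}"` turns the `spctl` assessment from an unconditional release gate into an opt-in for every caller of this script, not only the CI job that passes the variable explicitly. Since the workflow in this same commit already sets `"0"`, defaulting to `1` here costs the pipeline nothing and keeps manual or local releases on the path the script enforced before: `require_gatekeeper_assessment="${CUSTOM_RELEASE_REQUIRE_GATEKEEPER_ASSESSMENT:-1}"`. The bats test added in this commit greps for the `:-0` default and would need the same one-character change.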
@@ -329,7 +330,11 @@ sign_and_validate_darwin_binary() {
 printf '%s\n' "$codesign_details" >&2
 die "darwin build is not signed by TeamIdentifier=$codesign_team_id"
 fi
- spctl -a -vv --type execute "$binary"
+ if [[ "$require_gatekeeper_assessment" == "1" ]]; then
+ spctl -a -vv --type execute "$binary"
+ else
+ log "Skipping Gatekeeper assessment because CUSTOM_RELEASE_REQUIRE_GATEKEEPER_ASSESSMENT=$require_gatekeeper_assessment"
+ fi
 }
 
 push_refs() {
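Review bot: The new branch `if [[ "$require_gatekeeper_assessment" == "1" ]]; then` runs `spctl` only for the exact string `1`, so a value such as `true`, `yes` or a typo silently takes the skip path and the log line records the bad value instead of rejecting it. Because this flag decides whether a release artifact is assessed at all, reject anything other than `0` or `1` before this point, e.g. `[[ "$require_gatekeeper_assessment" == [01] ]] || die "CUSTOM_RELEASE_REQUIRE_GATEKEEPER_ASSESSMENT must be 0 or 1, got '$require_gatekeeper_assessment'"`. The skip message would also help whoever reads release logs if it named what was not checked, e.g. `log "WARNING: skipping Gatekeeper/notarization assessment (spctl) for $binary; only codesign TeamIdentifier was verified"`. sign_and_validate_darwin_binary begins outside this hunk.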