Feat python package codesign (#1780)

* feat: add codesign for macos

* feat: add codesign for macos

* fix: notary python zipped folder

---------

Co-authored-by: Hien To <tominhhien97@gmail.com>

.github/workflows/python-package.yml

@@ -30,23 +30,23 @@ env:
 jobs:
   build-and-test:
     runs-on: ${{ matrix.runs-on }}
-    timeout-minutes: 60
+    timeout-minutes: 360
     strategy:
       fail-fast: false
       matrix:
         include:
           # - os: "linux"
           #   name: "amd64"
           #   runs-on: "ubuntu-20-04-cuda-12-0"
-          # - os: "mac"
-          #   name: "amd64"
-          #   runs-on: "macos-selfhosted-12"
-          # - os: "mac"
-          #   name: "arm64"
-          #   runs-on: "macos-silicon"
-          - os: "windows"
+          - os: "mac"
             name: "amd64"
-            runs-on: "windows-cuda-12-0"
+            runs-on: "macos-selfhosted-12"
+          - os: "mac"
+            name: "arm64"
+            runs-on: "macos-silicon"
+          # - os: "windows"
+          #   name: "amd64"
+          #   runs-on: "windows-cuda-12-0"
     steps:
       - name: Clone
         id: checkout
@@ -66,13 +66,33 @@ jobs:
         with:
           python-version: "3.11"
 
+      - name: Get Cer for code signing
+        if: runner.os == 'macOS'
+        run: base64 -d <<< "$CODE_SIGN_P12_BASE64" > /tmp/codesign.p12
+        shell: bash
+        env:
+          CODE_SIGN_P12_BASE64: ${{ secrets.CODE_SIGN_P12_BASE64 }}
+
+      - uses: apple-actions/import-codesign-certs@v2
+        continue-on-error: true
+        if: runner.os == 'macOS'
+        with:
+          p12-file-base64: ${{ secrets.CODE_SIGN_P12_BASE64 }}
+          p12-password: ${{ secrets.CODE_SIGN_P12_PASSWORD }}
+
+      - name: Get Cer for code signing
+        if: runner.os == 'macOS'
+        run: base64 -d <<< "$NOTARIZE_P8_BASE64" > /tmp/notary-key.p8
+        shell: bash
+        env:
+          NOTARIZE_P8_BASE64: ${{ secrets.NOTARIZE_P8_BASE64 }}
+
       - name: Install dependencies Windows
         if: runner.os == 'windows'
         shell: pwsh
         run: |
-                
-                python3 -m pip install --upgrade pip
-                python3 -m pip install -r ${{env.MODEL_DIR}}/requirements.cuda.txt
+          python3 -m pip install --upgrade pip
+          python3 -m pip install -r ${{env.MODEL_DIR}}/requirements.cuda.txt
 
       - name: Install dependencies Linux
         if: runner.os == 'linux'
@@ -102,9 +122,8 @@ jobs:
             echo "Python path (where.exe): $pythonPath"
             $pythonFolder = Split-Path -Path "$pythonPath" -Parent
             echo "PYTHON_FOLDER=$pythonFolder" >> $env:GITHUB_ENV
-            
             copy "$pythonFolder\python*.*" "$pythonFolder\Scripts\"
-            
+
       - name: prepare python package macos
         if : runner.os == 'macOs'
         run: |
@@ -128,7 +147,65 @@ jobs:
             rm -rf $PYTHON_FOLDER/lib/python3.1
             echo "PYTHON_FOLDER=$PYTHON_FOLDER" >> $GITHUB_ENV
             echo "github end PYTHON_FOLDER: ${{env.PYTHON_FOLDER}}"
-      
+
+      - name: create plist file
+        if: runner.os == 'macOS'
+        run: |
+          cat << EOF > /tmp/entitlements.plist
+          <?xml version="1.0" encoding="UTF-8"?>
+          <!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
+          <plist version="1.0">
+          <dict>
+              <!-- These are required for binaries built by PyInstaller -->
+              <key>com.apple.security.cs.allow-jit</key>
+              <true/>
+              <key>com.apple.security.cs.allow-unsigned-executable-memory</key>
+              <true/>
+
+              <!-- Add these for additional permissions -->
+              <key>com.apple.security.app-sandbox</key>
+              <false/>
+              <key>com.apple.security.network.client</key>
+              <true/>
+              <key>com.apple.security.network.server</key>
+              <true/>
+              <key>com.apple.security.device.audio-input</key>
+              <true/>
+              <key>com.apple.security.device.microphone</key>
+              <true/>
+              <key>com.apple.security.device.camera</key>
+              <true/>
+              <key>com.apple.security.files.user-selected.read-write</key>
+              <true/>
+              <key>com.apple.security.cs.disable-library-validation</key>
+              <true/>
+              <key>com.apple.security.cs.allow-dyld-environment-variables</key>
+              <true/>
+              <key>com.apple.security.cs.allow-executable-memory</key>
+              <true/>
+          </dict>
+          </plist>
+          EOF
+
+      - name: Notary macOS Binary
+        if: runner.os == 'macOS'
+        run: |
+          codesign --force --entitlements="/tmp/entitlements.plist" -s "${{ secrets.DEVELOPER_ID }}" --options=runtime ${{env.PYTHON_FOLDER}}/bin/python
+          codesign --force --entitlements="/tmp/entitlements.plist" -s "${{ secrets.DEVELOPER_ID }}" --options=runtime ${{env.PYTHON_FOLDER}}/bin/python3
+          # Code sign all .so files and .dylib files
+          
+          find ${{env.PYTHON_FOLDER}} -type f \( -name "*.so" -o -name "*.dylib" \) -exec codesign --force --entitlements="/tmp/entitlements.plist" -s "${{ secrets.DEVELOPER_ID }}" --options=runtime {} \;
+
+          curl -sSfL https://raw.githubusercontent.com/anchore/quill/main/install.sh | sudo sh -s -- -b /usr/local/bin
+          # Notarize the binary
+          quill notarize ${{env.PYTHON_FOLDER}}/bin/python
+          quill notarize ${{env.PYTHON_FOLDER}}/bin/python3
+          find ${{env.PYTHON_FOLDER}} -type f \( -name "*.so" -o -name "*.dylib" \) -exec quill notarize {} \;
+        env:
+          QUILL_NOTARY_KEY_ID: ${{ secrets.NOTARY_KEY_ID }}
+          QUILL_NOTARY_ISSUER: ${{ secrets.NOTARY_ISSUER }}
+          QUILL_NOTARY_KEY: "/tmp/notary-key.p8"
+
       - name: Upload Artifact
         #if : runner.os == 'windows' || runner.os == 'linux'
         uses: actions/upload-artifact@v4
@@ -143,43 +220,8 @@ jobs:
         run: |
           rm ${{env.PYTHON_FOLDER}}/Scripts/python*.*
 
-  codesign:
-    runs-on: macos-latest
-    needs: build-and-test
-    steps:
-      - name: checkout
-        uses: actions/checkout@v3
-      - uses: apple-actions/import-codesign-certs@v2
+      - name: Remove Keychain
         continue-on-error: true
-        with:
-          p12-file-base64: ${{ secrets.CODE_SIGN_P12_BASE64 }}
-          p12-password: ${{ secrets.CODE_SIGN_P12_PASSWORD }}
-      - name: Download Artifact
-        uses: actions/download-artifact@v4
-        with:
-          name: ${{env.MODEL_NAME}}-mac-amd64
-          path: ${{env.MODEL_NAME}}-mac-amd64
-      - name: Download Artifact
-        uses: actions/download-artifact@v4
-        with:
-          name: ${{env.MODEL_NAME}}-mac-arm64
-          path: ${{env.MODEL_NAME}}-mac-arm64
-
-      - run: |
-          find "${{env.MODEL_NAME}}-mac-amd64" \( -type f -perm +111 \) -exec codesign --force --entitlements="./engine/templates/macos/entitlements.plist" -s "${{ secrets.DEVELOPER_ID }}" --options=runtime {} \;
-          find "${{env.MODEL_NAME}}-mac-arm64" \( -type f -perm +111 \) -exec codesign --force --entitlements="./engine/templates/macos/entitlements.plist" -s "${{ secrets.DEVELOPER_ID }}" --options=runtime {} \;
-      
-      - name: Upload Artifact
-        uses: actions/upload-artifact@v4
-        with:
-          name: ${{env.MODEL_NAME}}-mac-amd64-signed
-          path: ${{env.MODEL_NAME}}-mac-amd64
-          include-hidden-files: true
-          compression-level: 9
-      - name: Upload Artifact
-        uses: actions/upload-artifact@v4
-        with:
-          name: ${{env.MODEL_NAME}}-mac-arm64-signed
-          path: ${{env.MODEL_NAME}}-mac-arm64
-          include-hidden-files: true
-          compression-level: 9
+        if: always() && runner.os == 'macOS'
+        run: |
+          security delete-keychain signing_temp.keychain