Add extra pages to pkg installers #852

marcoesters · 2024-09-06T16:43:04Z

Description

Summary of changes

Add feature to create extra pages to pkg installers after the installation step, analogous to the capability for Windows installers.
Refactor code signing for pkg installers into a class.
Add testing for application signing.
Expand the post-install page features to Windows.
Expand documentation about signing pkg installers.

Detailed explanation

constructor has the capability to add additional pages for exe installer by overloading the custom_conclusion property. This is not possible for pkg installer because custom pages have a different format from conclusion pages: extra pages follow the Apple plugins format whereas conclusions are RTF or HTML.

So, a new keyword for construct.yaml is required. For pkg installer, this keyword can take multiple extra pages and add them to a pkg installer. These pages can either be compiled projects or simple, single-target projects. The latter is helpful for repositories since it would not require committing binaries.

The plugins must be signed to pass notarization just like the _conda binary. To make the code DRYer, the codesign commands are now a class just like the Windows signing tools. Caveat: get_signing_command() has a different return type because they are used differently. However, I'm happy to change the Windows return type to list and do the join operation elsewhere.

Signing has not been tested on MacOS yet. The challenge is to create self-signed certificates that must be added to a keychain. This is limited to application signing. For installers, a certificate has to be trusted to be found in the keychain. Trusting a certificate requires authentication and interaction with keychains, causing the job to be stuck. I have not found a way to circumvent this.

This concept has been expanded to Windows as well. While this can still be done via custom_conclusion, using the extra pages keyword provides a cleaner solution, especially for those who use the default conclusion page.

Checklist - did you ...

Add a file to the news directory (using the template) for the next release's release notes?
Add / update necessary tests?
Add / update outdated documentation?

…into pkg-extra-pages

constructor/construct.py

constructor/osxpkg.py

examples/osxpkg_extra_pages/construct.yaml

constructor/osxpkg.py

Co-authored-by: jaimergp <jaimergp@users.noreply.github.com>

jaimergp

Thanks!

marcoesters added 12 commits August 20, 2024 08:49

Add extra pages feature for pkg installers

2a8f0e4

Compile xcodeprojects

62b3cc6

Restructure signing

59a02c6

Use manual code signing for example

f35df22

Create CodeSign class

44eac8f

Add testing for signed installers

555eccb

Update documentation

769a07a

Enable MacOS signing testing on CI

71fcd61

Expand post-install pages to Windows

1866452

Clarify in tests that codesign outputs to stderr

c5971c1

Add news file

80479ac

Remove debug code

9b856c6

conda-bot added the cla-signed [bot] added once the contributor has signed the CLA label Sep 6, 2024

marcoesters added 17 commits September 6, 2024 10:23

Test: do not run add-trusted-cert on CI

9d08014

Merge branch 'pkg-extra-pages' of github.com:marcoesters/constructor …

d9b13ed

…into pkg-extra-pages

Test: Skip trusting

ca9f855

Add to system keychain

0a956b5

Use system keychain on CI

3f65457

Skip keychain domains

5fc9d33

Set default keychain instead of using list-keychains

0dfc46c

Actually set default keychain

7fc2d23

Unset password for system keychain

1ad573d

Use system keychain only for certificate trusting

875af89

Fix CI logic

5f5b2e4

Do not test for installer signing

261fbe2

Remove special signing keyword

db7e736

Set up debug session for macos-13

dd8e347

Move tmate action behind example runs

fcfee0f

Start session after setup steps

477ad90

Disable default shell

737d364

marcoesters added 2 commits September 9, 2024 10:07

Do not set -e with default shell

5869348

Copy full environment for self-signed certificates

79aade5

marcoesters marked this pull request as ready for review September 9, 2024 22:33

marcoesters requested a review from a team as a code owner September 9, 2024 22:33