Add notarization step in the CI #11

Merged
merged 6 commits into from
May 13, 2022

Conversation

umbynos
Contributor

@umbynos umbynos commented May 10, 2022

At the beginning we thought of integrating the key generation inside the arduino-cli; the use of imgtool as a standalone tool was not a requirement. It was later decided to write a guide on how to properly use imgtool in its standalone form. Since the CI does not run notarization for macOS binaries, the tool is marked with the com.apple.quarantine xattr on Mac. This can be mitigated by adding the notarization step to the CI.

umbynos added 2 commits May 10, 2022 16:40
…-code the path_name in `gon.config.hcl` file later for notarization
@umbynos umbynos added the topic: infrastructure Related to project infrastructure label May 10, 2022
@umbynos umbynos requested review from ubidefeo and per1234 May 10, 2022 15:34
@umbynos umbynos self-assigned this May 10, 2022
@umbynos
Contributor Author

umbynos commented May 10, 2022

Test release here
[image]

@umbynos umbynos force-pushed the umbynos/notarize branch 3 times, most recently from df0ea94 to 4067470 Compare May 12, 2022 13:22
@umbynos umbynos force-pushed the umbynos/notarize branch 2 times, most recently from 0a3a819 to d6cf82e Compare May 12, 2022 14:21
@umbynos
Contributor Author

umbynos commented May 12, 2022

@ubidefeo tested the rc6 and it's working:
[image]

@umbynos
Contributor Author

umbynos commented May 12, 2022

Note for future self:
It was not easy to notarize this binary, mainly because pyinstaller does generate a binary, but actually in a peculiar way: it bundles inside a self-extracting archive a stripped version of the Python interpreter along with the libs used. The problem with notarization is that every piece needs to be notarized, and macOS is particularly picky about it. Another important thing was the entitlements: an Apple way to grant an executable permission to use a service or technology. Thanks to pyinstaller/pyinstaller#4629 I found the correct ones. Without com.apple.security.cs.disable-library-validation the notarized binary was not even starting and was outputting:

[39491] Error loading Python lib '/var/folders/l_/cjj77tdd0g73w_yr33wytwxr0000gn/T/_MEIcDhDer/libpython3.7m.dylib': dlopen: dlopen(/var/folders/l_/cjj77tdd0g73w_yr33wytwxr0000gn/T/_MEIcDhDer/libpython3.7m.dylib, 0x000A): tried: '/var/folders/l_/cjj77tdd0g73w_yr33wytwxr0000gn/T/_MEIcDhDer/libpython3.7m.dylib' (code signature in <8715BA88-05FF-3F36-A118-EF866DA00ED3> '/private/var/folders/l_/cjj77tdd0g73w_yr33wytwxr0000gn/T/_MEIcDhDer/libpython3.7m.dylib' not valid for use in process: mapped file has no Team ID and is not a platform binary (signed with custom identity or adhoc?)), '/private/var/folders/l_/cjj77tdd0g73w_yr33wytwxr0000gn/T/_MEIcDhDer/libpython3.7m.dylib' (code signature in <8715BA88-05FF-3F36-A118-EF866DA00ED3> '/private/var/folders/l_/cjj77tdd0g73w_yr33wytwxr0000gn/T/_MEIcDhDer/libpython3.7m.dylib' not valid for use in process: mapped file has no Team ID and is not a platform binary (signed with custom identity or adhoc?))

I tried different things:

  • use -deep notarization (did not work because there is no .app folder but a single binary)
  • remove the signature from python (because of this)
  • pin python version to 3.7.6 because of this

@per1234
Contributor

per1234 commented May 13, 2022

If it hasn't been done already, would one of the team members with a Mac mind double checking the notarization by running this command on the test build? Unfortunately I wasn't able to access a macOS machine to do it myself.

spctl -a -vvv -t install imgtool

@cmaglie
Member

cmaglie commented May 13, 2022

👍 LGTM (macOS Monterey 12.3.1 MacBook Air M1 2020)

% ls
LICENSE.txt	imgtool
% spctl -a -vvv -t install imgtool
imgtool: accepted
source=Notarized Developer ID
origin=Developer ID Application: ARDUINO SA (7KT7ZWMCJT)
% ./imgtool 
Usage: imgtool [OPTIONS] COMMAND [ARGS]...

Options:
  -h, --help  Show this message and exit.

Commands:
  create   Create a signed or unsigned image
  exit     Exit imgtool
  getpriv  Dump private key from keypair
  getpub   Dump public key from keypair
  keygen   Generate pub/private keypair
  sign     Create a signed or unsigned image
  verify   Check that signed image can be verified by given key
  version  Print imgtool version information
% md5 ../imgtool_1.8.0-rc6_macOS_64bit.tar.gz 
MD5 (../imgtool_1.8.0-rc6_macOS_64bit.tar.gz) = e0337e93c8126e401cd4b7aff8cb317e
%
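The two checks this thread turns on, written up as an added example (it is not part of imgtool, of its CI, or of any comment above): it produces the entitlements plist carrying the key umbynos found necessary, classifies the dyld error quoted in his note, and parses the `spctl -a -vvv -t install` output that per1234 asked for and cmaglie posted, so a CI job can fail unless the verdict is "accepted" with source "Notarized Developer ID" and the expected Team ID. Python is used because imgtool is itself a PyInstaller-built Python tool. Assumptions: the expected Team ID is the one visible in cmaglie's output, the sample "rejected" and "signed but not notarized" outputs are constructed for the test, and other entitlement keys from the linked PyInstaller issue are deliberately left out because the thread only names this one.

```python
"""Helpers for checking a notarized macOS build (added example, not imgtool code)."""
import plistlib
import re
import subprocess
import sys

# Entitlement named in the thread; other keys from pyinstaller/pyinstaller#4629
# may be needed for a given build, but only this one is taken from the discussion.
ENTITLEMENTS = {"com.apple.security.cs.disable-library-validation": True}

# Team ID shown in the spctl output posted in the thread (assumed as the expected signer).
EXPECTED_TEAM_ID = "7KT7ZWMCJT"

# spctl output copied from the thread (real) and two constructed failure cases.
SAMPLE_NOTARIZED = (
    "imgtool: accepted\n"
    "source=Notarized Developer ID\n"
    "origin=Developer ID Application: ARDUINO SA (7KT7ZWMCJT)\n"
)
SAMPLE_REJECTED = "imgtool: rejected\nsource=no usable signature\n"  # constructed
SAMPLE_SIGNED_ONLY = (  # constructed: signed with Developer ID but never notarized
    "imgtool: accepted\n"
    "source=Developer ID\n"
    "origin=Developer ID Application: ARDUINO SA (7KT7ZWMCJT)\n"
)


def build_entitlements_plist():
    """Return entitlements.plist bytes for `codesign --entitlements` with the hardened runtime."""
    return plistlib.dumps(ENTITLEMENTS, fmt=plistlib.FMT_XML)


def parse_spctl(output):
    """Parse `spctl -a -vvv -t install <file>` output into a dict.

    spctl prints `<file>: accepted|rejected` followed by key=value lines.
    """
    info = {}
    for line in output.splitlines():
        line = line.strip()
        if not line:
            continue
        if "=" in line:
            key, _, value = line.partition("=")
            info[key.strip()] = value.strip()
        elif ":" in line:
            path, _, verdict = line.rpartition(":")
            info["path"] = path.strip()
            info["verdict"] = verdict.strip()
    # Developer ID origins end with the 10-character Team ID in parentheses.
    match = re.search(r"\(([A-Z0-9]{10})\)\s*$", info.get("origin", ""))
    info["team_id"] = match.group(1) if match else None
    return info


def is_notarized(output, expected_team_id=None):
    """True only if Gatekeeper accepted the file on the strength of a notarization ticket."""
    info = parse_spctl(output)
    if info.get("verdict") != "accepted":
        return False
    if info.get("source") != "Notarized Developer ID":
        return False  # merely signed, or accepted for another reason
    if expected_team_id and info.get("team_id") != expected_team_id:
        return False  # accepted, but not by the signer this release expects
    return True


def diagnose_dlopen_error(stderr):
    """Map the dyld failure quoted in the thread to its cause, or None if not recognised."""
    if "not valid for use in process" in stderr and "has no Team ID" in stderr:
        return ("library validation: a bundled dylib is not signed with the process's "
                "Team ID; sign the bundled libraries with the same identity or grant "
                "com.apple.security.cs.disable-library-validation")
    if "Error loading Python lib" in stderr:
        return "bundled libpython failed to load for another reason"
    return None


def run_spctl(path):
    """Run the same check per1234 asked for; spctl writes its verbose report to stderr."""
    proc = subprocess.run(["spctl", "-a", "-vvv", "-t", "install", path],
                          capture_output=True, text=True)
    return proc.stdout + proc.stderr


if __name__ == "__main__":
    if sys.platform != "darwin":
        sys.exit("spctl only exists on macOS; see the sample outputs above instead")
    target = sys.argv[1] if len(sys.argv) > 1 else "imgtool"
    report = run_spctl(target)
    print(report.strip())
    print("notarized by expected team:", is_notarized(report, EXPECTED_TEAM_ID))
```

In a CI job the `is_notarized` result is what should gate the release: `spctl` exits 0 for any accepted file, so a signed-but-unnotarized build would otherwise pass the shell-level check.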

@umbynos umbynos merged commit 4eeba93 into main May 13, 2022
@umbynos umbynos deleted the umbynos/notarize branch May 13, 2022 08:56
@per1234 per1234 added the os: macos Specific to macOS operating system label May 13, 2022