Merge pull request #12 from halprin/macos-sign-notarize

macOS Universal Binary, Sign, and Notarize. Also README.md.
halprin · Jan 9, 2025 · a967413 · a967413
2 parents c371f0a + 5fc1994
commit a967413
Show file tree

Hide file tree

Showing 4 changed files with 94 additions and 7 deletions.
diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml
@@ -5,13 +5,14 @@ on:
     types:
       - published
 
+
 jobs:
-  releases-matrix:
-    name: Release Go Binaries
+  release-linux-windows:
+    name: Release for Linux and Windows
     runs-on: ubuntu-latest
     strategy:
       matrix:
-        goos: [darwin, linux, windows]
+        goos: [linux, windows]
         goarch: [amd64, arm64]
     steps:
 
@@ -26,4 +27,50 @@ jobs:
           project_path: "./cmd/"
           extra_files: README.md LICENSE
           md5sum: FALSE
-          sha256sum: TRUE
+          sha256sum: FALSE
+
+
+  release-macos:
+    name: Release for macOS
+    runs-on: macos-latest
+    steps:
+
+      - uses: actions/checkout@v4
+
+      - uses: actions/setup-go@v5
+        with:
+          go-version-file: go.mod
+
+      - name: Compile ARM64
+        run: |
+          GOOS=darwin GOARCH=arm64 make compile
+          mv ./aws-mfa ./aws-mfa-arm64
+
+      - name: Compile AMD64
+        run: |
+          GOOS=darwin GOARCH=amd64 make compile
+          mv ./aws-mfa ./aws-mfa-amd64
+
+      - name: Universal binary
+        run: lipo -create -output aws-mfa ./aws-mfa-arm64 ./aws-mfa-amd64
+
+      - uses: apple-actions/import-codesign-certs@v3
+        with:
+          p12-file-base64: ${{ secrets.CERTIFICATES_P12 }}
+          p12-password: ${{ secrets.CERTIFICATES_P12_PASSWORD }}
+
+      - uses: halprin/macos-sign-package-notarize@v1
+        with:
+          path-to-binary: ./aws-mfa
+          signing-identity: ${{ secrets.SIGNING_IDENTITY }}
+          apple-id: ${{ secrets.APPLE_ID }}
+          app-specific-password: ${{ secrets.APP_SPECIFIC_PASSWORD }}
+          apple-developer-team-id: ${{ secrets.APPLE_DEVELOPER_TEAM_ID }}
+          extra-files: README.md LICENSE
+          archive-disk-name: AWS MFA
+          archive-file-path: ./aws-mfa-${{ github.event.release.tag_name }}-macos.dmg
+
+      - name: Upload Release Asset
+        run: gh release upload ${{ github.event.release.tag_name }} ./aws-mfa-${{ github.event.release.tag_name }}-macos.dmg --clobber
+        env:
+          GH_TOKEN: ${{ github.token }}
diff --git a/.gitignore b/.gitignore
@@ -7,6 +7,7 @@
 *.dll
 *.so
 *.dylib
+/aws-mfa*
 
 # Test binary, built with `go test -c`
 *.test
@@ -23,5 +24,3 @@ go.work.sum
 
 # env file
 .env
-
-/aws-mfa
diff --git a/README.md b/README.md
@@ -1,2 +1,43 @@
 # aws-mfa
+
 AWS IAM User Credentials using MFA
+
+## Set-up
+
+Modify your `~/.aws/credentials` file.
+
+First, there needs to be a profile section for the long-term credentials associated with the IAM user.
+
+```ini
+[default-long-term]
+aws_access_key_id     = <Access Key ID>
+aws_secret_access_key = <Secret Access Key>
+mfa_serial            = <ARN to MFA device assigned to IAM user>
+```
+
+Then you add a profile section that you actively use for authenticating to AWS with.
+
+```ini
+[default]
+aws_access_key_id     = a
+aws_secret_access_key = a
+aws_session_token     = a
+source_profile        = <long-term profile section name, e.g. default-long-term>
+```
+
+The `a`s will be replaced with real values after you run `aws-mfa` successfully.
+
+## Usage
+
+```shell
+aws-mfa login \
+  [--mfa-code=<Current MFA code>] \
+  [--profile=<Non-long-term profile name from the credentials file to login with>] \
+  [--mfa-device-arn=<ARN of the MFA device used to login>] \
+  [--duration=<Length of time, in seconds, to be logged in for>]
+```
+
+- `mfa-code` - If unspecified on the command line, it will be queried for.
+- `profile` - If unspecified on the command line, it defaults to `default`.
+- `mfa-device-arn` - If unspecified on the command line, it is read from the long-term profile's `mfa_serial` value in `~/.aws/credentials`.
+- `duration` - If unspecified on the command line, it defaults to 12 hours.
diff --git a/external/cli/cli.go b/external/cli/cli.go
@@ -12,7 +12,7 @@ func Start() {
 
 	loginAction := cli.NewCommand("login", "Login with MFA code").
 		WithOption(cli.NewOption("mfa-device-arn", "ARN of the MFA device used to login").WithType(cli.TypeString)).
-		WithOption(cli.NewOption("profile", "Profile name from the credentials file to login").WithType(cli.TypeString)).
+		WithOption(cli.NewOption("profile", "Non-long-term profile name from the credentials file to login with").WithType(cli.TypeString)).
 		WithOption(cli.NewOption("mfa-code", "Current MFA code").WithType(cli.TypeString)).
 		WithOption(cli.NewOption("duration", "Length of time, in seconds, to be logged in for").WithType(cli.TypeInt)).
 		WithAction(func(args []string, options map[string]string) int {