try to use this fork (https://github.com/darkvertex/gon/tree/deep_sign_support) to use deep notarization, since this is not yet merged mitchellh/gon#42

umbynos · umbynos · commit 9318fc44706a · 2022-05-12T14:10:30.000+02:00
diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml
@@ -9,8 +9,10 @@ env:
   AWS_PLUGIN_TARGET: /tools/
   # See: https://github.com/actions/setup-python/tree/v3#available-versions-of-python
   PYTHON_VERSION: "3.7"
+  GO_VERSION: "1.17"
   MCUBOOT_PATH: ${{ github.workspace }}/mcuboot
   IMGTOOL_PACKING_PATH: ${{ github.workspace }}/imgtool-packing
+  GON_PATH: ${{ github.workspace }}/gon
 
 on:
   push:
@@ -215,18 +217,31 @@ jobs:
             -k "${{ env.KEYCHAIN_PASSWORD }}" \
             "${{ env.KEYCHAIN }}"
 
+      - name: Install Go
+        uses: actions/setup-go@v3
+        with:
+          go-version: ${{ env.GO_VERSION }}
+
       - name: Install gon for code signing and app notarization
+        uses: actions/checkout@v3
+        with:
+          repository: darkvertex/gon #this fork has support for --deep notarization
+          path: ${{ env.GON_PATH }}
+          ref: deep_sign_support
+          
+      - name: Build gon
+        working-directory: ${{ env.GON_PATH }}/
         run: |
-          wget -q https://github.com/mitchellh/gon/releases/download/v0.2.3/gon_macos.zip
-          unzip gon_macos.zip -d /usr/local/bin
+          ls -lah
+          go build
+          mv gon /usr/local/bin
 
       - name: Sign and notarize binary
         env:
           AC_USERNAME: ${{ secrets.AC_USERNAME }}
           AC_PASSWORD: ${{ secrets.AC_PASSWORD }}
         run: |
-          # gon gon.config.hcl
-          codesign -s "Developer ID Application: ARDUINO SA (7KT7ZWMCJT)" -v --deep --force --timestamp --entitlements entitlements.plist -o runtime dist/imgtool_macOS_64bit/imgtool
+          gon gon.config.hcl
 
       - name: Re-package binary
         # This step performs the following:
diff --git a/gon.config.hcl b/gon.config.hcl
@@ -6,6 +6,7 @@ bundle_id = "cc.arduino.imgtool"
 sign {
   application_identity = "Developer ID Application: ARDUINO SA (7KT7ZWMCJT)"
   entitlements_file = "entitlements.plist"
+  deep = true
 }
 
 # Ask Gon for zip output to force notarization process to take place.

Original file line number	Diff line number	Diff line change
`@@ -6,6 +6,7 @@ bundle_id = "cc.arduino.imgtool"`
`6`	`6`	`sign {`
`7`	`7`	`application_identity = "Developer ID Application: ARDUINO SA (7KT7ZWMCJT)"`
`8`	`8`	`entitlements_file = "entitlements.plist"`
	`9`	`+ deep = true`
`9`	`10`	`}`
`10`	`11`
`11`	`12`	`# Ask Gon for zip output to force notarization process to take place.`