From e353f4968b6a091a76ffd84ecf8e2ce12d5243de Mon Sep 17 00:00:00 2001
From: tooomm
Date: Sat, 6 Jun 2026 16:51:45 +0200
Subject: [PATCH 1/6] split sign+notarize into own script
---
 .ci/sign_macos_bundle.sh | 76 +++++++++++++++++++++++++++++
 .github/workflows/desktop-build.yml | 47 +++++--------------
 2 files changed, 83 insertions(+), 40 deletions(-)
 create mode 100755 .ci/sign_macos_bundle.sh
diff --git a/.ci/sign_macos_bundle.sh b/.ci/sign_macos_bundle.sh
new file mode 100755
index 000000000..cf673771c
--- /dev/null
+++ b/.ci/sign_macos_bundle.sh
@@ -0,0 +1,76 @@
+#!/bin/bash
+
+# This script is to be used by the ci environment.
+
+# Signs and notarizes a macOS app bundle
+# Requires: $1 - path to the app bundle
+# Environment variables:
+# - MACOS_CERTIFICATE_NAME: Name of the certificate for signing (optional, skips signing if not set)
+# - MACOS_CI_KEYCHAIN_PWD: Password for the CI keychain (required if MACOS_CERTIFICATE_NAME is set)
+# - MACOS_NOTARIZATION_APPLE_ID: Apple ID for notarization (optional, skips notarization if not set)
+# - MACOS_NOTARIZATION_PWD: Password for notarization (required if MACOS_NOTARIZATION_APPLE_ID is set)
+# - MACOS_NOTARIZATION_TEAM_ID: Team ID for notarization (required if MACOS_NOTARIZATION_APPLE_ID is set)
+# exitcode: 1 for failure, 2 for invalid arguments
+
+set -e
+
+# Check input arguments
+if [[ $# -lt 1 ]]; then
+ echo "::error file=$0::No argument passed to the script - provide "
+ exit 2
+fi
+
+APP_BUNDLE_PATH="$1"
+
+# Verify that the app bundle exists
+if [[ ! -e "$APP_BUNDLE_PATH" ]]; then
+ echo "::error file=$0::App bundle not found at: $APP_BUNDLE_PATH"
+fi
+
+# Sign the app bundle
+if [[ -n "$MACOS_CERTIFICATE_NAME" ]]; then
+ echo "::group::Sign app bundle"
+ security unlock-keychain -p "$MACOS_CI_KEYCHAIN_PWD" build.keychain
+ /usr/bin/codesign --sign="$MACOS_CERTIFICATE_NAME" --entitlements=".ci/macos.entitlements" --options=runtime --force --deep --timestamp --verbose "$APP_BUNDLE_PATH"
+ echo "::endgroup::"
+else
+ echo "::error file=$0::MACOS_CERTIFICATE_NAME not set. Can not sign the app bundle."
+ exit 1
+fi
+
+# Notarize the app bundle
+if [[ -n "$MACOS_NOTARIZATION_APPLE_ID" ]]; then
+ echo "::group::Notarize app bundle"
+ # Store the notarization credentials so that we can prevent a UI password dialog from blocking the CI
+ xcrun notarytool store-credentials "notarytool-profile" --apple-id "$MACOS_NOTARIZATION_APPLE_ID" --team-id "$MACOS_NOTARIZATION_TEAM_ID" --password "$MACOS_NOTARIZATION_PWD"
+
+ # We can't notarize an app bundle directly, but we need to compress it as an archive.
+ # Therefore, we create a zip file containing our app bundle, so that we can send it to the notarization service
+ echo ""
+ echo "Creating temp notarization archive"
+ ditto -c -k --keepParent "$APP_BUNDLE_PATH" "notarization.zip"
+
+ # Here we send the notarization request to the Apple's Notarization service, waiting for the result.
+ # This typically takes a few seconds inside a CI environment, but it might take more depending on the App characteristics.
+ # Visit the Notarization docs for more information and strategies on how to optimize it if you're curious.
+ echo ""
+ xcrun notarytool submit "notarization.zip" --keychain-profile "notarytool-profile" --wait
+ echo "::endgroup::"
+
+ echo "::group::Staple app"
+ # Finally, we need to "attach the staple" to our executable, which will allow our app to be
+ # validated by macOS even when an internet connection is not available.
+ echo "Attach staple"
+ xcrun stapler staple "$APP_BUNDLE_PATH"
+ echo "::endgroup::"
+
+ echo "::group::Cleanup"
+ # Cleanup keychain and files to avoid leaking credentials
+ echo "Deleting keychain"
+ security delete-keychain build.keychain
+ rm -f certificate.p12 notarization.zip
+ echo "::endgroup::"
+else
+ echo "::error file=$0::MACOS_NOTARIZATION_APPLE_ID not set. Can not notarize the app bundle."
+ exit 1
+fi
diff --git a/.github/workflows/desktop-build.yml b/.github/workflows/desktop-build.yml
index 62108b34a..c6557c54d 100644
--- a/.github/workflows/desktop-build.yml
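Review bot: The header describes MACOS_CERTIFICATE_NAME and MACOS_NOTARIZATION_APPLE_ID as optional ("skips signing/notarization if not set"), but both `else` branches emit `::error` and `exit 1`, so the documentation contradicts the behaviour; either restore the skip or change the two header lines to `# - MACOS_CERTIFICATE_NAME: Name of the certificate for signing (required, exits 1 if not set)` and the same wording for the Apple ID. The variables the header marks as required (MACOS_CI_KEYCHAIN_PWD, MACOS_NOTARIZATION_PWD, MACOS_NOTARIZATION_TEAM_ID) are never checked, and without `set -u` an unset one is passed as an empty `-p`/`--password`/`--team-id` argument that only fails later inside `security` or `notarytool`; a guard such as `: "${MACOS_NOTARIZATION_TEAM_ID:?MACOS_NOTARIZATION_TEAM_ID not set}"` at the top of each block gives a clear error instead. The usage message in the argument check ends in `provide "`, which looks like the expected placeholder text was lost.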
+++ b/.github/workflows/desktop-build.yml @@ -446,8 +446,8 @@ jobs: VCPKG_BINARY_SOURCES: 'clear;files,${{ steps.vcpkg-cache.outputs.path }},readwrite' # macOS-specific environment variables, will be ignored on Windows MACOS_CERTIFICATE: ${{ secrets.PROD_MACOS_CERTIFICATE }} - MACOS_CERTIFICATE_PWD: ${{ secrets.PROD_MACOS_CERTIFICATE_PWD }} MACOS_CERTIFICATE_NAME: ${{ secrets.PROD_MACOS_CERTIFICATE_NAME }} + MACOS_CERTIFICATE_PWD: ${{ secrets.PROD_MACOS_CERTIFICATE_PWD }} MACOS_CI_KEYCHAIN_PWD: ${{ secrets.PROD_MACOS_CI_KEYCHAIN_PWD }} DEVELOPER_DIR: '/Applications/Xcode_${{matrix.xcode}}.app/Contents/Developer' TARGET_MACOS_VERSION: ${{ matrix.override_target }} 
@@ -472,50 +472,17 @@ jobs: path: ${{env.CCACHE_DIR}} key: ${{ steps.ccache_restore.outputs.cache-primary-key }} - - name: Sign app bundle - if: matrix.os == 'macOS' && matrix.make_package && needs.configure.outputs.tag != null - id: sign_macos + - name: Sign & notarize app bundle + # if: matrix.os == 'macOS' && matrix.make_package && needs.configure.outputs.tag != null + if: matrix.os == 'macOS' + shell: bash env: MACOS_CERTIFICATE_NAME: ${{ secrets.PROD_MACOS_CERTIFICATE_NAME }} MACOS_CI_KEYCHAIN_PWD: ${{ secrets.PROD_MACOS_CI_KEYCHAIN_PWD }} - run: | - if [[ -n "$MACOS_CERTIFICATE_NAME" ]] - then - security unlock-keychain -p "$MACOS_CI_KEYCHAIN_PWD" build.keychain - /usr/bin/codesign --sign="$MACOS_CERTIFICATE_NAME" --entitlements=".ci/macos.entitlements" --options=runtime --force --deep --timestamp --verbose "${{steps.build.outputs.path}}" - fi - - - name: Notarize app bundle - if: steps.sign_macos.outcome == 'success' - env: MACOS_NOTARIZATION_APPLE_ID: ${{ secrets.PROD_MACOS_NOTARIZATION_APPLE_ID }} - MACOS_NOTARIZATION_TEAM_ID: ${{ secrets.PROD_MACOS_NOTARIZATION_TEAM_ID }} MACOS_NOTARIZATION_PWD: ${{ secrets.PROD_MACOS_NOTARIZATION_PWD }} - run: | - if [[ -n "$MACOS_NOTARIZATION_APPLE_ID" ]] - then - # Store the notarization credentials so that we can prevent a UI password dialog from blocking the CI - echo "Create keychain profile" - xcrun notarytool store-credentials "notarytool-profile" --apple-id "$MACOS_NOTARIZATION_APPLE_ID" --team-id "$MACOS_NOTARIZATION_TEAM_ID" --password "$MACOS_NOTARIZATION_PWD" - - # We can't notarize an app bundle directly, but we need to compress it as an archive. - # Therefore, we create a zip file containing our app bundle, so that we can send it to the - # notarization service - echo "Creating temp notarization archive" - ditto -c -k --keepParent "${{steps.build.outputs.path}}" "notarization.zip" - - # Here we send the notarization request to the Apple's Notarization service, waiting for the result. 
- # This typically takes a few seconds inside a CI environment, but it might take more depending on the App - # characteristics. Visit the Notarization docs for more information and strategies on how to optimize it if - # you're curious - echo "Notarize app" - xcrun notarytool submit "notarization.zip" --keychain-profile "notarytool-profile" --wait - - # Finally, we need to "attach the staple" to our executable, which will allow our app to be - # validated by macOS even when an internet connection is not available. - echo "Attach staple" - xcrun stapler staple "${{steps.build.outputs.path}}" - fi + MACOS_NOTARIZATION_TEAM_ID: ${{ secrets.PROD_MACOS_NOTARIZATION_TEAM_ID }} + run: .ci/sign_macos_bundle.sh "${{ steps.build.outputs.path }}" - name: Upload artifact if: matrix.make_package From 6f7c5d7788c1ef0eacf84fc12ea83bff31d23f04 Mon Sep 17 00:00:00 2001 From: tooomm Date: Sat, 6 Jun 2026 22:28:38 +0200 Subject: [PATCH 2/6] move cert import too --- .ci/compile.sh | 15 ---------- .ci/sign_macos_bundle.sh | 43 ++++++++++++++++++++--------- .github/workflows/desktop-build.yml | 6 ++-- 3 files changed, 32 insertions(+), 32 deletions(-) diff --git a/.ci/compile.sh b/.ci/compile.sh index ee846897b..19777aa94 100755 --- a/.ci/compile.sh +++ b/.ci/compile.sh 
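Review bot: The new `run: .ci/sign_macos_bundle.sh "${{ steps.build.outputs.path }}"` line splices a workflow expression straight into the shell command, whereas other steps in this file (the release upload step, for example) pass such values through `env:` and reference them as shell variables; since the script already takes the path as `$1`, `APP_BUNDLE_PATH: ${{ steps.build.outputs.path }}` under `env:` plus `run: .ci/sign_macos_bundle.sh "$APP_BUNDLE_PATH"` keeps the step consistent with the rest of the file and keeps the expanded value out of shell parsing. The step's `id: sign_macos` was dropped together with the Notarize step that referenced it, which looks intentional, but nothing else in the hunk identifies the step for later `steps.*` references should one be needed.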
@@ -218,21 +218,6 @@ if [[ $RUNNER_OS == macOS ]]; then echo "::endgroup::" fi - echo "::group::Signing Certificate" - if [[ -n "$MACOS_CERTIFICATE_NAME" ]]; then - echo "$MACOS_CERTIFICATE" | base64 --decode >"certificate.p12" - security create-keychain -p "$MACOS_CI_KEYCHAIN_PWD" build.keychain - security default-keychain -s build.keychain - security set-keychain-settings -t 3600 -l build.keychain - security unlock-keychain -p "$MACOS_CI_KEYCHAIN_PWD" build.keychain - security import certificate.p12 -k build.keychain -P "$MACOS_CERTIFICATE_PWD" -T /usr/bin/codesign - security set-key-partition-list -S apple-tool:,apple:,codesign: -s -k "$MACOS_CI_KEYCHAIN_PWD" build.keychain - echo "macOS signing certificate successfully imported and keychain configured." - else - echo "No signing certificate configured. Skipping set up of keychain in macOS environment." - fi - echo "::endgroup::" - if [[ $MAKE_PACKAGE ]]; then # Workaround https://github.com/actions/runner-images/issues/7522 # have hdiutil repeat the command 10 times in hope of success diff --git a/.ci/sign_macos_bundle.sh b/.ci/sign_macos_bundle.sh index cf673771c..60ac7b3c7 100755 --- a/.ci/sign_macos_bundle.sh +++ b/.ci/sign_macos_bundle.sh 
@@ -22,23 +22,40 @@ fi APP_BUNDLE_PATH="$1" -# Verify that the app bundle exists +# Verify that app bundle exists if [[ ! -e "$APP_BUNDLE_PATH" ]]; then echo "::error file=$0::App bundle not found at: $APP_BUNDLE_PATH" + exit 1 fi -# Sign the app bundle +# Configure keychain +if [[ -n "$MACOS_CERTIFICATE" ]]; then + echo "::group::Import certificate" + echo "$MACOS_CERTIFICATE" | base64 --decode >"certificate.p12" + security create-keychain -p "$MACOS_CI_KEYCHAIN_PWD" build.keychain + security default-keychain -s build.keychain + security set-keychain-settings -t 3600 -l build.keychain + security unlock-keychain -p "$MACOS_CI_KEYCHAIN_PWD" build.keychain + security import certificate.p12 -k build.keychain -P "$MACOS_CERTIFICATE_PWD" -T /usr/bin/codesign + security set-key-partition-list -S apple-tool:,apple:,codesign: -s -k "$MACOS_CI_KEYCHAIN_PWD" build.keychain + echo "::endgroup::" +else + echo "::error file=$0::MACOS_CERTIFICATE not set. Can not configure keychain." + exit 1 +fi + +# Sign app bundle if [[ -n "$MACOS_CERTIFICATE_NAME" ]]; then echo "::group::Sign app bundle" security unlock-keychain -p "$MACOS_CI_KEYCHAIN_PWD" build.keychain /usr/bin/codesign --sign="$MACOS_CERTIFICATE_NAME" --entitlements=".ci/macos.entitlements" --options=runtime --force --deep --timestamp --verbose "$APP_BUNDLE_PATH" echo "::endgroup::" else - echo "::error file=$0::MACOS_CERTIFICATE_NAME not set. Can not sign the app bundle." + echo "::error file=$0::MACOS_CERTIFICATE_NAME not set. Can not sign app bundle." exit 1 fi -# Notarize the app bundle +# Notarize app bundle if [[ -n "$MACOS_NOTARIZATION_APPLE_ID" ]]; then echo "::group::Notarize app bundle" # Store the notarization credentials so that we can prevent a UI password dialog from blocking the CI 
@@ -47,7 +64,7 @@ if [[ -n "$MACOS_NOTARIZATION_APPLE_ID" ]]; then # We can't notarize an app bundle directly, but we need to compress it as an archive. # Therefore, we create a zip file containing our app bundle, so that we can send it to the notarization service echo "" - echo "Creating temp notarization archive" + echo "Creating temp notarization archive..." ditto -c -k --keepParent "$APP_BUNDLE_PATH" "notarization.zip" # Here we send the notarization request to the Apple's Notarization service, waiting for the result. @@ -63,14 +80,14 @@ if [[ -n "$MACOS_NOTARIZATION_APPLE_ID" ]]; then echo "Attach staple" xcrun stapler staple "$APP_BUNDLE_PATH" echo "::endgroup::" - - echo "::group::Cleanup" - # Cleanup keychain and files to avoid leaking credentials - echo "Deleting keychain" - security delete-keychain build.keychain - rm -f certificate.p12 notarization.zip - echo "::endgroup::" else - echo "::error file=$0::MACOS_NOTARIZATION_APPLE_ID not set. Can not notarize the app bundle." + echo "::error file=$0::MACOS_NOTARIZATION_APPLE_ID not set. Can not notarize app bundle." exit 1 fi + +echo "::group::Cleanup" +# Cleanup keychain and files to avoid leaking credentials +echo "Deleting keychain" +security delete-keychain build.keychain +rm -f certificate.p12 notarization.zip +echo "::endgroup::" diff --git a/.github/workflows/desktop-build.yml b/.github/workflows/desktop-build.yml index c6557c54d..acc8266dd 100644 --- a/.github/workflows/desktop-build.yml +++ b/.github/workflows/desktop-build.yml 
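Review bot: Moving the cleanup group to the end of the script means it only runs on the all-success path: under `set -e` a failing `codesign`, `notarytool submit` or `stapler` call exits before it, leaving the unlocked default keychain `build.keychain`, `certificate.p12` and `notarization.zip` on the runner for the rest of the job, and the explicit `exit 1` branches skip it as well. An EXIT trap registered right after `set -e` runs the same cleanup on every exit path, and the trailing cleanup group can then be dropped. The `|| true` on `delete-keychain` is needed because the trap also fires when the script exits before the keychain exists.
```shell
set -e

# Remove the keychain and temp files on every exit path, not only on success
cleanup() {
  echo "::group::Cleanup"
  echo "Deleting keychain"
  security delete-keychain build.keychain || true  # may not exist if we failed before creating it
  rm -f certificate.p12 notarization.zip
  echo "::endgroup::"
}
trap cleanup EXIT

# … unchanged: argument check, keychain setup, signing, notarization, stapling …
```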
@@ -445,10 +445,6 @@ jobs: VCPKG_DISABLE_METRICS: 1 VCPKG_BINARY_SOURCES: 'clear;files,${{ steps.vcpkg-cache.outputs.path }},readwrite' # macOS-specific environment variables, will be ignored on Windows - MACOS_CERTIFICATE: ${{ secrets.PROD_MACOS_CERTIFICATE }} - MACOS_CERTIFICATE_NAME: ${{ secrets.PROD_MACOS_CERTIFICATE_NAME }} - MACOS_CERTIFICATE_PWD: ${{ secrets.PROD_MACOS_CERTIFICATE_PWD }} - MACOS_CI_KEYCHAIN_PWD: ${{ secrets.PROD_MACOS_CI_KEYCHAIN_PWD }} DEVELOPER_DIR: '/Applications/Xcode_${{matrix.xcode}}.app/Contents/Developer' TARGET_MACOS_VERSION: ${{ matrix.override_target }} CCACHE_EVICTION_AGE: ${{ matrix.ccache_eviction_age }} @@ -477,7 +473,9 @@ jobs: if: matrix.os == 'macOS' shell: bash env: + MACOS_CERTIFICATE: ${{ secrets.PROD_MACOS_CERTIFICATE }} MACOS_CERTIFICATE_NAME: ${{ secrets.PROD_MACOS_CERTIFICATE_NAME }} + MACOS_CERTIFICATE_PWD: ${{ secrets.PROD_MACOS_CERTIFICATE_PWD }} MACOS_CI_KEYCHAIN_PWD: ${{ secrets.PROD_MACOS_CI_KEYCHAIN_PWD }} MACOS_NOTARIZATION_APPLE_ID: ${{ secrets.PROD_MACOS_NOTARIZATION_APPLE_ID }} MACOS_NOTARIZATION_PWD: ${{ secrets.PROD_MACOS_NOTARIZATION_PWD }} From 80705afafe6c3b3e427b073eaef54b4882a65d63 Mon Sep 17 00:00:00 2001 From: tooomm Date: Sat, 13 Jun 2026 22:30:57 +0200 Subject: [PATCH 3/6] Update desktop-build.yml --- .github/workflows/desktop-build.yml | 67 +++++++++++++---------------- 1 file changed, 30 insertions(+), 37 deletions(-) diff --git a/.github/workflows/desktop-build.yml b/.github/workflows/desktop-build.yml index f3536c9e2..b6c7b9fe4 100644 --- a/.github/workflows/desktop-build.yml +++ b/.github/workflows/desktop-build.yml 
@@ -7,6 +7,17 @@ permissions: id-token: write # needed for signing certificate in attestation on: + pull_request: + paths: + - '*/**' # matches all files not in root + - '!**.md' + - '!.github/**' + - '!.tx/**' + - '!doc/**' + - '.github/workflows/desktop-build.yml' + - 'CMakeLists.txt' + - 'vcpkg.json' + - 'vcpkg' # needed to match submodule bumps (gitlink) push: branches: - master @@ -22,30 +33,19 @@ on: - 'vcpkg' # needed to match submodule bumps (gitlink) tags: - '*' - pull_request: - paths: - - '*/**' # matches all files not in root - - '!**.md' - - '!.github/**' - - '!.tx/**' - - '!doc/**' - - '.github/workflows/desktop-build.yml' - - 'CMakeLists.txt' - - 'vcpkg.json' - - 'vcpkg' # needed to match submodule bumps (gitlink) # Cancel earlier, unfinished runs of this workflow on the same branch (unless on release) concurrency: - group: "${{ github.workflow }} @ ${{ github.ref_name }}" cancel-in-progress: ${{ github.ref_type != 'tag' }} + group: "${{ github.workflow }} @ ${{ github.ref_name }}" jobs: configure: name: Configure runs-on: ubuntu-slim outputs: - tag: ${{ steps.configure.outputs.tag }} sha: ${{ steps.configure.outputs.sha }} + tag: ${{ steps.configure.outputs.tag }} steps: - name: "Configure" @@ -54,7 +54,7 @@ jobs: run: | tag_regex='^refs/tags/' if [[ $GITHUB_EVENT_NAME == pull-request ]]; then # pull request - sha="${{github.event.pull_request.head.sha}}" + sha="${{ github.event.pull_request.head.sha }}" elif [[ $GITHUB_REF =~ $tag_regex ]]; then # release sha="$GITHUB_SHA" tag="${GITHUB_REF/refs\/tags\//}" @@ -71,8 +71,8 @@ jobs: fetch-depth: 0 # fetch all history for all branches and tags - name: "Prepare release parameters" - id: prepare if: steps.configure.outputs.tag != null + id: prepare shell: bash env: TAG: ${{ steps.configure.outputs.tag }} 
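Review bot: The reformatted `sha="${{ github.event.pull_request.head.sha }}"` line sits under `if [[ $GITHUB_EVENT_NAME == pull-request ]]`, and GitHub sets `GITHUB_EVENT_NAME` to `pull_request` (underscore) for pull-request events, so as far as I can tell that branch never runs and PR builds fall through to the `elif`/`else` branches below, which are outside the hunk. The comparison is a context line here, but since this commit touches the branch it is the right moment to change it to `if [[ $GITHUB_EVENT_NAME == pull_request ]]; then # pull request`. The rest of the step's `run:` block is not visible in the hunk.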
@@ -83,12 +83,12 @@ jobs: id: create_release shell: bash env: + body_path: ${{ steps.prepare.outputs.body_path }} GH_TOKEN: ${{ github.token }} + prerelease: ${{ steps.prepare.outputs.is_beta }} + release_name: ${{ steps.prepare.outputs.title }} tag_name: ${{ steps.configure.outputs.tag }} target: ${{ steps.configure.outputs.sha }} - release_name: ${{ steps.prepare.outputs.title }} - body_path: ${{ steps.prepare.outputs.body_path }} - prerelease: ${{ steps.prepare.outputs.is_beta }} run: | args=() [[ $prerelease == yes ]] && args+=(--prerelease) @@ -188,13 +188,13 @@ jobs: --cmake-generator "$CMAKE_GENERATOR" - name: "Build release package" - id: build if: matrix.package != 'skip' + id: build shell: bash env: - SUFFIX: '-${{ matrix.distro }}${{ matrix.version }}' package: '${{ matrix.package }}' server_only: '${{ matrix.server_only }}' + SUFFIX: '-${{ matrix.distro }}${{ matrix.version }}' run: | source .ci/docker.sh args=() @@ -225,8 +225,8 @@ jobs: path: ${{ env.CACHE }} - name: "Upload artifact" - id: upload_artifact if: matrix.package != 'skip' + id: upload_artifact uses: actions/upload-artifact@v7 with: archive: false @@ -234,8 +234,8 @@ jobs: path: ${{ steps.build.outputs.path }} - name: "Upload to release" - id: upload_release if: matrix.package != 'skip' && needs.configure.outputs.tag != null + id: upload_release shell: bash env: asset_name: ${{ steps.build.outputs.fullname }} @@ -245,8 +245,8 @@ jobs: run: gh release upload "$tag_name" "$asset_path#$asset_name" - name: "Attest binary provenance" - id: attestation if: steps.upload_release.outcome == 'success' + id: attestation uses: actions/attest@v4 with: show-summary: false @@ -268,7 +268,6 @@ jobs: target: 13 runner: macos-15-intel - ccache_eviction_age: 7d cmake_generator: Ninja make_package: 1 override_target: 13 @@ -285,7 +284,6 @@ jobs: target: 14 runner: macos-14 - ccache_eviction_age: 7d cmake_generator: Ninja make_package: 1 package_suffix: "-macOS14" 
@@ -301,7 +299,6 @@ jobs: target: 15 runner: macos-15 - ccache_eviction_age: 7d cmake_generator: Ninja make_package: 1 package_suffix: "-macOS15" @@ -317,7 +314,6 @@ jobs: target: 15 runner: macos-15 - ccache_eviction_age: 7d cmake_generator: Ninja qt_version: 6.11.0 qt_arch: clang_64 @@ -346,6 +342,7 @@ jobs: timeout-minutes: 100 env: CCACHE_DIR: ${{ github.workspace }}/.cache/ + CCACHE_EVICTION_AGE: 7d CCACHE_SIZE: 550M # space of all repo is 10Gi: https://docs.github.com/en/actions/using-workflows/caching-dependencies-to-speed-up-workflows#usage-limits-and-eviction-policy steps: @@ -443,16 +440,12 @@ jobs: id: build shell: bash env: - BUILDTYPE: '${{matrix.type}}' - MAKE_PACKAGE: '${{matrix.make_package}}' - PACKAGE_SUFFIX: '${{matrix.package_suffix}}' - CMAKE_GENERATOR: ${{matrix.cmake_generator}} - CMAKE_GENERATOR_PLATFORM: ${{matrix.cmake_generator_platform}} - USE_CCACHE: ${{matrix.use_ccache}} - VCPKG_DISABLE_METRICS: 1 - VCPKG_BINARY_SOURCES: 'clear;files,${{ steps.vcpkg-cache.outputs.path }},readwrite' - # macOS-specific environment variables, will be ignored on Windows - DEVELOPER_DIR: '/Applications/Xcode_${{matrix.xcode}}.app/Contents/Developer' + BUILDTYPE: ${{ matrix.type }} + CMAKE_GENERATOR: ${{ matrix.cmake_generator }} + CMAKE_GENERATOR_PLATFORM: ${{ matrix.cmake_generator_platform }} + DEVELOPER_DIR: '/Applications/Xcode_${{ matrix.xcode }}.app/Contents/Developer' + MAKE_PACKAGE: ${{ matrix.make_package }} + PACKAGE_SUFFIX: ${{ matrix.package_suffix }} TARGET_MACOS_VERSION: ${{ matrix.override_target }} USE_CCACHE: ${{ matrix.use_ccache }} VCPKG_BINARY_SOURCES: 'clear;files,${{ steps.vcpkg-cache.outputs.path }},readwrite' From 3978c7e642d2d2d2c716db084de69d248c7a3645 Mon Sep 17 00:00:00 2001 
From: tooomm Date: Sun, 14 Jun 2026 00:22:29 +0200 Subject: [PATCH 4/6] move keychain setup and cert import back into build step --- .ci/compile.sh | 15 +++++++++++++++ .ci/sign_macos_bundle.sh | 16 ---------------- .github/workflows/desktop-build.yml | 6 ++++-- 3 files changed, 19 insertions(+), 18 deletions(-) diff --git a/.ci/compile.sh b/.ci/compile.sh index 19777aa94..ee846897b 100755 --- a/.ci/compile.sh +++ b/.ci/compile.sh @@ -218,6 +218,21 @@ if [[ $RUNNER_OS == macOS ]]; then echo "::endgroup::" fi + echo "::group::Signing Certificate" + if [[ -n "$MACOS_CERTIFICATE_NAME" ]]; then + echo "$MACOS_CERTIFICATE" | base64 --decode >"certificate.p12" + security create-keychain -p "$MACOS_CI_KEYCHAIN_PWD" build.keychain + security default-keychain -s build.keychain + security set-keychain-settings -t 3600 -l build.keychain + security unlock-keychain -p "$MACOS_CI_KEYCHAIN_PWD" build.keychain + security import certificate.p12 -k build.keychain -P "$MACOS_CERTIFICATE_PWD" -T /usr/bin/codesign + security set-key-partition-list -S apple-tool:,apple:,codesign: -s -k "$MACOS_CI_KEYCHAIN_PWD" build.keychain + echo "macOS signing certificate successfully imported and keychain configured." + else + echo "No signing certificate configured. Skipping set up of keychain in macOS environment." + fi + echo "::endgroup::" + if [[ $MAKE_PACKAGE ]]; then # Workaround https://github.com/actions/runner-images/issues/7522 # have hdiutil repeat the command 10 times in hope of success diff --git a/.ci/sign_macos_bundle.sh b/.ci/sign_macos_bundle.sh index 60ac7b3c7..e645d6119 100755 --- a/.ci/sign_macos_bundle.sh +++ b/.ci/sign_macos_bundle.sh 
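Review bot: The re-added block decodes the certificate to `certificate.p12` in the working directory and uses it only for the `security import` call, but nothing in this script deletes it afterwards; the only cleanup is in .ci/sign_macos_bundle.sh, which the workflow (after the final patch's `if:` change) runs only for tagged package builds, so on every other macOS run with `MACOS_CERTIFICATE_NAME` set the decoded private key stays on disk and `build.keychain` stays the unlocked default keychain for the rest of the job. Removing the file as soon as the import has succeeded, `rm -f certificate.p12  # only needed for the import above`, directly after the `security import` line, keeps the key from outliving its single use regardless of which steps follow. The keychain itself should likewise be deleted by whichever step created it, or by an always-run cleanup step in the workflow, rather than by the conditional signing step. The enclosing `if [[ $RUNNER_OS == macOS ]]` block starts and ends outside the hunk.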
@@ -28,22 +28,6 @@ if [[ ! -e "$APP_BUNDLE_PATH" ]]; then exit 1 fi -# Configure keychain -if [[ -n "$MACOS_CERTIFICATE" ]]; then - echo "::group::Import certificate" - echo "$MACOS_CERTIFICATE" | base64 --decode >"certificate.p12" - security create-keychain -p "$MACOS_CI_KEYCHAIN_PWD" build.keychain - security default-keychain -s build.keychain - security set-keychain-settings -t 3600 -l build.keychain - security unlock-keychain -p "$MACOS_CI_KEYCHAIN_PWD" build.keychain - security import certificate.p12 -k build.keychain -P "$MACOS_CERTIFICATE_PWD" -T /usr/bin/codesign - security set-key-partition-list -S apple-tool:,apple:,codesign: -s -k "$MACOS_CI_KEYCHAIN_PWD" build.keychain - echo "::endgroup::" -else - echo "::error file=$0::MACOS_CERTIFICATE not set. Can not configure keychain." - exit 1 -fi - # Sign app bundle if [[ -n "$MACOS_CERTIFICATE_NAME" ]]; then echo "::group::Sign app bundle" diff --git a/.github/workflows/desktop-build.yml b/.github/workflows/desktop-build.yml index b6c7b9fe4..17a85529f 100644 --- a/.github/workflows/desktop-build.yml +++ b/.github/workflows/desktop-build.yml @@ -444,6 +444,10 @@ jobs: CMAKE_GENERATOR: ${{ matrix.cmake_generator }} CMAKE_GENERATOR_PLATFORM: ${{ matrix.cmake_generator_platform }} DEVELOPER_DIR: '/Applications/Xcode_${{ matrix.xcode }}.app/Contents/Developer' + MACOS_CERTIFICATE: ${{ secrets.PROD_MACOS_CERTIFICATE }} + MACOS_CERTIFICATE_NAME: ${{ secrets.PROD_MACOS_CERTIFICATE_NAME }} + MACOS_CERTIFICATE_PWD: ${{ secrets.PROD_MACOS_CERTIFICATE_PWD }} + MACOS_CI_KEYCHAIN_PWD: ${{ secrets.PROD_MACOS_CI_KEYCHAIN_PWD }} MAKE_PACKAGE: ${{ matrix.make_package }} PACKAGE_SUFFIX: ${{ matrix.package_suffix }} TARGET_MACOS_VERSION: ${{ matrix.override_target }} 
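Review bot: Putting `MACOS_CERTIFICATE`, `MACOS_CERTIFICATE_PWD` and `MACOS_CI_KEYCHAIN_PWD` back into the build step's `env:` exposes them to everything compile.sh runs (cmake, vcpkg port builds, packaging), not only to the `security import` block that needs them; the reason for moving the import back out of the signing script is not visible in this commit. If the build itself does not need the certificate, a separate keychain-setup step placed before the build, whose `env:` carries just these three secrets, limits which processes inherit the certificate and its passwords while leaving the signing step's `if:` condition untouched.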
@@ -475,9 +479,7 @@ jobs: if: matrix.os == 'macOS' shell: bash env: - MACOS_CERTIFICATE: ${{ secrets.PROD_MACOS_CERTIFICATE }} MACOS_CERTIFICATE_NAME: ${{ secrets.PROD_MACOS_CERTIFICATE_NAME }} - MACOS_CERTIFICATE_PWD: ${{ secrets.PROD_MACOS_CERTIFICATE_PWD }} MACOS_CI_KEYCHAIN_PWD: ${{ secrets.PROD_MACOS_CI_KEYCHAIN_PWD }} MACOS_NOTARIZATION_APPLE_ID: ${{ secrets.PROD_MACOS_NOTARIZATION_APPLE_ID }} MACOS_NOTARIZATION_PWD: ${{ secrets.PROD_MACOS_NOTARIZATION_PWD }} From cc4f21b369666e95eb3ac65cfe22b85342ca34f2 Mon Sep 17 00:00:00 2001 From: tooomm Date: Sun, 14 Jun 2026 00:54:33 +0200 Subject: [PATCH 5/6] stricter check for file in app bundle path --- .ci/sign_macos_bundle.sh | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.ci/sign_macos_bundle.sh b/.ci/sign_macos_bundle.sh index e645d6119..344f27cb7 100755 --- a/.ci/sign_macos_bundle.sh +++ b/.ci/sign_macos_bundle.sh @@ -23,7 +23,7 @@ fi APP_BUNDLE_PATH="$1" # Verify that app bundle exists -if [[ ! -e "$APP_BUNDLE_PATH" ]]; then +if [[ ! -f "$APP_BUNDLE_PATH" ]]; then echo "::error file=$0::App bundle not found at: $APP_BUNDLE_PATH" exit 1 fi From cbab00b72140d9aa256c0b70e12e72291b4f0360 Mon Sep 17 00:00:00 2001 From: tooomm Date: Sun, 14 Jun 2026 07:05:43 +0200 Subject: [PATCH 6/6] Update desktop-build.yml --- .github/workflows/desktop-build.yml | 3 +-- 1 file changed, 1 insertion(+), 2 deletions(-) diff --git a/.github/workflows/desktop-build.yml b/.github/workflows/desktop-build.yml index 17a85529f..cbc382c96 100644 --- a/.github/workflows/desktop-build.yml +++ b/.github/workflows/desktop-build.yml @@ -475,8 +475,7 @@ jobs: path: ${{ env.CCACHE_DIR }} - name: "[macOS] Sign & notarize app bundle" - # if: matrix.os == 'macOS' && matrix.make_package && needs.configure.outputs.tag != null - if: matrix.os == 'macOS' + if: matrix.os == 'macOS' && matrix.make_package && needs.configure.outputs.tag != null shell: bash env: MACOS_CERTIFICATE_NAME: ${{ secrets.PROD_MACOS_CERTIFICATE_NAME }}
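Review bot: `-f` only accepts a regular file, while a macOS `.app` bundle is a directory, so if `steps.build.outputs.path` ever points at the bundle itself the script now reports "App bundle not found" and exits 1 before signing; presumably the build step outputs the packaged artifact (a regular file), which should be stated at this check, e.g. `# expects the packaged artifact produced by the build step (a regular file), not the .app directory — confirm`. If both forms are possible, `if [[ ! -f "$APP_BUNDLE_PATH" && ! -d "$APP_BUNDLE_PATH" ]]; then` keeps the stricter intent without rejecting a bundle directory. The variable name and error text still say "app bundle", so whichever form is intended, the naming and the test should agree.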