diff --git a/.ci/sign_macos_bundle.sh b/.ci/sign_macos_bundle.sh
index dc928bbb7..cf673771c 100755
--- a/.ci/sign_macos_bundle.sh
+++ b/.ci/sign_macos_bundle.sh
@@ -25,7 +25,6 @@ APP_BUNDLE_PATH="$1"
 # Verify that the app bundle exists
 if [[ ! -e "$APP_BUNDLE_PATH" ]]; then
 echo "::error file=$0::App bundle not found at: $APP_BUNDLE_PATH"
-exit 1
 fi
 
 # Sign the app bundle
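Review bot: Dropping `exit 1` turns the missing-bundle check into a log line only: a `::error` annotation does not fail the step by itself, so the script now continues into signing and notarization against a path that does not exist. Restore the abort, e.g. `exit 1` right after the `echo "::error …"` line, or at least explain in a comment why the script should keep going without a bundle. Whether `set -e` or a later command would stop the run cannot be seen from this hunk; the rest of the script is outside it.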
@@ -43,25 +42,34 @@ fi
 if [[ -n "$MACOS_NOTARIZATION_APPLE_ID" ]]; then
 echo "::group::Notarize app bundle"
 # Store the notarization credentials so that we can prevent a UI password dialog from blocking the CI
-echo "Create keychain profile"
 xcrun notarytool store-credentials "notarytool-profile" --apple-id "$MACOS_NOTARIZATION_APPLE_ID" --team-id "$MACOS_NOTARIZATION_TEAM_ID" --password "$MACOS_NOTARIZATION_PWD"
-
+
 # We can't notarize an app bundle directly, but we need to compress it as an archive.
 # Therefore, we create a zip file containing our app bundle, so that we can send it to the notarization service
+echo ""
 echo "Creating temp notarization archive"
 ditto -c -k --keepParent "$APP_BUNDLE_PATH" "notarization.zip"
-
+
 # Here we send the notarization request to the Apple's Notarization service, waiting for the result.
 # This typically takes a few seconds inside a CI environment, but it might take more depending on the App characteristics.
 # Visit the Notarization docs for more information and strategies on how to optimize it if you're curious.
-echo "Notarize app"
+echo ""
 xcrun notarytool submit "notarization.zip" --keychain-profile "notarytool-profile" --wait
-
+echo "::endgroup::"
+
+echo "::group::Staple app"
 # Finally, we need to "attach the staple" to our executable, which will allow our app to be
 # validated by macOS even when an internet connection is not available.
 echo "Attach staple"
 xcrun stapler staple "$APP_BUNDLE_PATH"
 echo "::endgroup::"
+
+echo "::group::Cleanup"
+# Cleanup keychain and files to avoid leaking credentials
+echo "Deleting keychain"
+security delete-keychain build.keychain
+rm -f certificate.p12 notarization.zip
+echo "::endgroup::"
 else
 echo "::error file=$0::MACOS_NOTARIZATION_APPLE_ID not set. Can not notarize the app bundle."
 exit 1
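Review bot: The new Cleanup group only runs when every preceding step succeeds, so a failed `notarytool submit` or `stapler staple`, as well as the `else` branch's `exit 1`, leaves `build.keychain` and `certificate.p12` behind on the runner — the opposite of what `# Cleanup keychain and files to avoid leaking credentials` promises. Moving the cleanup into a function registered with `trap cleanup EXIT` makes it run on every exit path; the trap belongs where the keychain is created, which is outside this hunk. Separately, `store-credentials "notarytool-profile"` is called without `--keychain`, so the Apple ID profile presumably lands in the default login keychain rather than `build.keychain` and survives the `delete-keychain` — passing `--keychain` so the profile lives in the keychain that is deleted would close that gap (confirm against the keychain setup earlier in the script).
```shell
# Cleanup keychain and files to avoid leaking credentials; runs on every exit path
cleanup() {
    echo "::group::Cleanup"
    echo "Deleting keychain"
    security delete-keychain build.keychain
    rm -f certificate.p12 notarization.zip
    echo "::endgroup::"
}
trap cleanup EXIT
# … unchanged: notarization and stapling steps; the inline Cleanup group is dropped …
```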