jeirmeister/Cockatrice
1
0
Fork 0
mirror of https://github.com/Cockatrice/Cockatrice.git synced 2026-06-11 00:24:47 -07:00
Code Issues Projects Releases Packages Wiki Activity Actions 2

move signing mac apps to own script (#5999)

Browse source
This commit is contained in:
tooomm 2025-06-22 22:21:33 +02:00 committed by ebbit1q
parent 0bbd4b6e58
commit 5f0cc94b29
3 changed files with 87 additions and 59 deletions
Download patch file Download diff file Expand all files Collapse all files

23
.ci/compile.sh
View file

@ -128,30 +128,13 @@ function ccachestatsverbose() {
} }
# Compile # Compile
if [[ $RUNNER_OS == macOS ]]; then
echo "::group::Signing Certificate"
if [[ -n "$MACOS_CERTIFICATE_NAME" ]]; then
echo $MACOS_CERTIFICATE | base64 --decode > certificate.p12
security create-keychain -p "$MACOS_CI_KEYCHAIN_PWD" build.keychain
security default-keychain -s build.keychain
security set-keychain-settings -t 3600 -l build.keychain
security unlock-keychain -p "$MACOS_CI_KEYCHAIN_PWD" build.keychain
security import certificate.p12 -k build.keychain -P "$MACOS_CERTIFICATE_PWD" -T /usr/bin/codesign
security set-key-partition-list -S apple-tool:,apple:,codesign: -s -k "$MACOS_CI_KEYCHAIN_PWD" build.keychain
echo "macOS signing certificate successfully imported and keychain configured."
else
echo "No signing certificate configured. Skipping set up of keychain in macOS environment."
fi
echo "::endgroup::"
fi
if [[ $USE_CCACHE ]]; then if [[ $USE_CCACHE ]]; then
echo "::group::Show ccache stats" echo "::group::Show ccache stats (before)"
ccachestatsverbose ccachestatsverbose
echo "::endgroup::" echo "::endgroup::"
fi fi
echo "::group::Configure cmake" echo "::group::Configure CMake"
cmake --version cmake --version
cmake .. "${flags[@]}" cmake .. "${flags[@]}"
echo "::endgroup::" echo "::endgroup::"
@ -167,7 +150,7 @@ fi
echo "::endgroup::" echo "::endgroup::"
if [[ $USE_CCACHE ]]; then if [[ $USE_CCACHE ]]; then
echo "::group::Show ccache stats again" echo "::group::Show ccache stats (after)"
ccachestatsverbose ccachestatsverbose
echo "::endgroup::" echo "::endgroup::"
fi fi

80
.ci/sign_macos.sh Normal file
View file

@ -0,0 +1,80 @@
#!/bin/bash
# Used by CI to sign, noratize and staple build artifacts under macOS
set -e
APP_PATH="$1"
if [[ -z "$APP_PATH" ]]; then
echo "Error: No input path supplied. Usage: $0 <path-to-app-bundle>"
exit 1
fi
if [[ ! -e "$APP_PATH" ]]; then
echo "Error: Input path '$APP_PATH' does not exist."
exit 1
fi
echo "::group::Set up certificate"
if [[ -n "$MACOS_CERTIFICATE_NAME" ]]; then
echo $MACOS_CERTIFICATE | base64 --decode > certificate.p12
security create-keychain -p "$MACOS_CI_KEYCHAIN_PWD" build.keychain
security default-keychain -s build.keychain
security set-keychain-settings -t 3600 -l build.keychain
security unlock-keychain -p "$MACOS_CI_KEYCHAIN_PWD" build.keychain
security import certificate.p12 -k build.keychain -P "$MACOS_CERTIFICATE_PWD" -T /usr/bin/codesign
security set-key-partition-list -S apple-tool:,apple:,codesign: -s -k "$MACOS_CI_KEYCHAIN_PWD" build.keychain
else
echo "No signing certificate configured."
fi
echo "::endgroup::"
echo "::group::Sign app"
if [[ -n "$MACOS_CERTIFICATE_NAME" ]]; then
security unlock-keychain -p "$MACOS_CI_KEYCHAIN_PWD" build.keychain
/usr/bin/codesign --sign="$MACOS_CERTIFICATE_NAME" --entitlements=".ci/macos.entitlements" --options=runtime --force --deep --timestamp --verbose "$APP_PATH"
else
echo "No signing certificate configured."
fi
echo "::endgroup::"
echo "::group::Notarize app"
if [[ -n "$MACOS_NOTARIZATION_APPLE_ID" ]]; then
# Store the notarization credentials so that we can prevent a UI password dialog from blocking the CI
xcrun notarytool store-credentials "notarytool-profile" --apple-id "$MACOS_NOTARIZATION_APPLE_ID" --team-id "$MACOS_NOTARIZATION_TEAM_ID" --password "$MACOS_NOTARIZATION_PWD"
echo ""
# We can't notarize an app bundle directly, but we need to compress it as an archive.
# Therefore, we create a zip file containing our app bundle, so that we can send it to the
# notarization service
echo "Creating temp notarization archive"
ditto -c -k --keepParent "$APP_PATH" "notarization.zip"
echo ""
# Here we send the notarization request to the Apple's Notarization service, waiting for the result.
# This typically takes a few seconds inside a CI environment, but it might take more depending on the App
# characteristics. Visit the Notarization docs for more information and strategies on how to optimize it if
# you're curious
xcrun notarytool submit "notarization.zip" --keychain-profile "notarytool-profile" --wait
else
echo "No Apple ID configured."
fi
echo "::endgroup::"
echo "::group::Staple app"
if [[ -n "$MACOS_NOTARIZATION_APPLE_ID" ]]; then
# Finally, we need to "attach the staple" to our executable, which will allow our app to be
# validated by macOS even when an internet connection is not available.
xcrun stapler staple "$APP_PATH"
else
echo "No Apple ID configured."
fi
echo "::endgroup::"
echo "::group::Cleanup"
# Cleanup keychain and files to avoid leaking credentials
echo "Deleting keychain"
security delete-keychain build.keychain
rm -f certificate.p12 notarization.zip
echo "::endgroup::"

43
.github/workflows/desktop-build.yml vendored
View file

@ -292,10 +292,6 @@ jobs:
BUILDTYPE: '${{matrix.type}}' BUILDTYPE: '${{matrix.type}}'
MAKE_PACKAGE: '${{matrix.make_package}}' MAKE_PACKAGE: '${{matrix.make_package}}'
PACKAGE_SUFFIX: '-macOS${{matrix.target}}_${{matrix.soc}}' PACKAGE_SUFFIX: '-macOS${{matrix.target}}_${{matrix.soc}}'
MACOS_CERTIFICATE: ${{ secrets.PROD_MACOS_CERTIFICATE }}
MACOS_CERTIFICATE_PWD: ${{ secrets.PROD_MACOS_CERTIFICATE_PWD }}
MACOS_CERTIFICATE_NAME: ${{ secrets.PROD_MACOS_CERTIFICATE_NAME }}
MACOS_CI_KEYCHAIN_PWD: ${{ secrets.PROD_MACOS_CI_KEYCHAIN_PWD }}
CMAKE_GENERATOR: '${{env.CMAKE_GENERATOR}}' CMAKE_GENERATOR: '${{env.CMAKE_GENERATOR}}'
run: .ci/compile.sh --server --test --ccache "$CCACHE_SIZE" run: .ci/compile.sh --server --test --ccache "$CCACHE_SIZE"
@ -308,47 +304,16 @@ jobs:
- name: Sign app bundle - name: Sign app bundle
if: matrix.make_package && (github.ref == 'refs/heads/master' || needs.configure.outputs.tag != null) if: matrix.make_package && (github.ref == 'refs/heads/master' || needs.configure.outputs.tag != null)
shell: bash
env: env:
MACOS_CERTIFICATE_NAME: ${{ secrets.PROD_MACOS_CERTIFICATE_NAME }} MACOS_CERTIFICATE_NAME: ${{ secrets.PROD_MACOS_CERTIFICATE_NAME }}
MACOS_CERTIFICATE: ${{ secrets.PROD_MACOS_CERTIFICATE }}
MACOS_CERTIFICATE_PWD: ${{ secrets.PROD_MACOS_CERTIFICATE_PWD }}
MACOS_CI_KEYCHAIN_PWD: ${{ secrets.PROD_MACOS_CI_KEYCHAIN_PWD }} MACOS_CI_KEYCHAIN_PWD: ${{ secrets.PROD_MACOS_CI_KEYCHAIN_PWD }}
run: |
if [[ -n "$MACOS_CERTIFICATE_NAME" ]]
then
security unlock-keychain -p "$MACOS_CI_KEYCHAIN_PWD" build.keychain
/usr/bin/codesign --sign="$MACOS_CERTIFICATE_NAME" --entitlements=".ci/macos.entitlements" --options=runtime --force --deep --timestamp --verbose ${{steps.build.outputs.path}}
fi
- name: Notarize app bundle
if: matrix.make_package && (github.ref == 'refs/heads/master' || needs.configure.outputs.tag != null)
env:
MACOS_NOTARIZATION_APPLE_ID: ${{ secrets.PROD_MACOS_NOTARIZATION_APPLE_ID }} MACOS_NOTARIZATION_APPLE_ID: ${{ secrets.PROD_MACOS_NOTARIZATION_APPLE_ID }}
MACOS_NOTARIZATION_TEAM_ID: ${{ secrets.PROD_MACOS_NOTARIZATION_TEAM_ID }} MACOS_NOTARIZATION_TEAM_ID: ${{ secrets.PROD_MACOS_NOTARIZATION_TEAM_ID }}
MACOS_NOTARIZATION_PWD: ${{ secrets.PROD_MACOS_NOTARIZATION_PWD }} MACOS_NOTARIZATION_PWD: ${{ secrets.PROD_MACOS_NOTARIZATION_PWD }}
run: | run: .ci/sign_macos.sh ${{steps.build.outputs.path}}
if [[ -n "$MACOS_NOTARIZATION_APPLE_ID" ]]
then
# Store the notarization credentials so that we can prevent a UI password dialog from blocking the CI
echo "Create keychain profile"
xcrun notarytool store-credentials "notarytool-profile" --apple-id "$MACOS_NOTARIZATION_APPLE_ID" --team-id "$MACOS_NOTARIZATION_TEAM_ID" --password "$MACOS_NOTARIZATION_PWD"
# We can't notarize an app bundle directly, but we need to compress it as an archive.
# Therefore, we create a zip file containing our app bundle, so that we can send it to the
# notarization service
echo "Creating temp notarization archive"
ditto -c -k --keepParent ${{steps.build.outputs.path}} "notarization.zip"
# Here we send the notarization request to the Apple's Notarization service, waiting for the result.
# This typically takes a few seconds inside a CI environment, but it might take more depending on the App
# characteristics. Visit the Notarization docs for more information and strategies on how to optimize it if
# you're curious
echo "Notarize app"
xcrun notarytool submit "notarization.zip" --keychain-profile "notarytool-profile" --wait
# Finally, we need to "attach the staple" to our executable, which will allow our app to be
# validated by macOS even when an internet connection is not available.
echo "Attach staple"
xcrun stapler staple ${{steps.build.outputs.path}}
fi
- name: Upload artifact - name: Upload artifact
id: upload_artifact id: upload_artifact