move cert import too

This commit is contained in:
tooomm 2026-06-06 22:28:38 +02:00
parent e353f4968b
commit 6f7c5d7788
3 changed files with 32 additions and 32 deletions


@ -218,21 +218,6 @@ if [[ $RUNNER_OS == macOS ]]; then
echo "::endgroup::" echo "::endgroup::"
fi fi
echo "::group::Signing Certificate"
if [[ -n "$MACOS_CERTIFICATE_NAME" ]]; then
echo "$MACOS_CERTIFICATE" | base64 --decode >"certificate.p12"
security create-keychain -p "$MACOS_CI_KEYCHAIN_PWD" build.keychain
security default-keychain -s build.keychain
security set-keychain-settings -t 3600 -l build.keychain
security unlock-keychain -p "$MACOS_CI_KEYCHAIN_PWD" build.keychain
security import certificate.p12 -k build.keychain -P "$MACOS_CERTIFICATE_PWD" -T /usr/bin/codesign
security set-key-partition-list -S apple-tool:,apple:,codesign: -s -k "$MACOS_CI_KEYCHAIN_PWD" build.keychain
echo "macOS signing certificate successfully imported and keychain configured."
else
echo "No signing certificate configured. Skipping set up of keychain in macOS environment."
fi
echo "::endgroup::"
if [[ $MAKE_PACKAGE ]]; then if [[ $MAKE_PACKAGE ]]; then
# Workaround https://github.com/actions/runner-images/issues/7522 # Workaround https://github.com/actions/runner-images/issues/7522
# have hdiutil repeat the command 10 times in hope of success # have hdiutil repeat the command 10 times in hope of success


@ -22,23 +22,40 @@ fi
APP_BUNDLE_PATH="$1" APP_BUNDLE_PATH="$1"
# Verify that the app bundle exists # Verify that app bundle exists
if [[ ! -e "$APP_BUNDLE_PATH" ]]; then if [[ ! -e "$APP_BUNDLE_PATH" ]]; then
echo "::error file=$0::App bundle not found at: $APP_BUNDLE_PATH" echo "::error file=$0::App bundle not found at: $APP_BUNDLE_PATH"
exit 1
fi fi
# Sign the app bundle # Configure keychain
if [[ -n "$MACOS_CERTIFICATE" ]]; then
echo "::group::Import certificate"
echo "$MACOS_CERTIFICATE" | base64 --decode >"certificate.p12"
security create-keychain -p "$MACOS_CI_KEYCHAIN_PWD" build.keychain
security default-keychain -s build.keychain
security set-keychain-settings -t 3600 -l build.keychain
security unlock-keychain -p "$MACOS_CI_KEYCHAIN_PWD" build.keychain
security import certificate.p12 -k build.keychain -P "$MACOS_CERTIFICATE_PWD" -T /usr/bin/codesign
security set-key-partition-list -S apple-tool:,apple:,codesign: -s -k "$MACOS_CI_KEYCHAIN_PWD" build.keychain
echo "::endgroup::"
else
echo "::error file=$0::MACOS_CERTIFICATE not set. Can not configure keychain."
exit 1
fi
# Sign app bundle
if [[ -n "$MACOS_CERTIFICATE_NAME" ]]; then if [[ -n "$MACOS_CERTIFICATE_NAME" ]]; then
echo "::group::Sign app bundle" echo "::group::Sign app bundle"
security unlock-keychain -p "$MACOS_CI_KEYCHAIN_PWD" build.keychain security unlock-keychain -p "$MACOS_CI_KEYCHAIN_PWD" build.keychain
/usr/bin/codesign --sign="$MACOS_CERTIFICATE_NAME" --entitlements=".ci/macos.entitlements" --options=runtime --force --deep --timestamp --verbose "$APP_BUNDLE_PATH" /usr/bin/codesign --sign="$MACOS_CERTIFICATE_NAME" --entitlements=".ci/macos.entitlements" --options=runtime --force --deep --timestamp --verbose "$APP_BUNDLE_PATH"
echo "::endgroup::" echo "::endgroup::"
else else
echo "::error file=$0::MACOS_CERTIFICATE_NAME not set. Can not sign the app bundle." echo "::error file=$0::MACOS_CERTIFICATE_NAME not set. Can not sign app bundle."
exit 1 exit 1
fi fi
# Notarize the app bundle # Notarize app bundle
if [[ -n "$MACOS_NOTARIZATION_APPLE_ID" ]]; then if [[ -n "$MACOS_NOTARIZATION_APPLE_ID" ]]; then
echo "::group::Notarize app bundle" echo "::group::Notarize app bundle"
# Store the notarization credentials so that we can prevent a UI password dialog from blocking the CI # Store the notarization credentials so that we can prevent a UI password dialog from blocking the CI
@ -47,7 +64,7 @@ if [[ -n "$MACOS_NOTARIZATION_APPLE_ID" ]]; then
# We can't notarize an app bundle directly, but we need to compress it as an archive. # We can't notarize an app bundle directly, but we need to compress it as an archive.
# Therefore, we create a zip file containing our app bundle, so that we can send it to the notarization service # Therefore, we create a zip file containing our app bundle, so that we can send it to the notarization service
echo "" echo ""
echo "Creating temp notarization archive" echo "Creating temp notarization archive..."
ditto -c -k --keepParent "$APP_BUNDLE_PATH" "notarization.zip" ditto -c -k --keepParent "$APP_BUNDLE_PATH" "notarization.zip"
# Here we send the notarization request to the Apple's Notarization service, waiting for the result. # Here we send the notarization request to the Apple's Notarization service, waiting for the result.
@ -63,14 +80,14 @@ if [[ -n "$MACOS_NOTARIZATION_APPLE_ID" ]]; then
echo "Attach staple" echo "Attach staple"
xcrun stapler staple "$APP_BUNDLE_PATH" xcrun stapler staple "$APP_BUNDLE_PATH"
echo "::endgroup::" echo "::endgroup::"
echo "::group::Cleanup"
# Cleanup keychain and files to avoid leaking credentials
echo "Deleting keychain"
security delete-keychain build.keychain
rm -f certificate.p12 notarization.zip
echo "::endgroup::"
else else
echo "::error file=$0::MACOS_NOTARIZATION_APPLE_ID not set. Can not notarize the app bundle." echo "::error file=$0::MACOS_NOTARIZATION_APPLE_ID not set. Can not notarize app bundle."
exit 1 exit 1
fi fi
echo "::group::Cleanup"
# Cleanup keychain and files to avoid leaking credentials
echo "Deleting keychain"
security delete-keychain build.keychain
rm -f certificate.p12 notarization.zip
echo "::endgroup::"
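Review bot: The cleanup moved to the bottom of the script (`security delete-keychain build.keychain` and `rm -f certificate.p12 notarization.zip`) is still only reached on the success path: the `exit 1` taken when `MACOS_CERTIFICATE_NAME` or `MACOS_NOTARIZATION_APPLE_ID` is unset, and any failing `codesign` or notarization step if the script runs under `set -e` (the script header is outside the hunk), leaves `build.keychain` with the imported signing key and the decoded `certificate.p12` on the runner, and leaves `build.keychain` configured as the default keychain. That is harmless on a throw-away GitHub-hosted VM but persists across jobs on a self-hosted runner. Wrap the cleanup in a function and register it with `trap cleanup EXIT` before the keychain is created so it runs on every exit path; the trailing cleanup block then becomes redundant. The `security import ... -P "$MACOS_CERTIFICATE_PWD"` line the commit relocates here still passes the certificate password on argv, where it is briefly visible to `ps` on the runner; that is pre-existing and worth a comment rather than a blocker.
```shell
# Configure keychain
if [[ -n "$MACOS_CERTIFICATE" ]]; then
  echo "::group::Import certificate"
  # Remove the keychain and the decoded certificate on every exit path,
  # not only after a successful notarization.
  cleanup() {
    security delete-keychain build.keychain 2>/dev/null || true
    rm -f certificate.p12 notarization.zip
  }
  trap cleanup EXIT
  echo "$MACOS_CERTIFICATE" | base64 --decode >"certificate.p12"
  security create-keychain -p "$MACOS_CI_KEYCHAIN_PWD" build.keychain
  # … unchanged: default-keychain, keychain settings, unlock, import, partition list …
```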


@ -445,10 +445,6 @@ jobs:
VCPKG_DISABLE_METRICS: 1 VCPKG_DISABLE_METRICS: 1
VCPKG_BINARY_SOURCES: 'clear;files,${{ steps.vcpkg-cache.outputs.path }},readwrite' VCPKG_BINARY_SOURCES: 'clear;files,${{ steps.vcpkg-cache.outputs.path }},readwrite'
# macOS-specific environment variables, will be ignored on Windows # macOS-specific environment variables, will be ignored on Windows
MACOS_CERTIFICATE: ${{ secrets.PROD_MACOS_CERTIFICATE }}
MACOS_CERTIFICATE_NAME: ${{ secrets.PROD_MACOS_CERTIFICATE_NAME }}
MACOS_CERTIFICATE_PWD: ${{ secrets.PROD_MACOS_CERTIFICATE_PWD }}
MACOS_CI_KEYCHAIN_PWD: ${{ secrets.PROD_MACOS_CI_KEYCHAIN_PWD }}
DEVELOPER_DIR: '/Applications/Xcode_${{matrix.xcode}}.app/Contents/Developer' DEVELOPER_DIR: '/Applications/Xcode_${{matrix.xcode}}.app/Contents/Developer'
TARGET_MACOS_VERSION: ${{ matrix.override_target }} TARGET_MACOS_VERSION: ${{ matrix.override_target }}
CCACHE_EVICTION_AGE: ${{ matrix.ccache_eviction_age }} CCACHE_EVICTION_AGE: ${{ matrix.ccache_eviction_age }}
@ -477,7 +473,9 @@ jobs:
if: matrix.os == 'macOS' if: matrix.os == 'macOS'
shell: bash shell: bash
env: env:
MACOS_CERTIFICATE: ${{ secrets.PROD_MACOS_CERTIFICATE }}
MACOS_CERTIFICATE_NAME: ${{ secrets.PROD_MACOS_CERTIFICATE_NAME }} MACOS_CERTIFICATE_NAME: ${{ secrets.PROD_MACOS_CERTIFICATE_NAME }}
MACOS_CERTIFICATE_PWD: ${{ secrets.PROD_MACOS_CERTIFICATE_PWD }}
MACOS_CI_KEYCHAIN_PWD: ${{ secrets.PROD_MACOS_CI_KEYCHAIN_PWD }} MACOS_CI_KEYCHAIN_PWD: ${{ secrets.PROD_MACOS_CI_KEYCHAIN_PWD }}
MACOS_NOTARIZATION_APPLE_ID: ${{ secrets.PROD_MACOS_NOTARIZATION_APPLE_ID }} MACOS_NOTARIZATION_APPLE_ID: ${{ secrets.PROD_MACOS_NOTARIZATION_APPLE_ID }}
MACOS_NOTARIZATION_PWD: ${{ secrets.PROD_MACOS_NOTARIZATION_PWD }} MACOS_NOTARIZATION_PWD: ${{ secrets.PROD_MACOS_NOTARIZATION_PWD }}