mirror of
https://github.com/Cockatrice/Cockatrice.git
synced 2026-07-18 16:32:16 -07:00
Signing seems to work?
This commit is contained in:
parent
2c5f92c5c4
commit
c4abfc9183
3 changed files with 84 additions and 132 deletions
|
|
@ -10,5 +10,8 @@
|
|||
|
||||
<key>com.apple.security.cs.disable-executable-page-protection</key>
|
||||
<true/>
|
||||
|
||||
<key>com.apple.security.cs.allow-unsigned-executable-memory</key>
|
||||
<true/>
|
||||
</dict>
|
||||
</plist>
|
||||
|
|
|
|||
182
.github/workflows/desktop-build.yml
vendored
182
.github/workflows/desktop-build.yml
vendored
|
|
@ -254,163 +254,85 @@ jobs:
|
|||
brew update
|
||||
brew install protobuf qt --force-bottle
|
||||
|
||||
- name: Build on Xcode ${{matrix.xcode}}
|
||||
- name: Build & Sign on Xcode ${{matrix.xcode}}
|
||||
shell: bash
|
||||
id: build
|
||||
env:
|
||||
BUILDTYPE: '${{matrix.type}}'
|
||||
MAKE_TEST: 1
|
||||
# MAKE_PACKAGE: '${{matrix.make_package}}'
|
||||
MAKE_PACKAGE: '${{matrix.make_package}}'
|
||||
PACKAGE_SUFFIX: '-macOS${{matrix.target}}_${{matrix.soc}}'
|
||||
MACOS_CERTIFICATE: ${{ secrets.PROD_MACOS_CERTIFICATE }}
|
||||
MACOS_CERTIFICATE_PWD: ${{ secrets.PROD_MACOS_CERTIFICATE_PWD }}
|
||||
MACOS_CERTIFICATE_NAME: ${{ secrets.PROD_MACOS_CERTIFICATE_NAME }}
|
||||
MACOS_CI_KEYCHAIN_PWD: ${{ secrets.PROD_MACOS_CI_KEYCHAIN_PWD }}
|
||||
# macOS runner have 3 cores usually - only the macos-13 image has 4:
|
||||
# https://docs.github.com/en/actions/using-github-hosted-runners/using-github-hosted-runners/about-github-hosted-runners#standard-github-hosted-runners-for-public-repositories
|
||||
# https://github.com/actions/runner-images?tab=readme-ov-file#available-images
|
||||
run: .ci/compile.sh --server --parallel ${{matrix.core_count}}
|
||||
run: |
|
||||
echo $MACOS_CERTIFICATE | base64 --decode > certificate.p12
|
||||
security create-keychain -p "$MACOS_CI_KEYCHAIN_PWD" build.keychain
|
||||
security default-keychain -s build.keychain
|
||||
security set-keychain-settings -t 3600 -l build.keychain
|
||||
security unlock-keychain -p "$MACOS_CI_KEYCHAIN_PWD" build.keychain
|
||||
security import certificate.p12 -k build.keychain -P "$MACOS_CERTIFICATE_PWD" -T /usr/bin/codesign
|
||||
security set-key-partition-list -S apple-tool:,apple:,codesign: -s -k "$MACOS_CI_KEYCHAIN_PWD" build.keychain
|
||||
.ci/compile.sh --server --parallel ${{matrix.core_count}}
|
||||
|
||||
- name: Codesign app bundle
|
||||
- name: Sign app bundle
|
||||
env:
|
||||
MACOS_CERTIFICATE: ${{ secrets.PROD_MACOS_CERTIFICATE }}
|
||||
MACOS_CERTIFICATE_PWD: ${{ secrets.PROD_MACOS_CERTIFICATE_PWD }}
|
||||
MACOS_CERTIFICATE_NAME: ${{ secrets.PROD_MACOS_CERTIFICATE_NAME }}
|
||||
MACOS_CI_KEYCHAIN_PWD: ${{ secrets.PROD_MACOS_CI_KEYCHAIN_PWD }}
|
||||
run: |
|
||||
echo $MACOS_CERTIFICATE | base64 --decode > certificate.p12
|
||||
security create-keychain -p "$MACOS_CI_KEYCHAIN_PWD" build.keychain
|
||||
security default-keychain -s build.keychain
|
||||
security unlock-keychain -p "$MACOS_CI_KEYCHAIN_PWD" build.keychain
|
||||
security import certificate.p12 -k build.keychain -P "$MACOS_CERTIFICATE_PWD" -T /usr/bin/codesign
|
||||
security set-key-partition-list -S apple-tool:,apple:,codesign: -s -k "$MACOS_CI_KEYCHAIN_PWD" build.keychain
|
||||
/usr/bin/codesign --sign="$MACOS_CERTIFICATE_NAME" --entitlements=".ci/macos.entitlements" --options=runtime --force --deep --timestamp --verbose "./build/cockatrice/cockatrice.app"
|
||||
/usr/bin/codesign --sign="$MACOS_CERTIFICATE_NAME" --entitlements=".ci/macos.entitlements" --options=runtime --force --deep --timestamp --verbose "./build/oracle/oracle.app"
|
||||
/usr/bin/codesign --sign="$MACOS_CERTIFICATE_NAME" --entitlements=".ci/macos.entitlements" --options=runtime --force --deep --timestamp --verbose "./build/servatrice/servatrice.app"
|
||||
/usr/bin/codesign --sign="$MACOS_CERTIFICATE_NAME" --entitlements=".ci/macos.entitlements" --options=runtime --force --deep --timestamp --verbose "./build/dbconverter/dbconverter.app"
|
||||
/usr/bin/codesign
|
||||
--sign="$MACOS_CERTIFICATE_NAME"
|
||||
--entitlements="../../.ci/macos.entitlements"
|
||||
--options=runtime
|
||||
--force
|
||||
--deep
|
||||
--timestamp
|
||||
--verbose $(find . -name "*.dmg")
|
||||
|
||||
# - name: CodeSign app bundle
|
||||
# env:
|
||||
# MACOS_CERTIFICATE: ${{ secrets.PROD_MACOS_CERTIFICATE }}
|
||||
# MACOS_CERTIFICATE_PWD: ${{ secrets.PROD_MACOS_CERTIFICATE_PWD }}
|
||||
# MACOS_CERTIFICATE_NAME: ${{ secrets.PROD_MACOS_CERTIFICATE_NAME }}
|
||||
# MACOS_CI_KEYCHAIN_PWD: ${{ secrets.PROD_MACOS_CI_KEYCHAIN_PWD }}
|
||||
# run: |
|
||||
# # Turn our base64-encoded certificate back to a regular .p12 file
|
||||
# echo $MACOS_CERTIFICATE | base64 --decode > certificate.p12
|
||||
#
|
||||
# # We need to create a new keychain, otherwise using the certificate will prompt
|
||||
# # with a UI dialog asking for the certificate password, which we can't
|
||||
# # use in a headless CI environment
|
||||
# security create-keychain -p "$MACOS_CI_KEYCHAIN_PWD" build.keychain
|
||||
# security default-keychain -s build.keychain
|
||||
# security unlock-keychain -p "$MACOS_CI_KEYCHAIN_PWD" build.keychain
|
||||
# security import certificate.p12 -k build.keychain -P "$MACOS_CERTIFICATE_PWD" -T /usr/bin/codesign
|
||||
# security set-key-partition-list -S apple-tool:,apple:,codesign: -s -k "$MACOS_CI_KEYCHAIN_PWD" build.keychain
|
||||
#
|
||||
# # We finally codesign our app bundle, specifying the Hardened runtime option
|
||||
# codesign --force -s "$MACOS_CERTIFICATE_NAME" --options runtime "/Users/runner/work/Cockatrice/Cockatrice/build/cockatrice/cockatrice.app" -v
|
||||
# codesign --verify --deep --strict "/Users/runner/work/Cockatrice/Cockatrice/build/cockatrice/cockatrice.app"
|
||||
#
|
||||
# - name: Notarize app bundle
|
||||
# env:
|
||||
# PROD_MACOS_NOTARIZATION_APPLE_ID: ${{ secrets.PROD_MACOS_NOTARIZATION_APPLE_ID }}
|
||||
# PROD_MACOS_NOTARIZATION_TEAM_ID: ${{ secrets.PROD_MACOS_NOTARIZATION_TEAM_ID }}
|
||||
# PROD_MACOS_NOTARIZATION_PWD: ${{ secrets.PROD_MACOS_NOTARIZATION_PWD }}
|
||||
# run: |
|
||||
# # Store the notarization credentials so that we can prevent a UI password dialog
|
||||
# # from blocking the CI
|
||||
# echo "Create keychain profile"
|
||||
# xcrun notarytool store-credentials "notarytool-profile" --apple-id "$PROD_MACOS_NOTARIZATION_APPLE_ID" --team-id "$PROD_MACOS_NOTARIZATION_TEAM_ID" --password "$PROD_MACOS_NOTARIZATION_PWD"
|
||||
#
|
||||
# # We can't notarize an app bundle directly, but we need to compress it as an archive.
|
||||
# # Therefore, we create a zip file containing our app bundle, so that we can send it to the
|
||||
# # notarization service
|
||||
# echo "Creating temp notarization archive"
|
||||
# ditto -c -k --keepParent "/Users/runner/work/Cockatrice/Cockatrice/build/cockatrice/cockatrice.app" "notarization.zip"
|
||||
#
|
||||
# # Here we send the notarization request to the Apple's Notarization service, waiting for the result.
|
||||
# # This typically takes a few seconds inside a CI environment, but it might take more depending on the App
|
||||
# # characteristics. Visit the Notarization docs for more information and strategies on how to optimize it if
|
||||
# # you're curious
|
||||
# echo "Notarize app"
|
||||
# xcrun notarytool submit "notarization.zip" --keychain-profile "notarytool-profile" --wait
|
||||
#
|
||||
# # Finally, we need to "attach the staple" to our executable, which will allow our app to be
|
||||
# # validated by macOS even when an internet connection is not available.
|
||||
# echo "Attach staple"
|
||||
# xcrun stapler staple "/Users/runner/work/Cockatrice/Cockatrice/build/cockatrice/cockatrice.app"
|
||||
- name: Notarize app bundle
|
||||
env:
|
||||
PROD_MACOS_NOTARIZATION_APPLE_ID: ${{ secrets.PROD_MACOS_NOTARIZATION_APPLE_ID }}
|
||||
PROD_MACOS_NOTARIZATION_TEAM_ID: ${{ secrets.PROD_MACOS_NOTARIZATION_TEAM_ID }}
|
||||
PROD_MACOS_NOTARIZATION_PWD: ${{ secrets.PROD_MACOS_NOTARIZATION_PWD }}
|
||||
run: |
|
||||
# Store the notarization credentials so that we can prevent a UI password dialog from blocking the CI
|
||||
echo "Create keychain profile"
|
||||
xcrun notarytool store-credentials "notarytool-profile"
|
||||
--apple-id "$PROD_MACOS_NOTARIZATION_APPLE_ID"
|
||||
--team-id "$PROD_MACOS_NOTARIZATION_TEAM_ID"
|
||||
--password "$PROD_MACOS_NOTARIZATION_PWD"
|
||||
|
||||
# - name: Sign binary 2
|
||||
# uses: lando/code-sign-action@v3
|
||||
# with:
|
||||
# file: "build/cockatrice/cockatrice.app"
|
||||
# certificate-data: ${{ secrets.PROD_MACOS_CERTIFICATE }}
|
||||
# certificate-password: ${{ secrets.PROD_MACOS_CERTIFICATE_PWD }}
|
||||
# certificate-id: STKV3NKYBF
|
||||
# apple-notary-user: ${{ secrets.PROD_MACOS_NOTARIZATION_APPLE_ID }}
|
||||
# apple-notary-password: ${{ secrets.PROD_MACOS_NOTARIZATION_PWD }}
|
||||
## apple-notary-tool: altool
|
||||
# apple-team-id: STKV3NKYBF
|
||||
# apple-product-id: cockatrice.us.code-sign-action
|
||||
# options: --options runtime -v
|
||||
# We can't notarize an app bundle directly, but we need to compress it as an archive.
|
||||
# Therefore, we create a zip file containing our app bundle, so that we can send it to the
|
||||
# notarization service
|
||||
echo "Creating temp notarization archive"
|
||||
ditto -c -k --keepParent ${{steps.build.outputs.path}} "notarization.zip"
|
||||
|
||||
# Here we send the notarization request to the Apple's Notarization service, waiting for the result.
|
||||
# This typically takes a few seconds inside a CI environment, but it might take more depending on the App
|
||||
# characteristics. Visit the Notarization docs for more information and strategies on how to optimize it if
|
||||
# you're curious
|
||||
echo "Notarize app"
|
||||
xcrun notarytool submit "notarization.zip" --keychain-profile "notarytool-profile" --wait
|
||||
|
||||
# - name: Sign binary
|
||||
# uses: lando/code-sign-action@v3
|
||||
# with:
|
||||
# file: "build/cockatrice/cockatrice.app"
|
||||
# certificate-id: ${{ secrets.PROD_MACOS_CERTIFICATE_NAME }}
|
||||
# certificate-data: ${{ secrets.PROD_MACOS_CERTIFICATE }}
|
||||
# certificate-password: ${{ secrets.PROD_MACOS_CERTIFICATE_PWD }}
|
||||
# apple-notary-password: ${{ secrets.PROD_MACOS_NOTARIZATION_PWD }}
|
||||
# apple-notary-user: ${{ secrets.PROD_MACOS_NOTARIZATION_APPLE_ID }}
|
||||
# apple-notary-tool: 'notarytool'
|
||||
# apple-team-id: "STKV3NKYBF"
|
||||
|
||||
|
||||
# - name: Code Sign (macOS)
|
||||
# env:
|
||||
# MACOS_CODE_CERT_DATA: ${{ secrets.PROD_MACOS_CERTIFICATE }}
|
||||
# MACOS_CODE_CERT_PASS: ${{ secrets.PROD_MACOS_CERTIFICATE_PWD }}
|
||||
# MACOS_CODE_CERT_TEAM_ID: "STKV3NKYBF"
|
||||
# MACOS_EXECUTABLE_PATH: "./build/cockatrice/cockatrice.app"
|
||||
# run: |
|
||||
# echo $MACOS_CODE_CERT_DATA | base64 --decode > certificate.p12
|
||||
# security create-keychain -p $MACOS_CODE_CERT_PASS build.keychain
|
||||
# security default-keychain -s build.keychain
|
||||
# security unlock-keychain -p $MACOS_CODE_CERT_PASS build.keychain
|
||||
# security import certificate.p12 -k build.keychain -P $MACOS_CODE_CERT_PASS -T /usr/bin/codesign
|
||||
# security set-key-partition-list -S apple-tool:,apple:,codesign: -s -k $MACOS_CODE_CERT_PASS build.keychain
|
||||
# /usr/bin/codesign --force -s $MACOS_CODE_CERT_TEAM_ID --deep --options=runtime "$MACOS_EXECUTABLE_PATH"
|
||||
#
|
||||
# - name: Notarize (macOS)
|
||||
# env:
|
||||
# MACOS_NOTARY_USER: ${{ secrets.PROD_MACOS_NOTARIZATION_APPLE_ID }}
|
||||
# MACOS_NOTARY_PASS: ${{ secrets.PROD_MACOS_NOTARIZATION_PWD }}
|
||||
# uses: lando/notarize-action@v2
|
||||
# with:
|
||||
# primary-bundle-id: org.cockatrice.client
|
||||
# product-path: "./build/cockatrice/cockatrice.app"
|
||||
# verbose: true
|
||||
# appstore-connect-password: ${{ secrets.PROD_MACOS_NOTARIZATION_PWD }}
|
||||
# appstore-connect-team-id: "STKV3NKYBF"
|
||||
# appstore-connect-username: ${{ secrets.PROD_MACOS_NOTARIZATION_APPLE_ID }}
|
||||
|
||||
|
||||
|
||||
# - name: Sign and notarize the release build
|
||||
# uses: toitlang/action-macos-sign-notarize@v1.2.0
|
||||
# with:
|
||||
# certificate: ${{ secrets.PROD_MACOS_CERTIFICATE }}
|
||||
# certificate-password: ${{ secrets.PROD_MACOS_CERTIFICATE_PWD }}
|
||||
# username: ${{ secrets.PROD_MACOS_NOTARIZATION_APPLE_ID }}
|
||||
# password: ${{ secrets.PROD_MACOS_NOTARIZATION_PWD }}
|
||||
# apple-team-id: "STKV3NKYBF"
|
||||
# app-path: "build/cockatrice/cockatrice.app"
|
||||
# Finally, we need to "attach the staple" to our executable, which will allow our app to be
|
||||
# validated by macOS even when an internet connection is not available.
|
||||
echo "Attach staple"
|
||||
xcrun stapler staple ${{steps.build.outputs.path}}
|
||||
|
||||
- name: Upload artifact
|
||||
if: matrix.make_package
|
||||
uses: actions/upload-artifact@v4
|
||||
with:
|
||||
name: macOS${{matrix.target}}${{ matrix.soc == 'Intel' && '_Intel' || '' }}${{ matrix.type == 'Debug' && '_Debug' || '' }}-dmg
|
||||
path: "./build/cockatrice/cockatrice.app"
|
||||
path: ${{steps.build.outputs.path}}
|
||||
if-no-files-found: error
|
||||
|
||||
- name: Upload to release
|
||||
|
|
|
|||
|
|
@ -4,11 +4,38 @@ if(APPLE)
|
|||
set(APPLICATIONS "cockatrice" "servatrice" "oracle" "dbconverter")
|
||||
foreach(app_name IN LISTS APPLICATIONS)
|
||||
set(FULL_APP_PATH "${CPACK_TEMPORARY_INSTALL_DIRECTORY}/${app_name}.app")
|
||||
message(STATUS "Re-signing ${app_name}.app")
|
||||
|
||||
message(STATUS "Signing Interior Dynamically Loaded Libraries for ${app_name}.app")
|
||||
execute_process(COMMAND
|
||||
"find"
|
||||
"${FULL_APP_PATH}"
|
||||
"-name"
|
||||
"*.dylib"
|
||||
OUTPUT_VARIABLE
|
||||
INTERIOR_DLLS)
|
||||
string(REPLACE "\n" ";" INTERIOR_DLLS_LIST ${INTERIOR_DLLS})
|
||||
|
||||
foreach(INTERIOR_DLL IN LISTS INTERIOR_DLLS_LIST)
|
||||
execute_process(COMMAND
|
||||
"codesign"
|
||||
"--sign"
|
||||
"$ENV{MACOS_CERTIFICATE}"
|
||||
"--entitlements"
|
||||
"../.ci/macos.entitlements"
|
||||
"--options"
|
||||
"runtime"
|
||||
"--force"
|
||||
"--deep"
|
||||
"--timestamp"
|
||||
"--verbose"
|
||||
"${INTERIOR_DLL}")
|
||||
endforeach()
|
||||
|
||||
message(STATUS "Signing Exterior Applications ${app_name}.app")
|
||||
execute_process(COMMAND
|
||||
"codesign"
|
||||
"--sign"
|
||||
"Developer ID Application: Zachary Halpern (STKV3NKYBF)"
|
||||
"$ENV{MACOS_CERTIFICATE}"
|
||||
"--entitlements"
|
||||
"../.ci/macos.entitlements"
|
||||
"--options"
|
||||
|
|
|
|||
Loading…
Add table
Add a link
Reference in a new issue