mirror of
https://github.com/Cockatrice/Cockatrice.git
synced 2026-07-19 00:42:14 -07:00
Signing seems to work?
This commit is contained in:
parent
2c5f92c5c4
commit
c4abfc9183
3 changed files with 84 additions and 132 deletions
|
|
@ -10,5 +10,8 @@
|
||||||
|
|
||||||
<key>com.apple.security.cs.disable-executable-page-protection</key>
|
<key>com.apple.security.cs.disable-executable-page-protection</key>
|
||||||
<true/>
|
<true/>
|
||||||
|
|
||||||
|
<key>com.apple.security.cs.allow-unsigned-executable-memory</key>
|
||||||
|
<true/>
|
||||||
</dict>
|
</dict>
|
||||||
</plist>
|
</plist>
|
||||||
|
|
|
||||||
182
.github/workflows/desktop-build.yml
vendored
182
.github/workflows/desktop-build.yml
vendored
|
|
@ -254,163 +254,85 @@ jobs:
|
||||||
brew update
|
brew update
|
||||||
brew install protobuf qt --force-bottle
|
brew install protobuf qt --force-bottle
|
||||||
|
|
||||||
- name: Build on Xcode ${{matrix.xcode}}
|
- name: Build & Sign on Xcode ${{matrix.xcode}}
|
||||||
shell: bash
|
shell: bash
|
||||||
id: build
|
id: build
|
||||||
env:
|
env:
|
||||||
BUILDTYPE: '${{matrix.type}}'
|
BUILDTYPE: '${{matrix.type}}'
|
||||||
MAKE_TEST: 1
|
MAKE_TEST: 1
|
||||||
# MAKE_PACKAGE: '${{matrix.make_package}}'
|
MAKE_PACKAGE: '${{matrix.make_package}}'
|
||||||
PACKAGE_SUFFIX: '-macOS${{matrix.target}}_${{matrix.soc}}'
|
PACKAGE_SUFFIX: '-macOS${{matrix.target}}_${{matrix.soc}}'
|
||||||
|
MACOS_CERTIFICATE: ${{ secrets.PROD_MACOS_CERTIFICATE }}
|
||||||
|
MACOS_CERTIFICATE_PWD: ${{ secrets.PROD_MACOS_CERTIFICATE_PWD }}
|
||||||
|
MACOS_CERTIFICATE_NAME: ${{ secrets.PROD_MACOS_CERTIFICATE_NAME }}
|
||||||
|
MACOS_CI_KEYCHAIN_PWD: ${{ secrets.PROD_MACOS_CI_KEYCHAIN_PWD }}
|
||||||
# macOS runner have 3 cores usually - only the macos-13 image has 4:
|
# macOS runner have 3 cores usually - only the macos-13 image has 4:
|
||||||
# https://docs.github.com/en/actions/using-github-hosted-runners/using-github-hosted-runners/about-github-hosted-runners#standard-github-hosted-runners-for-public-repositories
|
# https://docs.github.com/en/actions/using-github-hosted-runners/using-github-hosted-runners/about-github-hosted-runners#standard-github-hosted-runners-for-public-repositories
|
||||||
# https://github.com/actions/runner-images?tab=readme-ov-file#available-images
|
# https://github.com/actions/runner-images?tab=readme-ov-file#available-images
|
||||||
run: .ci/compile.sh --server --parallel ${{matrix.core_count}}
|
run: |
|
||||||
|
echo $MACOS_CERTIFICATE | base64 --decode > certificate.p12
|
||||||
|
security create-keychain -p "$MACOS_CI_KEYCHAIN_PWD" build.keychain
|
||||||
|
security default-keychain -s build.keychain
|
||||||
|
security set-keychain-settings -t 3600 -l build.keychain
|
||||||
|
security unlock-keychain -p "$MACOS_CI_KEYCHAIN_PWD" build.keychain
|
||||||
|
security import certificate.p12 -k build.keychain -P "$MACOS_CERTIFICATE_PWD" -T /usr/bin/codesign
|
||||||
|
security set-key-partition-list -S apple-tool:,apple:,codesign: -s -k "$MACOS_CI_KEYCHAIN_PWD" build.keychain
|
||||||
|
.ci/compile.sh --server --parallel ${{matrix.core_count}}
|
||||||
|
|
||||||
- name: Codesign app bundle
|
- name: Sign app bundle
|
||||||
env:
|
env:
|
||||||
MACOS_CERTIFICATE: ${{ secrets.PROD_MACOS_CERTIFICATE }}
|
MACOS_CERTIFICATE: ${{ secrets.PROD_MACOS_CERTIFICATE }}
|
||||||
MACOS_CERTIFICATE_PWD: ${{ secrets.PROD_MACOS_CERTIFICATE_PWD }}
|
MACOS_CERTIFICATE_PWD: ${{ secrets.PROD_MACOS_CERTIFICATE_PWD }}
|
||||||
MACOS_CERTIFICATE_NAME: ${{ secrets.PROD_MACOS_CERTIFICATE_NAME }}
|
MACOS_CERTIFICATE_NAME: ${{ secrets.PROD_MACOS_CERTIFICATE_NAME }}
|
||||||
MACOS_CI_KEYCHAIN_PWD: ${{ secrets.PROD_MACOS_CI_KEYCHAIN_PWD }}
|
MACOS_CI_KEYCHAIN_PWD: ${{ secrets.PROD_MACOS_CI_KEYCHAIN_PWD }}
|
||||||
run: |
|
run: |
|
||||||
echo $MACOS_CERTIFICATE | base64 --decode > certificate.p12
|
|
||||||
security create-keychain -p "$MACOS_CI_KEYCHAIN_PWD" build.keychain
|
|
||||||
security default-keychain -s build.keychain
|
|
||||||
security unlock-keychain -p "$MACOS_CI_KEYCHAIN_PWD" build.keychain
|
security unlock-keychain -p "$MACOS_CI_KEYCHAIN_PWD" build.keychain
|
||||||
security import certificate.p12 -k build.keychain -P "$MACOS_CERTIFICATE_PWD" -T /usr/bin/codesign
|
/usr/bin/codesign
|
||||||
security set-key-partition-list -S apple-tool:,apple:,codesign: -s -k "$MACOS_CI_KEYCHAIN_PWD" build.keychain
|
--sign="$MACOS_CERTIFICATE_NAME"
|
||||||
/usr/bin/codesign --sign="$MACOS_CERTIFICATE_NAME" --entitlements=".ci/macos.entitlements" --options=runtime --force --deep --timestamp --verbose "./build/cockatrice/cockatrice.app"
|
--entitlements="../../.ci/macos.entitlements"
|
||||||
/usr/bin/codesign --sign="$MACOS_CERTIFICATE_NAME" --entitlements=".ci/macos.entitlements" --options=runtime --force --deep --timestamp --verbose "./build/oracle/oracle.app"
|
--options=runtime
|
||||||
/usr/bin/codesign --sign="$MACOS_CERTIFICATE_NAME" --entitlements=".ci/macos.entitlements" --options=runtime --force --deep --timestamp --verbose "./build/servatrice/servatrice.app"
|
--force
|
||||||
/usr/bin/codesign --sign="$MACOS_CERTIFICATE_NAME" --entitlements=".ci/macos.entitlements" --options=runtime --force --deep --timestamp --verbose "./build/dbconverter/dbconverter.app"
|
--deep
|
||||||
|
--timestamp
|
||||||
|
--verbose $(find . -name "*.dmg")
|
||||||
|
|
||||||
# - name: CodeSign app bundle
|
- name: Notarize app bundle
|
||||||
# env:
|
env:
|
||||||
# MACOS_CERTIFICATE: ${{ secrets.PROD_MACOS_CERTIFICATE }}
|
PROD_MACOS_NOTARIZATION_APPLE_ID: ${{ secrets.PROD_MACOS_NOTARIZATION_APPLE_ID }}
|
||||||
# MACOS_CERTIFICATE_PWD: ${{ secrets.PROD_MACOS_CERTIFICATE_PWD }}
|
PROD_MACOS_NOTARIZATION_TEAM_ID: ${{ secrets.PROD_MACOS_NOTARIZATION_TEAM_ID }}
|
||||||
# MACOS_CERTIFICATE_NAME: ${{ secrets.PROD_MACOS_CERTIFICATE_NAME }}
|
PROD_MACOS_NOTARIZATION_PWD: ${{ secrets.PROD_MACOS_NOTARIZATION_PWD }}
|
||||||
# MACOS_CI_KEYCHAIN_PWD: ${{ secrets.PROD_MACOS_CI_KEYCHAIN_PWD }}
|
run: |
|
||||||
# run: |
|
# Store the notarization credentials so that we can prevent a UI password dialog from blocking the CI
|
||||||
# # Turn our base64-encoded certificate back to a regular .p12 file
|
echo "Create keychain profile"
|
||||||
# echo $MACOS_CERTIFICATE | base64 --decode > certificate.p12
|
xcrun notarytool store-credentials "notarytool-profile"
|
||||||
#
|
--apple-id "$PROD_MACOS_NOTARIZATION_APPLE_ID"
|
||||||
# # We need to create a new keychain, otherwise using the certificate will prompt
|
--team-id "$PROD_MACOS_NOTARIZATION_TEAM_ID"
|
||||||
# # with a UI dialog asking for the certificate password, which we can't
|
--password "$PROD_MACOS_NOTARIZATION_PWD"
|
||||||
# # use in a headless CI environment
|
|
||||||
# security create-keychain -p "$MACOS_CI_KEYCHAIN_PWD" build.keychain
|
|
||||||
# security default-keychain -s build.keychain
|
|
||||||
# security unlock-keychain -p "$MACOS_CI_KEYCHAIN_PWD" build.keychain
|
|
||||||
# security import certificate.p12 -k build.keychain -P "$MACOS_CERTIFICATE_PWD" -T /usr/bin/codesign
|
|
||||||
# security set-key-partition-list -S apple-tool:,apple:,codesign: -s -k "$MACOS_CI_KEYCHAIN_PWD" build.keychain
|
|
||||||
#
|
|
||||||
# # We finally codesign our app bundle, specifying the Hardened runtime option
|
|
||||||
# codesign --force -s "$MACOS_CERTIFICATE_NAME" --options runtime "/Users/runner/work/Cockatrice/Cockatrice/build/cockatrice/cockatrice.app" -v
|
|
||||||
# codesign --verify --deep --strict "/Users/runner/work/Cockatrice/Cockatrice/build/cockatrice/cockatrice.app"
|
|
||||||
#
|
|
||||||
# - name: Notarize app bundle
|
|
||||||
# env:
|
|
||||||
# PROD_MACOS_NOTARIZATION_APPLE_ID: ${{ secrets.PROD_MACOS_NOTARIZATION_APPLE_ID }}
|
|
||||||
# PROD_MACOS_NOTARIZATION_TEAM_ID: ${{ secrets.PROD_MACOS_NOTARIZATION_TEAM_ID }}
|
|
||||||
# PROD_MACOS_NOTARIZATION_PWD: ${{ secrets.PROD_MACOS_NOTARIZATION_PWD }}
|
|
||||||
# run: |
|
|
||||||
# # Store the notarization credentials so that we can prevent a UI password dialog
|
|
||||||
# # from blocking the CI
|
|
||||||
# echo "Create keychain profile"
|
|
||||||
# xcrun notarytool store-credentials "notarytool-profile" --apple-id "$PROD_MACOS_NOTARIZATION_APPLE_ID" --team-id "$PROD_MACOS_NOTARIZATION_TEAM_ID" --password "$PROD_MACOS_NOTARIZATION_PWD"
|
|
||||||
#
|
|
||||||
# # We can't notarize an app bundle directly, but we need to compress it as an archive.
|
|
||||||
# # Therefore, we create a zip file containing our app bundle, so that we can send it to the
|
|
||||||
# # notarization service
|
|
||||||
# echo "Creating temp notarization archive"
|
|
||||||
# ditto -c -k --keepParent "/Users/runner/work/Cockatrice/Cockatrice/build/cockatrice/cockatrice.app" "notarization.zip"
|
|
||||||
#
|
|
||||||
# # Here we send the notarization request to the Apple's Notarization service, waiting for the result.
|
|
||||||
# # This typically takes a few seconds inside a CI environment, but it might take more depending on the App
|
|
||||||
# # characteristics. Visit the Notarization docs for more information and strategies on how to optimize it if
|
|
||||||
# # you're curious
|
|
||||||
# echo "Notarize app"
|
|
||||||
# xcrun notarytool submit "notarization.zip" --keychain-profile "notarytool-profile" --wait
|
|
||||||
#
|
|
||||||
# # Finally, we need to "attach the staple" to our executable, which will allow our app to be
|
|
||||||
# # validated by macOS even when an internet connection is not available.
|
|
||||||
# echo "Attach staple"
|
|
||||||
# xcrun stapler staple "/Users/runner/work/Cockatrice/Cockatrice/build/cockatrice/cockatrice.app"
|
|
||||||
|
|
||||||
# - name: Sign binary 2
|
# We can't notarize an app bundle directly, but we need to compress it as an archive.
|
||||||
# uses: lando/code-sign-action@v3
|
# Therefore, we create a zip file containing our app bundle, so that we can send it to the
|
||||||
# with:
|
# notarization service
|
||||||
# file: "build/cockatrice/cockatrice.app"
|
echo "Creating temp notarization archive"
|
||||||
# certificate-data: ${{ secrets.PROD_MACOS_CERTIFICATE }}
|
ditto -c -k --keepParent ${{steps.build.outputs.path}} "notarization.zip"
|
||||||
# certificate-password: ${{ secrets.PROD_MACOS_CERTIFICATE_PWD }}
|
|
||||||
# certificate-id: STKV3NKYBF
|
|
||||||
# apple-notary-user: ${{ secrets.PROD_MACOS_NOTARIZATION_APPLE_ID }}
|
|
||||||
# apple-notary-password: ${{ secrets.PROD_MACOS_NOTARIZATION_PWD }}
|
|
||||||
## apple-notary-tool: altool
|
|
||||||
# apple-team-id: STKV3NKYBF
|
|
||||||
# apple-product-id: cockatrice.us.code-sign-action
|
|
||||||
# options: --options runtime -v
|
|
||||||
|
|
||||||
|
# Here we send the notarization request to the Apple's Notarization service, waiting for the result.
|
||||||
|
# This typically takes a few seconds inside a CI environment, but it might take more depending on the App
|
||||||
|
# characteristics. Visit the Notarization docs for more information and strategies on how to optimize it if
|
||||||
|
# you're curious
|
||||||
|
echo "Notarize app"
|
||||||
|
xcrun notarytool submit "notarization.zip" --keychain-profile "notarytool-profile" --wait
|
||||||
|
|
||||||
# - name: Sign binary
|
# Finally, we need to "attach the staple" to our executable, which will allow our app to be
|
||||||
# uses: lando/code-sign-action@v3
|
# validated by macOS even when an internet connection is not available.
|
||||||
# with:
|
echo "Attach staple"
|
||||||
# file: "build/cockatrice/cockatrice.app"
|
xcrun stapler staple ${{steps.build.outputs.path}}
|
||||||
# certificate-id: ${{ secrets.PROD_MACOS_CERTIFICATE_NAME }}
|
|
||||||
# certificate-data: ${{ secrets.PROD_MACOS_CERTIFICATE }}
|
|
||||||
# certificate-password: ${{ secrets.PROD_MACOS_CERTIFICATE_PWD }}
|
|
||||||
# apple-notary-password: ${{ secrets.PROD_MACOS_NOTARIZATION_PWD }}
|
|
||||||
# apple-notary-user: ${{ secrets.PROD_MACOS_NOTARIZATION_APPLE_ID }}
|
|
||||||
# apple-notary-tool: 'notarytool'
|
|
||||||
# apple-team-id: "STKV3NKYBF"
|
|
||||||
|
|
||||||
|
|
||||||
# - name: Code Sign (macOS)
|
|
||||||
# env:
|
|
||||||
# MACOS_CODE_CERT_DATA: ${{ secrets.PROD_MACOS_CERTIFICATE }}
|
|
||||||
# MACOS_CODE_CERT_PASS: ${{ secrets.PROD_MACOS_CERTIFICATE_PWD }}
|
|
||||||
# MACOS_CODE_CERT_TEAM_ID: "STKV3NKYBF"
|
|
||||||
# MACOS_EXECUTABLE_PATH: "./build/cockatrice/cockatrice.app"
|
|
||||||
# run: |
|
|
||||||
# echo $MACOS_CODE_CERT_DATA | base64 --decode > certificate.p12
|
|
||||||
# security create-keychain -p $MACOS_CODE_CERT_PASS build.keychain
|
|
||||||
# security default-keychain -s build.keychain
|
|
||||||
# security unlock-keychain -p $MACOS_CODE_CERT_PASS build.keychain
|
|
||||||
# security import certificate.p12 -k build.keychain -P $MACOS_CODE_CERT_PASS -T /usr/bin/codesign
|
|
||||||
# security set-key-partition-list -S apple-tool:,apple:,codesign: -s -k $MACOS_CODE_CERT_PASS build.keychain
|
|
||||||
# /usr/bin/codesign --force -s $MACOS_CODE_CERT_TEAM_ID --deep --options=runtime "$MACOS_EXECUTABLE_PATH"
|
|
||||||
#
|
|
||||||
# - name: Notarize (macOS)
|
|
||||||
# env:
|
|
||||||
# MACOS_NOTARY_USER: ${{ secrets.PROD_MACOS_NOTARIZATION_APPLE_ID }}
|
|
||||||
# MACOS_NOTARY_PASS: ${{ secrets.PROD_MACOS_NOTARIZATION_PWD }}
|
|
||||||
# uses: lando/notarize-action@v2
|
|
||||||
# with:
|
|
||||||
# primary-bundle-id: org.cockatrice.client
|
|
||||||
# product-path: "./build/cockatrice/cockatrice.app"
|
|
||||||
# verbose: true
|
|
||||||
# appstore-connect-password: ${{ secrets.PROD_MACOS_NOTARIZATION_PWD }}
|
|
||||||
# appstore-connect-team-id: "STKV3NKYBF"
|
|
||||||
# appstore-connect-username: ${{ secrets.PROD_MACOS_NOTARIZATION_APPLE_ID }}
|
|
||||||
|
|
||||||
|
|
||||||
|
|
||||||
# - name: Sign and notarize the release build
|
|
||||||
# uses: toitlang/action-macos-sign-notarize@v1.2.0
|
|
||||||
# with:
|
|
||||||
# certificate: ${{ secrets.PROD_MACOS_CERTIFICATE }}
|
|
||||||
# certificate-password: ${{ secrets.PROD_MACOS_CERTIFICATE_PWD }}
|
|
||||||
# username: ${{ secrets.PROD_MACOS_NOTARIZATION_APPLE_ID }}
|
|
||||||
# password: ${{ secrets.PROD_MACOS_NOTARIZATION_PWD }}
|
|
||||||
# apple-team-id: "STKV3NKYBF"
|
|
||||||
# app-path: "build/cockatrice/cockatrice.app"
|
|
||||||
|
|
||||||
- name: Upload artifact
|
- name: Upload artifact
|
||||||
if: matrix.make_package
|
if: matrix.make_package
|
||||||
uses: actions/upload-artifact@v4
|
uses: actions/upload-artifact@v4
|
||||||
with:
|
with:
|
||||||
name: macOS${{matrix.target}}${{ matrix.soc == 'Intel' && '_Intel' || '' }}${{ matrix.type == 'Debug' && '_Debug' || '' }}-dmg
|
name: macOS${{matrix.target}}${{ matrix.soc == 'Intel' && '_Intel' || '' }}${{ matrix.type == 'Debug' && '_Debug' || '' }}-dmg
|
||||||
path: "./build/cockatrice/cockatrice.app"
|
path: ${{steps.build.outputs.path}}
|
||||||
if-no-files-found: error
|
if-no-files-found: error
|
||||||
|
|
||||||
- name: Upload to release
|
- name: Upload to release
|
||||||
|
|
|
||||||
|
|
@ -4,11 +4,38 @@ if(APPLE)
|
||||||
set(APPLICATIONS "cockatrice" "servatrice" "oracle" "dbconverter")
|
set(APPLICATIONS "cockatrice" "servatrice" "oracle" "dbconverter")
|
||||||
foreach(app_name IN LISTS APPLICATIONS)
|
foreach(app_name IN LISTS APPLICATIONS)
|
||||||
set(FULL_APP_PATH "${CPACK_TEMPORARY_INSTALL_DIRECTORY}/${app_name}.app")
|
set(FULL_APP_PATH "${CPACK_TEMPORARY_INSTALL_DIRECTORY}/${app_name}.app")
|
||||||
message(STATUS "Re-signing ${app_name}.app")
|
|
||||||
|
message(STATUS "Signing Interior Dynamically Loaded Libraries for ${app_name}.app")
|
||||||
|
execute_process(COMMAND
|
||||||
|
"find"
|
||||||
|
"${FULL_APP_PATH}"
|
||||||
|
"-name"
|
||||||
|
"*.dylib"
|
||||||
|
OUTPUT_VARIABLE
|
||||||
|
INTERIOR_DLLS)
|
||||||
|
string(REPLACE "\n" ";" INTERIOR_DLLS_LIST ${INTERIOR_DLLS})
|
||||||
|
|
||||||
|
foreach(INTERIOR_DLL IN LISTS INTERIOR_DLLS_LIST)
|
||||||
|
execute_process(COMMAND
|
||||||
|
"codesign"
|
||||||
|
"--sign"
|
||||||
|
"$ENV{MACOS_CERTIFICATE}"
|
||||||
|
"--entitlements"
|
||||||
|
"../.ci/macos.entitlements"
|
||||||
|
"--options"
|
||||||
|
"runtime"
|
||||||
|
"--force"
|
||||||
|
"--deep"
|
||||||
|
"--timestamp"
|
||||||
|
"--verbose"
|
||||||
|
"${INTERIOR_DLL}")
|
||||||
|
endforeach()
|
||||||
|
|
||||||
|
message(STATUS "Signing Exterior Applications ${app_name}.app")
|
||||||
execute_process(COMMAND
|
execute_process(COMMAND
|
||||||
"codesign"
|
"codesign"
|
||||||
"--sign"
|
"--sign"
|
||||||
"Developer ID Application: Zachary Halpern (STKV3NKYBF)"
|
"$ENV{MACOS_CERTIFICATE}"
|
||||||
"--entitlements"
|
"--entitlements"
|
||||||
"../.ci/macos.entitlements"
|
"../.ci/macos.entitlements"
|
||||||
"--options"
|
"--options"
|
||||||
|
|
|
||||||
Loading…
Add table
Add a link
Reference in a new issue