From e53efae012a4a9a2a200eb91464f94b77283ca0d Mon Sep 17 00:00:00 2001 From: ZeldaZach Date: Sun, 5 Jan 2025 23:02:02 -0500 Subject: [PATCH] Try another GHA maybe --- .github/workflows/desktop-build.yml | 106 +++++++++++++++------------- 1 file changed, 58 insertions(+), 48 deletions(-) diff --git a/.github/workflows/desktop-build.yml b/.github/workflows/desktop-build.yml index 2b6cf8f9b..fdd76f296 100644 --- a/.github/workflows/desktop-build.yml +++ b/.github/workflows/desktop-build.yml @@ -267,56 +267,66 @@ jobs: # https://github.com/actions/runner-images?tab=readme-ov-file#available-images run: .ci/compile.sh --server --parallel ${{matrix.core_count}} - - name: CodeSign app bundle - env: - MACOS_CERTIFICATE: ${{ secrets.PROD_MACOS_CERTIFICATE }} - MACOS_CERTIFICATE_PWD: ${{ secrets.PROD_MACOS_CERTIFICATE_PWD }} - MACOS_CERTIFICATE_NAME: ${{ secrets.PROD_MACOS_CERTIFICATE_NAME }} - MACOS_CI_KEYCHAIN_PWD: ${{ secrets.PROD_MACOS_CI_KEYCHAIN_PWD }} - run: | - # Turn our base64-encoded certificate back to a regular .p12 file - echo $MACOS_CERTIFICATE | base64 --decode > certificate.p12 +# - name: CodeSign app bundle +# env: +# MACOS_CERTIFICATE: ${{ secrets.PROD_MACOS_CERTIFICATE }} +# MACOS_CERTIFICATE_PWD: ${{ secrets.PROD_MACOS_CERTIFICATE_PWD }} +# MACOS_CERTIFICATE_NAME: ${{ secrets.PROD_MACOS_CERTIFICATE_NAME }} +# MACOS_CI_KEYCHAIN_PWD: ${{ secrets.PROD_MACOS_CI_KEYCHAIN_PWD }} +# run: | +# # Turn our base64-encoded certificate back to a regular .p12 file +# echo $MACOS_CERTIFICATE | base64 --decode > certificate.p12 +# +# # We need to create a new keychain, otherwise using the certificate will prompt +# # with a UI dialog asking for the certificate password, which we can't +# # use in a headless CI environment +# security create-keychain -p "$MACOS_CI_KEYCHAIN_PWD" build.keychain +# security default-keychain -s build.keychain +# security unlock-keychain -p "$MACOS_CI_KEYCHAIN_PWD" build.keychain +# security import certificate.p12 -k build.keychain -P "$MACOS_CERTIFICATE_PWD" -T /usr/bin/codesign +# security set-key-partition-list -S apple-tool:,apple:,codesign: -s -k "$MACOS_CI_KEYCHAIN_PWD" build.keychain +# +# # We finally codesign our app bundle, specifying the Hardened runtime option +# codesign --force -s "$MACOS_CERTIFICATE_NAME" --options runtime "/Users/runner/work/Cockatrice/Cockatrice/build/cockatrice/cockatrice.app" -v +# codesign --verify --deep --strict "/Users/runner/work/Cockatrice/Cockatrice/build/cockatrice/cockatrice.app" +# +# - name: Notarize app bundle +# env: +# PROD_MACOS_NOTARIZATION_APPLE_ID: ${{ secrets.PROD_MACOS_NOTARIZATION_APPLE_ID }} +# PROD_MACOS_NOTARIZATION_TEAM_ID: ${{ secrets.PROD_MACOS_NOTARIZATION_TEAM_ID }} +# PROD_MACOS_NOTARIZATION_PWD: ${{ secrets.PROD_MACOS_NOTARIZATION_PWD }} +# run: | +# # Store the notarization credentials so that we can prevent a UI password dialog +# # from blocking the CI +# echo "Create keychain profile" +# xcrun notarytool store-credentials "notarytool-profile" --apple-id "$PROD_MACOS_NOTARIZATION_APPLE_ID" --team-id "$PROD_MACOS_NOTARIZATION_TEAM_ID" --password "$PROD_MACOS_NOTARIZATION_PWD" +# +# # We can't notarize an app bundle directly, but we need to compress it as an archive. +# # Therefore, we create a zip file containing our app bundle, so that we can send it to the +# # notarization service +# echo "Creating temp notarization archive" +# ditto -c -k --keepParent "/Users/runner/work/Cockatrice/Cockatrice/build/cockatrice/cockatrice.app" "notarization.zip" +# +# # Here we send the notarization request to the Apple's Notarization service, waiting for the result. +# # This typically takes a few seconds inside a CI environment, but it might take more depending on the App +# # characteristics. Visit the Notarization docs for more information and strategies on how to optimize it if +# # you're curious +# echo "Notarize app" +# xcrun notarytool submit "notarization.zip" --keychain-profile "notarytool-profile" --wait +# +# # Finally, we need to "attach the staple" to our executable, which will allow our app to be +# # validated by macOS even when an internet connection is not available. +# echo "Attach staple" +# xcrun stapler staple "/Users/runner/work/Cockatrice/Cockatrice/build/cockatrice/cockatrice.app" - # We need to create a new keychain, otherwise using the certificate will prompt - # with a UI dialog asking for the certificate password, which we can't - # use in a headless CI environment - security create-keychain -p "$MACOS_CI_KEYCHAIN_PWD" build.keychain - security default-keychain -s build.keychain - security unlock-keychain -p "$MACOS_CI_KEYCHAIN_PWD" build.keychain - security import certificate.p12 -k build.keychain -P "$MACOS_CERTIFICATE_PWD" -T /usr/bin/codesign - security set-key-partition-list -S apple-tool:,apple:,codesign: -s -k "$MACOS_CI_KEYCHAIN_PWD" build.keychain - # We finally codesign our app bundle, specifying the Hardened runtime option - /usr/bin/codesign --force -s "$MACOS_CERTIFICATE_NAME" --options runtime "/Users/runner/work/Cockatrice/Cockatrice/build/cockatrice/cockatrice.app" -v - - - name: Notarize app bundle - env: - PROD_MACOS_NOTARIZATION_APPLE_ID: ${{ secrets.PROD_MACOS_NOTARIZATION_APPLE_ID }} - PROD_MACOS_NOTARIZATION_TEAM_ID: ${{ secrets.PROD_MACOS_NOTARIZATION_TEAM_ID }} - PROD_MACOS_NOTARIZATION_PWD: ${{ secrets.PROD_MACOS_NOTARIZATION_PWD }} - run: | - # Store the notarization credentials so that we can prevent a UI password dialog - # from blocking the CI - echo "Create keychain profile" - xcrun notarytool store-credentials "notarytool-profile" --apple-id "$PROD_MACOS_NOTARIZATION_APPLE_ID" --team-id "$PROD_MACOS_NOTARIZATION_TEAM_ID" --password "$PROD_MACOS_NOTARIZATION_PWD" - - # We can't notarize an app bundle directly, but we need to compress it as an archive. - # Therefore, we create a zip file containing our app bundle, so that we can send it to the - # notarization service - echo "Creating temp notarization archive" - ditto -c -k --keepParent "/Users/runner/work/Cockatrice/Cockatrice/build/cockatrice/cockatrice.app" "notarization.zip" - - # Here we send the notarization request to the Apple's Notarization service, waiting for the result. - # This typically takes a few seconds inside a CI environment, but it might take more depending on the App - # characteristics. Visit the Notarization docs for more information and strategies on how to optimize it if - # you're curious - echo "Notarize app" - xcrun notarytool submit "notarization.zip" --keychain-profile "notarytool-profile" --wait - - # Finally, we need to "attach the staple" to our executable, which will allow our app to be - # validated by macOS even when an internet connection is not available. - echo "Attach staple" - xcrun stapler staple "/Users/runner/work/Cockatrice/Cockatrice/build/cockatrice/cockatrice.app" + - name: Sign binary + uses: lando/code-sign-action@v3 + with: + file: "/Users/runner/work/Cockatrice/Cockatrice/build/cockatrice/cockatrice.app" + certificate-data: ${{ secrets.PROD_MACOS_CERTIFICATE }} + certificate-id: STKV3NKYBF + certificate-password: ${{ secrets.PROD_MACOS_CERTIFICATE_PWD }} - name: Upload artifact if: matrix.make_package