From 9b9aa592c891d3901c84da651540950a888f6f75 Mon Sep 17 00:00:00 2001 From: tooomm Date: Sat, 6 Jun 2026 16:51:45 +0200 Subject: [PATCH 1/5] split sign+notarize into own script --- .ci/sign_macos_bundle.sh | 68 +++++++++++++++++++++++++++++ .github/workflows/desktop-build.yml | 47 +++----------------- 2 files changed, 75 insertions(+), 40 deletions(-) create mode 100755 .ci/sign_macos_bundle.sh diff --git a/.ci/sign_macos_bundle.sh b/.ci/sign_macos_bundle.sh new file mode 100755 index 000000000..b7b12a701 --- /dev/null +++ b/.ci/sign_macos_bundle.sh @@ -0,0 +1,68 @@ +#!/bin/bash + +# This script is to be used by the ci environment. + +# Signs and notarizes a macOS app bundle +# Requires: $1 - path to the app bundle +# Environment variables: +# - MACOS_CERTIFICATE_NAME: Name of the certificate for signing (optional, skips signing if not set) +# - MACOS_CI_KEYCHAIN_PWD: Password for the CI keychain (required if MACOS_CERTIFICATE_NAME is set) +# - MACOS_NOTARIZATION_APPLE_ID: Apple ID for notarization (optional, skips notarization if not set) +# - MACOS_NOTARIZATION_PWD: Password for notarization (required if MACOS_NOTARIZATION_APPLE_ID is set) +# - MACOS_NOTARIZATION_TEAM_ID: Team ID for notarization (required if MACOS_NOTARIZATION_APPLE_ID is set) +# exitcode: 1 for failure, 2 for invalid arguments + +set -e + +# Check input arguments +if [[ $# -lt 1 ]]; then + echo "::error file=$0::No argument passed to the script - provide " + exit 2 +fi + +APP_BUNDLE_PATH="$1" + +# Verify that the app bundle exists +if [[ ! -d "$APP_BUNDLE_PATH" ]]; then + echo "::error file=$0::App bundle not found at: $APP_BUNDLE_PATH" + exit 1 +fi + +# Sign the app bundle +if [[ -n "$MACOS_CERTIFICATE_NAME" ]]; then + echo "::group::Sign app bundle" + security unlock-keychain -p "$MACOS_CI_KEYCHAIN_PWD" build.keychain + /usr/bin/codesign --sign="$MACOS_CERTIFICATE_NAME" --entitlements=".ci/macos.entitlements" --options=runtime --force --deep --timestamp --verbose "$APP_BUNDLE_PATH" + echo "::endgroup::" +else + echo "::error file=$0::MACOS_CERTIFICATE_NAME not set. Can not sign the app bundle." + exit 1 +fi + +# Notarize the app bundle +if [[ -n "$MACOS_NOTARIZATION_APPLE_ID" ]]; then + echo "::group::Notarize app bundle" + # Store the notarization credentials so that we can prevent a UI password dialog from blocking the CI + echo "Create keychain profile" + xcrun notarytool store-credentials "notarytool-profile" --apple-id "$MACOS_NOTARIZATION_APPLE_ID" --team-id "$MACOS_NOTARIZATION_TEAM_ID" --password "$MACOS_NOTARIZATION_PWD" + + # We can't notarize an app bundle directly, but we need to compress it as an archive. + # Therefore, we create a zip file containing our app bundle, so that we can send it to the notarization service + echo "Creating temp notarization archive" + ditto -c -k --keepParent "$APP_BUNDLE_PATH" "notarization.zip" + + # Here we send the notarization request to the Apple's Notarization service, waiting for the result. + # This typically takes a few seconds inside a CI environment, but it might take more depending on the App characteristics. + # Visit the Notarization docs for more information and strategies on how to optimize it if you're curious. + echo "Notarize app" + xcrun notarytool submit "notarization.zip" --keychain-profile "notarytool-profile" --wait + + # Finally, we need to "attach the staple" to our executable, which will allow our app to be + # validated by macOS even when an internet connection is not available. + echo "Attach staple" + xcrun stapler staple "$APP_BUNDLE_PATH" + echo "::endgroup::" +else + echo "::error file=$0::MACOS_NOTARIZATION_APPLE_ID not set. Can not notarize the app bundle." + exit 1 +fi diff --git a/.github/workflows/desktop-build.yml b/.github/workflows/desktop-build.yml index 62108b34a..c6557c54d 100644 --- a/.github/workflows/desktop-build.yml +++ b/.github/workflows/desktop-build.yml @@ -446,8 +446,8 @@ jobs: VCPKG_BINARY_SOURCES: 'clear;files,${{ steps.vcpkg-cache.outputs.path }},readwrite' # macOS-specific environment variables, will be ignored on Windows MACOS_CERTIFICATE: ${{ secrets.PROD_MACOS_CERTIFICATE }} - MACOS_CERTIFICATE_PWD: ${{ secrets.PROD_MACOS_CERTIFICATE_PWD }} MACOS_CERTIFICATE_NAME: ${{ secrets.PROD_MACOS_CERTIFICATE_NAME }} + MACOS_CERTIFICATE_PWD: ${{ secrets.PROD_MACOS_CERTIFICATE_PWD }} MACOS_CI_KEYCHAIN_PWD: ${{ secrets.PROD_MACOS_CI_KEYCHAIN_PWD }} DEVELOPER_DIR: '/Applications/Xcode_${{matrix.xcode}}.app/Contents/Developer' TARGET_MACOS_VERSION: ${{ matrix.override_target }} @@ -472,50 +472,17 @@ jobs: path: ${{env.CCACHE_DIR}} key: ${{ steps.ccache_restore.outputs.cache-primary-key }} - - name: Sign app bundle - if: matrix.os == 'macOS' && matrix.make_package && needs.configure.outputs.tag != null - id: sign_macos + - name: Sign & notarize app bundle + # if: matrix.os == 'macOS' && matrix.make_package && needs.configure.outputs.tag != null + if: matrix.os == 'macOS' + shell: bash env: MACOS_CERTIFICATE_NAME: ${{ secrets.PROD_MACOS_CERTIFICATE_NAME }} MACOS_CI_KEYCHAIN_PWD: ${{ secrets.PROD_MACOS_CI_KEYCHAIN_PWD }} - run: | - if [[ -n "$MACOS_CERTIFICATE_NAME" ]] - then - security unlock-keychain -p "$MACOS_CI_KEYCHAIN_PWD" build.keychain - /usr/bin/codesign --sign="$MACOS_CERTIFICATE_NAME" --entitlements=".ci/macos.entitlements" --options=runtime --force --deep --timestamp --verbose "${{steps.build.outputs.path}}" - fi - - - name: Notarize app bundle - if: steps.sign_macos.outcome == 'success' - env: MACOS_NOTARIZATION_APPLE_ID: ${{ secrets.PROD_MACOS_NOTARIZATION_APPLE_ID }} - MACOS_NOTARIZATION_TEAM_ID: ${{ secrets.PROD_MACOS_NOTARIZATION_TEAM_ID }} MACOS_NOTARIZATION_PWD: ${{ secrets.PROD_MACOS_NOTARIZATION_PWD }} - run: | - if [[ -n "$MACOS_NOTARIZATION_APPLE_ID" ]] - then - # Store the notarization credentials so that we can prevent a UI password dialog from blocking the CI - echo "Create keychain profile" - xcrun notarytool store-credentials "notarytool-profile" --apple-id "$MACOS_NOTARIZATION_APPLE_ID" --team-id "$MACOS_NOTARIZATION_TEAM_ID" --password "$MACOS_NOTARIZATION_PWD" - - # We can't notarize an app bundle directly, but we need to compress it as an archive. - # Therefore, we create a zip file containing our app bundle, so that we can send it to the - # notarization service - echo "Creating temp notarization archive" - ditto -c -k --keepParent "${{steps.build.outputs.path}}" "notarization.zip" - - # Here we send the notarization request to the Apple's Notarization service, waiting for the result. - # This typically takes a few seconds inside a CI environment, but it might take more depending on the App - # characteristics. Visit the Notarization docs for more information and strategies on how to optimize it if - # you're curious - echo "Notarize app" - xcrun notarytool submit "notarization.zip" --keychain-profile "notarytool-profile" --wait - - # Finally, we need to "attach the staple" to our executable, which will allow our app to be - # validated by macOS even when an internet connection is not available. - echo "Attach staple" - xcrun stapler staple "${{steps.build.outputs.path}}" - fi + MACOS_NOTARIZATION_TEAM_ID: ${{ secrets.PROD_MACOS_NOTARIZATION_TEAM_ID }} + run: .ci/sign_macos_bundle.sh "${{ steps.build.outputs.path }}" - name: Upload artifact if: matrix.make_package From a5fe1ebd0af4f2f1d629317c2c0beedf1667f753 Mon Sep 17 00:00:00 2001 From: tooomm Date: Sat, 6 Jun 2026 20:36:49 +0200 Subject: [PATCH 2/5] fix --- .ci/sign_macos_bundle.sh | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.ci/sign_macos_bundle.sh b/.ci/sign_macos_bundle.sh index b7b12a701..dc928bbb7 100755 --- a/.ci/sign_macos_bundle.sh +++ b/.ci/sign_macos_bundle.sh @@ -23,7 +23,7 @@ fi APP_BUNDLE_PATH="$1" # Verify that the app bundle exists -if [[ ! -d "$APP_BUNDLE_PATH" ]]; then +if [[ ! -e "$APP_BUNDLE_PATH" ]]; then echo "::error file=$0::App bundle not found at: $APP_BUNDLE_PATH" exit 1 fi From 2e4030cccaf9c3a321d33eaf89f04aedbc73892e Mon Sep 17 00:00:00 2001 From: tooomm Date: Sat, 6 Jun 2026 20:58:01 +0200 Subject: [PATCH 3/5] add --- .ci/sign_macos_bundle.sh | 20 ++++++++++++++------ 1 file changed, 14 insertions(+), 6 deletions(-) diff --git a/.ci/sign_macos_bundle.sh b/.ci/sign_macos_bundle.sh index dc928bbb7..cf673771c 100755 --- a/.ci/sign_macos_bundle.sh +++ b/.ci/sign_macos_bundle.sh @@ -25,7 +25,6 @@ APP_BUNDLE_PATH="$1" # Verify that the app bundle exists if [[ ! -e "$APP_BUNDLE_PATH" ]]; then echo "::error file=$0::App bundle not found at: $APP_BUNDLE_PATH" - exit 1 fi # Sign the app bundle @@ -43,25 +42,34 @@ fi if [[ -n "$MACOS_NOTARIZATION_APPLE_ID" ]]; then echo "::group::Notarize app bundle" # Store the notarization credentials so that we can prevent a UI password dialog from blocking the CI - echo "Create keychain profile" xcrun notarytool store-credentials "notarytool-profile" --apple-id "$MACOS_NOTARIZATION_APPLE_ID" --team-id "$MACOS_NOTARIZATION_TEAM_ID" --password "$MACOS_NOTARIZATION_PWD" - + # We can't notarize an app bundle directly, but we need to compress it as an archive. # Therefore, we create a zip file containing our app bundle, so that we can send it to the notarization service + echo "" echo "Creating temp notarization archive" ditto -c -k --keepParent "$APP_BUNDLE_PATH" "notarization.zip" - + # Here we send the notarization request to the Apple's Notarization service, waiting for the result. # This typically takes a few seconds inside a CI environment, but it might take more depending on the App characteristics. # Visit the Notarization docs for more information and strategies on how to optimize it if you're curious. - echo "Notarize app" + echo "" xcrun notarytool submit "notarization.zip" --keychain-profile "notarytool-profile" --wait - + echo "::endgroup::" + + echo "::group::Staple app" # Finally, we need to "attach the staple" to our executable, which will allow our app to be # validated by macOS even when an internet connection is not available. echo "Attach staple" xcrun stapler staple "$APP_BUNDLE_PATH" echo "::endgroup::" + + echo "::group::Cleanup" + # Cleanup keychain and files to avoid leaking credentials + echo "Deleting keychain" + security delete-keychain build.keychain + rm -f certificate.p12 notarization.zip + echo "::endgroup::" else echo "::error file=$0::MACOS_NOTARIZATION_APPLE_ID not set. Can not notarize the app bundle." exit 1 From d35983760be70db9f55bc972ba077bad91196727 Mon Sep 17 00:00:00 2001 From: tooomm Date: Sat, 6 Jun 2026 22:28:38 +0200 Subject: [PATCH 4/5] move cert import too --- .ci/compile.sh | 15 ---------- .ci/sign_macos_bundle.sh | 43 ++++++++++++++++++++--------- .github/workflows/desktop-build.yml | 6 ++-- 3 files changed, 32 insertions(+), 32 deletions(-) diff --git a/.ci/compile.sh b/.ci/compile.sh index ee846897b..19777aa94 100755 --- a/.ci/compile.sh +++ b/.ci/compile.sh @@ -218,21 +218,6 @@ if [[ $RUNNER_OS == macOS ]]; then echo "::endgroup::" fi - echo "::group::Signing Certificate" - if [[ -n "$MACOS_CERTIFICATE_NAME" ]]; then - echo "$MACOS_CERTIFICATE" | base64 --decode >"certificate.p12" - security create-keychain -p "$MACOS_CI_KEYCHAIN_PWD" build.keychain - security default-keychain -s build.keychain - security set-keychain-settings -t 3600 -l build.keychain - security unlock-keychain -p "$MACOS_CI_KEYCHAIN_PWD" build.keychain - security import certificate.p12 -k build.keychain -P "$MACOS_CERTIFICATE_PWD" -T /usr/bin/codesign - security set-key-partition-list -S apple-tool:,apple:,codesign: -s -k "$MACOS_CI_KEYCHAIN_PWD" build.keychain - echo "macOS signing certificate successfully imported and keychain configured." - else - echo "No signing certificate configured. Skipping set up of keychain in macOS environment." - fi - echo "::endgroup::" - if [[ $MAKE_PACKAGE ]]; then # Workaround https://github.com/actions/runner-images/issues/7522 # have hdiutil repeat the command 10 times in hope of success diff --git a/.ci/sign_macos_bundle.sh b/.ci/sign_macos_bundle.sh index cf673771c..60ac7b3c7 100755 --- a/.ci/sign_macos_bundle.sh +++ b/.ci/sign_macos_bundle.sh @@ -22,23 +22,40 @@ fi APP_BUNDLE_PATH="$1" -# Verify that the app bundle exists +# Verify that app bundle exists if [[ ! -e "$APP_BUNDLE_PATH" ]]; then echo "::error file=$0::App bundle not found at: $APP_BUNDLE_PATH" + exit 1 fi -# Sign the app bundle +# Configure keychain +if [[ -n "$MACOS_CERTIFICATE" ]]; then + echo "::group::Import certificate" + echo "$MACOS_CERTIFICATE" | base64 --decode >"certificate.p12" + security create-keychain -p "$MACOS_CI_KEYCHAIN_PWD" build.keychain + security default-keychain -s build.keychain + security set-keychain-settings -t 3600 -l build.keychain + security unlock-keychain -p "$MACOS_CI_KEYCHAIN_PWD" build.keychain + security import certificate.p12 -k build.keychain -P "$MACOS_CERTIFICATE_PWD" -T /usr/bin/codesign + security set-key-partition-list -S apple-tool:,apple:,codesign: -s -k "$MACOS_CI_KEYCHAIN_PWD" build.keychain + echo "::endgroup::" +else + echo "::error file=$0::MACOS_CERTIFICATE not set. Can not configure keychain." + exit 1 +fi + +# Sign app bundle if [[ -n "$MACOS_CERTIFICATE_NAME" ]]; then echo "::group::Sign app bundle" security unlock-keychain -p "$MACOS_CI_KEYCHAIN_PWD" build.keychain /usr/bin/codesign --sign="$MACOS_CERTIFICATE_NAME" --entitlements=".ci/macos.entitlements" --options=runtime --force --deep --timestamp --verbose "$APP_BUNDLE_PATH" echo "::endgroup::" else - echo "::error file=$0::MACOS_CERTIFICATE_NAME not set. Can not sign the app bundle." + echo "::error file=$0::MACOS_CERTIFICATE_NAME not set. Can not sign app bundle." exit 1 fi -# Notarize the app bundle +# Notarize app bundle if [[ -n "$MACOS_NOTARIZATION_APPLE_ID" ]]; then echo "::group::Notarize app bundle" # Store the notarization credentials so that we can prevent a UI password dialog from blocking the CI @@ -47,7 +64,7 @@ if [[ -n "$MACOS_NOTARIZATION_APPLE_ID" ]]; then # We can't notarize an app bundle directly, but we need to compress it as an archive. # Therefore, we create a zip file containing our app bundle, so that we can send it to the notarization service echo "" - echo "Creating temp notarization archive" + echo "Creating temp notarization archive..." ditto -c -k --keepParent "$APP_BUNDLE_PATH" "notarization.zip" # Here we send the notarization request to the Apple's Notarization service, waiting for the result. @@ -63,14 +80,14 @@ if [[ -n "$MACOS_NOTARIZATION_APPLE_ID" ]]; then echo "Attach staple" xcrun stapler staple "$APP_BUNDLE_PATH" echo "::endgroup::" - - echo "::group::Cleanup" - # Cleanup keychain and files to avoid leaking credentials - echo "Deleting keychain" - security delete-keychain build.keychain - rm -f certificate.p12 notarization.zip - echo "::endgroup::" else - echo "::error file=$0::MACOS_NOTARIZATION_APPLE_ID not set. Can not notarize the app bundle." + echo "::error file=$0::MACOS_NOTARIZATION_APPLE_ID not set. Can not notarize app bundle." exit 1 fi + +echo "::group::Cleanup" +# Cleanup keychain and files to avoid leaking credentials +echo "Deleting keychain" +security delete-keychain build.keychain +rm -f certificate.p12 notarization.zip +echo "::endgroup::" diff --git a/.github/workflows/desktop-build.yml b/.github/workflows/desktop-build.yml index c6557c54d..acc8266dd 100644 --- a/.github/workflows/desktop-build.yml +++ b/.github/workflows/desktop-build.yml @@ -445,10 +445,6 @@ jobs: VCPKG_DISABLE_METRICS: 1 VCPKG_BINARY_SOURCES: 'clear;files,${{ steps.vcpkg-cache.outputs.path }},readwrite' # macOS-specific environment variables, will be ignored on Windows - MACOS_CERTIFICATE: ${{ secrets.PROD_MACOS_CERTIFICATE }} - MACOS_CERTIFICATE_NAME: ${{ secrets.PROD_MACOS_CERTIFICATE_NAME }} - MACOS_CERTIFICATE_PWD: ${{ secrets.PROD_MACOS_CERTIFICATE_PWD }} - MACOS_CI_KEYCHAIN_PWD: ${{ secrets.PROD_MACOS_CI_KEYCHAIN_PWD }} DEVELOPER_DIR: '/Applications/Xcode_${{matrix.xcode}}.app/Contents/Developer' TARGET_MACOS_VERSION: ${{ matrix.override_target }} CCACHE_EVICTION_AGE: ${{ matrix.ccache_eviction_age }} @@ -477,7 +473,9 @@ jobs: if: matrix.os == 'macOS' shell: bash env: + MACOS_CERTIFICATE: ${{ secrets.PROD_MACOS_CERTIFICATE }} MACOS_CERTIFICATE_NAME: ${{ secrets.PROD_MACOS_CERTIFICATE_NAME }} + MACOS_CERTIFICATE_PWD: ${{ secrets.PROD_MACOS_CERTIFICATE_PWD }} MACOS_CI_KEYCHAIN_PWD: ${{ secrets.PROD_MACOS_CI_KEYCHAIN_PWD }} MACOS_NOTARIZATION_APPLE_ID: ${{ secrets.PROD_MACOS_NOTARIZATION_APPLE_ID }} MACOS_NOTARIZATION_PWD: ${{ secrets.PROD_MACOS_NOTARIZATION_PWD }} From 2c1f32ba81cb91f1c8fe3fd18122a5b908c2f843 Mon Sep 17 00:00:00 2001 From: tooomm Date: Mon, 8 Jun 2026 20:32:35 +0200 Subject: [PATCH 5/5] Update sign_macos_bundle.sh --- .ci/sign_macos_bundle.sh | 3 +-- 1 file changed, 1 insertion(+), 2 deletions(-) diff --git a/.ci/sign_macos_bundle.sh b/.ci/sign_macos_bundle.sh index 60ac7b3c7..9e73fe87d 100755 --- a/.ci/sign_macos_bundle.sh +++ b/.ci/sign_macos_bundle.sh @@ -23,7 +23,7 @@ fi APP_BUNDLE_PATH="$1" # Verify that app bundle exists -if [[ ! -e "$APP_BUNDLE_PATH" ]]; then +if [[ ! -f "$APP_BUNDLE_PATH" ]]; then echo "::error file=$0::App bundle not found at: $APP_BUNDLE_PATH" exit 1 fi @@ -47,7 +47,6 @@ fi # Sign app bundle if [[ -n "$MACOS_CERTIFICATE_NAME" ]]; then echo "::group::Sign app bundle" - security unlock-keychain -p "$MACOS_CI_KEYCHAIN_PWD" build.keychain /usr/bin/codesign --sign="$MACOS_CERTIFICATE_NAME" --entitlements=".ci/macos.entitlements" --options=runtime --force --deep --timestamp --verbose "$APP_BUNDLE_PATH" echo "::endgroup::" else