Merge branch 'master' into tooomm-ci_sign_mac

.ci/compile.sh

@@ -218,21 +218,6 @@ if [[ $RUNNER_OS == macOS ]]; then
     echo "::endgroup::"
   fi
 
-  echo "::group::Signing Certificate"
-  if [[ -n "$MACOS_CERTIFICATE_NAME" ]]; then
-    echo "$MACOS_CERTIFICATE" | base64 --decode >"certificate.p12"
-    security create-keychain -p "$MACOS_CI_KEYCHAIN_PWD" build.keychain
-    security default-keychain -s build.keychain
-    security set-keychain-settings -t 3600 -l build.keychain
-    security unlock-keychain -p "$MACOS_CI_KEYCHAIN_PWD" build.keychain
-    security import certificate.p12 -k build.keychain -P "$MACOS_CERTIFICATE_PWD" -T /usr/bin/codesign
-    security set-key-partition-list -S apple-tool:,apple:,codesign: -s -k "$MACOS_CI_KEYCHAIN_PWD" build.keychain
-    echo "macOS signing certificate successfully imported and keychain configured."
-  else
-    echo "No signing certificate configured. Skipping set up of keychain in macOS environment."
-  fi
-  echo "::endgroup::"
-
   if [[ $MAKE_PACKAGE ]]; then
     # Workaround https://github.com/actions/runner-images/issues/7522
     # have hdiutil repeat the command 10 times in hope of success

.ci/sign_macos_bundle.sh

@@ -0,0 +1,92 @@
+#!/bin/bash
+
+# This script is to be used by the ci environment.
+
+# Signs and notarizes a macOS app bundle
+# Requires: $1 - path to the app bundle
+# Environment variables:
+# - MACOS_CERTIFICATE_NAME: Name of the certificate for signing (optional, skips signing if not set)
+# - MACOS_CI_KEYCHAIN_PWD: Password for the CI keychain (required if MACOS_CERTIFICATE_NAME is set)
+# - MACOS_NOTARIZATION_APPLE_ID: Apple ID for notarization (optional, skips notarization if not set)
+# - MACOS_NOTARIZATION_PWD: Password for notarization (required if MACOS_NOTARIZATION_APPLE_ID is set)
+# - MACOS_NOTARIZATION_TEAM_ID: Team ID for notarization (required if MACOS_NOTARIZATION_APPLE_ID is set)
+# exitcode: 1 for failure, 2 for invalid arguments
+
+set -e
+
+# Check input arguments
+if [[ $# -lt 1 ]]; then
+  echo "::error file=$0::No argument passed to the script - provide <path_to_app_bundle>"
+  exit 2
+fi
+
+APP_BUNDLE_PATH="$1"
+
+# Verify that app bundle exists
+if [[ ! -f "$APP_BUNDLE_PATH" ]]; then
+  echo "::error file=$0::App bundle not found at: $APP_BUNDLE_PATH"
+  exit 1
+fi
+
+# Configure keychain
+if [[ -n "$MACOS_CERTIFICATE" ]]; then
+  echo "::group::Import certificate"
+  echo "$MACOS_CERTIFICATE" | base64 --decode >"certificate.p12"
+  security create-keychain -p "$MACOS_CI_KEYCHAIN_PWD" build.keychain
+  security default-keychain -s build.keychain
+  security set-keychain-settings -t 3600 -l build.keychain
+  security unlock-keychain -p "$MACOS_CI_KEYCHAIN_PWD" build.keychain
+  security import certificate.p12 -k build.keychain -P "$MACOS_CERTIFICATE_PWD" -T /usr/bin/codesign
+  security set-key-partition-list -S apple-tool:,apple:,codesign: -s -k "$MACOS_CI_KEYCHAIN_PWD" build.keychain
+  echo "::endgroup::"
+else
+  echo "::error file=$0::MACOS_CERTIFICATE not set. Can not configure keychain."
+  exit 1
+fi
+
+# Sign app bundle
+if [[ -n "$MACOS_CERTIFICATE_NAME" ]]; then
+  echo "::group::Sign app bundle"
+  /usr/bin/codesign --sign="$MACOS_CERTIFICATE_NAME" --entitlements=".ci/macos.entitlements" --options=runtime --force --deep --timestamp --verbose "$APP_BUNDLE_PATH"
+  echo "::endgroup::"
+else
+  echo "::error file=$0::MACOS_CERTIFICATE_NAME not set. Can not sign app bundle."
+  exit 1
+fi
+
+# Notarize app bundle
+if [[ -n "$MACOS_NOTARIZATION_APPLE_ID" ]]; then
+  echo "::group::Notarize app bundle"
+  # Store the notarization credentials so that we can prevent a UI password dialog from blocking the CI
+  xcrun notarytool store-credentials "notarytool-profile" --apple-id "$MACOS_NOTARIZATION_APPLE_ID" --team-id "$MACOS_NOTARIZATION_TEAM_ID" --password "$MACOS_NOTARIZATION_PWD"
+  
+  # We can't notarize an app bundle directly, but we need to compress it as an archive.
+  # Therefore, we create a zip file containing our app bundle, so that we can send it to the notarization service
+  echo ""
+  echo "Creating temp notarization archive..."
+  ditto -c -k --keepParent "$APP_BUNDLE_PATH" "notarization.zip"
+  
+  # Here we send the notarization request to the Apple's Notarization service, waiting for the result.
+  # This typically takes a few seconds inside a CI environment, but it might take more depending on the App characteristics.
+  # Visit the Notarization docs for more information and strategies on how to optimize it if you're curious.
+  echo ""
+  xcrun notarytool submit "notarization.zip" --keychain-profile "notarytool-profile" --wait
+  echo "::endgroup::"
+  
+  echo "::group::Staple app"
+  # Finally, we need to "attach the staple" to our executable, which will allow our app to be
+  # validated by macOS even when an internet connection is not available.
+  echo "Attach staple"
+  xcrun stapler staple "$APP_BUNDLE_PATH"
+  echo "::endgroup::"
+else
+  echo "::error file=$0::MACOS_NOTARIZATION_APPLE_ID not set. Can not notarize app bundle."
+  exit 1
+fi
+
+echo "::group::Cleanup"
+# Cleanup keychain and files to avoid leaking credentials
+echo "Deleting keychain"
+security delete-keychain build.keychain
+rm -f certificate.p12 notarization.zip
+echo "::endgroup::"

.github/workflows/desktop-build.yml

@@ -448,10 +448,6 @@ jobs:
           CMAKE_GENERATOR: ${{ matrix.cmake_generator }}
           CMAKE_GENERATOR_PLATFORM: ${{ matrix.cmake_generator_platform }}
           DEVELOPER_DIR: '/Applications/Xcode_${{ matrix.xcode }}.app/Contents/Developer'
-          MACOS_CERTIFICATE: ${{ secrets.PROD_MACOS_CERTIFICATE }}
-          MACOS_CERTIFICATE_NAME: ${{ secrets.PROD_MACOS_CERTIFICATE_NAME }}
-          MACOS_CERTIFICATE_PWD: ${{ secrets.PROD_MACOS_CERTIFICATE_PWD }}
-          MACOS_CI_KEYCHAIN_PWD: ${{ secrets.PROD_MACOS_CI_KEYCHAIN_PWD }}
           MAKE_PACKAGE: '${{ matrix.make_package }}'
           PACKAGE_SUFFIX: '${{ matrix.package_suffix }}'
           TARGET_MACOS_VERSION: ${{ matrix.override_target }}
@@ -478,50 +474,19 @@ jobs:
           key: ${{ steps.ccache_restore.outputs.cache-primary-key }}
           path: ${{ env.CCACHE_DIR }}
 
-      - name: "[macOS] Sign app bundle"
-        if: matrix.os == 'macOS' && matrix.make_package && needs.configure.outputs.tag != null
-        id: sign_macos
+      - name: "[macOS] Sign & notarize app bundle"
+        # if: matrix.os == 'macOS' && matrix.make_package && needs.configure.outputs.tag != null
+        if: matrix.os == 'macOS'
+        shell: bash
         env:
+          MACOS_CERTIFICATE: ${{ secrets.PROD_MACOS_CERTIFICATE }}
           MACOS_CERTIFICATE_NAME: ${{ secrets.PROD_MACOS_CERTIFICATE_NAME }}
+          MACOS_CERTIFICATE_PWD: ${{ secrets.PROD_MACOS_CERTIFICATE_PWD }}
           MACOS_CI_KEYCHAIN_PWD: ${{ secrets.PROD_MACOS_CI_KEYCHAIN_PWD }}
-        run: |
-          if [[ -n "$MACOS_CERTIFICATE_NAME" ]]
-          then
-            security unlock-keychain -p "$MACOS_CI_KEYCHAIN_PWD" build.keychain
-            /usr/bin/codesign --sign="$MACOS_CERTIFICATE_NAME" --entitlements=".ci/macos.entitlements" --options=runtime --force --deep --timestamp --verbose "${{ steps.build.outputs.path }}"
-          fi
-
-      - name: "[macOS] Notarize app bundle"
-        if: matrix.os == 'macOS' && steps.sign_macos.outcome == 'success'
-        env:
           MACOS_NOTARIZATION_APPLE_ID: ${{ secrets.PROD_MACOS_NOTARIZATION_APPLE_ID }}
           MACOS_NOTARIZATION_PWD: ${{ secrets.PROD_MACOS_NOTARIZATION_PWD }}
           MACOS_NOTARIZATION_TEAM_ID: ${{ secrets.PROD_MACOS_NOTARIZATION_TEAM_ID }}
-        run: |
-          if [[ -n "$MACOS_NOTARIZATION_APPLE_ID" ]]
-          then
-            # Store the notarization credentials so that we can prevent a UI password dialog from blocking the CI
-            echo "Create keychain profile"
-            xcrun notarytool store-credentials "notarytool-profile" --apple-id "$MACOS_NOTARIZATION_APPLE_ID" --team-id "$MACOS_NOTARIZATION_TEAM_ID" --password "$MACOS_NOTARIZATION_PWD"
-
-            # We can't notarize an app bundle directly, but we need to compress it as an archive.
-            # Therefore, we create a zip file containing our app bundle, so that we can send it to the
-            # notarization service
-            echo "Creating temp notarization archive"
-            ditto -c -k --keepParent "${{ steps.build.outputs.path }}" "notarization.zip"
-
-            # Here we send the notarization request to the Apple's Notarization service, waiting for the result.
-            # This typically takes a few seconds inside a CI environment, but it might take more depending on the App
-            # characteristics. Visit the Notarization docs for more information and strategies on how to optimize it if
-            # you're curious
-            echo "Notarize app"
-            xcrun notarytool submit "notarization.zip" --keychain-profile "notarytool-profile" --wait
-
-            # Finally, we need to "attach the staple" to our executable, which will allow our app to be
-            # validated by macOS even when an internet connection is not available.
-            echo "Attach staple"
-            xcrun stapler staple "${{ steps.build.outputs.path }}"
-          fi
+        run: .ci/sign_macos_bundle.sh "${{ steps.build.outputs.path }}"
 
       - name: "Upload artifact"
         if: matrix.make_package