mirror of
https://github.com/Cockatrice/Cockatrice.git
synced 2026-07-08 00:53:57 -07:00
Compare commits
6 commits
cc4f21b369
...
0685e1614f
| Author | SHA1 | Date | |
|---|---|---|---|
|
|
0685e1614f | ||
|
|
2c1f32ba81 | ||
|
|
d35983760b | ||
|
|
2e4030ccca | ||
|
|
a5fe1ebd0a | ||
|
|
9b9aa592c8 |
3 changed files with 99 additions and 57 deletions
|
|
@ -218,21 +218,6 @@ if [[ $RUNNER_OS == macOS ]]; then
|
||||||
echo "::endgroup::"
|
echo "::endgroup::"
|
||||||
fi
|
fi
|
||||||
|
|
||||||
echo "::group::Signing Certificate"
|
|
||||||
if [[ -n "$MACOS_CERTIFICATE_NAME" ]]; then
|
|
||||||
echo "$MACOS_CERTIFICATE" | base64 --decode >"certificate.p12"
|
|
||||||
security create-keychain -p "$MACOS_CI_KEYCHAIN_PWD" build.keychain
|
|
||||||
security default-keychain -s build.keychain
|
|
||||||
security set-keychain-settings -t 3600 -l build.keychain
|
|
||||||
security unlock-keychain -p "$MACOS_CI_KEYCHAIN_PWD" build.keychain
|
|
||||||
security import certificate.p12 -k build.keychain -P "$MACOS_CERTIFICATE_PWD" -T /usr/bin/codesign
|
|
||||||
security set-key-partition-list -S apple-tool:,apple:,codesign: -s -k "$MACOS_CI_KEYCHAIN_PWD" build.keychain
|
|
||||||
echo "macOS signing certificate successfully imported and keychain configured."
|
|
||||||
else
|
|
||||||
echo "No signing certificate configured. Skipping set up of keychain in macOS environment."
|
|
||||||
fi
|
|
||||||
echo "::endgroup::"
|
|
||||||
|
|
||||||
if [[ $MAKE_PACKAGE ]]; then
|
if [[ $MAKE_PACKAGE ]]; then
|
||||||
# Workaround https://github.com/actions/runner-images/issues/7522
|
# Workaround https://github.com/actions/runner-images/issues/7522
|
||||||
# have hdiutil repeat the command 10 times in hope of success
|
# have hdiutil repeat the command 10 times in hope of success
|
||||||
|
|
|
||||||
92
.ci/sign_macos_bundle.sh
Executable file
92
.ci/sign_macos_bundle.sh
Executable file
|
|
@ -0,0 +1,92 @@
|
||||||
|
#!/bin/bash
|
||||||
|
|
||||||
|
# This script is to be used by the ci environment.
|
||||||
|
|
||||||
|
# Signs and notarizes a macOS app bundle
|
||||||
|
# Requires: $1 - path to the app bundle
|
||||||
|
# Environment variables:
|
||||||
|
# - MACOS_CERTIFICATE_NAME: Name of the certificate for signing (optional, skips signing if not set)
|
||||||
|
# - MACOS_CI_KEYCHAIN_PWD: Password for the CI keychain (required if MACOS_CERTIFICATE_NAME is set)
|
||||||
|
# - MACOS_NOTARIZATION_APPLE_ID: Apple ID for notarization (optional, skips notarization if not set)
|
||||||
|
# - MACOS_NOTARIZATION_PWD: Password for notarization (required if MACOS_NOTARIZATION_APPLE_ID is set)
|
||||||
|
# - MACOS_NOTARIZATION_TEAM_ID: Team ID for notarization (required if MACOS_NOTARIZATION_APPLE_ID is set)
|
||||||
|
# exitcode: 1 for failure, 2 for invalid arguments
|
||||||
|
|
||||||
|
set -e
|
||||||
|
|
||||||
|
# Check input arguments
|
||||||
|
if [[ $# -lt 1 ]]; then
|
||||||
|
echo "::error file=$0::No argument passed to the script - provide <path_to_app_bundle>"
|
||||||
|
exit 2
|
||||||
|
fi
|
||||||
|
|
||||||
|
APP_BUNDLE_PATH="$1"
|
||||||
|
|
||||||
|
# Verify that app bundle exists
|
||||||
|
if [[ ! -f "$APP_BUNDLE_PATH" ]]; then
|
||||||
|
echo "::error file=$0::App bundle not found at: $APP_BUNDLE_PATH"
|
||||||
|
exit 1
|
||||||
|
fi
|
||||||
|
|
||||||
|
# Configure keychain
|
||||||
|
if [[ -n "$MACOS_CERTIFICATE" ]]; then
|
||||||
|
echo "::group::Import certificate"
|
||||||
|
echo "$MACOS_CERTIFICATE" | base64 --decode >"certificate.p12"
|
||||||
|
security create-keychain -p "$MACOS_CI_KEYCHAIN_PWD" build.keychain
|
||||||
|
security default-keychain -s build.keychain
|
||||||
|
security set-keychain-settings -t 3600 -l build.keychain
|
||||||
|
security unlock-keychain -p "$MACOS_CI_KEYCHAIN_PWD" build.keychain
|
||||||
|
security import certificate.p12 -k build.keychain -P "$MACOS_CERTIFICATE_PWD" -T /usr/bin/codesign
|
||||||
|
security set-key-partition-list -S apple-tool:,apple:,codesign: -s -k "$MACOS_CI_KEYCHAIN_PWD" build.keychain
|
||||||
|
echo "::endgroup::"
|
||||||
|
else
|
||||||
|
echo "::error file=$0::MACOS_CERTIFICATE not set. Can not configure keychain."
|
||||||
|
exit 1
|
||||||
|
fi
|
||||||
|
|
||||||
|
# Sign app bundle
|
||||||
|
if [[ -n "$MACOS_CERTIFICATE_NAME" ]]; then
|
||||||
|
echo "::group::Sign app bundle"
|
||||||
|
/usr/bin/codesign --sign="$MACOS_CERTIFICATE_NAME" --entitlements=".ci/macos.entitlements" --options=runtime --force --deep --timestamp --verbose "$APP_BUNDLE_PATH"
|
||||||
|
echo "::endgroup::"
|
||||||
|
else
|
||||||
|
echo "::error file=$0::MACOS_CERTIFICATE_NAME not set. Can not sign app bundle."
|
||||||
|
exit 1
|
||||||
|
fi
|
||||||
|
|
||||||
|
# Notarize app bundle
|
||||||
|
if [[ -n "$MACOS_NOTARIZATION_APPLE_ID" ]]; then
|
||||||
|
echo "::group::Notarize app bundle"
|
||||||
|
# Store the notarization credentials so that we can prevent a UI password dialog from blocking the CI
|
||||||
|
xcrun notarytool store-credentials "notarytool-profile" --apple-id "$MACOS_NOTARIZATION_APPLE_ID" --team-id "$MACOS_NOTARIZATION_TEAM_ID" --password "$MACOS_NOTARIZATION_PWD"
|
||||||
|
|
||||||
|
# We can't notarize an app bundle directly, but we need to compress it as an archive.
|
||||||
|
# Therefore, we create a zip file containing our app bundle, so that we can send it to the notarization service
|
||||||
|
echo ""
|
||||||
|
echo "Creating temp notarization archive..."
|
||||||
|
ditto -c -k --keepParent "$APP_BUNDLE_PATH" "notarization.zip"
|
||||||
|
|
||||||
|
# Here we send the notarization request to the Apple's Notarization service, waiting for the result.
|
||||||
|
# This typically takes a few seconds inside a CI environment, but it might take more depending on the App characteristics.
|
||||||
|
# Visit the Notarization docs for more information and strategies on how to optimize it if you're curious.
|
||||||
|
echo ""
|
||||||
|
xcrun notarytool submit "notarization.zip" --keychain-profile "notarytool-profile" --wait
|
||||||
|
echo "::endgroup::"
|
||||||
|
|
||||||
|
echo "::group::Staple app"
|
||||||
|
# Finally, we need to "attach the staple" to our executable, which will allow our app to be
|
||||||
|
# validated by macOS even when an internet connection is not available.
|
||||||
|
echo "Attach staple"
|
||||||
|
xcrun stapler staple "$APP_BUNDLE_PATH"
|
||||||
|
echo "::endgroup::"
|
||||||
|
else
|
||||||
|
echo "::error file=$0::MACOS_NOTARIZATION_APPLE_ID not set. Can not notarize app bundle."
|
||||||
|
exit 1
|
||||||
|
fi
|
||||||
|
|
||||||
|
echo "::group::Cleanup"
|
||||||
|
# Cleanup keychain and files to avoid leaking credentials
|
||||||
|
echo "Deleting keychain"
|
||||||
|
security delete-keychain build.keychain
|
||||||
|
rm -f certificate.p12 notarization.zip
|
||||||
|
echo "::endgroup::"
|
||||||
49
.github/workflows/desktop-build.yml
vendored
49
.github/workflows/desktop-build.yml
vendored
|
|
@ -448,10 +448,6 @@ jobs:
|
||||||
CMAKE_GENERATOR: ${{ matrix.cmake_generator }}
|
CMAKE_GENERATOR: ${{ matrix.cmake_generator }}
|
||||||
CMAKE_GENERATOR_PLATFORM: ${{ matrix.cmake_generator_platform }}
|
CMAKE_GENERATOR_PLATFORM: ${{ matrix.cmake_generator_platform }}
|
||||||
DEVELOPER_DIR: '/Applications/Xcode_${{ matrix.xcode }}.app/Contents/Developer'
|
DEVELOPER_DIR: '/Applications/Xcode_${{ matrix.xcode }}.app/Contents/Developer'
|
||||||
MACOS_CERTIFICATE: ${{ secrets.PROD_MACOS_CERTIFICATE }}
|
|
||||||
MACOS_CERTIFICATE_NAME: ${{ secrets.PROD_MACOS_CERTIFICATE_NAME }}
|
|
||||||
MACOS_CERTIFICATE_PWD: ${{ secrets.PROD_MACOS_CERTIFICATE_PWD }}
|
|
||||||
MACOS_CI_KEYCHAIN_PWD: ${{ secrets.PROD_MACOS_CI_KEYCHAIN_PWD }}
|
|
||||||
MAKE_PACKAGE: '${{ matrix.make_package }}'
|
MAKE_PACKAGE: '${{ matrix.make_package }}'
|
||||||
PACKAGE_SUFFIX: '${{ matrix.package_suffix }}'
|
PACKAGE_SUFFIX: '${{ matrix.package_suffix }}'
|
||||||
TARGET_MACOS_VERSION: ${{ matrix.override_target }}
|
TARGET_MACOS_VERSION: ${{ matrix.override_target }}
|
||||||
|
|
@ -478,50 +474,19 @@ jobs:
|
||||||
key: ${{ steps.ccache_restore.outputs.cache-primary-key }}
|
key: ${{ steps.ccache_restore.outputs.cache-primary-key }}
|
||||||
path: ${{ env.CCACHE_DIR }}
|
path: ${{ env.CCACHE_DIR }}
|
||||||
|
|
||||||
- name: "[macOS] Sign app bundle"
|
- name: "[macOS] Sign & notarize app bundle"
|
||||||
if: matrix.os == 'macOS' && matrix.make_package && needs.configure.outputs.tag != null
|
# if: matrix.os == 'macOS' && matrix.make_package && needs.configure.outputs.tag != null
|
||||||
id: sign_macos
|
if: matrix.os == 'macOS'
|
||||||
|
shell: bash
|
||||||
env:
|
env:
|
||||||
|
MACOS_CERTIFICATE: ${{ secrets.PROD_MACOS_CERTIFICATE }}
|
||||||
MACOS_CERTIFICATE_NAME: ${{ secrets.PROD_MACOS_CERTIFICATE_NAME }}
|
MACOS_CERTIFICATE_NAME: ${{ secrets.PROD_MACOS_CERTIFICATE_NAME }}
|
||||||
|
MACOS_CERTIFICATE_PWD: ${{ secrets.PROD_MACOS_CERTIFICATE_PWD }}
|
||||||
MACOS_CI_KEYCHAIN_PWD: ${{ secrets.PROD_MACOS_CI_KEYCHAIN_PWD }}
|
MACOS_CI_KEYCHAIN_PWD: ${{ secrets.PROD_MACOS_CI_KEYCHAIN_PWD }}
|
||||||
run: |
|
|
||||||
if [[ -n "$MACOS_CERTIFICATE_NAME" ]]
|
|
||||||
then
|
|
||||||
security unlock-keychain -p "$MACOS_CI_KEYCHAIN_PWD" build.keychain
|
|
||||||
/usr/bin/codesign --sign="$MACOS_CERTIFICATE_NAME" --entitlements=".ci/macos.entitlements" --options=runtime --force --deep --timestamp --verbose "${{ steps.build.outputs.path }}"
|
|
||||||
fi
|
|
||||||
|
|
||||||
- name: "[macOS] Notarize app bundle"
|
|
||||||
if: matrix.os == 'macOS' && steps.sign_macos.outcome == 'success'
|
|
||||||
env:
|
|
||||||
MACOS_NOTARIZATION_APPLE_ID: ${{ secrets.PROD_MACOS_NOTARIZATION_APPLE_ID }}
|
MACOS_NOTARIZATION_APPLE_ID: ${{ secrets.PROD_MACOS_NOTARIZATION_APPLE_ID }}
|
||||||
MACOS_NOTARIZATION_PWD: ${{ secrets.PROD_MACOS_NOTARIZATION_PWD }}
|
MACOS_NOTARIZATION_PWD: ${{ secrets.PROD_MACOS_NOTARIZATION_PWD }}
|
||||||
MACOS_NOTARIZATION_TEAM_ID: ${{ secrets.PROD_MACOS_NOTARIZATION_TEAM_ID }}
|
MACOS_NOTARIZATION_TEAM_ID: ${{ secrets.PROD_MACOS_NOTARIZATION_TEAM_ID }}
|
||||||
run: |
|
run: .ci/sign_macos_bundle.sh "${{ steps.build.outputs.path }}"
|
||||||
if [[ -n "$MACOS_NOTARIZATION_APPLE_ID" ]]
|
|
||||||
then
|
|
||||||
# Store the notarization credentials so that we can prevent a UI password dialog from blocking the CI
|
|
||||||
echo "Create keychain profile"
|
|
||||||
xcrun notarytool store-credentials "notarytool-profile" --apple-id "$MACOS_NOTARIZATION_APPLE_ID" --team-id "$MACOS_NOTARIZATION_TEAM_ID" --password "$MACOS_NOTARIZATION_PWD"
|
|
||||||
|
|
||||||
# We can't notarize an app bundle directly, but we need to compress it as an archive.
|
|
||||||
# Therefore, we create a zip file containing our app bundle, so that we can send it to the
|
|
||||||
# notarization service
|
|
||||||
echo "Creating temp notarization archive"
|
|
||||||
ditto -c -k --keepParent "${{ steps.build.outputs.path }}" "notarization.zip"
|
|
||||||
|
|
||||||
# Here we send the notarization request to the Apple's Notarization service, waiting for the result.
|
|
||||||
# This typically takes a few seconds inside a CI environment, but it might take more depending on the App
|
|
||||||
# characteristics. Visit the Notarization docs for more information and strategies on how to optimize it if
|
|
||||||
# you're curious
|
|
||||||
echo "Notarize app"
|
|
||||||
xcrun notarytool submit "notarization.zip" --keychain-profile "notarytool-profile" --wait
|
|
||||||
|
|
||||||
# Finally, we need to "attach the staple" to our executable, which will allow our app to be
|
|
||||||
# validated by macOS even when an internet connection is not available.
|
|
||||||
echo "Attach staple"
|
|
||||||
xcrun stapler staple "${{ steps.build.outputs.path }}"
|
|
||||||
fi
|
|
||||||
|
|
||||||
- name: "Upload artifact"
|
- name: "Upload artifact"
|
||||||
if: matrix.make_package
|
if: matrix.make_package
|
||||||
|
|
|
||||||
Loading…
Add table
Add a link
Reference in a new issue