mirror of
https://github.com/Cockatrice/Cockatrice.git
synced 2026-01-03 16:47:53 -08:00
move signing mac apps to own script (#5999)
This commit is contained in:
tooomm
@@ -128,30 +128,13 @@ function ccachestatsverbose() {
|
||||
}
|
||||
|
||||
# Compile
|
||||
if [[ $RUNNER_OS == macOS ]]; then
|
||||
echo "::group::Signing Certificate"
|
||||
if [[ -n "$MACOS_CERTIFICATE_NAME" ]]; then
|
||||
echo $MACOS_CERTIFICATE | base64 --decode > certificate.p12
|
||||
security create-keychain -p "$MACOS_CI_KEYCHAIN_PWD" build.keychain
|
||||
security default-keychain -s build.keychain
|
||||
security set-keychain-settings -t 3600 -l build.keychain
|
||||
security unlock-keychain -p "$MACOS_CI_KEYCHAIN_PWD" build.keychain
|
||||
security import certificate.p12 -k build.keychain -P "$MACOS_CERTIFICATE_PWD" -T /usr/bin/codesign
|
||||
security set-key-partition-list -S apple-tool:,apple:,codesign: -s -k "$MACOS_CI_KEYCHAIN_PWD" build.keychain
|
||||
echo "macOS signing certificate successfully imported and keychain configured."
|
||||
else
|
||||
echo "No signing certificate configured. Skipping set up of keychain in macOS environment."
|
||||
fi
|
||||
echo "::endgroup::"
|
||||
fi
|
||||
|
||||
if [[ $USE_CCACHE ]]; then
|
||||
echo "::group::Show ccache stats"
|
||||
echo "::group::Show ccache stats (before)"
|
||||
ccachestatsverbose
|
||||
echo "::endgroup::"
|
||||
fi
|
||||
|
||||
echo "::group::Configure cmake"
|
||||
echo "::group::Configure CMake"
|
||||
cmake --version
|
||||
cmake .. "${flags[@]}"
|
||||
echo "::endgroup::"
|
||||
@@ -167,7 +150,7 @@ fi
|
||||
echo "::endgroup::"
|
||||
|
||||
if [[ $USE_CCACHE ]]; then
|
||||
echo "::group::Show ccache stats again"
|
||||
echo "::group::Show ccache stats (after)"
|
||||
ccachestatsverbose
|
||||
echo "::endgroup::"
|
||||
fi
|
||||
|
||||
80
.ci/sign_macos.sh
Normal file
80
.ci/sign_macos.sh
Normal file
@@ -0,0 +1,80 @@
|
||||
#!/bin/bash
|
||||
|
||||
# Used by CI to sign, noratize and staple build artifacts under macOS
|
||||
|
||||
set -e
|
||||
|
||||
APP_PATH="$1"
|
||||
|
||||
if [[ -z "$APP_PATH" ]]; then
|
||||
echo "Error: No input path supplied. Usage: $0 <path-to-app-bundle>"
|
||||
exit 1
|
||||
fi
|
||||
|
||||
if [[ ! -e "$APP_PATH" ]]; then
|
||||
echo "Error: Input path '$APP_PATH' does not exist."
|
||||
exit 1
|
||||
fi
|
||||
|
||||
echo "::group::Set up certificate"
|
||||
if [[ -n "$MACOS_CERTIFICATE_NAME" ]]; then
|
||||
echo $MACOS_CERTIFICATE | base64 --decode > certificate.p12
|
||||
security create-keychain -p "$MACOS_CI_KEYCHAIN_PWD" build.keychain
|
||||
security default-keychain -s build.keychain
|
||||
security set-keychain-settings -t 3600 -l build.keychain
|
||||
security unlock-keychain -p "$MACOS_CI_KEYCHAIN_PWD" build.keychain
|
||||
security import certificate.p12 -k build.keychain -P "$MACOS_CERTIFICATE_PWD" -T /usr/bin/codesign
|
||||
security set-key-partition-list -S apple-tool:,apple:,codesign: -s -k "$MACOS_CI_KEYCHAIN_PWD" build.keychain
|
||||
else
|
||||
echo "No signing certificate configured."
|
||||
fi
|
||||
echo "::endgroup::"
|
||||
|
||||
echo "::group::Sign app"
|
||||
if [[ -n "$MACOS_CERTIFICATE_NAME" ]]; then
|
||||
security unlock-keychain -p "$MACOS_CI_KEYCHAIN_PWD" build.keychain
|
||||
/usr/bin/codesign --sign="$MACOS_CERTIFICATE_NAME" --entitlements=".ci/macos.entitlements" --options=runtime --force --deep --timestamp --verbose "$APP_PATH"
|
||||
else
|
||||
echo "No signing certificate configured."
|
||||
fi
|
||||
echo "::endgroup::"
|
||||
|
||||
echo "::group::Notarize app"
|
||||
if [[ -n "$MACOS_NOTARIZATION_APPLE_ID" ]]; then
|
||||
# Store the notarization credentials so that we can prevent a UI password dialog from blocking the CI
|
||||
xcrun notarytool store-credentials "notarytool-profile" --apple-id "$MACOS_NOTARIZATION_APPLE_ID" --team-id "$MACOS_NOTARIZATION_TEAM_ID" --password "$MACOS_NOTARIZATION_PWD"
|
||||
echo ""
|
||||
|
||||
# We can't notarize an app bundle directly, but we need to compress it as an archive.
|
||||
# Therefore, we create a zip file containing our app bundle, so that we can send it to the
|
||||
# notarization service
|
||||
echo "Creating temp notarization archive"
|
||||
ditto -c -k --keepParent "$APP_PATH" "notarization.zip"
|
||||
echo ""
|
||||
|
||||
# Here we send the notarization request to the Apple's Notarization service, waiting for the result.
|
||||
# This typically takes a few seconds inside a CI environment, but it might take more depending on the App
|
||||
# characteristics. Visit the Notarization docs for more information and strategies on how to optimize it if
|
||||
# you're curious
|
||||
xcrun notarytool submit "notarization.zip" --keychain-profile "notarytool-profile" --wait
|
||||
else
|
||||
echo "No Apple ID configured."
|
||||
fi
|
||||
echo "::endgroup::"
|
||||
|
||||
echo "::group::Staple app"
|
||||
if [[ -n "$MACOS_NOTARIZATION_APPLE_ID" ]]; then
|
||||
# Finally, we need to "attach the staple" to our executable, which will allow our app to be
|
||||
# validated by macOS even when an internet connection is not available.
|
||||
xcrun stapler staple "$APP_PATH"
|
||||
else
|
||||
echo "No Apple ID configured."
|
||||
fi
|
||||
echo "::endgroup::"
|
||||
|
||||
echo "::group::Cleanup"
|
||||
# Cleanup keychain and files to avoid leaking credentials
|
||||
echo "Deleting keychain"
|
||||
security delete-keychain build.keychain
|
||||
rm -f certificate.p12 notarization.zip
|
||||
echo "::endgroup::"
|
||||
Reference in New Issue
Block a user