From 6b44b9ae1eb5e60b7380ad0daf8d00a9fd895e51 Mon Sep 17 00:00:00 2001 From: RickyRister <42636155+RickyRister@users.noreply.github.com> Date: Sun, 29 Jun 2025 18:49:47 -0700 Subject: [PATCH] Revert changes related to #5999 to unbreak CI (#6011) * Revert "Attempt to fix Sign MacOS Pt1" This reverts commit 208f8349a652173c9153bb5ca4320c53c218178d. * Revert "fetch logs on error (#6003)" This reverts commit 32e71b038682b5d7805e35650ab851a86ca1f7ac. * Revert "Fix Build Attest pt3" This reverts commit 1c687e7a453fe8c30d7ff55f3e2502837ebf97e6. * Revert "Fix Build Attest pt2" This reverts commit 53ed02866330fc844fb54212e7b767899758f94d. * Revert "Fix Build Attest" This reverts commit 2a4ebe1b3e5bad804c86b79070499f0a9a901ea6. * Revert "Add write permissions for `contents` (#6002)" This reverts commit df863355b7e86570e5a5868f8edf2d5627b7be49. * Revert "make script executable (#6000)" This reverts commit b69091a51a5506e15668931af991bc4c8e15973a. * Revert "move signing mac apps to own script (#5999)" This reverts commit 0fe30ebe49a4c9b5df208a8c64cf2a1a728da515. --- .ci/compile.sh | 23 ++++++- .ci/sign_macos.sh | 95 ----------------------------- .github/workflows/desktop-build.yml | 47 ++++++++++++-- 3 files changed, 62 insertions(+), 103 deletions(-) delete mode 100755 .ci/sign_macos.sh diff --git a/.ci/compile.sh b/.ci/compile.sh index bb7eb263d..ffe733c72 100755 --- a/.ci/compile.sh +++ b/.ci/compile.sh @@ -128,13 +128,30 @@ function ccachestatsverbose() { } # Compile +if [[ $RUNNER_OS == macOS ]]; then + echo "::group::Signing Certificate" + if [[ -n "$MACOS_CERTIFICATE_NAME" ]]; then + echo $MACOS_CERTIFICATE | base64 --decode > certificate.p12 + security create-keychain -p "$MACOS_CI_KEYCHAIN_PWD" build.keychain + security default-keychain -s build.keychain + security set-keychain-settings -t 3600 -l build.keychain + security unlock-keychain -p "$MACOS_CI_KEYCHAIN_PWD" build.keychain + security import certificate.p12 -k build.keychain -P "$MACOS_CERTIFICATE_PWD" -T /usr/bin/codesign + security set-key-partition-list -S apple-tool:,apple:,codesign: -s -k "$MACOS_CI_KEYCHAIN_PWD" build.keychain + echo "macOS signing certificate successfully imported and keychain configured." + else + echo "No signing certificate configured. Skipping set up of keychain in macOS environment." + fi + echo "::endgroup::" +fi + if [[ $USE_CCACHE ]]; then - echo "::group::Show ccache stats (before)" + echo "::group::Show ccache stats" ccachestatsverbose echo "::endgroup::" fi -echo "::group::Configure CMake" +echo "::group::Configure cmake" cmake --version cmake .. "${flags[@]}" echo "::endgroup::" @@ -150,7 +167,7 @@ fi echo "::endgroup::" if [[ $USE_CCACHE ]]; then - echo "::group::Show ccache stats (after)" + echo "::group::Show ccache stats again" ccachestatsverbose echo "::endgroup::" fi diff --git a/.ci/sign_macos.sh b/.ci/sign_macos.sh deleted file mode 100755 index 3eefd3807..000000000 --- a/.ci/sign_macos.sh +++ /dev/null @@ -1,95 +0,0 @@ -#!/bin/bash - -# Used by CI to sign, noratize and staple build artifacts under macOS - -set -e - -APP_PATH="$1" - -if [[ -z "$APP_PATH" ]]; then - echo "Error: No input path supplied. Usage: $0 " - exit 1 -fi - -if [[ ! -e "$APP_PATH" ]]; then - echo "Error: Input path '$APP_PATH' does not exist." - exit 1 -fi - -echo "::group::Set up certificate" -if [[ -n "$MACOS_CERTIFICATE_NAME" ]]; then - echo $MACOS_CERTIFICATE | base64 --decode > certificate.p12 - security create-keychain -p "$MACOS_CI_KEYCHAIN_PWD" build.keychain - security default-keychain -s build.keychain - security set-keychain-settings -t 3600 -l build.keychain - security unlock-keychain -p "$MACOS_CI_KEYCHAIN_PWD" build.keychain - security import certificate.p12 -k build.keychain -P "$MACOS_CERTIFICATE_PWD" -T /usr/bin/codesign - security set-key-partition-list -S apple-tool:,apple:,codesign: -s -k "$MACOS_CI_KEYCHAIN_PWD" build.keychain -else - echo "No signing certificate configured." -fi -echo "::endgroup::" - -echo "::group::Sign app" -if [[ -n "$MACOS_CERTIFICATE_NAME" ]]; then - security unlock-keychain -p "$MACOS_CI_KEYCHAIN_PWD" build.keychain - /usr/bin/codesign --sign="$MACOS_CERTIFICATE_NAME" --entitlements=".ci/macos.entitlements" --options=runtime --force --deep --timestamp --verbose=3 "$APP_PATH" -else - echo "No signing certificate configured." -fi -echo "::endgroup::" - -echo "::group::Notarize app" -if [[ -n "$MACOS_NOTARIZATION_APPLE_ID" ]]; then - # Store the notarization credentials so that we can prevent a UI password dialog from blocking the CI - xcrun notarytool store-credentials "notarytool-profile" --apple-id "$MACOS_NOTARIZATION_APPLE_ID" --team-id "$MACOS_NOTARIZATION_TEAM_ID" --password "$MACOS_NOTARIZATION_PWD" - echo "" - - # We can't notarize an app bundle directly, but we need to compress it as an archive. - # Therefore, we create a zip file containing our app bundle, so that we can send it to the - # notarization service - echo "Creating temp notarization archive" - ditto -c -k --keepParent "$APP_PATH" "notarization.zip" - echo "" - - # Here we send the notarization request to the Apple's Notarization service, waiting for the result. - # This typically takes a few seconds inside a CI environment, but it might take more depending on the App - # characteristics. Visit the Notarization docs for more information and strategies on how to optimize it if - # you're curious - # Submit for notarization and capture output - NOTARY_OUTPUT=$(xcrun notarytool submit "notarization.zip" --keychain-profile "notarytool-profile" --wait --output-format json) - - # Parse the submission ID from the JSON output - SUBMISSION_ID=$(echo "$NOTARY_OUTPUT" | jq -r '.id') - - # Parse the status field in the JSON - STATUS=$(echo "$NOTARY_OUTPUT" | jq -r '.status') - - if [[ "$STATUS" != "Accepted" ]]; then - echo "Notarization failed (status: $STATUS). Fetching detailed log..." - # Fetch and print the notarization log - xcrun notarytool log "$SUBMISSION_ID" --keychain-profile "notarytool-profile" - exit 1 - fi - -else - echo "No Apple ID configured." -fi -echo "::endgroup::" - -echo "::group::Staple app" -if [[ -n "$MACOS_NOTARIZATION_APPLE_ID" ]]; then - # Finally, we need to "attach the staple" to our executable, which will allow our app to be - # validated by macOS even when an internet connection is not available. - xcrun stapler staple "$APP_PATH" -else - echo "No Apple ID configured." -fi -echo "::endgroup::" - -echo "::group::Cleanup" -# Cleanup keychain and files to avoid leaking credentials -echo "Deleting keychain" -security delete-keychain build.keychain -rm -f certificate.p12 notarization.zip -echo "::endgroup::" diff --git a/.github/workflows/desktop-build.yml b/.github/workflows/desktop-build.yml index 55a706b41..4d97b0557 100644 --- a/.github/workflows/desktop-build.yml +++ b/.github/workflows/desktop-build.yml @@ -1,7 +1,6 @@ name: Build Desktop permissions: - contents: write id-token: write attestations: write @@ -210,6 +209,7 @@ jobs: if: steps.upload_release.outcome == 'success' uses: actions/attest-build-provenance@v2 with: + subject-path: ${{steps.build.outputs.path}} subject-name: ${{steps.build.outputs.name}} subject-digest: sha256:${{ steps.upload_artifact.outputs.artifact-digest }} @@ -292,6 +292,10 @@ jobs: BUILDTYPE: '${{matrix.type}}' MAKE_PACKAGE: '${{matrix.make_package}}' PACKAGE_SUFFIX: '-macOS${{matrix.target}}_${{matrix.soc}}' + MACOS_CERTIFICATE: ${{ secrets.PROD_MACOS_CERTIFICATE }} + MACOS_CERTIFICATE_PWD: ${{ secrets.PROD_MACOS_CERTIFICATE_PWD }} + MACOS_CERTIFICATE_NAME: ${{ secrets.PROD_MACOS_CERTIFICATE_NAME }} + MACOS_CI_KEYCHAIN_PWD: ${{ secrets.PROD_MACOS_CI_KEYCHAIN_PWD }} CMAKE_GENERATOR: '${{env.CMAKE_GENERATOR}}' run: .ci/compile.sh --server --test --ccache "$CCACHE_SIZE" @@ -304,16 +308,47 @@ jobs: - name: Sign app bundle if: matrix.make_package && (github.ref == 'refs/heads/master' || needs.configure.outputs.tag != null) - shell: bash env: MACOS_CERTIFICATE_NAME: ${{ secrets.PROD_MACOS_CERTIFICATE_NAME }} - MACOS_CERTIFICATE: ${{ secrets.PROD_MACOS_CERTIFICATE }} - MACOS_CERTIFICATE_PWD: ${{ secrets.PROD_MACOS_CERTIFICATE_PWD }} MACOS_CI_KEYCHAIN_PWD: ${{ secrets.PROD_MACOS_CI_KEYCHAIN_PWD }} + run: | + if [[ -n "$MACOS_CERTIFICATE_NAME" ]] + then + security unlock-keychain -p "$MACOS_CI_KEYCHAIN_PWD" build.keychain + /usr/bin/codesign --sign="$MACOS_CERTIFICATE_NAME" --entitlements=".ci/macos.entitlements" --options=runtime --force --deep --timestamp --verbose ${{steps.build.outputs.path}} + fi + + - name: Notarize app bundle + if: matrix.make_package && (github.ref == 'refs/heads/master' || needs.configure.outputs.tag != null) + env: MACOS_NOTARIZATION_APPLE_ID: ${{ secrets.PROD_MACOS_NOTARIZATION_APPLE_ID }} MACOS_NOTARIZATION_TEAM_ID: ${{ secrets.PROD_MACOS_NOTARIZATION_TEAM_ID }} MACOS_NOTARIZATION_PWD: ${{ secrets.PROD_MACOS_NOTARIZATION_PWD }} - run: .ci/sign_macos.sh ${{steps.build.outputs.path}} + run: | + if [[ -n "$MACOS_NOTARIZATION_APPLE_ID" ]] + then + # Store the notarization credentials so that we can prevent a UI password dialog from blocking the CI + echo "Create keychain profile" + xcrun notarytool store-credentials "notarytool-profile" --apple-id "$MACOS_NOTARIZATION_APPLE_ID" --team-id "$MACOS_NOTARIZATION_TEAM_ID" --password "$MACOS_NOTARIZATION_PWD" + + # We can't notarize an app bundle directly, but we need to compress it as an archive. + # Therefore, we create a zip file containing our app bundle, so that we can send it to the + # notarization service + echo "Creating temp notarization archive" + ditto -c -k --keepParent ${{steps.build.outputs.path}} "notarization.zip" + + # Here we send the notarization request to the Apple's Notarization service, waiting for the result. + # This typically takes a few seconds inside a CI environment, but it might take more depending on the App + # characteristics. Visit the Notarization docs for more information and strategies on how to optimize it if + # you're curious + echo "Notarize app" + xcrun notarytool submit "notarization.zip" --keychain-profile "notarytool-profile" --wait + + # Finally, we need to "attach the staple" to our executable, which will allow our app to be + # validated by macOS even when an internet connection is not available. + echo "Attach staple" + xcrun stapler staple ${{steps.build.outputs.path}} + fi - name: Upload artifact id: upload_artifact @@ -340,6 +375,7 @@ jobs: if: steps.upload_release.outcome == 'success' uses: actions/attest-build-provenance@v2 with: + subject-path: ${{steps.build.outputs.path}} subject-name: ${{steps.build.outputs.name}} subject-digest: sha256:${{ steps.upload_artifact.outputs.artifact-digest }} @@ -443,6 +479,7 @@ jobs: if: steps.upload_release.outcome == 'success' uses: actions/attest-build-provenance@v2 with: + subject-path: ${{steps.build.outputs.path}} subject-name: ${{steps.build.outputs.name}} subject-digest: sha256:${{ steps.upload_artifact.outputs.artifact-digest }}