gitea-mirror/Cockatrice
1
0
Fork 0
mirror of https://github.com/Cockatrice/Cockatrice.git synced 2025-12-15 17:10:45 -08:00
Code Issues Packages Projects Releases Wiki Activity
Files
0fe30ebe49a4c9b5df208a8c64cf2a1a728da515
Cockatrice/.ci/sign_macos.sh
tooomm 0fe30ebe49 move signing mac apps to own script (#5999)
2025-06-22 16:21:33 -04:00

81 lines
3.0 KiB
Bash
Raw Blame History

#!/bin/bash
# Used by CI to sign, noratize and staple build artifacts under macOS
set -e
APP_PATH="$1"
if [[ -z "$APP_PATH" ]]; then
echo "Error: No input path supplied. Usage: $0 <path-to-app-bundle>"
exit 1
fi
if [[ ! -e "$APP_PATH" ]]; then
echo "Error: Input path '$APP_PATH' does not exist."
exit 1
fi
echo "::group::Set up certificate"
if [[ -n "$MACOS_CERTIFICATE_NAME" ]]; then
echo $MACOS_CERTIFICATE | base64 --decode > certificate.p12
security create-keychain -p "$MACOS_CI_KEYCHAIN_PWD" build.keychain
security default-keychain -s build.keychain
security set-keychain-settings -t 3600 -l build.keychain
security unlock-keychain -p "$MACOS_CI_KEYCHAIN_PWD" build.keychain
security import certificate.p12 -k build.keychain -P "$MACOS_CERTIFICATE_PWD" -T /usr/bin/codesign
security set-key-partition-list -S apple-tool:,apple:,codesign: -s -k "$MACOS_CI_KEYCHAIN_PWD" build.keychain
else
echo "No signing certificate configured."
fi
echo "::endgroup::"
echo "::group::Sign app"
if [[ -n "$MACOS_CERTIFICATE_NAME" ]]; then
security unlock-keychain -p "$MACOS_CI_KEYCHAIN_PWD" build.keychain
/usr/bin/codesign --sign="$MACOS_CERTIFICATE_NAME" --entitlements=".ci/macos.entitlements" --options=runtime --force --deep --timestamp --verbose "$APP_PATH"
else
echo "No signing certificate configured."
fi
echo "::endgroup::"
echo "::group::Notarize app"
if [[ -n "$MACOS_NOTARIZATION_APPLE_ID" ]]; then
# Store the notarization credentials so that we can prevent a UI password dialog from blocking the CI
xcrun notarytool store-credentials "notarytool-profile" --apple-id "$MACOS_NOTARIZATION_APPLE_ID" --team-id "$MACOS_NOTARIZATION_TEAM_ID" --password "$MACOS_NOTARIZATION_PWD"
echo ""
# We can't notarize an app bundle directly, but we need to compress it as an archive.
# Therefore, we create a zip file containing our app bundle, so that we can send it to the
# notarization service
echo "Creating temp notarization archive"
ditto -c -k --keepParent "$APP_PATH" "notarization.zip"
echo ""
# Here we send the notarization request to the Apple's Notarization service, waiting for the result.
# This typically takes a few seconds inside a CI environment, but it might take more depending on the App
# characteristics. Visit the Notarization docs for more information and strategies on how to optimize it if
# you're curious
xcrun notarytool submit "notarization.zip" --keychain-profile "notarytool-profile" --wait
else
echo "No Apple ID configured."
fi
echo "::endgroup::"
echo "::group::Staple app"
if [[ -n "$MACOS_NOTARIZATION_APPLE_ID" ]]; then
# Finally, we need to "attach the staple" to our executable, which will allow our app to be
# validated by macOS even when an internet connection is not available.
xcrun stapler staple "$APP_PATH"
else
echo "No Apple ID configured."
fi
echo "::endgroup::"
echo "::group::Cleanup"
# Cleanup keychain and files to avoid leaking credentials
echo "Deleting keychain"
security delete-keychain build.keychain
rm -f certificate.p12 notarization.zip
echo "::endgroup::"
Reference in New Issue View Git Blame Copy Permalink