From 0cae73fa86e90a26858df1094e93b8cc45b625d5 Mon Sep 17 00:00:00 2001
From: FriwiDev
Date: Tue, 1 Nov 2022 04:25:27 +0100
Subject: [PATCH] Switch macos builds from altool to notarytool

---
 .github/workflows/build-all.yml | 4 +-
 .github/workflows/build-macosx-amd64.yml | 2 +-
 .github/workflows/build-macosx-arm64.yml | 2 +-
 compile_macosx.sh | 7 +--
 macosx_codesign.sh | 19 ++++----
 macosx_notarize.sh | 55 +++++-------------------
 6 files changed, 28 insertions(+), 61 deletions(-)

diff --git a/.github/workflows/build-all.yml b/.github/workflows/build-all.yml
index 7ee42e1..743108a 100644
--- a/.github/workflows/build-all.yml
+++ b/.github/workflows/build-all.yml
@@ -222,7 +222,7 @@ jobs:
 name: Build
 run: |
 chmod +x compile_macosx.sh
- ./compile_macosx.sh amd64 Release ${{ github.event.inputs.repo }} ${{ github.event.inputs.ref }} "${{ secrets.APPLE_BUILD_CERTIFICATE_NAME }}" ${{ secrets.APPLE_TEAM_NAME }} ${{ secrets.APPLE_API_KEY_NAME }} ${{ secrets.APPLE_API_KEY_ISSUER }}
+ ./compile_macosx.sh amd64 Release ${{ github.event.inputs.repo }} ${{ github.event.inputs.ref }} "${{ secrets.APPLE_BUILD_CERTIFICATE_NAME }}" ${{ secrets.APPLE_TEAM_NAME }} ${{ secrets.APPLE_API_KEY_ID }} "${HOME}/private_keys/AuthKey_${{ secrets.APPLE_API_KEY_NAME }}.p8" ${{ secrets.APPLE_API_KEY_ISSUER }}
 - name: Clean up keychain
 if: ${{ always() }}
 run: |
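Review bot: The rewritten command still expands `${{ github.event.inputs.repo }}` and `${{ github.event.inputs.ref }}` directly into the `run:` shell text, unquoted, so a dispatch input containing shell metacharacters is interpreted by the shell instead of being handed to compile_macosx.sh as an argument; the same pattern is in the other three workflow hunks of this commit (build-all.yml at line 287, build-macosx-amd64.yml and build-macosx-arm64.yml). These are workflow_dispatch inputs, so only someone allowed to trigger the workflow can supply them, but the step runs with the signing keychain and the `.p8` key under `${HOME}/private_keys` available, which is why it is worth closing. Pass the inputs and secrets through `env:` (e.g. `REPO: ${{ github.event.inputs.repo }}`) and reference them as quoted shell variables, `./compile_macosx.sh amd64 Release "$REPO" "$REF" "$APPLE_BUILD_CERTIFICATE_NAME" "$APPLE_TEAM_NAME" "$APPLE_API_KEY_ID" "${HOME}/private_keys/AuthKey_${APPLE_API_KEY_NAME}.p8" "$APPLE_API_KEY_ISSUER"`, which also quotes the team name, key id and issuer that are currently bare. The step that writes that `.p8` file is outside this hunk, so whether its path matches cannot be checked here.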
@@ -287,7 +287,7 @@ jobs:
 name: Build
 run: |
 chmod +x compile_macosx.sh
- ./compile_macosx.sh arm64 Release ${{ github.event.inputs.repo }} ${{ github.event.inputs.ref }} "${{ secrets.APPLE_BUILD_CERTIFICATE_NAME }}" ${{ secrets.APPLE_TEAM_NAME }} ${{ secrets.APPLE_API_KEY_NAME }} ${{ secrets.APPLE_API_KEY_ISSUER }}
+ ./compile_macosx.sh arm64 Release ${{ github.event.inputs.repo }} ${{ github.event.inputs.ref }} "${{ secrets.APPLE_BUILD_CERTIFICATE_NAME }}" ${{ secrets.APPLE_TEAM_NAME }} ${{ secrets.APPLE_API_KEY_ID }} "${HOME}/private_keys/AuthKey_${{ secrets.APPLE_API_KEY_NAME }}.p8" ${{ secrets.APPLE_API_KEY_ISSUER }}
 - name: Clean up keychain
 if: ${{ always() }}
 run: |
diff --git a/.github/workflows/build-macosx-amd64.yml b/.github/workflows/build-macosx-amd64.yml
index ef85381..6177db0 100644
--- a/.github/workflows/build-macosx-amd64.yml
+++ b/.github/workflows/build-macosx-amd64.yml
@@ -58,7 +58,7 @@ jobs:
 name: Build
 run: |
 chmod +x compile_macosx.sh
- ./compile_macosx.sh amd64 Release ${{ github.event.inputs.repo }} ${{ github.event.inputs.ref }} "${{ secrets.APPLE_BUILD_CERTIFICATE_NAME }}" ${{ secrets.APPLE_TEAM_NAME }} ${{ secrets.APPLE_API_KEY_NAME }} ${{ secrets.APPLE_API_KEY_ISSUER }}
+ ./compile_macosx.sh amd64 Release ${{ github.event.inputs.repo }} ${{ github.event.inputs.ref }} "${{ secrets.APPLE_BUILD_CERTIFICATE_NAME }}" ${{ secrets.APPLE_TEAM_NAME }} ${{ secrets.APPLE_API_KEY_ID }} "${HOME}/private_keys/AuthKey_${{ secrets.APPLE_API_KEY_NAME }}.p8" ${{ secrets.APPLE_API_KEY_ISSUER }}
 - name: Clean up keychain
 if: ${{ always() }}
 run: |
diff --git a/.github/workflows/build-macosx-arm64.yml b/.github/workflows/build-macosx-arm64.yml
index dd2a540..7c806e6 100644
--- a/.github/workflows/build-macosx-arm64.yml
+++ b/.github/workflows/build-macosx-arm64.yml
@@ -58,7 +58,7 @@ jobs:
 name: Build
 run: |
 chmod +x compile_macosx.sh
- ./compile_macosx.sh arm64 Release ${{ github.event.inputs.repo }} ${{ github.event.inputs.ref }} "${{ secrets.APPLE_BUILD_CERTIFICATE_NAME }}" ${{ secrets.APPLE_TEAM_NAME }} ${{ secrets.APPLE_API_KEY_NAME }} ${{ secrets.APPLE_API_KEY_ISSUER }}
+ ./compile_macosx.sh arm64 Release ${{ github.event.inputs.repo }} ${{ github.event.inputs.ref }} "${{ secrets.APPLE_BUILD_CERTIFICATE_NAME }}" ${{ secrets.APPLE_TEAM_NAME }} ${{ secrets.APPLE_API_KEY_ID }} "${HOME}/private_keys/AuthKey_${{ secrets.APPLE_API_KEY_NAME }}.p8" ${{ secrets.APPLE_API_KEY_ISSUER }}
 - name: Clean up keychain
 if: ${{ always() }}
 run: |
diff --git a/compile_macosx.sh b/compile_macosx.sh
index da7cd25..502e13d 100755
--- a/compile_macosx.sh
+++ b/compile_macosx.sh
@@ -2,7 +2,7 @@
 if [ $# -lt 2 ] || [ $# -eq 3 ]
 then
- echo "Usage: ./compile_macosx.sh [ ] [ ]"
+ echo "Usage: ./compile_macosx.sh [ ] [ ]"
 echo ""
 echo "architecture: the target architecture to build for. Architectures are either amd64 or arm64."
 echo "buildType: either Release or Debug"
@@ -10,7 +10,8 @@ if [ $# -lt 2 ] || [ $# -eq 3 ]
 echo "gitref: the git commit id to pull"
 echo "certname: the apple signing certificate name. Something like \"Developer ID Application: xxx (yyy)\""
 echo "teamname: the apple team name. 10-digit id yyy from the cert name."
- echo "applekeyid: your apple api key id"
+ echo "applekeyid: id of your apple api key"
+ echo "applekeypath: path to your apple api key"
 echo "applekeyissuer: uuid of your apple api key issuer"
 exit 1
 fi
@@ -78,7 +79,7 @@ cd binary_distrib/macosx64
 if [ $# -gt 4 ]
 then
 chmod +x $WORK_DIR/macosx_codesign.sh
- bash $WORK_DIR/macosx_codesign.sh $(pwd) "$5" $6 $7 $8
+ bash $WORK_DIR/macosx_codesign.sh $(pwd) "$5" $6 $7 $8 $9
 fi
 #Pack binary_distrib
diff --git a/macosx_codesign.sh b/macosx_codesign.sh
index fb65e44..c9b8c38 100755
--- a/macosx_codesign.sh
+++ b/macosx_codesign.sh
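Review bot: In the compile_macosx.sh hunk at line 79 the guard `if [ $# -gt 4 ]` still enables signing with five or more arguments, while the new call needs `$9` (the issuer uuid) for macosx_codesign.sh, whose own check now requires six arguments; with the previous eight-argument invocation `$9` expands to nothing, the inner script exits with its usage message and, since the result of the `bash` call is not checked in this hunk, the build carries on to pack an unsigned or partly signed distribution. Tighten the guard to the new arity, `if [ $# -ge 9 ]`, quote `$8` now that it carries the key file path rather than an id, and stop on failure: `bash $WORK_DIR/macosx_codesign.sh $(pwd) "$5" "$6" "$7" "$8" "$9" || exit 1`. Whether `set -e` is in effect earlier in compile_macosx.sh is not visible here, so the explicit check is the safe choice.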
@@ -1,13 +1,14 @@
 #!/bin/bash
-if [ $# -lt 5 ]
+if [ $# -lt 6 ]
 then
- echo "Usage: ./macosx_codesign.sh "
+ echo "Usage: ./macosx_codesign.sh "
 echo ""
 echo "path: the absolute(!) target path"
 echo "certname: the apple signing certificate name. Something like \"Developer ID Application: xxx (yyy)\""
 echo "teamname: the apple team name. 10-digit id yyy from the cert name."
- echo "applekeyid: your apple api key id"
+ echo "applekeyid: id of your apple api key"
+ echo "applekeypath: path to your apple api key"
 echo "applekeyissuer: uuid of your apple api key issuer"
 exit 1
 fi
@@ -28,13 +29,13 @@ chmod +x macosx_codesign_zip.sh
 #Sign helpers
 echo "Signing helpers..."
 codesign --force --options runtime --entitlements "$ENTITLEMENTS_HELPER" --sign "$2" --timestamp --verbose "$APP_DIR/$APP_NAME/$FRAMEWORKS_DIR/jcef Helper.app"
-bash macosx_notarize.sh "$APP_DIR/$APP_NAME/$FRAMEWORKS_DIR/jcef Helper.app" "$2" $3 org.jcef.jcef.helper $4 $5
+bash macosx_notarize.sh "$APP_DIR/$APP_NAME/$FRAMEWORKS_DIR/jcef Helper.app" "$2" $3 org.jcef.jcef.helper $4 $5 $6
 codesign --force --options runtime --entitlements "$ENTITLEMENTS_HELPER" --sign "$2" --timestamp --verbose "$APP_DIR/$APP_NAME/$FRAMEWORKS_DIR/jcef Helper (GPU).app"
-bash macosx_notarize.sh "$APP_DIR/$APP_NAME/$FRAMEWORKS_DIR/jcef Helper (GPU).app" "$2" $3 org.jcef.jcef.helper.gpu $4 $5
+bash macosx_notarize.sh "$APP_DIR/$APP_NAME/$FRAMEWORKS_DIR/jcef Helper (GPU).app" "$2" $3 org.jcef.jcef.helper.gpu $4 $5 $6
 codesign --force --options runtime --entitlements "$ENTITLEMENTS_HELPER" --sign "$2" --timestamp --verbose "$APP_DIR/$APP_NAME/$FRAMEWORKS_DIR/jcef Helper (Plugin).app"
-bash macosx_notarize.sh "$APP_DIR/$APP_NAME/$FRAMEWORKS_DIR/jcef Helper (Plugin).app" "$2" $3 org.jcef.jcef.helper.plugin $4 $5
+bash macosx_notarize.sh "$APP_DIR/$APP_NAME/$FRAMEWORKS_DIR/jcef Helper (Plugin).app" "$2" $3 org.jcef.jcef.helper.plugin $4 $5 $6
 codesign --force --options runtime --entitlements "$ENTITLEMENTS_HELPER" --sign "$2" --timestamp --verbose "$APP_DIR/$APP_NAME/$FRAMEWORKS_DIR/jcef Helper (Renderer).app"
-bash macosx_notarize.sh "$APP_DIR/$APP_NAME/$FRAMEWORKS_DIR/jcef Helper (Renderer).app" "$2" $3 org.jcef.jcef.helper.renderer $4 $5
+bash macosx_notarize.sh "$APP_DIR/$APP_NAME/$FRAMEWORKS_DIR/jcef Helper (Renderer).app" "$2" $3 org.jcef.jcef.helper.renderer $4 $5 $6
 #Sign libraries and framework
 echo "Signing libraries and framework..."
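Review bot: Each `bash macosx_notarize.sh … $4 $5 $6` line passes the key file path `$5` unquoted, and the exit status of the notarization run is never examined, so a failed or rejected submission is only visible in the log while signing continues through to `Done signing binaries`; the same holds for the notarize calls in the hunks at lines 43 and 52 of this file. Unless `set -e` is enabled somewhere outside these hunks (not visible here), append a check to each call, e.g. `bash macosx_notarize.sh "$APP_DIR/$APP_NAME/$FRAMEWORKS_DIR/jcef Helper.app" "$2" "$3" org.jcef.jcef.helper "$4" "$5" "$6" || exit 1`. That check is only as good as macosx_notarize.sh's own exit status, which its new submit block does not yet guarantee.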
@@ -42,7 +43,7 @@ codesign --force --options runtime --entitlements "$ENTITLEMENTS_BROWSER" --sign
 codesign --force --options runtime --entitlements "$ENTITLEMENTS_BROWSER" --sign "$2" --timestamp --verbose "$APP_DIR/$APP_NAME/$FRAMEWORKS_DIR/$FRAMEWORK_NAME/Libraries/libGLESv2.dylib"
 codesign --force --options runtime --entitlements "$ENTITLEMENTS_BROWSER" --sign "$2" --timestamp --verbose "$APP_DIR/$APP_NAME/$FRAMEWORKS_DIR/$FRAMEWORK_NAME/Libraries/libvk_swiftshader.dylib"
 codesign --force --options runtime --entitlements "$ENTITLEMENTS_BROWSER" --sign "$2" --timestamp --verbose "$APP_DIR/$APP_NAME/$FRAMEWORKS_DIR/$FRAMEWORK_NAME"
-bash macosx_notarize.sh "$APP_DIR/$APP_NAME/$FRAMEWORKS_DIR/$FRAMEWORK_NAME" "$2" $3 org.cef.framework $4 $5
+bash macosx_notarize.sh "$APP_DIR/$APP_NAME/$FRAMEWORKS_DIR/$FRAMEWORK_NAME" "$2" $3 org.cef.framework $4 $5 $6
 codesign --force --options runtime --entitlements "$ENTITLEMENTS_BROWSER" --sign "$2" --timestamp --verbose "$APP_DIR/$APP_NAME/Contents/Java/libjcef.dylib"
 bash macosx_codesign_zip.sh "$APP_DIR/$APP_NAME/Contents/Java/gluegen-rt-natives-macosx-universal.jar" "natives/macosx-universal/libgluegen_rt.dylib" "$2"
 bash macosx_codesign_zip.sh "$APP_DIR/$APP_NAME/Contents/Java/jogl-all-natives-macosx-universal.jar" "natives/macosx-universal/libnativewindow_awt.dylib" "$2"
@@ -51,6 +52,6 @@ bash macosx_codesign_zip.sh "$APP_DIR/$APP_NAME/Contents/Java/jogl-all-natives-m
 bash macosx_codesign_zip.sh "$APP_DIR/$APP_NAME/Contents/Java/jogl-all-natives-macosx-universal.jar" "natives/macosx-universal/libnewt_head.dylib" "$2"
 bash macosx_codesign_zip.sh "$APP_DIR/$APP_NAME/Contents/Java/jogl-all-natives-macosx-universal.jar" "natives/macosx-universal/libjogl_desktop.dylib" "$2"
 codesign --force --options runtime --entitlements "$ENTITLEMENTS_BROWSER" --sign "$2" --timestamp --verbose "$APP_DIR/$APP_NAME"
-bash macosx_notarize.sh "$APP_DIR/$APP_NAME" "$2" $3 org.jcef.jcef $4 $5
+bash macosx_notarize.sh "$APP_DIR/$APP_NAME" "$2" $3 org.jcef.jcef $4 $5 $6
 echo "Done signing binaries"
diff --git a/macosx_notarize.sh b/macosx_notarize.sh
index 2f72cb2..00eaa27 100755
--- a/macosx_notarize.sh
+++ b/macosx_notarize.sh
@@ -3,15 +3,16 @@
 #Contents partly stolen from https://scriptingosx.com/2019/09/notarize-a-command-line-tool/
 #Will need updating for XCode 13+
-if [ $# -lt 6 ]
+if [ $# -lt 7 ]
 then
- echo "Usage: ./macosx_notarize.sh "
+ echo "Usage: ./macosx_notarize.sh "
 echo ""
 echo "path: the absolute(!) target path"
 echo "certname: the apple signing certificate name. Something like \"Developer ID Application: xxx (yyy)\""
 echo "teamname: the apple team name. 10-digit id yyy from the cert name."
 echo "bundleid: the bundle id of the artifact"
- echo "applekeyid: your apple api key id"
+ echo "applekeyid: id of your apple api key"
+ echo "applekeypath: path to your apple api key"
 echo "applekeyissuer: uuid of your apple api key issuer"
 exit 1
 fi
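Review bot: In the macosx_notarize.sh hunk at line 3 the context comment `#Will need updating for XCode 13+`, two lines above the changed `if [ $# -lt 7 ]`, is now stale: this commit is that update (altool is replaced by notarytool further down), so the next reader is pointed at work that is already done. Replace it with `#Uses notarytool (Xcode 13+); the altool-based upload/poll loop was removed` and note next to the `#Contents partly stolen from …` link that only the zip and staple steps still follow that article. The usage text now documents the argument order `path certname teamname bundleid applekeyid applekeypath applekeyissuer`, which matches the positions `$5`, `$6`, `$7` used by the submit command below.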
@@ -27,48 +28,12 @@ cd $APP_DIR
 echo "Creating zip"
 zip -r "$APP_NAME.zip" "$APP_NAME"
-echo "Uploading $ZIP_PATH for notarization"
-xcRunOutput=$(xcrun altool --notarize-app \
- --type macos \
- --primary-bundle-id "$4" \
- --apiKey "$5" \
- --apiIssuer "$6" \
- --file "$1.zip" 2>&1 )
-echo "xcrun> $xcRunOutput"
-requestUUID=$(echo "$xcRunOutput" | awk '/RequestUUID/ { print $NF; }')
-
-echo "Notarization RequestUUID: $requestUUID"
-
-# clean up zip
-rm -f "$APP_NAME.zip"
-
-if [[ $requestUUID == "" ]]; then
- echo "Could not upload for notarization"
- exit 1
-fi
-
-# wait for status to be not "in progress" any more
-request_status="in progress"
-while [[ "$request_status" == "in progress" ]]; do
- echo -n "waiting... "
- sleep 60
- request_status=$(xcrun altool --notarization-info "$requestUUID" \
- --apiKey "$5" \
- --apiIssuer "$6" 2>&1 \
- | awk -F ': ' '/Status:/ { print $2; }' )
- echo "$request_status"
-done
-
-# print status information
-xcrun altool --notarization-info "$requestUUID" \
- --apiKey "$5" \
- --apiIssuer "$6"
-echo
-
-if [[ $request_status != "success" ]]; then
- echo "Could not notarize! ($request_status)"
- exit 1
-fi
+echo "Uploading $ZIP_PATH for notarization and waiting for result"
+xcrun notarytool submit "$1.zip" \
+ --key $6 \
+ --key-id $5 \
+ --key-issuer $7 \
+ --wait
 # staple
 xcrun stapler staple "$1"
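Review bot: The new submit block drops the `rm -f "$APP_NAME.zip"` that the removed code ran after upload, so every notarized bundle now leaves its zip next to itself inside `$APP_DIR`; for the helper apps and the framework that directory lies inside the outer bundle, which is signed and packed afterwards, so the stray archives end up in the shipped artifact unless something outside this hunk removes them. The outcome of `xcrun notarytool submit … --wait` is also not checked: the old loop exited 1 when the status was not `success`, whereas here a rejected submission (or a missing or unreadable key file) falls through to `xcrun stapler staple`, and relying on notarytool's exit code alone for a non-Accepted status is fragile, so the script should look at the reported status itself. `$5`, `$6` and `$7` should be quoted because the key path may contain spaces, and `$ZIP_PATH` in the echo is not assigned anywhere in the hunk, so the message should use `$1.zip` like the submit line does. The rewrite below keeps the cleanup, fails on anything other than `status: Accepted`, and fetches the notarization log for the submission id on failure so the rejection reason lands in the build output.
```shell
zip -r "$APP_NAME.zip" "$APP_NAME"
echo "Uploading $1.zip for notarization and waiting for result"
submit_output=$(xcrun notarytool submit "$1.zip" \
  --key "$6" \
  --key-id "$5" \
  --key-issuer "$7" \
  --wait 2>&1)
submit_status=$?
echo "$submit_output"
# clean up zip before any early exit so no archive is left inside the bundle tree
rm -f "$APP_NAME.zip"
if [ "$submit_status" -ne 0 ] || ! echo "$submit_output" | grep -q "status: Accepted"; then
  submission_id=$(echo "$submit_output" | awk '/^ *id:/ { print $2; exit }')
  if [ -n "$submission_id" ]; then
    xcrun notarytool log "$submission_id" --key "$6" --key-id "$5" --key-issuer "$7"
  fi
  echo "Could not notarize $1"
  exit 1
fi
# … unchanged: staple …
```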