From 2e95840055c8106d93daa18a98f0445b67154b24 Mon Sep 17 00:00:00 2001 From: FriwiDev Date: Thu, 24 Feb 2022 22:07:00 +0100 Subject: [PATCH] Introduce code signing to all macosx builds --- .github/workflows/build-all.yml | 54 +++++++++++++++++++++++- .github/workflows/build-macosx-arm64.yml | 27 +++++++++++- 2 files changed, 78 insertions(+), 3 deletions(-) diff --git a/.github/workflows/build-all.yml b/.github/workflows/build-all.yml index 6f81534..15da4ba 100644 --- a/.github/workflows/build-all.yml +++ b/.github/workflows/build-all.yml @@ -242,11 +242,36 @@ jobs: run: | chmod +x scripts/install_macos_dependencies.sh ./scripts/install_macos_dependencies.sh + - name: Install Apple certificate + env: + BUILD_CERTIFICATE_BASE64: ${{ secrets.APPLE_BUILD_CERTIFICATE_BASE64 }} + P12_PASSWORD: ${{ secrets.APPLE_P12_PASSWORD }} + KEYCHAIN_PASSWORD: ${{ secrets.APPLE_KEYCHAIN_PASSWORD }} + run: | + # create variables + CERTIFICATE_PATH=$RUNNER_TEMP/build_certificate.p12 + KEYCHAIN_PATH=$RUNNER_TEMP/app-signing.keychain-db + + # import certificate from secrets + echo -n "$BUILD_CERTIFICATE_BASE64" | base64 --decode --output $CERTIFICATE_PATH + + # create temporary keychain + security create-keychain -p "$KEYCHAIN_PASSWORD" $KEYCHAIN_PATH + security set-keychain-settings -lut 21600 $KEYCHAIN_PATH + security unlock-keychain -p "$KEYCHAIN_PASSWORD" $KEYCHAIN_PATH + + # import certificate to keychain + security import $CERTIFICATE_PATH -P "$P12_PASSWORD" -A -t cert -f pkcs12 -k $KEYCHAIN_PATH -T /usr/bin/codesign + security list-keychain -d user -s $KEYCHAIN_PATH - name: Build run: | chmod +x compile_macosx.sh - ./compile_macosx.sh amd64 Release ${{ github.event.inputs.repo }} ${{ github.event.inputs.ref }} + ./compile_macosx.sh amd64 Release ${{ github.event.inputs.repo }} ${{ github.event.inputs.ref }} "${{ secrets.APPLE_BUILD_CERTIFICATE_NAME }}" + - name: Clean up keychain + if: ${{ always() }} + run: | + security delete-keychain $RUNNER_TEMP/app-signing.keychain-db - name: Export distribution uses: actions/upload-release-asset@v1 env: @@ -277,11 +302,36 @@ jobs: run: | chmod +x scripts/install_macos_dependencies.sh ./scripts/install_macos_dependencies.sh + - name: Install Apple certificate + env: + BUILD_CERTIFICATE_BASE64: ${{ secrets.APPLE_BUILD_CERTIFICATE_BASE64 }} + P12_PASSWORD: ${{ secrets.APPLE_P12_PASSWORD }} + KEYCHAIN_PASSWORD: ${{ secrets.APPLE_KEYCHAIN_PASSWORD }} + run: | + # create variables + CERTIFICATE_PATH=$RUNNER_TEMP/build_certificate.p12 + KEYCHAIN_PATH=$RUNNER_TEMP/app-signing.keychain-db + + # import certificate from secrets + echo -n "$BUILD_CERTIFICATE_BASE64" | base64 --decode --output $CERTIFICATE_PATH + + # create temporary keychain + security create-keychain -p "$KEYCHAIN_PASSWORD" $KEYCHAIN_PATH + security set-keychain-settings -lut 21600 $KEYCHAIN_PATH + security unlock-keychain -p "$KEYCHAIN_PASSWORD" $KEYCHAIN_PATH + + # import certificate to keychain + security import $CERTIFICATE_PATH -P "$P12_PASSWORD" -A -t cert -f pkcs12 -k $KEYCHAIN_PATH -T /usr/bin/codesign + security list-keychain -d user -s $KEYCHAIN_PATH - name: Build run: | chmod +x compile_macosx.sh - ./compile_macosx.sh arm64 Release ${{ github.event.inputs.repo }} ${{ github.event.inputs.ref }} + ./compile_macosx.sh arm64 Release ${{ github.event.inputs.repo }} ${{ github.event.inputs.ref }} "${{ secrets.APPLE_BUILD_CERTIFICATE_NAME }}" + - name: Clean up keychain + if: ${{ always() }} + run: | + security delete-keychain $RUNNER_TEMP/app-signing.keychain-db - name: Export distribution uses: actions/upload-release-asset@v1 env: diff --git a/.github/workflows/build-macosx-arm64.yml b/.github/workflows/build-macosx-arm64.yml index b0d32c3..e05eb48 100644 --- a/.github/workflows/build-macosx-arm64.yml +++ b/.github/workflows/build-macosx-arm64.yml @@ -22,11 +22,36 @@ jobs: run: | chmod +x scripts/install_macos_dependencies.sh ./scripts/install_macos_dependencies.sh + - name: Install Apple certificate + env: + BUILD_CERTIFICATE_BASE64: ${{ secrets.APPLE_BUILD_CERTIFICATE_BASE64 }} + P12_PASSWORD: ${{ secrets.APPLE_P12_PASSWORD }} + KEYCHAIN_PASSWORD: ${{ secrets.APPLE_KEYCHAIN_PASSWORD }} + run: | + # create variables + CERTIFICATE_PATH=$RUNNER_TEMP/build_certificate.p12 + KEYCHAIN_PATH=$RUNNER_TEMP/app-signing.keychain-db + + # import certificate from secrets + echo -n "$BUILD_CERTIFICATE_BASE64" | base64 --decode --output $CERTIFICATE_PATH + + # create temporary keychain + security create-keychain -p "$KEYCHAIN_PASSWORD" $KEYCHAIN_PATH + security set-keychain-settings -lut 21600 $KEYCHAIN_PATH + security unlock-keychain -p "$KEYCHAIN_PASSWORD" $KEYCHAIN_PATH + + # import certificate to keychain + security import $CERTIFICATE_PATH -P "$P12_PASSWORD" -A -t cert -f pkcs12 -k $KEYCHAIN_PATH -T /usr/bin/codesign + security list-keychain -d user -s $KEYCHAIN_PATH - name: Build run: | chmod +x compile_macosx.sh - ./compile_macosx.sh arm64 Release ${{ github.event.inputs.repo }} ${{ github.event.inputs.ref }} + ./compile_macosx.sh arm64 Release ${{ github.event.inputs.repo }} ${{ github.event.inputs.ref }} "${{ secrets.APPLE_BUILD_CERTIFICATE_NAME }}" + - name: Clean up keychain + if: ${{ always() }} + run: | + security delete-keychain $RUNNER_TEMP/app-signing.keychain-db - name: Export artifacts uses: actions/upload-artifact@v2