diff --git a/.github/workflows/build-macosx-amd64.yml b/.github/workflows/build-macosx-amd64.yml
index 3f66aba..546c031 100644
--- a/.github/workflows/build-macosx-amd64.yml
+++ b/.github/workflows/build-macosx-amd64.yml
@@ -47,7 +47,7 @@ jobs:
 name: Build
 run: |
 chmod +x compile_macosx.sh
- ./compile_macosx.sh amd64 Release ${{ github.event.inputs.repo }} ${{ github.event.inputs.ref }} "${{ secrets.APPLE_BUILD_CERTIFICATE_NAME }}"
+ ./compile_macosx.sh amd64 Release ${{ github.event.inputs.repo }} ${{ github.event.inputs.ref }} "${{ secrets.APPLE_BUILD_CERTIFICATE_NAME }}" "${{ secrets.APPLE_TEAM_NAME }}" "${{ secrets.APPLE_ID }}" "${{ secrets.APPLE_PASSWORD }}"
 - name: Clean up keychain
 if: ${{ always() }}
 run: |
diff --git a/compile_macosx.sh b/compile_macosx.sh
index 74e6ee5..90e3894 100755
--- a/compile_macosx.sh
+++ b/compile_macosx.sh
@@ -2,13 +2,16 @@
 if [ $# -lt 2 ] || [ $# -eq 3 ]
 then
- echo "Usage: ./compile_macosx.sh [ ] []"
+ echo "Usage: ./compile_macosx.sh [ ] [ ]"
 echo ""
 echo "architecture: the target architecture to build for. Architectures are either amd64 or arm64."
 echo "buildType: either Release or Debug"
 echo "gitrepo: git repository url to clone"
 echo "gitref: the git commit id to pull"
- echo "certname: the apple signing certificate name. Something like \"Developer ID Application: xxx\""
+ echo "certname: the apple signing certificate name. Something like \"Developer ID Application: xxx (yyy)\""
+ echo "teamname: the apple team name. 10-digit id yyy from the cert name."
+ echo "appleid: your apple developer id"
+ echo "applepwd: your apple developer id password"
 exit 1
 fi
@@ -69,7 +72,7 @@ cd binary_distrib/macosx64
 if [ $# -gt 4 ]
 then
 chmod +x $WORK_DIR/macosx_codesign.sh
- bash $WORK_DIR/macosx_codesign.sh $(pwd) $5
+ bash $WORK_DIR/macosx_codesign.sh $(pwd) $5 $6 $7 $8
 fi
 #Pack binary_distrib
diff --git a/macosx_codesign.sh b/macosx_codesign.sh
index 4779474..a03e6cb 100755
--- a/macosx_codesign.sh
+++ b/macosx_codesign.sh
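Review bot: The Apple ID password and the two other new secrets reach `compile_macosx.sh` as command-line arguments, because the changed `run:` line expands `${{ secrets.* }}` directly into the script text. That expansion happens before the shell parses the line, so a `"`, `$` or backtick inside a secret changes what the shell executes, and process arguments are readable by other processes on the runner. Mapping the values through the step's `env:` block, for example `APPLE_PASSWORD: ${{ secrets.APPLE_PASSWORD }}`, and having the scripts read the environment keeps them out of both the script text and argv. The unquoted `${{ github.event.inputs.repo }}` and `${{ github.event.inputs.ref }}` on the same line are expanded the same way and would benefit from the same treatment.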
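Review bot: The arguments in `bash $WORK_DIR/macosx_codesign.sh $(pwd) $5 $6 $7 $8` are unquoted, so a certificate name of the documented form `Developer ID Application: xxx (yyy)` is split into several words and every later positional argument shifts; the team name, Apple ID and password would then arrive in the wrong slots. Quoting keeps them intact: `bash "$WORK_DIR/macosx_codesign.sh" "$(pwd)" "$5" "$6" "$7" "$8"`. The same unquoted `$2 $3 … $4 $5` pattern appears in the six `macosx_notarize.sh` calls added to macosx_codesign.sh. The `[ $# -gt 4 ]` guard also still admits five to seven arguments, in which case macosx_codesign.sh receives fewer than the five it now requires and exits with its usage text; whether compile_macosx.sh then stops or goes on to pack unsigned binaries is not visible in this hunk.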
@@ -1,11 +1,14 @@
 #!/bin/bash
-if [ $# -lt 2 ]
+if [ $# -lt 5 ]
 then
- echo "Usage: ./macosxcodesign.sh "
+ echo "Usage: ./macosx_codesign.sh "
 echo ""
 echo "path: the absolute(!) target path"
- echo "certname: the apple signing certificate name. Something like \"Developer ID Application: xxx\""
+ echo "certname: the apple signing certificate name. Something like \"Developer ID Application: xxx (yyy)\""
+ echo "teamname: the apple team name. 10-digit id yyy from the cert name."
+ echo "appleid: your apple developer id"
+ echo "applepwd: your apple developer id password"
 exit 1
 fi
@@ -19,13 +22,18 @@ ENTITLEMENTS_HELPER=entitlements/entitlements-helper.plist
 ENTITLEMENTS_BROWSER=entitlements/entitlements-browser.plist
 chmod -R 777 $APP_DIR/$APP_NAME
+chmod +x macosx_notarize.sh
 #Sign helpers
 echo "Signing helpers..."
 codesign --force --options runtime --entitlements "$ENTITLEMENTS_HELPER" --sign "$2" --timestamp --verbose "$APP_DIR/$APP_NAME/$FRAMEWORKS_DIR/jcef Helper.app"
+bash macosx_notarize.sh "$APP_DIR/$APP_NAME/$FRAMEWORKS_DIR/jcef Helper.app" $2 $3 org.jcef.jcef.helper $4 $5
 codesign --force --options runtime --entitlements "$ENTITLEMENTS_HELPER" --sign "$2" --timestamp --verbose "$APP_DIR/$APP_NAME/$FRAMEWORKS_DIR/jcef Helper (GPU).app"
+bash macosx_notarize.sh "$APP_DIR/$APP_NAME/$FRAMEWORKS_DIR/jcef Helper (GPU).app" $2 $3 org.jcef.jcef.helper.gpu $4 $5
 codesign --force --options runtime --entitlements "$ENTITLEMENTS_HELPER" --sign "$2" --timestamp --verbose "$APP_DIR/$APP_NAME/$FRAMEWORKS_DIR/jcef Helper (Plugin).app"
+bash macosx_notarize.sh "$APP_DIR/$APP_NAME/$FRAMEWORKS_DIR/jcef Helper (Plugin).app" $2 $3 org.jcef.jcef.helper.plugin $4 $5
 codesign --force --options runtime --entitlements "$ENTITLEMENTS_HELPER" --sign "$2" --timestamp --verbose "$APP_DIR/$APP_NAME/$FRAMEWORKS_DIR/jcef Helper (Renderer).app"
+bash macosx_notarize.sh "$APP_DIR/$APP_NAME/$FRAMEWORKS_DIR/jcef Helper (Renderer).app" $2 $3 org.jcef.jcef.helper.renderer $4 $5
 #Sign libraries and framework
 echo "Signing libraries and framework..."
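Review bot: The exit status of each `bash macosx_notarize.sh …` call is ignored, so a rejected or failed notarization of one helper does not stop the script and it can still reach `echo "Done signing binaries"`. macosx_notarize.sh exits 1 on upload failure and on any final status other than success, so checking the status makes the release fail closed, e.g. `bash macosx_notarize.sh "$APP_DIR/$APP_NAME/$FRAMEWORKS_DIR/jcef Helper.app" "$2" "$3" org.jcef.jcef.helper "$4" "$5" || exit 1`. This applies to the four calls here and to the two added in the following hunk. The lines between the first hunk of this file and this one are not shown, so a `set -e` there cannot be ruled out.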
@@ -35,7 +43,9 @@ codesign --force --options runtime --entitlements "$ENTITLEMENTS_BROWSER" --sign
 codesign --force --options runtime --entitlements "$ENTITLEMENTS_BROWSER" --sign "$2" --timestamp --verbose "$APP_DIR/$APP_NAME/$FRAMEWORKS_DIR/$FRAMEWORK_NAME/Libraries/libswiftshader_libGLESv2.dylib"
 codesign --force --options runtime --entitlements "$ENTITLEMENTS_BROWSER" --sign "$2" --timestamp --verbose "$APP_DIR/$APP_NAME/$FRAMEWORKS_DIR/$FRAMEWORK_NAME/Libraries/libvk_swiftshader.dylib"
 codesign --force --options runtime --entitlements "$ENTITLEMENTS_BROWSER" --sign "$2" --timestamp --verbose "$APP_DIR/$APP_NAME/$FRAMEWORKS_DIR/$FRAMEWORK_NAME"
+bash macosx_notarize.sh "$APP_DIR/$APP_NAME/$FRAMEWORKS_DIR/$FRAMEWORK_NAME" $2 $3 org.cef.framework $4 $5
 codesign --force --options runtime --entitlements "$ENTITLEMENTS_BROWSER" --sign "$2" --timestamp --verbose "$APP_DIR/$APP_NAME/Contents/Java/libjcef.dylib"
 codesign --force --options runtime --entitlements "$ENTITLEMENTS_BROWSER" --sign "$2" --timestamp --verbose "$APP_DIR/$APP_NAME"
+bash macosx_notarize.sh "$APP_DIR/$APP_NAME" $2 $3 org.jcef.jcef $4 $5
 echo "Done signing binaries"
diff --git a/macosx_notarize.sh b/macosx_notarize.sh
new file mode 100755
index 0000000..149a29a
--- /dev/null
+++ b/macosx_notarize.sh
@@ -0,0 +1,75 @@
+#!/bin/bash
+
+#Contents partly stolen from https://scriptingosx.com/2019/09/notarize-a-command-line-tool/
+#Will need updating for XCode 13+
+
+if [ $# -lt 6 ]
+ then
+ echo "Usage: ./macosx_notarize.sh "
+ echo ""
+ echo "path: the absolute(!) target path"
+ echo "certname: the apple signing certificate name. Something like \"Developer ID Application: xxx (yyy)\""
+ echo "teamname: the apple team name. 10-digit id yyy from the cert name."
+ echo "bundleid: the bundle id of the artifact"
+ echo "appleid: your apple developer id"
+ echo "applepwd: your apple developer id password"
+ exit 1
+fi
+
+echo "##########################################################"
+echo "Notarizing $1... This may take a while."
+
+APP_DIR="$( dirname "$1" )"
+APP_NAME="$( basename "$1" )"
+ZIP_PATH=$1.zip
+
+cd $APP_DIR
+echo "Creating zip"
+zip -r $APP_NAME.zip $APP_NAME
+
+echo "Uploading $ZIP_PATH for notarization"
+requestUUID=$(xcrun altool --notarize-app \
+ --primary-bundle-id "$4" \
+ --username "$5" \
+ --password "$6" \
+ --asc-provider "$3" \
+ --file "$1.zip" 2>&1 \
+ | awk '/RequestUUID/ { print $NF; }')
+
+echo "Notarization RequestUUID: $requestUUID"
+
+if [[ $requestUUID == "" ]]; then
+ echo "Could not upload for notarization"
+ exit 1
+fi
+
+# wait for status to be not "in progress" any more
+request_status="in progress"
+while [[ "$request_status" == "in progress" ]]; do
+ echo -n "waiting... "
+ sleep 10
+ request_status=$(xcrun altool --notarization-info "$requestUUID" \
+ --username "$5" \
+ --password "$6" 2>&1 \
+ | awk -F ': ' '/Status:/ { print $2; }' )
+ echo "$request_status"
+done
+
+# print status information
+xcrun altool --notarization-info "$requestUUID" \
+ --username "$5" \
+ --password "$6"
+echo
+
+if [[ $request_status != "success" ]]; then
+ echo "Could not notarize!"
+ exit 1
+fi
+
+# staple
+xcrun stapler staple "$1"
+
+# clean up
+rm -f $APP_NAME.zip
+
+echo "##########################################################"
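Review bot: `cd $APP_DIR`, `zip -r $APP_NAME.zip $APP_NAME` and `rm -f $APP_NAME.zip` expand unquoted, and the callers pass bundle names with spaces and parentheses such as `jcef Helper (GPU).app`, so zip receives the name as separate words and does not create the archive that `--file "$1.zip"` expects. Quoting fixes it: `cd "$APP_DIR" || exit 1`, `zip -r "$APP_NAME.zip" "$APP_NAME"`, `rm -f -- "$APP_NAME.zip"`. Separately, `--password "$6"` puts the Apple ID password on altool's command line in all three invocations; altool accepts an `@env:VARIABLE` or `@keychain:ITEM` reference for `--password`, which keeps the value out of the process list. Because the upload pipeline ends in `2>&1 | awk`, altool's own error text is discarded when the upload fails, so capturing the output first and printing it before `exit 1` would make failures diagnosable.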