Add notarization to test build

2025-09-17 12:56:37 +08:00 · 2022-02-25 14:23:16 +01:00 · 2022-02-25 14:23:16 +01:00 · 6ae380809b
commit 6ae380809b
parent 2e95840055
4 changed files with 95 additions and 7 deletions
--- a/.github/workflows/build-macosx-amd64.yml
+++ b/.github/workflows/build-macosx-amd64.yml
@ -47,7 +47,7 @@ jobs:
        name: Build
        run: |
          chmod +x compile_macosx.sh
-          ./compile_macosx.sh amd64 Release ${{ github.event.inputs.repo }} ${{ github.event.inputs.ref }} "${{ secrets.APPLE_BUILD_CERTIFICATE_NAME }}"
+          ./compile_macosx.sh amd64 Release ${{ github.event.inputs.repo }} ${{ github.event.inputs.ref }} "${{ secrets.APPLE_BUILD_CERTIFICATE_NAME }}" "${{ secrets.APPLE_TEAM_NAME }}" "${{ secrets.APPLE_ID }}" "${{ secrets.APPLE_PASSWORD }}"
      - name: Clean up keychain
        if: ${{ always() }}
        run: |
--- a/compile_macosx.sh
+++ b/compile_macosx.sh
@ -2,13 +2,16 @@

 if [ $# -lt 2 ] || [ $# -eq 3 ]
  then
-    echo "Usage: ./compile_macosx.sh <architecture> <buildType> [<gitrepo> <gitref>] [<certname>]"
+    echo "Usage: ./compile_macosx.sh <architecture> <buildType> [<gitrepo> <gitref>] [<certname> <teamname> <appleid> <applepwd>]"
    echo ""
    echo "architecture: the target architecture to build for. Architectures are either amd64 or arm64."
    echo "buildType: either Release or Debug"
    echo "gitrepo: git repository url to clone"
    echo "gitref: the git commit id to pull"
-    echo "certname: the apple signing certificate name. Something like \"Developer ID Application: xxx\""
+    echo "certname: the apple signing certificate name. Something like \"Developer ID Application: xxx (yyy)\""
+    echo "teamname: the apple team name. 10-digit id yyy from the cert name."
+    echo "appleid: your apple developer id"
+    echo "applepwd: your apple developer id password"
    exit 1
 fi

@ -69,7 +72,7 @@ cd binary_distrib/macosx64
 if [ $# -gt 4 ]
  then
    chmod +x $WORK_DIR/macosx_codesign.sh
-    bash $WORK_DIR/macosx_codesign.sh $(pwd) $5
+    bash $WORK_DIR/macosx_codesign.sh $(pwd) $5 $6 $7 $8
 fi

 #Pack binary_distrib
--- a/macosx_codesign.sh
+++ b/macosx_codesign.sh
@ -1,11 +1,14 @@
 #!/bin/bash

-if [ $# -lt 2 ]
+if [ $# -lt 5 ]
  then
-    echo "Usage: ./macosxcodesign.sh <path> <certname>"
+    echo "Usage: ./macosx_codesign.sh <path> <certname> <teamname> <appleid> <applepwd>"
    echo ""
    echo "path: the absolute(!) target path"
-    echo "certname: the apple signing certificate name. Something like \"Developer ID Application: xxx\""
+    echo "certname: the apple signing certificate name. Something like \"Developer ID Application: xxx (yyy)\""
+    echo "teamname: the apple team name. 10-digit id yyy from the cert name."
+    echo "appleid: your apple developer id"
+    echo "applepwd: your apple developer id password"
    exit 1
 fi

@ -19,13 +22,18 @@ ENTITLEMENTS_HELPER=entitlements/entitlements-helper.plist
 ENTITLEMENTS_BROWSER=entitlements/entitlements-browser.plist

 chmod -R 777 $APP_DIR/$APP_NAME
+chmod +x macosx_notarize.sh

 #Sign helpers
 echo "Signing helpers..."
 codesign --force --options runtime --entitlements "$ENTITLEMENTS_HELPER" --sign "$2" --timestamp --verbose "$APP_DIR/$APP_NAME/$FRAMEWORKS_DIR/jcef Helper.app"
+bash macosx_notarize.sh "$APP_DIR/$APP_NAME/$FRAMEWORKS_DIR/jcef Helper.app" $2 $3 org.jcef.jcef.helper $4 $5
 codesign --force --options runtime --entitlements "$ENTITLEMENTS_HELPER" --sign "$2" --timestamp --verbose "$APP_DIR/$APP_NAME/$FRAMEWORKS_DIR/jcef Helper (GPU).app"
+bash macosx_notarize.sh "$APP_DIR/$APP_NAME/$FRAMEWORKS_DIR/jcef Helper (GPU).app" $2 $3 org.jcef.jcef.helper.gpu $4 $5
 codesign --force --options runtime --entitlements "$ENTITLEMENTS_HELPER" --sign "$2" --timestamp --verbose "$APP_DIR/$APP_NAME/$FRAMEWORKS_DIR/jcef Helper (Plugin).app"
+bash macosx_notarize.sh "$APP_DIR/$APP_NAME/$FRAMEWORKS_DIR/jcef Helper (Plugin).app" $2 $3 org.jcef.jcef.helper.plugin $4 $5
 codesign --force --options runtime --entitlements "$ENTITLEMENTS_HELPER" --sign "$2" --timestamp --verbose "$APP_DIR/$APP_NAME/$FRAMEWORKS_DIR/jcef Helper (Renderer).app"
+bash macosx_notarize.sh "$APP_DIR/$APP_NAME/$FRAMEWORKS_DIR/jcef Helper (Renderer).app" $2 $3 org.jcef.jcef.helper.renderer $4 $5

 #Sign libraries and framework
 echo "Signing libraries and framework..."
@ -35,7 +43,9 @@ codesign --force --options runtime --entitlements "$ENTITLEMENTS_BROWSER" --sign
 codesign --force --options runtime --entitlements "$ENTITLEMENTS_BROWSER" --sign "$2" --timestamp --verbose "$APP_DIR/$APP_NAME/$FRAMEWORKS_DIR/$FRAMEWORK_NAME/Libraries/libswiftshader_libGLESv2.dylib"
 codesign --force --options runtime --entitlements "$ENTITLEMENTS_BROWSER" --sign "$2" --timestamp --verbose "$APP_DIR/$APP_NAME/$FRAMEWORKS_DIR/$FRAMEWORK_NAME/Libraries/libvk_swiftshader.dylib"
 codesign --force --options runtime --entitlements "$ENTITLEMENTS_BROWSER" --sign "$2" --timestamp --verbose "$APP_DIR/$APP_NAME/$FRAMEWORKS_DIR/$FRAMEWORK_NAME"
+bash macosx_notarize.sh "$APP_DIR/$APP_NAME/$FRAMEWORKS_DIR/$FRAMEWORK_NAME" $2 $3 org.cef.framework $4 $5
 codesign --force --options runtime --entitlements "$ENTITLEMENTS_BROWSER" --sign "$2" --timestamp --verbose "$APP_DIR/$APP_NAME/Contents/Java/libjcef.dylib"
 codesign --force --options runtime --entitlements "$ENTITLEMENTS_BROWSER" --sign "$2" --timestamp --verbose "$APP_DIR/$APP_NAME"
+bash macosx_notarize.sh "$APP_DIR/$APP_NAME" $2 $3 org.jcef.jcef $4 $5

 echo "Done signing binaries"
--- a/macosx_notarize.sh
+++ b/macosx_notarize.sh
@ -0,0 +1,75 @@
+#!/bin/bash
+
+#Contents partly stolen from https://scriptingosx.com/2019/09/notarize-a-command-line-tool/
+#Will need updating for XCode 13+
+
+if [ $# -lt 6 ]
+  then
+    echo "Usage: ./macosx_notarize.sh <path> <certname> <teamname> <bundleid> <appleid> <applepwd>"
+    echo ""
+    echo "path: the absolute(!) target path"
+    echo "certname: the apple signing certificate name. Something like \"Developer ID Application: xxx (yyy)\""
+    echo "teamname: the apple team name. 10-digit id yyy from the cert name."
+    echo "bundleid: the bundle id of the artifact"
+    echo "appleid: your apple developer id"
+    echo "applepwd: your apple developer id password"
+    exit 1
+fi
+
+echo "##########################################################"
+echo "Notarizing $1... This may take a while."
+
+APP_DIR="$( dirname "$1" )"
+APP_NAME="$( basename "$1" )"
+ZIP_PATH=$1.zip
+
+cd $APP_DIR
+echo "Creating zip"
+zip -r $APP_NAME.zip $APP_NAME
+
+echo "Uploading $ZIP_PATH for notarization"
+requestUUID=$(xcrun altool --notarize-app \
+                           --primary-bundle-id "$4" \
+                           --username "$5" \
+                           --password "$6" \
+                           --asc-provider "$3" \
+                           --file "$1.zip" 2>&1 \
+                  | awk '/RequestUUID/ { print $NF; }')
+                               
+echo "Notarization RequestUUID: $requestUUID"
+
+if [[ $requestUUID == "" ]]; then 
+        echo "Could not upload for notarization"
+        exit 1
+fi
+
+# wait for status to be not "in progress" any more
+request_status="in progress"
+while [[ "$request_status" == "in progress" ]]; do
+    echo -n "waiting... "
+    sleep 10
+    request_status=$(xcrun altool --notarization-info "$requestUUID" \
+                              --username "$5" \
+                              --password "$6" 2>&1 \
+                 | awk -F ': ' '/Status:/ { print $2; }' )
+    echo "$request_status"
+done
+
+# print status information
+xcrun altool --notarization-info "$requestUUID" \
+             --username "$5" \
+             --password "$6"
+echo
+
+if [[ $request_status != "success" ]]; then
+    echo "Could not notarize!"
+    exit 1
+fi
+
+# staple
+xcrun stapler staple "$1"
+
+# clean up
+rm -f $APP_NAME.zip
+
+echo "##########################################################"