Initial attempt for Apple code signing

.github/workflows/build-macosx-amd64.yml

@@ -22,11 +22,36 @@ jobs:
         run: |
           chmod +x scripts/install_macos_dependencies.sh
           ./scripts/install_macos_dependencies.sh
+      - name: Install Apple certificate
+        env:
+          BUILD_CERTIFICATE_BASE64: ${{ secrets.APPLE_BUILD_CERTIFICATE_BASE64 }}
+          P12_PASSWORD: ${{ secrets.APPLE_P12_PASSWORD }}
+          KEYCHAIN_PASSWORD: ${{ secrets.APPLE_KEYCHAIN_PASSWORD }}
+        run: |
+          # create variables
+          CERTIFICATE_PATH=$RUNNER_TEMP/build_certificate.p12
+          KEYCHAIN_PATH=$RUNNER_TEMP/app-signing.keychain-db
+
+          # import certificate from secrets
+          echo -n "$BUILD_CERTIFICATE_BASE64" | base64 --decode --output $CERTIFICATE_PATH
+
+          # create temporary keychain
+          security create-keychain -p "$KEYCHAIN_PASSWORD" $KEYCHAIN_PATH
+          security set-keychain-settings -lut 21600 $KEYCHAIN_PATH
+          security unlock-keychain -p "$KEYCHAIN_PASSWORD" $KEYCHAIN_PATH
+
+          # import certificate to keychain
+          security import $CERTIFICATE_PATH -P "$P12_PASSWORD" -A -t cert -f pkcs12 -k $KEYCHAIN_PATH
+          security list-keychain -d user -s $KEYCHAIN_PATH
       -
         name: Build
         run: |
           chmod +x compile_macosx.sh
-          ./compile_macosx.sh amd64 Release ${{ github.event.inputs.repo }} ${{ github.event.inputs.ref }}
+          ./compile_macosx.sh amd64 Release ${{ github.event.inputs.repo }} ${{ github.event.inputs.ref }} ${{ secrets.APPLE_BUILD_CERTIFICATE_NAME }}
+      - name: Clean up keychain
+        if: ${{ always() }}
+        run: |
+          security delete-keychain $RUNNER_TEMP/app-signing.keychain-db
       -
         name: Export artifacts
         uses: actions/upload-artifact@v2

compile_macosx.sh

@@ -2,16 +2,18 @@
 
 if [ $# -lt 2 ] || [ $# -eq 3 ]
   then
-    echo "Usage: ./compile_macosx.sh <architecture> <buildType> [<gitrepo> <gitref>]"
+    echo "Usage: ./compile_macosx.sh <architecture> <buildType> [<gitrepo> <gitref>] [<certname>]"
     echo ""
     echo "architecture: the target architecture to build for. Architectures are either amd64 or arm64."
     echo "buildType: either Release or Debug"
     echo "gitrepo: git repository url to clone"
     echo "gitref: the git commit id to pull"
+    echo "certname: the apple signing certificate name. Something like \"Developer ID Application: xxx\""
     exit 1
 fi
 
 cd "$( dirname "$0" )"
+WORK_DIR=$(pwd)
 
 TARGETARCH=$1
 BUILD_TYPE=$2
@@ -60,9 +62,16 @@ ninja -j4
 cd ../tools
 chmod +x make_distrib.sh
 ./make_distrib.sh macosx64
+cd ..
+
+#Perform code signing
+cd binary_distrib/macosx64
+if [ $# -gt 4 ]
+  then
+    ./$WORK_DIR/macosx_codesign.sh $(pwd) $5
+fi
 
 #Pack binary_distrib
-cd ../binary_distrib/macosx64
 rm -rf ../../../out
 mkdir ../../../out
 tar -czvf ../../../out/binary_distrib.tar.gz *

entitlements/entitlements-browser.plist

@@ -0,0 +1,16 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
+<plist version="1.0">
+<dict>
+   <key>com.apple.security.device.audio-input</key>
+   <true/>
+   <key>com.apple.security.device.bluetooth</key>
+   <true/>
+   <key>com.apple.security.device.camera</key>
+   <true/>
+   <key>com.apple.security.device.print</key>
+   <true/>
+   <key>com.apple.security.device.usb</key>
+   <true/>
+</dict>
+</plist>

entitlements/entitlements-helper.plist

@@ -0,0 +1,12 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
+<plist version="1.0">
+<dict>
+   <key>com.apple.security.cs.allow-unsigned-executable-memory</key>
+   <true/>
+   <key>com.apple.security.cs.disable-library-validation</key>
+   <true/>
+   <key>com.apple.security.cs.allow-jit</key>
+   <true/>
+</dict>
+</plist>

macosx_codesign.sh

@@ -0,0 +1,41 @@
+#!/bin/bash
+
+if [ $# -lt 2 ]
+  then
+    echo "Usage: ./macosxcodesign.sh <path> <certname> [<bundleid> <appleid> <applepwd>]"
+    echo ""
+    echo "path: the target path"
+    echo "certname: the apple signing certificate name. Something like \"Developer ID Application: xxx\""
+    exit 1
+fi
+
+#Set workdir local (for plist files)
+cd "$( dirname "$0" )"
+APP_DIR=$1/bin
+APP_NAME=cef_app.app
+FRAMEWORKS_DIR=Contents/Frameworks
+FRAMEWORK_NAME=Chromium Embedded Framework.framework
+ENTITLEMENTS_HELPER=entitlements/entitlements-helper.plist
+ENTITLEMENTS_BROWSER=entitlements/entitlements-browser.plist
+
+chmod -R 777 $APP_DIR/$APP_NAME
+
+#Sign helpers
+echo "Signing helpers..."
+codesign --force --options runtime --entitlements "$ENTITLEMENTS_HELPER" --sign "$2" --timestamp --verbose "$APP_DIR/$APP_NAME/$FRAMEWORKS_DIR/jcef Helper.app"
+codesign --force --options runtime --entitlements "$ENTITLEMENTS_HELPER" --sign "$2" --timestamp --verbose "$APP_DIR/$APP_NAME/$FRAMEWORKS_DIR/jcef Helper (GPU).app"
+codesign --force --options runtime --entitlements "$ENTITLEMENTS_HELPER" --sign "$2" --timestamp --verbose "$APP_DIR/$APP_NAME/$FRAMEWORKS_DIR/jcef Helper (Plugin).app"
+codesign --force --options runtime --entitlements "$ENTITLEMENTS_HELPER" --sign "$2" --timestamp --verbose "$APP_DIR/$APP_NAME/$FRAMEWORKS_DIR/jcef Helper (Renderer).app"
+
+#Sign libraries and framework
+echo "Signing libraries and framework..."
+codesign --force --options runtime --entitlements "$ENTITLEMENTS_BROWSER" --sign "$2" --timestamp --verbose "$APP_DIR/$APP_NAME/$FRAMEWORKS_DIR/$FRAMEWORK_NAME/Libraries/libEGL.dylib"
+codesign --force --options runtime --entitlements "$ENTITLEMENTS_BROWSER" --sign "$2" --timestamp --verbose "$APP_DIR/$APP_NAME/$FRAMEWORKS_DIR/$FRAMEWORK_NAME/Libraries/libGLESv2.dylib"
+codesign --force --options runtime --entitlements "$ENTITLEMENTS_BROWSER" --sign "$2" --timestamp --verbose "$APP_DIR/$APP_NAME/$FRAMEWORKS_DIR/$FRAMEWORK_NAME/Libraries/libswiftshader_libEGL.dylib"
+codesign --force --options runtime --entitlements "$ENTITLEMENTS_BROWSER" --sign "$2" --timestamp --verbose "$APP_DIR/$APP_NAME/$FRAMEWORKS_DIR/$FRAMEWORK_NAME/Libraries/libswiftshader_libGLESv2.dylib"
+codesign --force --options runtime --entitlements "$ENTITLEMENTS_BROWSER" --sign "$2" --timestamp --verbose "$APP_DIR/$APP_NAME/$FRAMEWORKS_DIR/$FRAMEWORK_NAME/Libraries/libvk_swiftshader.dylib"
+codesign --force --options runtime --entitlements "$ENTITLEMENTS_BROWSER" --sign "$2" --timestamp --verbose "$APP_DIR/$APP_NAME/$FRAMEWORKS_DIR/$FRAMEWORK_NAME"
+codesign --force --options runtime --entitlements "$ENTITLEMENTS_BROWSER" --sign "$2" --timestamp --verbose "$APP_DIR/$APP_NAME/Contents/Java/libjcef.dylib"
+codesign --force --options runtime --entitlements "$ENTITLEMENTS_BROWSER" --sign "$2" --timestamp --verbose "$APP_DIR/$APP_NAME"
+
+echo "Done signing binaries"