xinyin025/jcefbuild
1
0
Fork 0
mirror of https://github.com/jcefmaven/jcefbuild.git synced 2025-09-17 21:06:38 +08:00
Code Issues Actions Packages Projects Releases Wiki Activity

Initial attempt for Apple code signing

Browse Source
This commit is contained in:
FriwiDev 2022-02-18 13:49:30 +01:00
parent 2a714372ab
commit d9e5fe14ea
5 changed files with 106 additions and 3 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

27
.github/workflows/build-macosx-amd64.yml vendored
View File

@ -22,11 +22,36 @@ jobs:
run: | run: |
chmod +x scripts/install_macos_dependencies.sh chmod +x scripts/install_macos_dependencies.sh
./scripts/install_macos_dependencies.sh ./scripts/install_macos_dependencies.sh
- name: Install Apple certificate
env:
BUILD_CERTIFICATE_BASE64: ${{ secrets.APPLE_BUILD_CERTIFICATE_BASE64 }}
P12_PASSWORD: ${{ secrets.APPLE_P12_PASSWORD }}
KEYCHAIN_PASSWORD: ${{ secrets.APPLE_KEYCHAIN_PASSWORD }}
run: |
# create variables
CERTIFICATE_PATH=$RUNNER_TEMP/build_certificate.p12
KEYCHAIN_PATH=$RUNNER_TEMP/app-signing.keychain-db
# import certificate from secrets
echo -n "$BUILD_CERTIFICATE_BASE64" | base64 --decode --output $CERTIFICATE_PATH
# create temporary keychain
security create-keychain -p "$KEYCHAIN_PASSWORD" $KEYCHAIN_PATH
security set-keychain-settings -lut 21600 $KEYCHAIN_PATH
security unlock-keychain -p "$KEYCHAIN_PASSWORD" $KEYCHAIN_PATH
# import certificate to keychain
security import $CERTIFICATE_PATH -P "$P12_PASSWORD" -A -t cert -f pkcs12 -k $KEYCHAIN_PATH
security list-keychain -d user -s $KEYCHAIN_PATH
- -
name: Build name: Build
run: | run: |
chmod +x compile_macosx.sh chmod +x compile_macosx.sh
./compile_macosx.sh amd64 Release ${{ github.event.inputs.repo }} ${{ github.event.inputs.ref }} ./compile_macosx.sh amd64 Release ${{ github.event.inputs.repo }} ${{ github.event.inputs.ref }} ${{ secrets.APPLE_BUILD_CERTIFICATE_NAME }}
- name: Clean up keychain
if: ${{ always() }}
run: |
security delete-keychain $RUNNER_TEMP/app-signing.keychain-db
- -
name: Export artifacts name: Export artifacts
uses: actions/upload-artifact@v2 uses: actions/upload-artifact@v2

13
compile_macosx.sh
View File

@ -2,16 +2,18 @@
if [ $# -lt 2 ] || [ $# -eq 3 ] if [ $# -lt 2 ] || [ $# -eq 3 ]
then then
echo "Usage: ./compile_macosx.sh <architecture> <buildType> [<gitrepo> <gitref>]" echo "Usage: ./compile_macosx.sh <architecture> <buildType> [<gitrepo> <gitref>] [<certname>]"
echo "" echo ""
echo "architecture: the target architecture to build for. Architectures are either amd64 or arm64." echo "architecture: the target architecture to build for. Architectures are either amd64 or arm64."
echo "buildType: either Release or Debug" echo "buildType: either Release or Debug"
echo "gitrepo: git repository url to clone" echo "gitrepo: git repository url to clone"
echo "gitref: the git commit id to pull" echo "gitref: the git commit id to pull"
echo "certname: the apple signing certificate name. Something like \"Developer ID Application: xxx\""
exit 1 exit 1
fi fi
cd "$( dirname "$0" )" cd "$( dirname "$0" )"
WORK_DIR=$(pwd)
TARGETARCH=$1 TARGETARCH=$1
BUILD_TYPE=$2 BUILD_TYPE=$2
@ -60,9 +62,16 @@ ninja -j4
cd ../tools cd ../tools
chmod +x make_distrib.sh chmod +x make_distrib.sh
./make_distrib.sh macosx64 ./make_distrib.sh macosx64
cd ..
#Perform code signing
cd binary_distrib/macosx64
if [ $# -gt 4 ]
then
./$WORK_DIR/macosx_codesign.sh $(pwd) $5
fi
#Pack binary_distrib #Pack binary_distrib
cd ../binary_distrib/macosx64
rm -rf ../../../out rm -rf ../../../out
mkdir ../../../out mkdir ../../../out
tar -czvf ../../../out/binary_distrib.tar.gz * tar -czvf ../../../out/binary_distrib.tar.gz *

16
entitlements/entitlements-browser.plist Executable file
View File

@ -0,0 +1,16 @@
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
<key>com.apple.security.device.audio-input</key>
<true/>
<key>com.apple.security.device.bluetooth</key>
<true/>
<key>com.apple.security.device.camera</key>
<true/>
<key>com.apple.security.device.print</key>
<true/>
<key>com.apple.security.device.usb</key>
<true/>
</dict>
</plist>

12
entitlements/entitlements-helper.plist Executable file
View File

@ -0,0 +1,12 @@
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
<key>com.apple.security.cs.allow-unsigned-executable-memory</key>
<true/>
<key>com.apple.security.cs.disable-library-validation</key>
<true/>
<key>com.apple.security.cs.allow-jit</key>
<true/>
</dict>
</plist>

41
macosx_codesign.sh Executable file
View File

@ -0,0 +1,41 @@
#!/bin/bash
if [ $# -lt 2 ]
then
echo "Usage: ./macosxcodesign.sh <path> <certname> [<bundleid> <appleid> <applepwd>]"
echo ""
echo "path: the target path"
echo "certname: the apple signing certificate name. Something like \"Developer ID Application: xxx\""
exit 1
fi
#Set workdir local (for plist files)
cd "$( dirname "$0" )"
APP_DIR=$1/bin
APP_NAME=cef_app.app
FRAMEWORKS_DIR=Contents/Frameworks
FRAMEWORK_NAME=Chromium Embedded Framework.framework
ENTITLEMENTS_HELPER=entitlements/entitlements-helper.plist
ENTITLEMENTS_BROWSER=entitlements/entitlements-browser.plist
chmod -R 777 $APP_DIR/$APP_NAME
#Sign helpers
echo "Signing helpers..."
codesign --force --options runtime --entitlements "$ENTITLEMENTS_HELPER" --sign "$2" --timestamp --verbose "$APP_DIR/$APP_NAME/$FRAMEWORKS_DIR/jcef Helper.app"
codesign --force --options runtime --entitlements "$ENTITLEMENTS_HELPER" --sign "$2" --timestamp --verbose "$APP_DIR/$APP_NAME/$FRAMEWORKS_DIR/jcef Helper (GPU).app"
codesign --force --options runtime --entitlements "$ENTITLEMENTS_HELPER" --sign "$2" --timestamp --verbose "$APP_DIR/$APP_NAME/$FRAMEWORKS_DIR/jcef Helper (Plugin).app"
codesign --force --options runtime --entitlements "$ENTITLEMENTS_HELPER" --sign "$2" --timestamp --verbose "$APP_DIR/$APP_NAME/$FRAMEWORKS_DIR/jcef Helper (Renderer).app"
#Sign libraries and framework
echo "Signing libraries and framework..."
codesign --force --options runtime --entitlements "$ENTITLEMENTS_BROWSER" --sign "$2" --timestamp --verbose "$APP_DIR/$APP_NAME/$FRAMEWORKS_DIR/$FRAMEWORK_NAME/Libraries/libEGL.dylib"
codesign --force --options runtime --entitlements "$ENTITLEMENTS_BROWSER" --sign "$2" --timestamp --verbose "$APP_DIR/$APP_NAME/$FRAMEWORKS_DIR/$FRAMEWORK_NAME/Libraries/libGLESv2.dylib"
codesign --force --options runtime --entitlements "$ENTITLEMENTS_BROWSER" --sign "$2" --timestamp --verbose "$APP_DIR/$APP_NAME/$FRAMEWORKS_DIR/$FRAMEWORK_NAME/Libraries/libswiftshader_libEGL.dylib"
codesign --force --options runtime --entitlements "$ENTITLEMENTS_BROWSER" --sign "$2" --timestamp --verbose "$APP_DIR/$APP_NAME/$FRAMEWORKS_DIR/$FRAMEWORK_NAME/Libraries/libswiftshader_libGLESv2.dylib"
codesign --force --options runtime --entitlements "$ENTITLEMENTS_BROWSER" --sign "$2" --timestamp --verbose "$APP_DIR/$APP_NAME/$FRAMEWORKS_DIR/$FRAMEWORK_NAME/Libraries/libvk_swiftshader.dylib"
codesign --force --options runtime --entitlements "$ENTITLEMENTS_BROWSER" --sign "$2" --timestamp --verbose "$APP_DIR/$APP_NAME/$FRAMEWORKS_DIR/$FRAMEWORK_NAME"
codesign --force --options runtime --entitlements "$ENTITLEMENTS_BROWSER" --sign "$2" --timestamp --verbose "$APP_DIR/$APP_NAME/Contents/Java/libjcef.dylib"
codesign --force --options runtime --entitlements "$ENTITLEMENTS_BROWSER" --sign "$2" --timestamp --verbose "$APP_DIR/$APP_NAME"
echo "Done signing binaries"