Fix entitlement location

.github/workflows/build-all.yml

@@ -242,11 +242,43 @@ jobs:
         run: |
           chmod +x scripts/install_macos_dependencies.sh
           ./scripts/install_macos_dependencies.sh
+      - name: Install Apple certificate
+        env:
+          BUILD_CERTIFICATE_BASE64: ${{ secrets.APPLE_BUILD_CERTIFICATE_BASE64 }}
+          P12_PASSWORD: ${{ secrets.APPLE_P12_PASSWORD }}
+          KEYCHAIN_PASSWORD: ${{ secrets.APPLE_KEYCHAIN_PASSWORD }}
+          APPLE_API_KEY_BASE64: ${{ secrets.APPLE_API_KEY_BASE64 }}
+          APPLE_API_KEY_NAME: ${{ secrets.APPLE_API_KEY_NAME }}
+        run: |
+          # create variables
+          CERTIFICATE_PATH=$RUNNER_TEMP/build_certificate.p12
+          KEYCHAIN_PATH=$RUNNER_TEMP/app-signing.keychain-db
+
+          # import certificate from secrets
+          echo -n "$BUILD_CERTIFICATE_BASE64" | base64 --decode --output $CERTIFICATE_PATH
+
+          # create temporary keychain
+          security create-keychain -p "$KEYCHAIN_PASSWORD" $KEYCHAIN_PATH
+          security set-keychain-settings -lut 21600 $KEYCHAIN_PATH
+          security unlock-keychain -p "$KEYCHAIN_PASSWORD" $KEYCHAIN_PATH
+
+          # import certificate to keychain
+          security import $CERTIFICATE_PATH -P "$P12_PASSWORD" -A -t cert -f pkcs12 -k $KEYCHAIN_PATH -T /usr/bin/codesign
+          security list-keychain -d user -s $KEYCHAIN_PATH
+          
+          # import api key from secrets
+          mkdir "${HOME}/private_keys"
+          echo -n "$APPLE_API_KEY_BASE64" | base64 --decode --output "${HOME}/private_keys/AuthKey_$APPLE_API_KEY_NAME.p8"
       -
         name: Build
         run: |
           chmod +x compile_macosx.sh
-          ./compile_macosx.sh amd64 Release ${{ github.event.inputs.repo }} ${{ github.event.inputs.ref }}
+          ./compile_macosx.sh amd64 Release ${{ github.event.inputs.repo }} ${{ github.event.inputs.ref }} "${{ secrets.APPLE_BUILD_CERTIFICATE_NAME }}" ${{ secrets.APPLE_TEAM_NAME }} ${{ secrets.APPLE_API_KEY_NAME }} ${{ secrets.APPLE_API_KEY_ISSUER }}
+      - name: Clean up keychain
+        if: ${{ always() }}
+        run: |
+          security delete-keychain $RUNNER_TEMP/app-signing.keychain-db
+          rm -rf "${HOME}/private_keys"
       - name: Export distribution
         uses: actions/upload-release-asset@v1
         env:
@@ -277,11 +309,43 @@ jobs:
         run: |
           chmod +x scripts/install_macos_dependencies.sh
           ./scripts/install_macos_dependencies.sh
+      - name: Install Apple certificate
+        env:
+          BUILD_CERTIFICATE_BASE64: ${{ secrets.APPLE_BUILD_CERTIFICATE_BASE64 }}
+          P12_PASSWORD: ${{ secrets.APPLE_P12_PASSWORD }}
+          KEYCHAIN_PASSWORD: ${{ secrets.APPLE_KEYCHAIN_PASSWORD }}
+          APPLE_API_KEY_BASE64: ${{ secrets.APPLE_API_KEY_BASE64 }}
+          APPLE_API_KEY_NAME: ${{ secrets.APPLE_API_KEY_NAME }}
+        run: |
+          # create variables
+          CERTIFICATE_PATH=$RUNNER_TEMP/build_certificate.p12
+          KEYCHAIN_PATH=$RUNNER_TEMP/app-signing.keychain-db
+
+          # import certificate from secrets
+          echo -n "$BUILD_CERTIFICATE_BASE64" | base64 --decode --output $CERTIFICATE_PATH
+
+          # create temporary keychain
+          security create-keychain -p "$KEYCHAIN_PASSWORD" $KEYCHAIN_PATH
+          security set-keychain-settings -lut 21600 $KEYCHAIN_PATH
+          security unlock-keychain -p "$KEYCHAIN_PASSWORD" $KEYCHAIN_PATH
+
+          # import certificate to keychain
+          security import $CERTIFICATE_PATH -P "$P12_PASSWORD" -A -t cert -f pkcs12 -k $KEYCHAIN_PATH -T /usr/bin/codesign
+          security list-keychain -d user -s $KEYCHAIN_PATH
+          
+          # import api key from secrets
+          mkdir "${HOME}/private_keys"
+          echo -n "$APPLE_API_KEY_BASE64" | base64 --decode --output "${HOME}/private_keys/AuthKey_$APPLE_API_KEY_NAME.p8"
       -
         name: Build
         run: |
           chmod +x compile_macosx.sh
-          ./compile_macosx.sh arm64 Release ${{ github.event.inputs.repo }} ${{ github.event.inputs.ref }}
+          ./compile_macosx.sh arm64 Release ${{ github.event.inputs.repo }} ${{ github.event.inputs.ref }} "${{ secrets.APPLE_BUILD_CERTIFICATE_NAME }}" ${{ secrets.APPLE_TEAM_NAME }} ${{ secrets.APPLE_API_KEY_NAME }} ${{ secrets.APPLE_API_KEY_ISSUER }}
+      - name: Clean up keychain
+        if: ${{ always() }}
+        run: |
+          security delete-keychain $RUNNER_TEMP/app-signing.keychain-db
+          rm -rf "${HOME}/private_keys"
       - name: Export distribution
         uses: actions/upload-release-asset@v1
         env:

.github/workflows/build-macosx-amd64.yml

@@ -22,11 +22,43 @@ jobs:
         run: |
           chmod +x scripts/install_macos_dependencies.sh
           ./scripts/install_macos_dependencies.sh
+      - name: Install Apple certificate
+        env:
+          BUILD_CERTIFICATE_BASE64: ${{ secrets.APPLE_BUILD_CERTIFICATE_BASE64 }}
+          P12_PASSWORD: ${{ secrets.APPLE_P12_PASSWORD }}
+          KEYCHAIN_PASSWORD: ${{ secrets.APPLE_KEYCHAIN_PASSWORD }}
+          APPLE_API_KEY_BASE64: ${{ secrets.APPLE_API_KEY_BASE64 }}
+          APPLE_API_KEY_NAME: ${{ secrets.APPLE_API_KEY_NAME }}
+        run: |
+          # create variables
+          CERTIFICATE_PATH=$RUNNER_TEMP/build_certificate.p12
+          KEYCHAIN_PATH=$RUNNER_TEMP/app-signing.keychain-db
+
+          # import certificate from secrets
+          echo -n "$BUILD_CERTIFICATE_BASE64" | base64 --decode --output $CERTIFICATE_PATH
+
+          # create temporary keychain
+          security create-keychain -p "$KEYCHAIN_PASSWORD" $KEYCHAIN_PATH
+          security set-keychain-settings -lut 21600 $KEYCHAIN_PATH
+          security unlock-keychain -p "$KEYCHAIN_PASSWORD" $KEYCHAIN_PATH
+
+          # import certificate to keychain
+          security import $CERTIFICATE_PATH -P "$P12_PASSWORD" -A -t cert -f pkcs12 -k $KEYCHAIN_PATH -T /usr/bin/codesign
+          security list-keychain -d user -s $KEYCHAIN_PATH
+          
+          # import api key from secrets
+          mkdir "${HOME}/private_keys"
+          echo -n "$APPLE_API_KEY_BASE64" | base64 --decode --output "${HOME}/private_keys/AuthKey_$APPLE_API_KEY_NAME.p8"
       -
         name: Build
         run: |
           chmod +x compile_macosx.sh
-          ./compile_macosx.sh amd64 Release ${{ github.event.inputs.repo }} ${{ github.event.inputs.ref }}
+          ./compile_macosx.sh amd64 Release ${{ github.event.inputs.repo }} ${{ github.event.inputs.ref }} "${{ secrets.APPLE_BUILD_CERTIFICATE_NAME }}" ${{ secrets.APPLE_TEAM_NAME }} ${{ secrets.APPLE_API_KEY_NAME }} ${{ secrets.APPLE_API_KEY_ISSUER }}
+      - name: Clean up keychain
+        if: ${{ always() }}
+        run: |
+          security delete-keychain $RUNNER_TEMP/app-signing.keychain-db
+          rm -rf "${HOME}/private_keys"
       -
         name: Export artifacts
         uses: actions/upload-artifact@v2

.github/workflows/build-macosx-arm64.yml

@@ -22,11 +22,43 @@ jobs:
         run: |
           chmod +x scripts/install_macos_dependencies.sh
           ./scripts/install_macos_dependencies.sh
+      - name: Install Apple certificate
+        env:
+          BUILD_CERTIFICATE_BASE64: ${{ secrets.APPLE_BUILD_CERTIFICATE_BASE64 }}
+          P12_PASSWORD: ${{ secrets.APPLE_P12_PASSWORD }}
+          KEYCHAIN_PASSWORD: ${{ secrets.APPLE_KEYCHAIN_PASSWORD }}
+          APPLE_API_KEY_BASE64: ${{ secrets.APPLE_API_KEY_BASE64 }}
+          APPLE_API_KEY_NAME: ${{ secrets.APPLE_API_KEY_NAME }}
+        run: |
+          # create variables
+          CERTIFICATE_PATH=$RUNNER_TEMP/build_certificate.p12
+          KEYCHAIN_PATH=$RUNNER_TEMP/app-signing.keychain-db
+
+          # import certificate from secrets
+          echo -n "$BUILD_CERTIFICATE_BASE64" | base64 --decode --output $CERTIFICATE_PATH
+
+          # create temporary keychain
+          security create-keychain -p "$KEYCHAIN_PASSWORD" $KEYCHAIN_PATH
+          security set-keychain-settings -lut 21600 $KEYCHAIN_PATH
+          security unlock-keychain -p "$KEYCHAIN_PASSWORD" $KEYCHAIN_PATH
+
+          # import certificate to keychain
+          security import $CERTIFICATE_PATH -P "$P12_PASSWORD" -A -t cert -f pkcs12 -k $KEYCHAIN_PATH -T /usr/bin/codesign
+          security list-keychain -d user -s $KEYCHAIN_PATH
+          
+          # import api key from secrets
+          mkdir "${HOME}/private_keys"
+          echo -n "$APPLE_API_KEY_BASE64" | base64 --decode --output "${HOME}/private_keys/AuthKey_$APPLE_API_KEY_NAME.p8"
       -
         name: Build
         run: |
           chmod +x compile_macosx.sh
-          ./compile_macosx.sh arm64 Release ${{ github.event.inputs.repo }} ${{ github.event.inputs.ref }}
+          ./compile_macosx.sh arm64 Release ${{ github.event.inputs.repo }} ${{ github.event.inputs.ref }} "${{ secrets.APPLE_BUILD_CERTIFICATE_NAME }}" ${{ secrets.APPLE_TEAM_NAME }} ${{ secrets.APPLE_API_KEY_NAME }} ${{ secrets.APPLE_API_KEY_ISSUER }}
+      - name: Clean up keychain
+        if: ${{ always() }}
+        run: |
+          security delete-keychain $RUNNER_TEMP/app-signing.keychain-db
+          rm -rf "${HOME}/private_keys"
       -
         name: Export artifacts
         uses: actions/upload-artifact@v2

.gitignore

@@ -1,3 +1,4 @@
+jcef
 out
 release_gen/*.txt
 release_gen/*.md

DockerfileLinux

@@ -1,5 +1,7 @@
 FROM friwidev/jcefdocker:linux-latest AS stage
 
+LABEL jcefbuild=true
+
 #Declare build type argument (Release or Debug)
 ARG BUILD_TYPE
 
@@ -30,5 +32,7 @@ RUN ./run_linux.sh
 #Export built files
 FROM scratch AS export-stage
 COPY --from=stage /jcef/binary_distrib.tar.gz .
-
-
+COPY --from=stage /jcef/target target
+COPY --from=stage /jcef/third_party third_party
+COPY --from=stage /jcef/buildtools buildtools
+COPY --from=stage /jcef/jcef_build jcef_build

DockerfileLinuxARMPrebuild

@@ -3,6 +3,8 @@
 
 FROM friwidev/jcefdocker:linux-latest AS stage
 
+LABEL jcefbuild=true
+
 #Declare build type argument (Release or Debug)
 ARG BUILD_TYPE
 

compile_linux.sh

@@ -19,20 +19,60 @@ mkdir out
 mkdir out/linux32
 touch out/linux32/prebuilt.txt
 
+#Remove binary distribution if there was one built before (saves transfer of it to docker context)
+rm -rf jcef/binary_distrib
+
+#Cache build image to not download it again each time (speedup for local builds)
+docker pull friwidev/jcefdocker:linux-latest
+
 #Execute buildx with linux dockerfile and output to current directory
 if [ $# -eq 2 ]
   then
     if [ $1 == "arm/v6" ]
       then
         rm -rf out/linux32
-        docker buildx build --platform=linux/386 --build-arg TARGETARCH=386 --build-arg BUILD_TYPE=$2 --build-arg REPO=https://bitbucket.org/chromiumembedded/java-cef.git --build-arg REF=master --file DockerfileLinuxARMPrebuild --output out .
+        docker buildx build --no-cache --progress=plain --platform=linux/386 --build-arg TARGETARCH=386 --build-arg BUILD_TYPE=$2 --build-arg REPO=https://bitbucket.org/chromiumembedded/java-cef.git --build-arg REF=master --file DockerfileLinuxARMPrebuild --output out .
     fi
-    docker buildx build --platform=linux/$1 --build-arg TARGETARCH=$1 --build-arg BUILD_TYPE=$2 --build-arg REPO=https://bitbucket.org/chromiumembedded/java-cef.git --build-arg REF=master --file DockerfileLinux --output out .
+    docker buildx build --no-cache --progress=plain --platform=linux/$1 --build-arg TARGETARCH=$1 --build-arg BUILD_TYPE=$2 --build-arg REPO=https://bitbucket.org/chromiumembedded/java-cef.git --build-arg REF=master --file DockerfileLinux --output out .
 else
     if [ $1 == "arm/v6" ]
       then
         rm -rf out/linux32
-        docker buildx build --platform=linux/386 --build-arg TARGETARCH=386 --build-arg BUILD_TYPE=$2 --build-arg REPO=$3 --build-arg REF=$4 --file DockerfileLinuxARMPrebuild --output out .
+        docker buildx build --no-cache --progress=plain --platform=linux/386 --build-arg TARGETARCH=386 --build-arg BUILD_TYPE=$2 --build-arg REPO=$3 --build-arg REF=$4 --file DockerfileLinuxARMPrebuild --output out .
     fi
-    docker buildx build --platform=linux/$1 --build-arg TARGETARCH=$1 --build-arg BUILD_TYPE=$2 --build-arg REPO=$3 --build-arg REF=$4 --file DockerfileLinux --output out .
+    docker buildx build --no-cache --progress=plain --platform=linux/$1 --build-arg TARGETARCH=$1 --build-arg BUILD_TYPE=$2 --build-arg REPO=$3 --build-arg REF=$4 --file DockerfileLinux --output out .
 fi
+docker builder prune -f --filter "label=jcefbuild=true"
+
+#Cleanup output dir
+rm -rf out/linux32
+rm -f out/third_party/cef/*.bz2 out/third_party/cef/*.sha1
+
+# Check if the cef download was performed. If so, move third_party dir to jcef dir
+export downloaded=0
+for f in out/third_party/cef/cef_binary_*; do
+    test -d "$f" || continue
+    #We found a matching dir
+    export downloaded=1
+    break
+done
+if [ "$downloaded" -eq "1" ]; then
+    rm -rf jcef/third_party
+    mv out/third_party jcef
+else
+    rm -rf out/third_party
+fi
+
+# Check if the clang download was performed. If so, move it to jcef dir
+if [ -f "out/buildtools/clang-format" ]; then
+    rm -rf jcef/tools/buildtools/linux64
+    mv out/buildtools jcef/tools/buildtools/linux64
+fi
+
+#Move jcef_build
+rm -rf jcef/jcef_build
+mv out/jcef_build jcef/jcef_build
+
+#Move target to binary_distrib
+rm -rf jcef/binary_distrib
+mv out/target jcef/binary_distrib

compile_macosx.sh

@@ -2,16 +2,21 @@
 
 if [ $# -lt 2 ] || [ $# -eq 3 ]
   then
-    echo "Usage: ./compile_macosx.sh <architecture> <buildType> [<gitrepo> <gitref>]"
+    echo "Usage: ./compile_macosx.sh <architecture> <buildType> [<gitrepo> <gitref>] [<certname> <teamname> <applekeyid> <applekeyissuer>]"
     echo ""
     echo "architecture: the target architecture to build for. Architectures are either amd64 or arm64."
     echo "buildType: either Release or Debug"
     echo "gitrepo: git repository url to clone"
     echo "gitref: the git commit id to pull"
+    echo "certname: the apple signing certificate name. Something like \"Developer ID Application: xxx (yyy)\""
+    echo "teamname: the apple team name. 10-digit id yyy from the cert name."
+    echo "applekeyid: your apple api key id"
+    echo "applekeyissuer: uuid of your apple api key issuer"
     exit 1
 fi
 
 cd "$( dirname "$0" )"
+WORK_DIR=$(pwd)
 
 TARGETARCH=$1
 BUILD_TYPE=$2
@@ -42,7 +47,10 @@ fi
 # Create and enter the `jcef_build` directory.
 # The `jcef_build` directory name is required by other JCEF tooling
 # and should not be changed.
-mkdir jcef_build && cd jcef_build
+if [ ! -d "jcef_build" ]; then
+    mkdir jcef_build
+fi
+cd jcef_build
 
 # MacOS: Generate amd64/arm64 Makefiles.
 if [ ${TARGETARCH} == 'amd64' ]; then
@@ -57,9 +65,17 @@ ninja -j4
 cd ../tools
 chmod +x make_distrib.sh
 ./make_distrib.sh macosx64
+cd ..
+
+#Perform code signing
+cd binary_distrib/macosx64
+if [ $# -gt 4 ]
+  then
+    chmod +x $WORK_DIR/macosx_codesign.sh
+    bash $WORK_DIR/macosx_codesign.sh $(pwd) "$5" $6 $7 $8
+fi
 
 #Pack binary_distrib
-cd ../binary_distrib/macosx64
 rm -rf ../../../out
 mkdir ../../../out
 tar -czvf ../../../out/binary_distrib.tar.gz *

entitlements/entitlements-browser.plist

@@ -0,0 +1,16 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
+<plist version="1.0">
+<dict>
+   <key>com.apple.security.device.audio-input</key>
+   <true/>
+   <key>com.apple.security.device.bluetooth</key>
+   <true/>
+   <key>com.apple.security.device.camera</key>
+   <true/>
+   <key>com.apple.security.device.print</key>
+   <true/>
+   <key>com.apple.security.device.usb</key>
+   <true/>
+</dict>
+</plist>

entitlements/entitlements-helper.plist

@@ -0,0 +1,12 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
+<plist version="1.0">
+<dict>
+   <key>com.apple.security.cs.allow-unsigned-executable-memory</key>
+   <true/>
+   <key>com.apple.security.cs.disable-library-validation</key>
+   <true/>
+   <key>com.apple.security.cs.allow-jit</key>
+   <true/>
+</dict>
+</plist>

macosx_codesign.sh

@@ -0,0 +1,58 @@
+#!/bin/bash
+
+if [ $# -lt 5 ]
+  then
+    echo "Usage: ./macosx_codesign.sh <path> <certname> <teamname> <applekeyid> <applekeyissuer>"
+    echo ""
+    echo "path: the absolute(!) target path"
+    echo "certname: the apple signing certificate name. Something like \"Developer ID Application: xxx (yyy)\""
+    echo "teamname: the apple team name. 10-digit id yyy from the cert name."
+    echo "applekeyid: your apple api key id"
+    echo "applekeyissuer: uuid of your apple api key issuer"
+    exit 1
+fi
+
+#Set workdir local (for plist files)
+cd "$( dirname "$0" )"
+APP_DIR=$1/bin
+APP_NAME=jcef_app.app
+FRAMEWORKS_DIR=Contents/Frameworks
+FRAMEWORK_NAME=Chromium\ Embedded\ Framework.framework
+ENTITLEMENTS_HELPER=entitlements/entitlements-helper.plist
+ENTITLEMENTS_BROWSER=entitlements/entitlements-browser.plist
+
+chmod -R 777 $APP_DIR/$APP_NAME
+chmod +x macosx_notarize.sh
+chmod +x macosx_codesign_zip.sh
+
+#Sign helpers
+echo "Signing helpers..."
+codesign --force --options runtime --entitlements "$ENTITLEMENTS_HELPER" --sign "$2" --timestamp --verbose "$APP_DIR/$APP_NAME/$FRAMEWORKS_DIR/jcef Helper.app"
+bash macosx_notarize.sh "$APP_DIR/$APP_NAME/$FRAMEWORKS_DIR/jcef Helper.app" "$2" $3 org.jcef.jcef.helper $4 $5
+codesign --force --options runtime --entitlements "$ENTITLEMENTS_HELPER" --sign "$2" --timestamp --verbose "$APP_DIR/$APP_NAME/$FRAMEWORKS_DIR/jcef Helper (GPU).app"
+bash macosx_notarize.sh "$APP_DIR/$APP_NAME/$FRAMEWORKS_DIR/jcef Helper (GPU).app" "$2" $3 org.jcef.jcef.helper.gpu $4 $5
+codesign --force --options runtime --entitlements "$ENTITLEMENTS_HELPER" --sign "$2" --timestamp --verbose "$APP_DIR/$APP_NAME/$FRAMEWORKS_DIR/jcef Helper (Plugin).app"
+bash macosx_notarize.sh "$APP_DIR/$APP_NAME/$FRAMEWORKS_DIR/jcef Helper (Plugin).app" "$2" $3 org.jcef.jcef.helper.plugin $4 $5
+codesign --force --options runtime --entitlements "$ENTITLEMENTS_HELPER" --sign "$2" --timestamp --verbose "$APP_DIR/$APP_NAME/$FRAMEWORKS_DIR/jcef Helper (Renderer).app"
+bash macosx_notarize.sh "$APP_DIR/$APP_NAME/$FRAMEWORKS_DIR/jcef Helper (Renderer).app" "$2" $3 org.jcef.jcef.helper.renderer $4 $5
+
+#Sign libraries and framework
+echo "Signing libraries and framework..."
+codesign --force --options runtime --entitlements "$ENTITLEMENTS_BROWSER" --sign "$2" --timestamp --verbose "$APP_DIR/$APP_NAME/$FRAMEWORKS_DIR/$FRAMEWORK_NAME/Libraries/libEGL.dylib"
+codesign --force --options runtime --entitlements "$ENTITLEMENTS_BROWSER" --sign "$2" --timestamp --verbose "$APP_DIR/$APP_NAME/$FRAMEWORKS_DIR/$FRAMEWORK_NAME/Libraries/libGLESv2.dylib"
+codesign --force --options runtime --entitlements "$ENTITLEMENTS_BROWSER" --sign "$2" --timestamp --verbose "$APP_DIR/$APP_NAME/$FRAMEWORKS_DIR/$FRAMEWORK_NAME/Libraries/libswiftshader_libEGL.dylib"
+codesign --force --options runtime --entitlements "$ENTITLEMENTS_BROWSER" --sign "$2" --timestamp --verbose "$APP_DIR/$APP_NAME/$FRAMEWORKS_DIR/$FRAMEWORK_NAME/Libraries/libswiftshader_libGLESv2.dylib"
+codesign --force --options runtime --entitlements "$ENTITLEMENTS_BROWSER" --sign "$2" --timestamp --verbose "$APP_DIR/$APP_NAME/$FRAMEWORKS_DIR/$FRAMEWORK_NAME/Libraries/libvk_swiftshader.dylib"
+codesign --force --options runtime --entitlements "$ENTITLEMENTS_BROWSER" --sign "$2" --timestamp --verbose "$APP_DIR/$APP_NAME/$FRAMEWORKS_DIR/$FRAMEWORK_NAME"
+bash macosx_notarize.sh "$APP_DIR/$APP_NAME/$FRAMEWORKS_DIR/$FRAMEWORK_NAME" "$2" $3 org.cef.framework $4 $5
+codesign --force --options runtime --entitlements "$ENTITLEMENTS_BROWSER" --sign "$2" --timestamp --verbose "$APP_DIR/$APP_NAME/Contents/Java/libjcef.dylib"
+bash macosx_codesign_zip.sh "$APP_DIR/$APP_NAME/Contents/Java/gluegen-rt-natives-macosx-universal.jar" "natives/macosx-universal/libgluegen_rt.dylib" "$2"
+bash macosx_codesign_zip.sh "$APP_DIR/$APP_NAME/Contents/Java/jogl-all-natives-macosx-universal.jar" "natives/macosx-universal/libnativewindow_awt.dylib" "$2"
+bash macosx_codesign_zip.sh "$APP_DIR/$APP_NAME/Contents/Java/jogl-all-natives-macosx-universal.jar" "natives/macosx-universal/libnativewindow_macosx.dylib" "$2"
+bash macosx_codesign_zip.sh "$APP_DIR/$APP_NAME/Contents/Java/jogl-all-natives-macosx-universal.jar" "natives/macosx-universal/libjogl_mobile.dylib" "$2"
+bash macosx_codesign_zip.sh "$APP_DIR/$APP_NAME/Contents/Java/jogl-all-natives-macosx-universal.jar" "natives/macosx-universal/libnewt_head.dylib" "$2"
+bash macosx_codesign_zip.sh "$APP_DIR/$APP_NAME/Contents/Java/jogl-all-natives-macosx-universal.jar" "natives/macosx-universal/libjogl_desktop.dylib" "$2"
+codesign --force --options runtime --entitlements "$ENTITLEMENTS_BROWSER" --sign "$2" --timestamp --verbose "$APP_DIR/$APP_NAME"
+bash macosx_notarize.sh "$APP_DIR/$APP_NAME" "$2" $3 org.jcef.jcef $4 $5
+
+echo "Done signing binaries"

macosx_codesign_zip.sh

@@ -0,0 +1,23 @@
+#!/bin/bash
+
+if [ $# -lt 3 ]
+  then
+    echo "Usage: ./macosx_codesign_zip.sh <path> <zippath> <certname>"
+    echo ""
+    echo "path: the absolute(!) target path"
+    echo "zippath: the path inside the zip"
+    echo "certname: the apple signing certificate name. Something like \"Developer ID Application: xxx (yyy)\""
+    exit 1
+fi
+
+#Set workdir local
+cd "$( dirname "$0" )"
+ENTITLEMENTS_BROWSER=entitlements/entitlements-browser.plist
+
+mkdir tmp
+unzip "$1" "$2" -d tmp
+codesign --force --options runtime --entitlements "$ENTITLEMENTS_BROWSER" --sign "$3" --timestamp --verbose "tmp/$2"
+cd tmp
+zip --update "$1" "$2"
+cd ..
+rm -rf tmp

macosx_notarize.sh

@@ -0,0 +1,76 @@
+#!/bin/bash
+
+#Contents partly stolen from https://scriptingosx.com/2019/09/notarize-a-command-line-tool/
+#Will need updating for XCode 13+
+
+if [ $# -lt 6 ]
+  then
+    echo "Usage: ./macosx_notarize.sh <path> <certname> <teamname> <bundleid> <applekeyid> <applekeyissuer>"
+    echo ""
+    echo "path: the absolute(!) target path"
+    echo "certname: the apple signing certificate name. Something like \"Developer ID Application: xxx (yyy)\""
+    echo "teamname: the apple team name. 10-digit id yyy from the cert name."
+    echo "bundleid: the bundle id of the artifact"
+    echo "applekeyid: your apple api key id"
+    echo "applekeyissuer: uuid of your apple api key issuer"
+    exit 1
+fi
+
+echo "##########################################################"
+echo "Notarizing $1... This may take a while."
+
+APP_DIR="$( dirname "$1" )"
+APP_NAME="$( basename "$1" )"
+ZIP_PATH=$1.zip
+
+cd $APP_DIR
+echo "Creating zip"
+zip -r "$APP_NAME.zip" "$APP_NAME"
+
+echo "Uploading $ZIP_PATH for notarization"
+requestUUID=$(xcrun altool --notarize-app \
+                           --type macos \
+                           --primary-bundle-id "$4" \
+                           --apiKey "$5" \
+                           --apiIssuer "$6" \
+                           --file "$1.zip" 2>&1 \
+                  | awk '/RequestUUID/ { print $NF; }')
+#                          --asc-provider "$3" \
+
+echo "Notarization RequestUUID: $requestUUID"
+
+# clean up zip
+rm -f "$APP_NAME.zip"
+
+if [[ $requestUUID == "" ]]; then 
+        echo "Could not upload for notarization"
+        exit 1
+fi
+
+# wait for status to be not "in progress" any more
+request_status="in progress"
+while [[ "$request_status" == "in progress" ]]; do
+    echo -n "waiting... "
+    sleep 60
+    request_status=$(xcrun altool --notarization-info "$requestUUID" \
+                              --apiKey "$5" \
+                              --apiIssuer "$6" 2>&1 \
+                 | awk -F ': ' '/Status:/ { print $2; }' )
+    echo "$request_status"
+done
+
+# print status information
+xcrun altool --notarization-info "$requestUUID" \
+             --apiKey "$5" \
+             --apiIssuer "$6"
+echo
+
+if [[ $request_status != "success" ]]; then
+    echo "Could not notarize!"
+    exit 1
+fi
+
+# staple
+xcrun stapler staple "$1"
+
+echo "##########################################################"

scripts/run_linux.sh

@@ -26,7 +26,7 @@ if [ ! -f "/jcef/README.md" ]; then
 else
     echo "Found existing files to build"
     cd /jcef
-fi
+fi  
 
 #CMakeLists patching
 python3 /builder/patch_cmake.py CMakeLists.txt /builder/CMakeLists.txt.patch
@@ -34,7 +34,19 @@ python3 /builder/patch_cmake.py CMakeLists.txt /builder/CMakeLists.txt.patch
 # Create and enter the `jcef_build` directory.
 # The `jcef_build` directory name is required by other JCEF tooling
 # and should not be changed.
-mkdir jcef_build && cd jcef_build
+if [ ! -d "jcef_build" ]; then
+    mkdir jcef_build
+fi
+cd jcef_build
+
+# Check if the download was already performed. If so, we wont send it outside of the container at the end
+export already_downloaded=0
+for f in ../third_party/cef/cef_binary_*; do
+    test -d "$f" || continue
+    #We found a matching dir
+    export already_downloaded=1
+    break
+done
 
 # Linux: Generate 32/64-bit Unix Makefiles.
 cmake -G "Ninja" -DPROJECT_ARCH=${TARGETARCH} -DCMAKE_BUILD_TYPE=${BUILD_TYPE} ..
@@ -77,4 +89,16 @@ else
     #Replace natives on armv6
     if [ ${TARGETARCH} == 'arm/v6' ]; then (rm bin/gluegen-rt-natives* && rm bin/jogl-all-natives* && cp /natives/gluegen-rt-natives-linux-armv6hf.jar bin && cp /natives/jogl-all-natives-linux-armv6hf.jar bin) fi
 fi
+
+#Export binaries
 tar -czvf ../../binary_distrib.tar.gz *
+mkdir ../../target
+mv * ../../target
+
+#Do not export third_party if already exported (it is quite large)
+if [ "$already_downloaded" -eq "1" ]; then
+    rm -rf ../../third_party/*
+fi
+
+#Export clang
+mv ../../tools/buildtools/linux64 ../../buildtools

scripts/run_linux_prebuild.sh

@@ -28,7 +28,10 @@ fi
 # Create and enter the `jcef_build` directory.
 # The `jcef_build` directory name is required by other JCEF tooling
 # and should not be changed.
-mkdir jcef_build && cd jcef_build
+if [ ! -d "jcef_build" ]; then
+    mkdir jcef_build
+fi
+cd jcef_build
 
 #Compile JCEF java classes
 cd ../tools