author | Jan Holthuis <jan.holthuis@ruhr-uni-bochum.de> | 2020-12-29 01:38:28 +0100 |
---|---|---|
committer | GitHub <noreply@github.com> | 2020-12-29 01:38:28 +0100 |
commit | 0ab9386eb107ac8de3a52e3f58eb9b68eb4545d8 (patch) | |
tree | bb17be5a6eeb4e848da31677aa0637930f6ca8cd | |
parent | 2b0af622f3fe99829d9a639f33f7ec0b45a24f60 (diff) | |
parent | 0c688066ec7ae17842e8160350041ab05994d351 (diff) |
Merge pull request #3490 from mixxxdj/macos_notorize
notarize & staple macOS builds
-rw-r--r-- | .github/workflows/build.yml | 10 | ||||
-rwxr-xr-x | packaging/macos/sign_notarize_staple.sh | 52 |
2 files changed, 59 insertions, 3 deletions
diff --git a/.github/workflows/build.yml b/.github/workflows/build.yml index 568054d84a..6c2dcb6d29 100644 --- a/.github/workflows/build.yml +++ b/.github/workflows/build.yml @@ -276,10 +276,14 @@ jobs: cpack -G External $CPACK_ARGS working-directory: build - - name: "[macOS] Sign Package" + - name: "[macOS] Sign, Notarize, and Staple Package" if: runner.os == 'macOS' && env.MACOS_CODESIGN_OPENSSL_PASSWORD != null && env.MACOS_CODESIGN_CERTIFICATE_PASSWORD != null - run: codesign --verbose=4 --options runtime --sign "${APPLE_CODESIGN_IDENTITY}" --entitlements ../packaging/macos/entitlements.plist *.dmg - working-directory: build + run: packaging/macos/sign_notarize_staple.sh build/*.dmg + env: + APPLE_ID_USERNAME: rryan@mixxx.org + APPLE_BUNDLE_ID: org.mixxx.mixxx + APPLE_APP_SPECIFIC_PASSWORD: ${{ secrets.MACOS_NOTARIZATION_APP_SPECIFIC_PASSWORD }} + ASC_PROVIDER: FLYL4D545V - name: "[Windows] Sign Package" if: runner.os == 'Windows' && env.WINDOWS_CODESIGN_CERTIFICATE_PATH != null && env.WINDOWS_CODESIGN_CERTIFICATE_PASSWORD != null diff --git a/packaging/macos/sign_notarize_staple.sh b/packaging/macos/sign_notarize_staple.sh new file mode 100755 index 0000000000..b24e3cad57 --- /dev/null +++ b/packaging/macos/sign_notarize_staple.sh 
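Review bot: The step's `if:` still gates only on `env.MACOS_CODESIGN_OPENSSL_PASSWORD` and `env.MACOS_CODESIGN_CERTIFICATE_PASSWORD`, although the step now also needs `secrets.MACOS_NOTARIZATION_APP_SPECIFIC_PASSWORD`. Where the codesign secrets are present but that one is not, `APPLE_APP_SPECIFIC_PASSWORD` is empty and the script exits 1, so the job fails rather than skipping the step. If skipping is the intent, expose the notarization secret the same way the codesign values are exposed (presumably in an `env:` block outside this hunk) and add a matching `!= null` test to the condition. Separately, `build/*.dmg` can expand to several files while the script reads only `${1}`, so any further DMG would be left unsigned without a message.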
@@ -0,0 +1,52 @@
+#!/bin/bash
+
+DMG_FILE="${1}"
+[ -z "${DMG_FILE}" ] && echo "Pass DMG file name as first argument." >&2 && exit 1
+[ -z "${APPLE_CODESIGN_IDENTITY}" ] && echo "Please set the $APPLE_CODESIGN_IDENTITY env var." >&2 && exit 1
+[ -z "${APPLE_BUNDLE_ID}" ] && echo "Please set the $APPLE_BUNDLE_ID env var." >&2 && exit 1
+[ -z "${APPLE_ID_USERNAME}" ] && echo "Please set the $APPLE_ID_USERNAME env var." >&2 && exit 1
+[ -z "${APPLE_APP_SPECIFIC_PASSWORD}" ] && echo "Please set the $APPLE_APP_SPECIFIC_PASSWORD env var." >&2 && exit 1
+[ -z "${ASC_PROVIDER}" ] && echo "Please set the $ASC_PROVIDER env var." >&2 && exit 1
+
+echo "Signing $DMG_FILE"
+codesign --verbose=4 --options runtime \
+ --sign "${APPLE_CODESIGN_IDENTITY}" "$(dirname "$0")/entitlements.plist" "${DMG_FILE}"
+
+echo "Notarizing $DMG_FILE"
+xcrun altool --notarize-app --primary-bundle-id "${APPLE_BUNDLE_ID}" --username "${APPLE_ID_USERNAME}" \
+ --password "${APPLE_APP_SPECIFIC_PASSWORD}" --asc-provider "${ASC_PROVIDER}" --file "${DMG_FILE}" \
+ --output-format xml > notarize_result.plist
+UUID="$(/usr/libexec/PlistBuddy -c 'Print notarization-upload:RequestUUID' notarize_result.plist)"
+echo "Notorization UUID: $UUID"
+rm notarize_result.plist
+
+# wait for confirmation that notarization finished
+while true; do
+ xcrun altool --notarization-info "$UUID" \
+ --username "${APPLE_ID_USERNAME}" --password "${APPLE_APP_SPECIFIC_PASSWORD}" \
+ --output-format xml > notarize_status.plist
+
+ # shellcheck disable=SC2181
+ if [ "$?" != "0" ]; then
+ echo "Notarization failed:"
+ cat notarize_status.plist
+ curl "$(/usr/libexec/PlistBuddy -c 'Print notarization-info:LogFileURL' notarize_status.plist)"
+ exit 1
+ fi
+
+ NOTARIZATION_STATUS="$(/usr/libexec/PlistBuddy -c 'Print notarization-info:Status' notarize_status.plist)"
+ if [ "${NOTARIZATION_STATUS}" == "in progress" ]; then
+ echo "Waiting another 10 seconds for notarization to complete"
+ sleep 10
+ elif [ "${NOTARIZATION_STATUS}" == "success" ]; then
+ echo "Notarization succeeded"
+ break
+ else
+ echo "Notarization status: ${NOTARIZATION_STATUS}"
+ fi
+done
+
+rm notarize_status.plist
+
+echo "Stapling $DMG_FILE"
+xcrun stapler staple -q "${DMG_FILE}" |
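Review bot: The `codesign` call passes `"$(dirname "$0")/entitlements.plist"` as a bare positional argument: the `--entitlements` flag from the replaced workflow command is missing, so the plist is handed to codesign as a second path to sign instead of as the entitlements file; the line should read `--sign "${APPLE_CODESIGN_IDENTITY}" --entitlements "$(dirname "$0")/entitlements.plist" "${DMG_FILE}"`. Nothing checks the exit status of `codesign` or of the `--notarize-app` upload, and the final `else` branch of the polling loop neither sleeps nor exits, so any status other than `in progress` or `success` is polled in a tight loop until the job times out; adding `exit 1` after `echo "Notarization status: ${NOTARIZATION_STATUS}"` and `|| exit 1` on the two earlier commands makes a rejected notarization fail the build before stapling. `--password "${APPLE_APP_SPECIFIC_PASSWORD}"` places the secret on the process argument list, whereas altool accepts `--password "@env:APPLE_APP_SPECIFIC_PASSWORD"`, which keeps it out of argv. The `Please set the $APPLE_... env var.` messages expand the empty variable inside double quotes and so print a blank name; escape the `$` or use single quotes.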