authorJan Holthuis <jan.holthuis@ruhr-uni-bochum.de>2020-12-29 01:38:28 +0100
committerGitHub <noreply@github.com>2020-12-29 01:38:28 +0100
commit0ab9386eb107ac8de3a52e3f58eb9b68eb4545d8 (patch)
treebb17be5a6eeb4e848da31677aa0637930f6ca8cd
parent2b0af622f3fe99829d9a639f33f7ec0b45a24f60 (diff)
parent0c688066ec7ae17842e8160350041ab05994d351 (diff)
Merge pull request #3490 from mixxxdj/macos_notorize
notarize & staple macOS builds
-rw-r--r--.github/workflows/build.yml10
-rwxr-xr-xpackaging/macos/sign_notarize_staple.sh52
2 files changed, 59 insertions, 3 deletions
diff --git a/.github/workflows/build.yml b/.github/workflows/build.yml
index 568054d84a..6c2dcb6d29 100644
--- a/.github/workflows/build.yml
+++ b/.github/workflows/build.yml
@@ -276,10 +276,14 @@ jobs:
cpack -G External $CPACK_ARGS
working-directory: build
- - name: "[macOS] Sign Package"
+ - name: "[macOS] Sign, Notarize, and Staple Package"
if: runner.os == 'macOS' && env.MACOS_CODESIGN_OPENSSL_PASSWORD != null && env.MACOS_CODESIGN_CERTIFICATE_PASSWORD != null
- run: codesign --verbose=4 --options runtime --sign "${APPLE_CODESIGN_IDENTITY}" --entitlements ../packaging/macos/entitlements.plist *.dmg
- working-directory: build
+ run: packaging/macos/sign_notarize_staple.sh build/*.dmg
+ env:
+ APPLE_ID_USERNAME: rryan@mixxx.org
+ APPLE_BUNDLE_ID: org.mixxx.mixxx
+ APPLE_APP_SPECIFIC_PASSWORD: ${{ secrets.MACOS_NOTARIZATION_APP_SPECIFIC_PASSWORD }}
+ ASC_PROVIDER: FLYL4D545V
- name: "[Windows] Sign Package"
if: runner.os == 'Windows' && env.WINDOWS_CODESIGN_CERTIFICATE_PATH != null && env.WINDOWS_CODESIGN_CERTIFICATE_PASSWORD != null
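Review bot: The step's `if:` still gates only on the two `MACOS_CODESIGN_*` variables, although the step now also depends on `secrets.MACOS_NOTARIZATION_APP_SPECIFIC_PASSWORD`. Where the signing secrets are configured and that one is not, `sign_notarize_staple.sh` stops at its own empty-variable check with exit 1, so the job fails rather than skipping the step. The job-level `env:` is outside this hunk, but if the other secrets are exported there, exporting this one the same way and adding `&& env.MACOS_NOTARIZATION_APP_SPECIFIC_PASSWORD != null` to the condition would keep the gate consistent. Note also that `build/*.dmg` may expand to several paths while the script reads only `$1`, so any further image would be left unsigned without a message.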
diff --git a/packaging/macos/sign_notarize_staple.sh b/packaging/macos/sign_notarize_staple.sh
new file mode 100755
index 0000000000..b24e3cad57
--- /dev/null
+++ b/packaging/macos/sign_notarize_staple.sh
@@ -0,0 +1,52 @@
+#!/bin/bash
+
+DMG_FILE="${1}"
+[ -z "${DMG_FILE}" ] && echo "Pass DMG file name as first argument." >&2 && exit 1
+[ -z "${APPLE_CODESIGN_IDENTITY}" ] && echo "Please set the $APPLE_CODESIGN_IDENTITY env var." >&2 && exit 1
+[ -z "${APPLE_BUNDLE_ID}" ] && echo "Please set the $APPLE_BUNDLE_ID env var." >&2 && exit 1
+[ -z "${APPLE_ID_USERNAME}" ] && echo "Please set the $APPLE_ID_USERNAME env var." >&2 && exit 1
+[ -z "${APPLE_APP_SPECIFIC_PASSWORD}" ] && echo "Please set the $APPLE_APP_SPECIFIC_PASSWORD env var." >&2 && exit 1
+[ -z "${ASC_PROVIDER}" ] && echo "Please set the $ASC_PROVIDER env var." >&2 && exit 1
+
+echo "Signing $DMG_FILE"
+codesign --verbose=4 --options runtime \
+ --sign "${APPLE_CODESIGN_IDENTITY}" "$(dirname "$0")/entitlements.plist" "${DMG_FILE}"
+
+echo "Notarizing $DMG_FILE"
+xcrun altool --notarize-app --primary-bundle-id "${APPLE_BUNDLE_ID}" --username "${APPLE_ID_USERNAME}" \
+ --password "${APPLE_APP_SPECIFIC_PASSWORD}" --asc-provider "${ASC_PROVIDER}" --file "${DMG_FILE}" \
+ --output-format xml > notarize_result.plist
+UUID="$(/usr/libexec/PlistBuddy -c 'Print notarization-upload:RequestUUID' notarize_result.plist)"
+echo "Notorization UUID: $UUID"
+rm notarize_result.plist
+
+# wait for confirmation that notarization finished
+while true; do
+ xcrun altool --notarization-info "$UUID" \
+ --username "${APPLE_ID_USERNAME}" --password "${APPLE_APP_SPECIFIC_PASSWORD}" \
+ --output-format xml > notarize_status.plist
+
+ # shellcheck disable=SC2181
+ if [ "$?" != "0" ]; then
+ echo "Notarization failed:"
+ cat notarize_status.plist
+ curl "$(/usr/libexec/PlistBuddy -c 'Print notarization-info:LogFileURL' notarize_status.plist)"
+ exit 1
+ fi
+
+ NOTARIZATION_STATUS="$(/usr/libexec/PlistBuddy -c 'Print notarization-info:Status' notarize_status.plist)"
+ if [ "${NOTARIZATION_STATUS}" == "in progress" ]; then
+ echo "Waiting another 10 seconds for notarization to complete"
+ sleep 10
+ elif [ "${NOTARIZATION_STATUS}" == "success" ]; then
+ echo "Notarization succeeded"
+ break
+ else
+ echo "Notarization status: ${NOTARIZATION_STATUS}"
+ fi
+done
+
+rm notarize_status.plist
+
+echo "Stapling $DMG_FILE"
+xcrun stapler staple -q "${DMG_FILE}"
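Review bot: The polling loop's final `else` (any status other than `in progress` or `success`, e.g. a rejected submission) only echoes and re-polls at once with no sleep and no exit, so a failed notarization spins until the CI timeout instead of failing the step; that branch should print the status plist and `exit 1`. The `codesign` call also dropped the `--entitlements` flag the removed workflow line had, so `entitlements.plist` is handed to codesign as a second path to sign rather than as entitlements. Both `altool` calls pass the app-specific password on the command line, where other local processes can read it from the process list; altool accepts `--password "@env:APPLE_APP_SPECIFIC_PASSWORD"` instead. The `Please set the $VAR env var.` messages expand the empty variable inside double quotes and so print no name; escape the `$`. The rewritten lines are below.

```shell
codesign --verbose=4 --options runtime \
    --sign "${APPLE_CODESIGN_IDENTITY}" \
    --entitlements "$(dirname "$0")/entitlements.plist" "${DMG_FILE}"

# … unchanged: notarize upload and UUID extraction, with --password "@env:APPLE_APP_SPECIFIC_PASSWORD" …

# … unchanged: status poll, "in progress" and "success" branches …
    else
        echo "Notarization status: ${NOTARIZATION_STATUS}" >&2
        cat notarize_status.plist
        exit 1
    fi
```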