diff --git a/.gitea/workflows/test-local-signing.yml b/.gitea/workflows/test-local-signing.yml index f13a6c29..05015389 100644 --- a/.gitea/workflows/test-local-signing.yml +++ b/.gitea/workflows/test-local-signing.yml @@ -2,8 +2,8 @@ name: Test Local Signing on: workflow_dispatch: # Manual trigger - # push: - # branches: [ozgur/build] + push: + branches: [ozgur/build] jobs: test-local-signing: @@ -62,7 +62,7 @@ jobs: CFBundleExecutable TestApp CFBundleIdentifier - com.luckyworld.testapp + com.luckyrobots.luckyworld.testapp CFBundleName TestApp CFBundlePackageType 
@@ -85,144 +85,164 @@ jobs: echo "๐Ÿ” App bundle contents:" ls -la "$TEST_APP_DIR" + + # Store app path as environment variable + echo "APP_PATH=$(pwd)/TestApp.app" >> "$GITHUB_ENV" shell: bash - - name: Self-Sign App for Testing + - name: Setup Certificate + env: + CERTIFICATE_BASE64: ${{ secrets.MACOS_CERTIFICATE }} + CERTIFICATE_PASSWORD: ${{ secrets.MACOS_CERTIFICATE_PWD }} + APPLE_TEAM_ID: ${{ secrets.APPLE_TEAM_ID }} run: | - echo "๐Ÿ” Self-signing app for testing..." + echo "๐Ÿ” Setting up certificate..." - # Create a self-signed certificate for testing - echo "๐Ÿ”‘ Creating self-signed certificate..." + # Create a temporary directory for certificates + CERT_DIR="$HOME/certificates" + mkdir -p "$CERT_DIR" - # Generate key and certificate - openssl req -x509 -nodes -days 365 -newkey rsa:2048 \ - -keyout TestKey.key -out TestCert.crt \ - -subj "/CN=Test Signing/O=LuckyWorld/C=TR" + # Decode the certificate to a p12 file + echo "$CERTIFICATE_BASE64" | base64 --decode > "$CERT_DIR/certificate.p12" - # Sign the app with ad-hoc identity - echo "๐Ÿ” Signing app with ad-hoc identity..." - codesign --force --sign - --timestamp --options runtime --entitlements LuckyWorld.entitlements TestApp.app + # Check certificate format + echo "๐Ÿ“‘ Certificate format check:" + file "$CERT_DIR/certificate.p12" - # Verify signing - echo "๐Ÿ” Verifying signature..." - codesign -vvv --deep --strict TestApp.app + # Create keychain + KEYCHAIN_PATH="$CERT_DIR/app-signing.keychain-db" + KEYCHAIN_PASSWORD="$(openssl rand -base64 12)" - # Check entitlements - echo "๐Ÿ” Checking entitlements..." 
- codesign -d --entitlements - TestApp.app + # Delete existing keychain if it exists + security delete-keychain "$KEYCHAIN_PATH" 2>/dev/null || true + + # Create new keychain + security create-keychain -p "$KEYCHAIN_PASSWORD" "$KEYCHAIN_PATH" + security set-keychain-settings -t 3600 -u -l "$KEYCHAIN_PATH" + security unlock-keychain -p "$KEYCHAIN_PASSWORD" "$KEYCHAIN_PATH" + + # Add to search list and make default + security list-keychains -d user -s "$KEYCHAIN_PATH" $(security list-keychains -d user | tr -d '"') + security default-keychain -s "$KEYCHAIN_PATH" + + # Import certificate + echo "๐Ÿ”‘ Importing developer certificate..." + security import "$CERT_DIR/certificate.p12" -k "$KEYCHAIN_PATH" -P "$CERTIFICATE_PASSWORD" -T /usr/bin/codesign + + # Set partition list for codesign to access keychain + security set-key-partition-list -S apple-tool:,apple:,codesign: -s -k "$KEYCHAIN_PASSWORD" "$KEYCHAIN_PATH" + + # Verify certificate + echo "๐Ÿ” Verifying certificate..." + security find-identity -v -p codesigning "$KEYCHAIN_PATH" + + # Store keychain variables for later steps + echo "KEYCHAIN_PATH=$KEYCHAIN_PATH" >> "$GITHUB_ENV" + echo "KEYCHAIN_PASSWORD=$KEYCHAIN_PASSWORD" >> "$GITHUB_ENV" + echo "APPLE_TEAM_ID=$APPLE_TEAM_ID" >> "$GITHUB_ENV" + + # Cleanup + rm -f "$CERT_DIR/certificate.p12" shell: bash - - name: Create Sign and Notarize Script (Developer Reference) + - name: Sign with Developer ID run: | - echo "๐Ÿ“ Creating reference script for actual code signing..." + echo "๐Ÿ” Signing app with Developer ID certificate..." 
- cat > sign_and_notarize.sh << 'EOF' - #!/bin/bash - # Sign and notarize macOS application - # This script is a reference for using a real Developer ID certificate + # Make sure keychain is unlocked + security unlock-keychain -p "$KEYCHAIN_PASSWORD" "$KEYCHAIN_PATH" - # Configuration (replace with your values) - APP_PATH="YourApp.app" - TEAM_ID="YOUR_TEAM_ID" - BUNDLE_ID="com.yourdomain.yourapp" - ENTITLEMENTS_PATH="YourApp.entitlements" - APPLE_ID="your_apple_id@example.com" - APP_PASSWORD="your_app_specific_password" - - # Step 1: Check for Developer ID Application certificate - echo "Checking for Developer ID Application certificate..." - IDENTITY=$(security find-identity -v -p codesigning | grep "Developer ID Application" | head -1 | awk -F '"' '{print $2}') + # Get the Developer ID Application identity + IDENTITY=$(security find-identity -v -p codesigning "$KEYCHAIN_PATH" | grep "Developer ID Application" | head -1 | awk -F '"' '{print $2}') if [ -z "$IDENTITY" ]; then - echo "Error: No Developer ID Application certificate found" - echo "Please create a Developer ID Application certificate in your Apple Developer account" - echo "and install it in your keychain" + echo "โŒ Error: No valid Developer ID Application identity found" + echo "Please check if your certificate is valid and properly imported" exit 1 fi echo "Using identity: $IDENTITY" - # Step 2: Sign the app - echo "Signing app..." - codesign --force --options runtime --entitlements "$ENTITLEMENTS_PATH" \ - --sign "$IDENTITY" --timestamp "$APP_PATH" + # Sign the app bundle + echo "Signing app bundle..." + codesign --force --deep --verbose --options runtime --entitlements LuckyWorld.entitlements --sign "$IDENTITY" --timestamp "$APP_PATH" - # Step 3: Verify signing - echo "Verifying signature..." + # Verify signing + echo "๐Ÿ” Verifying signature..." codesign -vvv --deep --strict "$APP_PATH" - # Step 4: Create zip for notarization - echo "Creating zip for notarization..." 
- zip_path="/tmp/app_for_notarization.zip" - ditto -c -k --keepParent "$APP_PATH" "$zip_path" + # Check entitlements + echo "๐Ÿ” Checking entitlements..." + codesign -d --entitlements - "$APP_PATH" + shell: bash + + - name: Notarize App + if: success() + env: + APPLE_ID: ${{ secrets.APPLE_NOTARY_USER }} + APP_PASSWORD: ${{ secrets.APPLE_NOTARY_PASSWORD }} + run: | + echo "๐Ÿ“ค Notarizing app..." + + # Make sure we have required secrets + if [ -z "$APPLE_ID" ] || [ -z "$APP_PASSWORD" ] || [ -z "$APPLE_TEAM_ID" ]; then + echo "โš ๏ธ Missing notarization credentials. Skipping notarization." + echo "NOTARIZED=false" >> "$GITHUB_ENV" + exit 0 + fi + + # Create zip for notarization + ZIP_PATH="TestApp-notarize.zip" + ditto -c -k --keepParent "$APP_PATH" "$ZIP_PATH" - # Step 5: Submit for notarization echo "Submitting for notarization..." - xcrun notarytool submit "$zip_path" \ + xcrun notarytool submit "$ZIP_PATH" \ --apple-id "$APPLE_ID" \ --password "$APP_PASSWORD" \ - --team-id "$TEAM_ID" \ + --team-id "$APPLE_TEAM_ID" \ --wait - # Step 6: Staple the notarization ticket + # Staple the notarization ticket echo "Stapling notarization ticket..." xcrun stapler staple "$APP_PATH" - # Step 7: Verify notarization - echo "Verifying notarization..." + # Verify notarization + echo "๐Ÿ” Verifying notarization..." spctl --assess --verbose --type exec "$APP_PATH" - echo "โœ… App successfully signed and notarized!" - EOF - - chmod +x sign_and_notarize.sh - echo "โœ… Created reference script for actual code signing" + echo "NOTARIZED=true" >> "$GITHUB_ENV" shell: bash - - name: Documentation for Certificate Requirements + - name: Package Signed App run: | - echo "๐Ÿ“‹ Requirements for code signing with Developer ID Application certificate:" - echo "" - echo "1. You must have a paid Apple Developer account" - echo "2. You need to create a Developer ID Application certificate in Apple Developer Portal" - echo "3. 
The certificate must be exported with its private key in p12 format" - echo "4. The certificate must be properly imported into keychain with proper access controls" - echo "5. For production, you should use the xcrun notarytool to notarize your app" - echo "" - echo "Common issues:" - echo "- The p12 file doesn't contain a private key" - echo "- The certificate is not a Developer ID Application type (it might be Developer ID Installer or other type)" - echo "- The certificate has expired" - echo "- The certificate was revoked" - echo "- Keychain access restrictions are preventing access to the private key" - echo "" - echo "For testing purposes, you can sign with ad-hoc identity (as demonstrated in this workflow)" - echo "For production, follow the steps in the reference script created in this workflow" + echo "๐Ÿ“ฆ Packaging signed app..." - # Print this information in a file for reference - echo "๐Ÿ“‹ Requirements for code signing with Developer ID Application certificate:" > signing_requirements.txt - echo "" >> signing_requirements.txt - echo "1. You must have a paid Apple Developer account" >> signing_requirements.txt - echo "2. You need to create a Developer ID Application certificate in Apple Developer Portal" >> signing_requirements.txt - echo "3. The certificate must be exported with its private key in p12 format" >> signing_requirements.txt - echo "4. The certificate must be properly imported into keychain with proper access controls" >> signing_requirements.txt - echo "5. 
For production, you should use the xcrun notarytool to notarize your app" >> signing_requirements.txt - echo "" >> signing_requirements.txt - echo "Common issues:" >> signing_requirements.txt - echo "- The p12 file doesn't contain a private key" >> signing_requirements.txt - echo "- The certificate is not a Developer ID Application type (it might be Developer ID Installer or other type)" >> signing_requirements.txt - echo "- The certificate has expired" >> signing_requirements.txt - echo "- The certificate was revoked" >> signing_requirements.txt - echo "- Keychain access restrictions are preventing access to the private key" >> signing_requirements.txt - echo "" >> signing_requirements.txt - echo "For testing purposes, you can sign with ad-hoc identity (as demonstrated in this workflow)" >> signing_requirements.txt - echo "For production, follow the steps in the reference script created in this workflow" >> signing_requirements.txt + if [ "${NOTARIZED:-false}" == "true" ]; then + ZIP_FILE="TestApp-Signed-Notarized.zip" + echo "Creating distribution package with notarized app..." + else + ZIP_FILE="TestApp-Signed.zip" + echo "Creating distribution package with signed app..." + fi + + # Create zip package + ditto -c -k --keepParent "$APP_PATH" "$ZIP_FILE" + + echo "โœ… Created package: $ZIP_FILE" shell: bash + - name: Upload Artifact + uses: actions/upload-artifact@v3 + with: + name: LuckyWorld-Signed-App + path: TestApp-*.zip + retention-days: 7 + - name: Cleanup if: always() run: | echo "๐Ÿงน Cleaning up..." - rm -rf TestApp.app TestKey.key TestCert.crt || true + rm -rf TestApp.app TestApp-*.zip || true + security delete-keychain "$KEYCHAIN_PATH" 2>/dev/null || true echo "โœ… Cleanup complete" shell: bash \ No newline at end of file diff --git a/.gitea/workflows/test-macos-build.yml b/.gitea/workflows/test-macos-build.yml index 02b1bf3d..48c376d7 100644 --- a/.gitea/workflows/test-macos-build.yml +++ b/.gitea/workflows/test-macos-build.yml 
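Review bot: The Cleanup step at the end of the hunk deletes `$KEYCHAIN_PATH`, but the Setup Certificate step earlier in the same hunk made that keychain the default (`security default-keychain -s "$KEYCHAIN_PATH"`) and prepended it to the user search list, so on a persistent self-hosted runner the next job inherits a default keychain that points at a deleted file and nothing restores the previous one. Capture the original default in Setup and restore it before deleting, as in the excerpt below; the restore assumes the runner's search list held only the login keychain, which is worth confirming on the actual machine. Two smaller points in the same Setup step: `KEYCHAIN_PASSWORD` is written to `$GITHUB_ENV` unmasked, so it shows up in any later step that prints its environment — if the runner honors the `add-mask` workflow command, add `echo "::add-mask::$KEYCHAIN_PASSWORD"` before that line; and the step never checks that `CERTIFICATE_BASE64` is set, so a missing secret produces an empty p12 and fails later at `security import` with a less useful message than `: "${CERTIFICATE_BASE64:?MACOS_CERTIFICATE secret is not set}"` at the top of the script would give. The unquoted `$(security list-keychains -d user | tr -d '"')` in the search-list line relies on keychain paths containing no spaces, which holds for the default `login.keychain-db` but would silently split otherwise.
```yaml
      - name: Setup Certificate
        # … unchanged: env, decode, keychain creation and unlock …
        run: |
          # … unchanged: create/unlock keychain …
          # Remember the runner's current default keychain so Cleanup can restore it
          ORIGINAL_DEFAULT_KEYCHAIN="$(security default-keychain -d user | tr -d '" ')"
          echo "ORIGINAL_DEFAULT_KEYCHAIN=$ORIGINAL_DEFAULT_KEYCHAIN" >> "$GITHUB_ENV"
          # … unchanged: search list, default-keychain, import, partition list …
          echo "::add-mask::$KEYCHAIN_PASSWORD"
          echo "KEYCHAIN_PASSWORD=$KEYCHAIN_PASSWORD" >> "$GITHUB_ENV"
      # … unchanged: Sign, Notarize, Package, Upload steps …
      - name: Cleanup
        if: always()
        run: |
          # … unchanged: rm of TestApp.app and TestApp-*.zip …
          # Restore the pre-job default keychain before removing the temporary one
          if [ -n "${ORIGINAL_DEFAULT_KEYCHAIN:-}" ]; then
            security default-keychain -s "$ORIGINAL_DEFAULT_KEYCHAIN" 2>/dev/null || true
            security list-keychains -d user -s "$ORIGINAL_DEFAULT_KEYCHAIN" 2>/dev/null || true
          fi
          security delete-keychain "$KEYCHAIN_PATH" 2>/dev/null || true
```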
@@ -2,8 +2,8 @@ name: Test macOS Build Action on: workflow_dispatch: # Manual trigger only for testing - push: - branches: [ozgur/build] + # push: + # branches: [ozgur/build] jobs: test-macos-build: @@ -21,9 +21,6 @@ jobs: if [ -f "LuckyWorld.entitlements" ]; then echo "Using existing LuckyWorld.entitlements file" ENTITLEMENTS_FILE="LuckyWorld.entitlements" - elif [ -f "LuckyRobots.entitlements" ]; then - echo "Using existing LuckyRobots.entitlements file" - ENTITLEMENTS_FILE="LuckyRobots.entitlements" else echo "Creating default entitlements file as LuckyWorld.entitlements" # Create entitlements file line by line instead of heredoc 
@@ -74,55 +71,6 @@ jobs: echo "WORKSPACE_DIR=$WORKSPACE_DIR" >> "$GITHUB_ENV" shell: bash - - name: Debug Certificate Import (Test) - env: - CERTIFICATE_BASE64: ${{ secrets.MACOS_CERTIFICATE }} - CERTIFICATE_PASSWORD: ${{ secrets.MACOS_CERTIFICATE_PWD }} - APPLE_TEAM_ID: ${{ secrets.APPLE_TEAM_ID }} - run: | - set -e # Fail on any error - - echo "Current working directory: $(pwd)" - echo "Checking for .app bundles in Saved directory..." - find ./Saved -type d -name "*.app" || echo "No app bundles found." - - echo "Decoding certificate..." - CERT_DIR="$HOME/certificates" - mkdir -p "$CERT_DIR" - CERT_PATH="$CERT_DIR/developer_certificate.p12" - echo "$CERTIFICATE_BASE64" | base64 --decode > "$CERT_PATH" - - echo "Decoded certificate size: $(wc -c < "$CERT_PATH") bytes" - echo "Type: $(file "$CERT_PATH")" - - echo "Creating and configuring custom keychain..." - CUSTOM_KEYCHAIN="$CERT_DIR/build.keychain" - CUSTOM_PASSWORD="temppassword123" - - security create-keychain -p "$CUSTOM_PASSWORD" "$CUSTOM_KEYCHAIN" - security set-keychain-settings "$CUSTOM_KEYCHAIN" - security unlock-keychain -p "$CUSTOM_PASSWORD" "$CUSTOM_KEYCHAIN" - - echo "Setting only this keychain as active..." - security list-keychains -s "$CUSTOM_KEYCHAIN" - security default-keychain -s "$CUSTOM_KEYCHAIN" - - echo "Importing certificate..." - security import "$CERT_PATH" -P "$CERTIFICATE_PASSWORD" -k "$CUSTOM_KEYCHAIN" -T /usr/bin/codesign - - echo "Granting access to codesign..." - security set-key-partition-list -S apple-tool:,apple: -s -k "$CUSTOM_PASSWORD" "$CUSTOM_KEYCHAIN" - - echo "Verifying imported identities..." - security find-identity -v -p codesigning "$CUSTOM_KEYCHAIN" - - echo "Setting environment variables for future steps..." 
- echo "KEYCHAIN_PATH=$CUSTOM_KEYCHAIN" >> "$GITHUB_ENV" - echo "KEYCHAIN_PASSWORD=$CUSTOM_PASSWORD" >> "$GITHUB_ENV" - echo "DIRECT_SIGNING_AVAILABLE=true" >> "$GITHUB_ENV" - echo "APPLE_TEAM=$APPLE_TEAM_ID" >> "$GITHUB_ENV" - shell: bash - # Step 2: Build for macOS - name: Build for macOS run: | 
@@ -343,83 +291,6 @@ jobs: chmod +x sign_and_notarize_production.sh echo "โœ… Created reference script for production code signing" shell: bash - - # Step 7: Documentation for Certificate Requirements - - name: Certificate Requirements Documentation - run: | - echo "๐Ÿ“‹ Requirements for code signing with Developer ID Application certificate:" - echo "" - echo "1. You must have a paid Apple Developer account" - echo "2. You need to create a Developer ID Application certificate in Apple Developer Portal" - echo "3. The certificate must be exported with its private key in p12 format" - echo "4. The certificate must be properly imported into keychain with proper access controls" - echo "5. For production, you should use the xcrun notarytool to notarize your app" - echo "" - echo "Common issues:" - echo "- The p12 file doesn't contain a private key" - echo "- The certificate is not a Developer ID Application type (it might be Developer ID Installer or other type)" - echo "- The certificate has expired" - echo "- The certificate was revoked" - echo "- Keychain access restrictions are preventing access to the private key" - echo "" - echo "For testing CI/CD pipeline: Use ad-hoc signing (as demonstrated in this workflow)" - echo "For production: Follow the steps in the reference script sign_and_notarize_production.sh" - - # Print this information in a file for reference - cat > code_signing_requirements.md << EOF - # macOS Code Signing Requirements - - ## Requirements - 1. You must have a paid Apple Developer account - 2. You need to create a Developer ID Application certificate in Apple Developer Portal - 3. The certificate must be exported with its private key in p12 format - 4. The certificate must be properly imported into keychain with proper access controls - 5. 
For production, you should use the xcrun notarytool to notarize your app - - ## Common Issues - - The p12 file doesn't contain a private key - - The certificate is not a Developer ID Application type (it might be Developer ID Installer or other type) - - The certificate has expired - - The certificate was revoked - - Keychain access restrictions are preventing access to the private key - - ## Workflow - - For testing CI/CD pipeline: Use ad-hoc signing (as demonstrated in this workflow) - - For production: Follow the steps in the reference script sign_and_notarize_production.sh - EOF - - echo "โœ… Created code signing requirements documentation" - shell: bash - - # Step 8: Package macOS App (For Testing) - - name: Package macOS App (Test Only) - run: | - echo "๐Ÿ“ฆ Packaging ad-hoc signed app bundle for testing..." - - # Create zip package with clear test indication - ZIP_FILE="PackagedReleases/LuckyWorld-macOS-TEST-ONLY.zip" - (cd "$(dirname "$APP_PATH")" && zip -r "${WORKSPACE_DIR}/$ZIP_FILE" "$(basename "$APP_PATH")") - - echo "โœ… Created test package: $ZIP_FILE" - echo "โš ๏ธ NOTE: This package is signed with ad-hoc identity for TESTING ONLY" - echo "โš ๏ธ It will NOT pass Gatekeeper on macOS and is NOT suitable for distribution" - - # Create README file to accompany the zip - cat > "PackagedReleases/README-TEST-BUILD.txt" << EOF - # LuckyWorld macOS Test Build - - This build is signed with an ad-hoc signature for TESTING PURPOSES ONLY. - - IMPORTANT: - - This app will NOT pass Gatekeeper on macOS - - It is NOT suitable for distribution to users - - Use the production signing script for creating distributable builds - - For production builds, follow the instructions in code_signing_requirements.md - EOF - - echo "โœ… Created README for test build" - shell: bash # Step 9: Upload test artifact - name: Upload Test Build Artifact