diff --git a/.gitea/workflows/test-macos-build.yml b/.gitea/workflows/test-macos-build.yml
index 6744ec7d..d3c6f5a2 100644
--- a/.gitea/workflows/test-macos-build.yml
+++ b/.gitea/workflows/test-macos-build.yml
@@ -432,173 +432,40 @@ jobs: debug_log "No entitlements file found at $ENTITLEMENTS_PATH, will sign without entitlements" fi - # First remove existing signatures (optional but helps with clean state) - debug_log "Removing existing signatures..." - codesign --remove-signature "$APP_PATH" || true + # Prepare script and crash entitlements paths + SCRIPT_PATH="./scripts/sign_all.sh" + CRASH_ENTITLEMENTS_PATH="./scripts/crash_entitlements.plist" - debug_log "Beginning comprehensive signing process for all components..." + # Ensure script is executable + chmod +x "$SCRIPT_PATH" - # Path for entitlements flag (conditional) - ENTITLEMENTS_FLAG="" - if [ "$USE_ENTITLEMENTS" = true ]; then - ENTITLEMENTS_FLAG="--entitlements \"$ENTITLEMENTS_PATH\"" + # Log paths + debug_log "Sign script path: $SCRIPT_PATH" + debug_log "Crash entitlements path: $CRASH_ENTITLEMENTS_PATH" + + # Verify files exist + if [[ ! -f "$SCRIPT_PATH" ]]; then + debug_log "ERROR: Sign script not found at $SCRIPT_PATH" + ls -la "$(dirname "$SCRIPT_PATH")" | tee -a "$DEBUG_LOG_PATH" + echo "SIGNING_RESULT=false" >> $GITHUB_ENV + exit 1 fi - # Step 1: First sign all dylib files (especially third-party libraries) - debug_log "Signing all dynamic libraries (*.dylib)..." - find "$APP_PATH" -name "*.dylib" | while read -r dylib; do - debug_log "Signing: $dylib" - if [ "$USE_ENTITLEMENTS" = true ]; then - codesign --force --options runtime --timestamp --entitlements "$ENTITLEMENTS_PATH" --sign "$SIGNING_IDENTITY" "$dylib" || debug_log "⚠️ Failed to sign: $dylib" - else - codesign --force --options runtime --timestamp --sign "$SIGNING_IDENTITY" "$dylib" || debug_log "⚠️ Failed to sign: $dylib" - fi - done - - # Step 2: Sign all .so files - debug_log "Signing all shared objects (*.so)..." 
- find "$APP_PATH" -name "*.so" | while read -r so; do - debug_log "Signing: $so" - if [ "$USE_ENTITLEMENTS" = true ]; then - codesign --force --options runtime --timestamp --entitlements "$ENTITLEMENTS_PATH" --sign "$SIGNING_IDENTITY" "$so" || debug_log "⚠️ Failed to sign: $so" - else - codesign --force --options runtime --timestamp --sign "$SIGNING_IDENTITY" "$so" || debug_log "⚠️ Failed to sign: $so" - fi - done - - # Step 3: Sign all executables (files with execute permission) - debug_log "Signing all executable files..." - find "$APP_PATH" -type f -perm +111 -not -path "*.framework/*" -not -name "*.dylib" -not -name "*.so" | while read -r exe; do - debug_log "Signing executable: $exe" - if [ "$USE_ENTITLEMENTS" = true ]; then - codesign --force --options runtime --timestamp --entitlements "$ENTITLEMENTS_PATH" --sign "$SIGNING_IDENTITY" "$exe" || debug_log "⚠️ Failed to sign: $exe" - else - codesign --force --options runtime --timestamp --sign "$SIGNING_IDENTITY" "$exe" || debug_log "⚠️ Failed to sign: $exe" - fi - done - - # Step 4: Sign all frameworks - debug_log "Signing frameworks..." - find "$APP_PATH" -path "*.framework" -type d | while read -r framework; do - debug_log "Signing framework: $framework" - if [ "$USE_ENTITLEMENTS" = true ]; then - codesign --force --options runtime --timestamp --entitlements "$ENTITLEMENTS_PATH" --sign "$SIGNING_IDENTITY" "$framework" || debug_log "⚠️ Failed to sign: $framework" - else - codesign --force --options runtime --timestamp --sign "$SIGNING_IDENTITY" "$framework" || debug_log "⚠️ Failed to sign: $framework" - fi - done - - # Step 5: Special treatment for CrashReportClient.app (important for notarization) - debug_log "Looking for CrashReportClient.app..." - CRASH_REPORTER=$(find "$APP_PATH" -path "*CrashReportClient.app" -type d) - if [ -n "$CRASH_REPORTER" ]; then - debug_log "Found CrashReportClient at: $CRASH_REPORTER" - debug_log "Special signing for CrashReportClient.app..." 
- - # Sign each component inside CrashReportClient - find "$CRASH_REPORTER" -type f -perm +111 | while read -r crash_exe; do - debug_log "Signing CrashReportClient binary: $crash_exe" - if [ "$USE_ENTITLEMENTS" = true ]; then - codesign --force --options runtime --timestamp --entitlements "$ENTITLEMENTS_PATH" --sign "$SIGNING_IDENTITY" "$crash_exe" || debug_log "⚠️ Failed to sign CrashReportClient binary: $crash_exe" - else - codesign --force --options runtime --timestamp --sign "$SIGNING_IDENTITY" "$crash_exe" || debug_log "⚠️ Failed to sign CrashReportClient binary: $crash_exe" - fi - done - - # Sign the entire CrashReportClient.app - debug_log "Signing CrashReportClient.app bundle..." - if [ "$USE_ENTITLEMENTS" = true ]; then - codesign --force --deep --options runtime --timestamp --entitlements "$ENTITLEMENTS_PATH" --sign "$SIGNING_IDENTITY" "$CRASH_REPORTER" || debug_log "⚠️ Failed to sign CrashReportClient.app bundle" - else - codesign --force --deep --options runtime --timestamp --sign "$SIGNING_IDENTITY" "$CRASH_REPORTER" || debug_log "⚠️ Failed to sign CrashReportClient.app bundle" - fi - - # Verify CrashReportClient signature - debug_log "Verifying CrashReportClient signature..." - codesign -vvv "$CRASH_REPORTER" || debug_log "⚠️ CrashReportClient signature verification failed" - else - debug_log "No CrashReportClient.app found" + if [[ ! -f "$CRASH_ENTITLEMENTS_PATH" ]]; then + debug_log "ERROR: Crash entitlements not found at $CRASH_ENTITLEMENTS_PATH" + ls -la "$(dirname "$CRASH_ENTITLEMENTS_PATH")" | tee -a "$DEBUG_LOG_PATH" + echo "SIGNING_RESULT=false" >> $GITHUB_ENV + exit 1 fi - # Step 6: Sign any other nested app bundles - debug_log "Signing any other nested app bundles..." 
- find "$APP_PATH" -path "*.app" -type d | grep -v CrashReportClient | while read -r nested_app; do - if [ "$nested_app" != "$APP_PATH" ]; then - debug_log "Signing nested app: $nested_app" - if [ "$USE_ENTITLEMENTS" = true ]; then - codesign --force --deep --options runtime --timestamp --entitlements "$ENTITLEMENTS_PATH" --sign "$SIGNING_IDENTITY" "$nested_app" || debug_log "⚠️ Failed to sign nested app: $nested_app" - else - codesign --force --deep --options runtime --timestamp --sign "$SIGNING_IDENTITY" "$nested_app" || debug_log "⚠️ Failed to sign nested app: $nested_app" - fi - fi - done + # Run comprehensive signing script + debug_log "Running comprehensive signing script..." + "$SCRIPT_PATH" "$SIGNING_IDENTITY" "$APP_PATH" "$ENTITLEMENTS_PATH" "$CRASH_ENTITLEMENTS_PATH" 2>&1 | tee -a "$DEBUG_LOG_PATH" + SIGN_RESULT=${PIPESTATUS[0]} - # Step 7: Special attention to UE Engine libraries (often problematic) - debug_log "Special focus on Engine libraries..." - for engine_lib_path in "$APP_PATH/Contents/UE/Engine/Binaries/ThirdParty" "$APP_PATH/Contents/UE/Engine/Plugins"; do - if [ -d "$engine_lib_path" ]; then - debug_log "Processing libraries in: $engine_lib_path" - find "$engine_lib_path" -name "*.dylib" | while read -r engine_lib; do - debug_log "Signing engine library: $engine_lib" - if [ "$USE_ENTITLEMENTS" = true ]; then - codesign --force --options runtime --timestamp --entitlements "$ENTITLEMENTS_PATH" --sign "$SIGNING_IDENTITY" "$engine_lib" || debug_log "⚠️ Failed to sign: $engine_lib" - else - codesign --force --options runtime --timestamp --sign "$SIGNING_IDENTITY" "$engine_lib" || debug_log "⚠️ Failed to sign: $engine_lib" - fi - done - fi - done - - # Step 8: Special focus on Boost and Mujoco libraries - debug_log "Special focus on project-specific libraries..." 
- for project_lib_path in "$APP_PATH/Contents/UE/LuckyWorld/Binaries/Mac"; do - if [ -d "$project_lib_path" ]; then - debug_log "Processing libraries in: $project_lib_path" - find "$project_lib_path" -name "*.dylib" | while read -r project_lib; do - debug_log "Signing project library: $project_lib" - if [ "$USE_ENTITLEMENTS" = true ]; then - codesign --force --options runtime --timestamp --entitlements "$ENTITLEMENTS_PATH" --sign "$SIGNING_IDENTITY" "$project_lib" || debug_log "⚠️ Failed to sign: $project_lib" - else - codesign --force --options runtime --timestamp --sign "$SIGNING_IDENTITY" "$project_lib" || debug_log "⚠️ Failed to sign: $project_lib" - fi - done - fi - done - - # Step 9: Finally, sign the main app bundle (use hash ID if available, otherwise use identity name) - debug_log "Signing main app bundle with deep option..." - if [ "$USE_ENTITLEMENTS" = true ]; then - debug_log "Using entitlements file: $ENTITLEMENTS_PATH" - if [[ -n "$HASH_ID" ]]; then - codesign --force --deep --options runtime --timestamp --entitlements "$ENTITLEMENTS_PATH" --sign "$HASH_ID" "$APP_PATH" - else - codesign --force --deep --options runtime --timestamp --entitlements "$ENTITLEMENTS_PATH" --sign "$SIGNING_IDENTITY" "$APP_PATH" - fi - else - debug_log "Signing without entitlements" - if [[ -n "$HASH_ID" ]]; then - codesign --force --deep --options runtime --timestamp --sign "$HASH_ID" "$APP_PATH" - else - codesign --force --deep --options runtime --timestamp --sign "$SIGNING_IDENTITY" "$APP_PATH" - fi - fi - - SIGN_RESULT=$? if [ $SIGN_RESULT -eq 0 ]; then debug_log "App signed successfully" echo "SIGNING_RESULT=true" >> $GITHUB_ENV - - # Verify signature - debug_log "Verifying app signature..." - codesign -dvv "$APP_PATH" - VERIFY_RESULT=$? 
- - if [ $VERIFY_RESULT -eq 0 ]; then - debug_log "Signature verification successful" - else - debug_log "WARNING: Signature verification failed, app may not be properly signed" - # Continue anyway since the signing appeared to succeed - fi else debug_log "ERROR: App signing failed with exit code: $SIGN_RESULT" echo "SIGNING_RESULT=false" >> $GITHUB_ENV diff --git a/scripts/crash_entitlements.plist b/scripts/crash_entitlements.plist new file mode 100644 index 00000000..e437d0b4 --- /dev/null +++ b/scripts/crash_entitlements.plist @@ -0,0 +1,17 @@ + + + + + com.apple.security.cs.allow-jit + + com.apple.security.cs.allow-unsigned-executable-memory + + com.apple.security.cs.disable-library-validation + + com.apple.security.automation.apple-events + + com.apple.security.cs.disable-executable-page-protection + + + + \ No newline at end of file diff --git a/scripts/sign_all.sh b/scripts/sign_all.sh new file mode 100644 index 00000000..fd4ea574 --- /dev/null +++ b/scripts/sign_all.sh 
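Review bot: The no-entitlements path this step still announces in its first context line (`will sign without entitlements`) is no longer honored: the new call at the end of the hunk passes `$ENTITLEMENTS_PATH` to the script unconditionally and `USE_ENTITLEMENTS` is never consulted, so when the file is absent the script hands a non-existent path to `--entitlements` for the nested-app and main-bundle signatures and the step fails where it previously succeeded. Either fail fast here the way the missing-script case already does — `[[ "$USE_ENTITLEMENTS" = true ]] || { debug_log "ERROR: entitlements required by sign_all.sh"; echo "SIGNING_RESULT=false" >> "$GITHUB_ENV"; exit 1; }` — or pass an empty argument and have the script omit `--entitlements` when it is empty. The removed step 9 also preferred `$HASH_ID` over the identity name when signing the main bundle; the script only receives `$SIGNING_IDENTITY`, so if `HASH_ID` existed to disambiguate duplicate certificates in the keychain that protection is gone too (inferred — its setup is outside this hunk). Minor: `>> $GITHUB_ENV` is unquoted in the two new error branches and `chmod +x "$SCRIPT_PATH"` runs before the existence check that follows it; moving the chmod after the check and quoting `"$GITHUB_ENV"` would match the rest of the step.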
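Review bot: The entitlement set granted to CrashReportClient is far broader than a crash-reporting helper should need, and `com.apple.security.cs.disable-executable-page-protection` in particular is one Apple documents as an extreme entitlement that removes a fundamental hardened-runtime protection; the XML tags and boolean values are stripped in this rendering, so if any of these keys is `<true/>` it needs a justification in the file. `com.apple.security.cs.disable-library-validation` lets the process load dylibs signed by any team or not at all, and `allow-jit` / `allow-unsigned-executable-memory` permit writable-executable pages — each of these weakens what notarization can promise for a process that, as far as I can tell from this diff, only collects and uploads crash data. Drop every key you cannot tie to a concrete runtime failure observed without it, and record the reason for the ones that stay directly above the key, e.g. `<!-- required: CrashReportClient dlopen()s UE plugin dylibs signed by a different Team ID -->`. Note also that `com.apple.security.automation.apple-events` has no effect unless the bundle's Info.plist carries an `NSAppleEventsUsageDescription`, so if it is set without one it is dead weight.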
@@ -0,0 +1,117 @@ +#!/bin/bash + +# Parametreleri al +SIGNING_IDENTITY="$1" +APP_PATH="$2" +ENTITLEMENTS_PATH="$3" +CRASH_ENTITLEMENTS_PATH="$4" + +echo "📝 Comprehensive signing starting..." +echo "App Path: $APP_PATH" +echo "Signing Identity: $SIGNING_IDENTITY" +echo "Entitlements: $ENTITLEMENTS_PATH" +echo "CrashReporter Entitlements: $CRASH_ENTITLEMENTS_PATH" + +# Step 1: Tüm dylib dosyalarını imzala +echo "🔍 Signing all dylib files..." +find "$APP_PATH" -name "*.dylib" -print0 | xargs -0 -L 1 -I{} bash -c 'echo "Signing: {}"; codesign --force --options runtime --timestamp --sign "$1" "{}" || echo "⚠️ Failed: {}"' -- "$SIGNING_IDENTITY" + +# Step 2: Tüm .so dosyalarını imzala +echo "🔍 Signing all .so files..." +find "$APP_PATH" -name "*.so" -print0 | xargs -0 -L 1 -I{} bash -c 'echo "Signing: {}"; codesign --force --options runtime --timestamp --sign "$1" "{}" || echo "⚠️ Failed: {}"' -- "$SIGNING_IDENTITY" + +# Step 3: Tüm yürütülebilir dosyaları imzala +echo "🔍 Signing all executable files..." +find "$APP_PATH" -type f -perm +111 -not -path "*.framework/*" -not -name "*.dylib" -not -name "*.so" -print0 | xargs -0 -L 1 -I{} bash -c 'echo "Signing: {}"; codesign --force --options runtime --timestamp --sign "$1" "{}" || echo "⚠️ Failed: {}"' -- "$SIGNING_IDENTITY" + +# Step 4: Tüm framework'leri imzala +echo "🔍 Signing all frameworks..." +find "$APP_PATH" -path "*.framework" -type d -print0 | xargs -0 -L 1 -I{} bash -c 'echo "Signing framework: {}"; codesign --force --options runtime --timestamp --sign "$1" "{}" || echo "⚠️ Failed: {}"' -- "$SIGNING_IDENTITY" + +# Step 5: CrashReportClient'ı özel olarak imzala +echo "🔍 Looking for CrashReportClient.app..." 
+CRASH_REPORTER_PATHS=$(find "$APP_PATH" -path "*CrashReportClient.app" -type d) +if [ -n "$CRASH_REPORTER_PATHS" ]; then + echo "✅ Found CrashReportClient apps:" + echo "$CRASH_REPORTER_PATHS" + + for CRASH_REPORTER in $CRASH_REPORTER_PATHS; do + echo "🔐 Special signing for CrashReportClient: $CRASH_REPORTER" + + # CrashReporter içindeki executable'ları imzala + find "$CRASH_REPORTER" -type f -perm +111 -print0 | xargs -0 -L 1 -I{} bash -c 'echo "Signing CrashReporter binary: {}"; codesign --force --options runtime --timestamp --entitlements "$2" --sign "$1" "{}" || echo "⚠️ Failed: {}"' -- "$SIGNING_IDENTITY" "$CRASH_ENTITLEMENTS_PATH" + + # CrashReporter bundle'ı imzala + echo "Signing CrashReporter bundle: $CRASH_REPORTER" + codesign --force --deep --options runtime --timestamp --entitlements "$CRASH_ENTITLEMENTS_PATH" --sign "$SIGNING_IDENTITY" "$CRASH_REPORTER" || echo "⚠️ Failed to sign CrashReportClient bundle" + + # İmzayı doğrula + echo "Verifying CrashReportClient signature..." + codesign -vvv "$CRASH_REPORTER" || echo "⚠️ CrashReporter signature verification failed" + done +else + echo "⚠️ No CrashReportClient.app found in $APP_PATH" +fi + +# Step 6: Boost kütüphaneleri özellikle imzala +echo "🔍 Looking for Boost libraries..." +BOOST_LIBS=$(find "$APP_PATH" -path "*/UE/LuckyWorld/Binaries/Mac/*.dylib") +if [ -n "$BOOST_LIBS" ]; then + echo "✅ Found Boost libs, specifically signing them..." + for lib in $BOOST_LIBS; do + echo "Signing boost lib: $lib" + codesign --force --options runtime --timestamp --sign "$SIGNING_IDENTITY" "$lib" || echo "⚠️ Failed to sign: $lib" + done +else + echo "⚠️ No Boost libraries found" +fi + +# Step 7: Engine ThirdParty kütüphanelerini imzala +echo "🔍 Looking for Engine ThirdParty libraries..." 
+THIRD_PARTY_PATHS=$(find "$APP_PATH" -path "*/Engine/Binaries/ThirdParty" -type d) +if [ -n "$THIRD_PARTY_PATHS" ]; then + echo "✅ Found ThirdParty directories:" + echo "$THIRD_PARTY_PATHS" + + for THIRD_PARTY in $THIRD_PARTY_PATHS; do + echo "Processing ThirdParty directory: $THIRD_PARTY" + find "$THIRD_PARTY" -name "*.dylib" -print0 | xargs -0 -L 1 -I{} bash -c 'echo "Signing ThirdParty lib: {}"; codesign --force --options runtime --timestamp --sign "$1" "{}" || echo "⚠️ Failed: {}"' -- "$SIGNING_IDENTITY" + done +else + echo "⚠️ No ThirdParty directories found" +fi + +# Step 8: Plugin kütüphanelerini imzala +echo "🔍 Looking for Plugin libraries..." +PLUGIN_PATHS=$(find "$APP_PATH" -path "*/Engine/Plugins" -type d) +if [ -n "$PLUGIN_PATHS" ]; then + echo "✅ Found Plugin directories:" + echo "$PLUGIN_PATHS" + + for PLUGIN_PATH in $PLUGIN_PATHS; do + echo "Processing Plugin directory: $PLUGIN_PATH" + find "$PLUGIN_PATH" -name "*.dylib" -print0 | xargs -0 -L 1 -I{} bash -c 'echo "Signing Plugin lib: {}"; codesign --force --options runtime --timestamp --sign "$1" "{}" || echo "⚠️ Failed: {}"' -- "$SIGNING_IDENTITY" + done +else + echo "⚠️ No Plugin directories found" +fi + +# Step 9: Diğer nested app bundles imzala +echo "🔍 Signing nested app bundles..." +find "$APP_PATH" -path "*.app" -type d | grep -v CrashReportClient | while read -r nested_app; do + if [ "$nested_app" != "$APP_PATH" ]; then + echo "Signing nested app: $nested_app" + codesign --force --deep --options runtime --timestamp --entitlements "$ENTITLEMENTS_PATH" --sign "$SIGNING_IDENTITY" "$nested_app" || echo "⚠️ Failed to sign: $nested_app" + fi +done + +# Step 10: Ana uygulamayı imzala +echo "🔐 Final signing of the main app bundle..." +codesign --force --deep --options runtime --timestamp --entitlements "$ENTITLEMENTS_PATH" --sign "$SIGNING_IDENTITY" "$APP_PATH" || { echo "❌ ERROR: Main app signing failed"; exit 1; } + +# İmzalamayı doğrula +echo "🔍 Verifying main app signature..." 
+codesign -dvv "$APP_PATH" || { echo "❌ ERROR: Main app signature verification failed"; exit 1; }
+
+echo "✅ Comprehensive signing completed successfully"
+exit 0
\ No newline at end of file
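Review bot: The final check on this line is not a verification: `codesign -dvv` only displays the existing signature and exits 0 for any signed bundle, even one whose seal is broken or whose nested code was re-signed inconsistently, so the `exit 1` branch can never fire for a tampered or mis-signed app; use `codesign --verify --deep --strict --verbose=2 "$APP_PATH" || { echo "❌ ERROR: Main app signature verification failed"; exit 1; }` (the CrashReportClient step already uses the verifying `-vvv` form, so this also makes the two consistent). Second, every `xargs -0 -L 1 -I{} bash -c '... "{}" ...'` call substitutes the file path into the command string that bash then parses, so a filename inside the bundle containing `"`, `$(` or a backtick is executed as shell rather than signed — pass the path as an argument instead, e.g. `xargs -0 -n 1 bash -c 'echo "Signing: $2"; codesign --force --options runtime --timestamp --sign "$1" "$2" || echo "⚠️ Failed: $2"' -- "$SIGNING_IDENTITY"`. The `for CRASH_REPORTER in $CRASH_REPORTER_PATHS`, `$BOOST_LIBS`, `$THIRD_PARTY_PATHS` and `$PLUGIN_PATHS` loops word-split on whitespace and will skip or mis-sign any path containing a space, unlike the `-print0` pipelines used elsewhere in the same script; a `while IFS= read -r -d '' p; do …; done < <(find … -print0)` loop fixes all four. The script also has no `set -euo pipefail` and no check that its four positional arguments are non-empty (`: "${SIGNING_IDENTITY:?}"` and friends at the top), and as far as I know the `--deep` re-sign in step 10 re-applies the main app's entitlements to nested code, which would overwrite the separate crash entitlements applied in step 5 — worth confirming with `codesign -d --entitlements - <nested binary>` after a run.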