fix(actions): streamline macOS notarization workflow by implementing a comprehensive signing script with improved logging, error handling, and verification of required paths

This commit is contained in:
Ozgur 2025-04-16 20:50:07 +02:00
parent 61269efe0c
commit 460505a497
GPG Key ID: 66CDF27505A35546
3 changed files with 158 additions and 157 deletions


@ -432,173 +432,40 @@ jobs:
debug_log "No entitlements file found at $ENTITLEMENTS_PATH, will sign without entitlements"
fi
# First remove existing signatures (optional but helps with clean state)
debug_log "Removing existing signatures..."
codesign --remove-signature "$APP_PATH" || true
# Prepare script and crash entitlements paths
SCRIPT_PATH="./scripts/sign_all.sh"
CRASH_ENTITLEMENTS_PATH="./scripts/crash_entitlements.plist"
debug_log "Beginning comprehensive signing process for all components..."
# Ensure script is executable
chmod +x "$SCRIPT_PATH"
# Path for entitlements flag (conditional)
ENTITLEMENTS_FLAG=""
if [ "$USE_ENTITLEMENTS" = true ]; then
ENTITLEMENTS_FLAG="--entitlements \"$ENTITLEMENTS_PATH\""
# Log paths
debug_log "Sign script path: $SCRIPT_PATH"
debug_log "Crash entitlements path: $CRASH_ENTITLEMENTS_PATH"
# Verify files exist
if [[ ! -f "$SCRIPT_PATH" ]]; then
debug_log "ERROR: Sign script not found at $SCRIPT_PATH"
ls -la "$(dirname "$SCRIPT_PATH")" | tee -a "$DEBUG_LOG_PATH"
echo "SIGNING_RESULT=false" >> $GITHUB_ENV
exit 1
fi
# Step 1: First sign all dylib files (especially third-party libraries)
debug_log "Signing all dynamic libraries (*.dylib)..."
find "$APP_PATH" -name "*.dylib" | while read -r dylib; do
debug_log "Signing: $dylib"
if [ "$USE_ENTITLEMENTS" = true ]; then
codesign --force --options runtime --timestamp --entitlements "$ENTITLEMENTS_PATH" --sign "$SIGNING_IDENTITY" "$dylib" || debug_log "⚠️ Failed to sign: $dylib"
else
codesign --force --options runtime --timestamp --sign "$SIGNING_IDENTITY" "$dylib" || debug_log "⚠️ Failed to sign: $dylib"
fi
done
# Step 2: Sign all .so files
debug_log "Signing all shared objects (*.so)..."
find "$APP_PATH" -name "*.so" | while read -r so; do
debug_log "Signing: $so"
if [ "$USE_ENTITLEMENTS" = true ]; then
codesign --force --options runtime --timestamp --entitlements "$ENTITLEMENTS_PATH" --sign "$SIGNING_IDENTITY" "$so" || debug_log "⚠️ Failed to sign: $so"
else
codesign --force --options runtime --timestamp --sign "$SIGNING_IDENTITY" "$so" || debug_log "⚠️ Failed to sign: $so"
fi
done
# Step 3: Sign all executables (files with execute permission)
debug_log "Signing all executable files..."
find "$APP_PATH" -type f -perm +111 -not -path "*.framework/*" -not -name "*.dylib" -not -name "*.so" | while read -r exe; do
debug_log "Signing executable: $exe"
if [ "$USE_ENTITLEMENTS" = true ]; then
codesign --force --options runtime --timestamp --entitlements "$ENTITLEMENTS_PATH" --sign "$SIGNING_IDENTITY" "$exe" || debug_log "⚠️ Failed to sign: $exe"
else
codesign --force --options runtime --timestamp --sign "$SIGNING_IDENTITY" "$exe" || debug_log "⚠️ Failed to sign: $exe"
fi
done
# Step 4: Sign all frameworks
debug_log "Signing frameworks..."
find "$APP_PATH" -path "*.framework" -type d | while read -r framework; do
debug_log "Signing framework: $framework"
if [ "$USE_ENTITLEMENTS" = true ]; then
codesign --force --options runtime --timestamp --entitlements "$ENTITLEMENTS_PATH" --sign "$SIGNING_IDENTITY" "$framework" || debug_log "⚠️ Failed to sign: $framework"
else
codesign --force --options runtime --timestamp --sign "$SIGNING_IDENTITY" "$framework" || debug_log "⚠️ Failed to sign: $framework"
fi
done
# Step 5: Special treatment for CrashReportClient.app (important for notarization)
debug_log "Looking for CrashReportClient.app..."
CRASH_REPORTER=$(find "$APP_PATH" -path "*CrashReportClient.app" -type d)
if [ -n "$CRASH_REPORTER" ]; then
debug_log "Found CrashReportClient at: $CRASH_REPORTER"
debug_log "Special signing for CrashReportClient.app..."
# Sign each component inside CrashReportClient
find "$CRASH_REPORTER" -type f -perm +111 | while read -r crash_exe; do
debug_log "Signing CrashReportClient binary: $crash_exe"
if [ "$USE_ENTITLEMENTS" = true ]; then
codesign --force --options runtime --timestamp --entitlements "$ENTITLEMENTS_PATH" --sign "$SIGNING_IDENTITY" "$crash_exe" || debug_log "⚠️ Failed to sign CrashReportClient binary: $crash_exe"
else
codesign --force --options runtime --timestamp --sign "$SIGNING_IDENTITY" "$crash_exe" || debug_log "⚠️ Failed to sign CrashReportClient binary: $crash_exe"
fi
done
# Sign the entire CrashReportClient.app
debug_log "Signing CrashReportClient.app bundle..."
if [ "$USE_ENTITLEMENTS" = true ]; then
codesign --force --deep --options runtime --timestamp --entitlements "$ENTITLEMENTS_PATH" --sign "$SIGNING_IDENTITY" "$CRASH_REPORTER" || debug_log "⚠️ Failed to sign CrashReportClient.app bundle"
else
codesign --force --deep --options runtime --timestamp --sign "$SIGNING_IDENTITY" "$CRASH_REPORTER" || debug_log "⚠️ Failed to sign CrashReportClient.app bundle"
fi
# Verify CrashReportClient signature
debug_log "Verifying CrashReportClient signature..."
codesign -vvv "$CRASH_REPORTER" || debug_log "⚠️ CrashReportClient signature verification failed"
else
debug_log "No CrashReportClient.app found"
if [[ ! -f "$CRASH_ENTITLEMENTS_PATH" ]]; then
debug_log "ERROR: Crash entitlements not found at $CRASH_ENTITLEMENTS_PATH"
ls -la "$(dirname "$CRASH_ENTITLEMENTS_PATH")" | tee -a "$DEBUG_LOG_PATH"
echo "SIGNING_RESULT=false" >> $GITHUB_ENV
exit 1
fi
# Step 6: Sign any other nested app bundles
debug_log "Signing any other nested app bundles..."
find "$APP_PATH" -path "*.app" -type d | grep -v CrashReportClient | while read -r nested_app; do
if [ "$nested_app" != "$APP_PATH" ]; then
debug_log "Signing nested app: $nested_app"
if [ "$USE_ENTITLEMENTS" = true ]; then
codesign --force --deep --options runtime --timestamp --entitlements "$ENTITLEMENTS_PATH" --sign "$SIGNING_IDENTITY" "$nested_app" || debug_log "⚠️ Failed to sign nested app: $nested_app"
else
codesign --force --deep --options runtime --timestamp --sign "$SIGNING_IDENTITY" "$nested_app" || debug_log "⚠️ Failed to sign nested app: $nested_app"
fi
fi
done
# Run comprehensive signing script
debug_log "Running comprehensive signing script..."
"$SCRIPT_PATH" "$SIGNING_IDENTITY" "$APP_PATH" "$ENTITLEMENTS_PATH" "$CRASH_ENTITLEMENTS_PATH" 2>&1 | tee -a "$DEBUG_LOG_PATH"
SIGN_RESULT=${PIPESTATUS[0]}
# Step 7: Special attention to UE Engine libraries (often problematic)
debug_log "Special focus on Engine libraries..."
for engine_lib_path in "$APP_PATH/Contents/UE/Engine/Binaries/ThirdParty" "$APP_PATH/Contents/UE/Engine/Plugins"; do
if [ -d "$engine_lib_path" ]; then
debug_log "Processing libraries in: $engine_lib_path"
find "$engine_lib_path" -name "*.dylib" | while read -r engine_lib; do
debug_log "Signing engine library: $engine_lib"
if [ "$USE_ENTITLEMENTS" = true ]; then
codesign --force --options runtime --timestamp --entitlements "$ENTITLEMENTS_PATH" --sign "$SIGNING_IDENTITY" "$engine_lib" || debug_log "⚠️ Failed to sign: $engine_lib"
else
codesign --force --options runtime --timestamp --sign "$SIGNING_IDENTITY" "$engine_lib" || debug_log "⚠️ Failed to sign: $engine_lib"
fi
done
fi
done
# Step 8: Special focus on Boost and Mujoco libraries
debug_log "Special focus on project-specific libraries..."
for project_lib_path in "$APP_PATH/Contents/UE/LuckyWorld/Binaries/Mac"; do
if [ -d "$project_lib_path" ]; then
debug_log "Processing libraries in: $project_lib_path"
find "$project_lib_path" -name "*.dylib" | while read -r project_lib; do
debug_log "Signing project library: $project_lib"
if [ "$USE_ENTITLEMENTS" = true ]; then
codesign --force --options runtime --timestamp --entitlements "$ENTITLEMENTS_PATH" --sign "$SIGNING_IDENTITY" "$project_lib" || debug_log "⚠️ Failed to sign: $project_lib"
else
codesign --force --options runtime --timestamp --sign "$SIGNING_IDENTITY" "$project_lib" || debug_log "⚠️ Failed to sign: $project_lib"
fi
done
fi
done
# Step 9: Finally, sign the main app bundle (use hash ID if available, otherwise use identity name)
debug_log "Signing main app bundle with deep option..."
if [ "$USE_ENTITLEMENTS" = true ]; then
debug_log "Using entitlements file: $ENTITLEMENTS_PATH"
if [[ -n "$HASH_ID" ]]; then
codesign --force --deep --options runtime --timestamp --entitlements "$ENTITLEMENTS_PATH" --sign "$HASH_ID" "$APP_PATH"
else
codesign --force --deep --options runtime --timestamp --entitlements "$ENTITLEMENTS_PATH" --sign "$SIGNING_IDENTITY" "$APP_PATH"
fi
else
debug_log "Signing without entitlements"
if [[ -n "$HASH_ID" ]]; then
codesign --force --deep --options runtime --timestamp --sign "$HASH_ID" "$APP_PATH"
else
codesign --force --deep --options runtime --timestamp --sign "$SIGNING_IDENTITY" "$APP_PATH"
fi
fi
SIGN_RESULT=$?
if [ $SIGN_RESULT -eq 0 ]; then
debug_log "App signed successfully"
echo "SIGNING_RESULT=true" >> $GITHUB_ENV
# Verify signature
debug_log "Verifying app signature..."
codesign -dvv "$APP_PATH"
VERIFY_RESULT=$?
if [ $VERIFY_RESULT -eq 0 ]; then
debug_log "Signature verification successful"
else
debug_log "WARNING: Signature verification failed, app may not be properly signed"
# Continue anyway since the signing appeared to succeed
fi
else
debug_log "ERROR: App signing failed with exit code: $SIGN_RESULT"
echo "SIGNING_RESULT=false" >> $GITHUB_ENV
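Review bot: The new `"$SCRIPT_PATH" "$SIGNING_IDENTITY" "$APP_PATH" "$ENTITLEMENTS_PATH" "$CRASH_ENTITLEMENTS_PATH" 2>&1 | tee` call hands the entitlements path to sign_all.sh unconditionally, although the branch just above it logs "will sign without entitlements" when the file is absent; sign_all.sh then runs `codesign --entitlements "$ENTITLEMENTS_PATH"` on a non-existent file and the no-entitlements path of this step can no longer succeed. Either pass an empty third argument when `USE_ENTITLEMENTS` is not `true` and have the script omit `--entitlements` for an empty `$3`, or make the missing-file case a hard error here instead of a debug_log. If the later `SIGN_RESULT=$?` after the final `codesign --deep` is still on the new side, it overwrites the `SIGN_RESULT=${PIPESTATUS[0]}` captured from the script and the script's exit status is never checked — the rendered hunk does not make clear which of the old per-step loops survive. The `echo "SIGNING_RESULT=..." >> $GITHUB_ENV` lines should quote the variable as `>> "$GITHUB_ENV"`. The step's shell block starts before this hunk.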


@ -0,0 +1,17 @@
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
<key>com.apple.security.cs.allow-jit</key>
<true/>
<key>com.apple.security.cs.allow-unsigned-executable-memory</key>
<true/>
<key>com.apple.security.cs.disable-library-validation</key>
<true/>
<key>com.apple.security.automation.apple-events</key>
<true/>
<key>com.apple.security.cs.disable-executable-page-protection</key>
<true/>
<!-- Not including get-task-allow permission -->
</dict>
</plist>
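Review bot: Every key in this file switches off one hardened-runtime protection (library validation, unsigned executable memory, executable page protection, JIT, Apple Events automation) and none of them carries a reason; if this is the `crash_entitlements.plist` the workflow references, a crash-report helper rarely needs all five, and each exemption granted here survives notarization and narrows what the signature actually attests. Add a comment per key naming the component that needs it and why, in the style of the existing `<!-- Not including get-task-allow permission -->` line, e.g. `<!-- <key>: needed by <component> because <reason> — placeholder, fill in -->`, and drop any key that ends up without a justification. `get-task-allow` being omitted is correct for a notarized build, as the existing comment says.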

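--- a/scripts/sign_all.sh
+++ b/scripts/sign_all.sh
@@ -0,0 +1,117 @@
+#!/bin/bash
+# Parametreleri al
+SIGNING_IDENTITY="$1"
+APP_PATH="$2"
+ENTITLEMENTS_PATH="$3"
+CRASH_ENTITLEMENTS_PATH="$4"
+echo "📝 Comprehensive signing starting..."
+echo "App Path: $APP_PATH"
+echo "Signing Identity: $SIGNING_IDENTITY"
+echo "Entitlements: $ENTITLEMENTS_PATH"
+echo "CrashReporter Entitlements: $CRASH_ENTITLEMENTS_PATH"
+# Step 1: Tüm dylib dosyalarını imzala
+echo "🔍 Signing all dylib files..."
+find "$APP_PATH" -name "*.dylib" -print0 | xargs -0 -L 1 -I{} bash -c 'echo "Signing: {}"; codesign --force --options runtime --timestamp --sign "$1" "{}" || echo "⚠️ Failed: {}"' -- "$SIGNING_IDENTITY"
+# Step 2: Tüm .so dosyalarını imzala
+echo "🔍 Signing all .so files..."
+find "$APP_PATH" -name "*.so" -print0 | xargs -0 -L 1 -I{} bash -c 'echo "Signing: {}"; codesign --force --options runtime --timestamp --sign "$1" "{}" || echo "⚠️ Failed: {}"' -- "$SIGNING_IDENTITY"
+# Step 3: Tüm yürütülebilir dosyaları imzala
+echo "🔍 Signing all executable files..."
+find "$APP_PATH" -type f -perm +111 -not -path "*.framework/*" -not -name "*.dylib" -not -name "*.so" -print0 | xargs -0 -L 1 -I{} bash -c 'echo "Signing: {}"; codesign --force --options runtime --timestamp --sign "$1" "{}" || echo "⚠️ Failed: {}"' -- "$SIGNING_IDENTITY"
+# Step 4: Tüm framework'leri imzala
+echo "🔍 Signing all frameworks..."
+find "$APP_PATH" -path "*.framework" -type d -print0 | xargs -0 -L 1 -I{} bash -c 'echo "Signing framework: {}"; codesign --force --options runtime --timestamp --sign "$1" "{}" || echo "⚠️ Failed: {}"' -- "$SIGNING_IDENTITY"
+# Step 5: CrashReportClient'ı özel olarak imzala
+echo "🔍 Looking for CrashReportClient.app..."
+CRASH_REPORTER_PATHS=$(find "$APP_PATH" -path "*CrashReportClient.app" -type d)
+if [ -n "$CRASH_REPORTER_PATHS" ]; then
+echo "✅ Found CrashReportClient apps:"
+echo "$CRASH_REPORTER_PATHS"
+for CRASH_REPORTER in $CRASH_REPORTER_PATHS; do
+echo "🔐 Special signing for CrashReportClient: $CRASH_REPORTER"
+# CrashReporter içindeki executable'ları imzala
+find "$CRASH_REPORTER" -type f -perm +111 -print0 | xargs -0 -L 1 -I{} bash -c 'echo "Signing CrashReporter binary: {}"; codesign --force --options runtime --timestamp --entitlements "$2" --sign "$1" "{}" || echo "⚠️ Failed: {}"' -- "$SIGNING_IDENTITY" "$CRASH_ENTITLEMENTS_PATH"
+# CrashReporter bundle'ı imzala
+echo "Signing CrashReporter bundle: $CRASH_REPORTER"
+codesign --force --deep --options runtime --timestamp --entitlements "$CRASH_ENTITLEMENTS_PATH" --sign "$SIGNING_IDENTITY" "$CRASH_REPORTER" || echo "⚠️ Failed to sign CrashReportClient bundle"
+# İmzayı doğrula
+echo "Verifying CrashReportClient signature..."
+codesign -vvv "$CRASH_REPORTER" || echo "⚠️ CrashReporter signature verification failed"
+done
+else
+echo "⚠️ No CrashReportClient.app found in $APP_PATH"
+fi
+# Step 6: Boost kütüphaneleri özellikle imzala
+echo "🔍 Looking for Boost libraries..."
+BOOST_LIBS=$(find "$APP_PATH" -path "*/UE/LuckyWorld/Binaries/Mac/*.dylib")
+if [ -n "$BOOST_LIBS" ]; then
+echo "✅ Found Boost libs, specifically signing them..."
+for lib in $BOOST_LIBS; do
+echo "Signing boost lib: $lib"
+codesign --force --options runtime --timestamp --sign "$SIGNING_IDENTITY" "$lib" || echo "⚠️ Failed to sign: $lib"
+done
+else
+echo "⚠️ No Boost libraries found"
+fi
+# Step 7: Engine ThirdParty kütüphanelerini imzala
+echo "🔍 Looking for Engine ThirdParty libraries..."
+THIRD_PARTY_PATHS=$(find "$APP_PATH" -path "*/Engine/Binaries/ThirdParty" -type d)
+if [ -n "$THIRD_PARTY_PATHS" ]; then
+echo "✅ Found ThirdParty directories:"
+echo "$THIRD_PARTY_PATHS"
+for THIRD_PARTY in $THIRD_PARTY_PATHS; do
+echo "Processing ThirdParty directory: $THIRD_PARTY"
+find "$THIRD_PARTY" -name "*.dylib" -print0 | xargs -0 -L 1 -I{} bash -c 'echo "Signing ThirdParty lib: {}"; codesign --force --options runtime --timestamp --sign "$1" "{}" || echo "⚠️ Failed: {}"' -- "$SIGNING_IDENTITY"
+done
+else
+echo "⚠️ No ThirdParty directories found"
+fi
+# Step 8: Plugin kütüphanelerini imzala
+echo "🔍 Looking for Plugin libraries..."
+PLUGIN_PATHS=$(find "$APP_PATH" -path "*/Engine/Plugins" -type d)
+if [ -n "$PLUGIN_PATHS" ]; then
+echo "✅ Found Plugin directories:"
+echo "$PLUGIN_PATHS"
+for PLUGIN_PATH in $PLUGIN_PATHS; do
+echo "Processing Plugin directory: $PLUGIN_PATH"
+find "$PLUGIN_PATH" -name "*.dylib" -print0 | xargs -0 -L 1 -I{} bash -c 'echo "Signing Plugin lib: {}"; codesign --force --options runtime --timestamp --sign "$1" "{}" || echo "⚠️ Failed: {}"' -- "$SIGNING_IDENTITY"
+done
+else
+echo "⚠️ No Plugin directories found"
+fi
+# Step 9: Diğer nested app bundles imzala
+echo "🔍 Signing nested app bundles..."
+find "$APP_PATH" -path "*.app" -type d | grep -v CrashReportClient | while read -r nested_app; do
+if [ "$nested_app" != "$APP_PATH" ]; then
+echo "Signing nested app: $nested_app"
+codesign --force --deep --options runtime --timestamp --entitlements "$ENTITLEMENTS_PATH" --sign "$SIGNING_IDENTITY" "$nested_app" || echo "⚠️ Failed to sign: $nested_app"
+fi
+done
+# Step 10: Ana uygulamayı imzala
+echo "🔐 Final signing of the main app bundle..."
+codesign --force --deep --options runtime --timestamp --entitlements "$ENTITLEMENTS_PATH" --sign "$SIGNING_IDENTITY" "$APP_PATH" || { echo "❌ ERROR: Main app signing failed"; exit 1; }
+# İmzalamayı doğrula
+echo "🔍 Verifying main app signature..."
+codesign -dvv "$APP_PATH" || { echo "❌ ERROR: Main app signature verification failed"; exit 1; }
+echo "✅ Comprehensive signing completed successfully"
+exit 0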
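Review bot: The `xargs -0 -L 1 -I{} bash -c '... "{}" ...'` pattern in Steps 1–4, 5, 7 and 8 splices each file name textually into a shell command string before bash parses it, so any path inside the app bundle containing a double quote, `$(`, `;` or backtick is executed as shell rather than signed — this is a bundle full of third-party binaries whose file names the build does not control, and the `-print0` care taken on the find side is undone by the `-I{}` substitution. The `for CRASH_REPORTER in $CRASH_REPORTER_PATHS`, `for lib in $BOOST_LIBS`, `for THIRD_PARTY in $THIRD_PARTY_PATHS` and `for PLUGIN_PATH in $PLUGIN_PATHS` loops word-split on whitespace and so break on paths with spaces; the same NUL-delimited `read -d ''` loop fixes both problems without `bash -c`. Separately, `codesign -dvv "$APP_PATH"` on the last step only displays the signature and succeeds on any signed bundle, so it is not the verification the message claims; use `codesign --verify --deep --strict --verbose=2 "$APP_PATH" || { echo "❌ ERROR: Main app signature verification failed"; exit 1; }`. The script also accepts an empty `$1`/`$2` silently; a `[ $# -eq 4 ] || { echo "usage: $0 IDENTITY APP_PATH ENTITLEMENTS CRASH_ENTITLEMENTS" >&2; exit 2; }` guard near the top would stop a misconfigured workflow from signing with an empty identity. Rewritten Step 1 below; Steps 2–4, 7 and 8 follow the same shape.
```shell
# Sign one path with the hardened runtime. The path is passed as a real argument,
# never spliced into a command string, so file names cannot alter the command.
sign_one() {
  local target=$1
  echo "Signing: $target"
  codesign --force --options runtime --timestamp --sign "$SIGNING_IDENTITY" "$target" || echo "⚠️ Failed: $target"
}
# … unchanged: parameter echo lines …
echo "🔍 Signing all dylib files..."
while IFS= read -r -d '' f; do
  sign_one "$f"
done < <(find "$APP_PATH" -name "*.dylib" -print0)
# … unchanged: remaining steps, each xargs/bash -c pipeline replaced by the same read -d '' loop …
```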