diff --git a/.gitea/actions/macos-build/action.yml b/.gitea/actions/macos-build/action.yml index 4f2237eb..62c94c09 100644 --- a/.gitea/actions/macos-build/action.yml +++ b/.gitea/actions/macos-build/action.yml 
@@ -48,140 +48,79 @@ runs: ./scripts/mac_build.sh shell: bash - - name: Sign and Notarize macOS App + - name: Setup for Signing + id: setup-signing if: ${{ success() }} env: - APPLE_TEAM_ID: ${{ inputs.apple_team_id }} - APPLE_CERTIFICATE_BASE64: ${{ inputs.apple_certificate_base64 }} - APPLE_CERTIFICATE_PASSWORD: ${{ inputs.apple_certificate_password }} API_KEY_PATH: ${{ inputs.api_key_path }} - API_KEY_ID: ${{ inputs.api_key_id }} - API_KEY_ISSUER_ID: ${{ inputs.api_key_issuer_id }} run: | # Create output directory mkdir -p PackagedReleases - # Download Apple root certificates - echo "Downloading Apple Developer certificates..." - curl -s -o AppleWWDRCAG3.cer https://www.apple.com/certificateauthority/AppleWWDRCAG3.cer - curl -s -o DeveloperIDG2.cer https://www.apple.com/certificateauthority/DeveloperIDG2.cer - - # Decode the base64 certificate - echo "Setting up certificate..." - echo $APPLE_CERTIFICATE_BASE64 | base64 --decode > certificate.p12 - - # Create keychain and import certificate - KEYCHAIN_PATH=$RUNNER_TEMP/app-signing.keychain-db - KEYCHAIN_PASSWORD=temporary - - security create-keychain -p "$KEYCHAIN_PASSWORD" "$KEYCHAIN_PATH" - security set-keychain-settings -lut 21600 "$KEYCHAIN_PATH" - security unlock-keychain -p "$KEYCHAIN_PASSWORD" "$KEYCHAIN_PATH" - - # Import all certificates to our custom keychain - security import AppleWWDRCAG3.cer -k "$KEYCHAIN_PATH" -T /usr/bin/codesign -f der -A - security import DeveloperIDG2.cer -k "$KEYCHAIN_PATH" -T /usr/bin/codesign -f der -A - security import certificate.p12 -P "$APPLE_CERTIFICATE_PASSWORD" -A -t cert -f pkcs12 -k "$KEYCHAIN_PATH" - - # Set keychain for signing - security list-keychain -d user -s "$KEYCHAIN_PATH" - security default-keychain -s "$KEYCHAIN_PATH" - - # Always trust our certificates - security set-key-partition-list -S apple-tool:,apple: -s -k "$KEYCHAIN_PASSWORD" "$KEYCHAIN_PATH" + # Decode the API key from Base64 secret + echo "$API_KEY_PATH" | base64 --decode > api_key.p8 + echo 
"api_key_file=$(pwd)/api_key.p8" >> $GITHUB_OUTPUT # Find app bundle APP_PATH=$(find Builds -type d -name "*.app" | head -1) - if [ -n "$APP_PATH" ]; then - echo "Signing app bundle: $APP_PATH" - - # First, handle problematic libraries separately (specifically libmujoco) - find "$APP_PATH" -name "libmujoco*.dylib" | while read DYLIB; do - echo "Pre-signing library: $DYLIB" - codesign --force --options runtime --timestamp --sign "Developer ID Application: $APPLE_TEAM_ID" "$DYLIB" - done - - # Now sign all other dylibs - find "$APP_PATH" -name "*.dylib" -o -name "*.framework" | while read LIB; do - echo "Signing library: $LIB" - codesign --force --options runtime --timestamp --sign "Developer ID Application: $APPLE_TEAM_ID" "$LIB" - done - - # Now sign the application itself - echo "Signing main application bundle..." - /usr/bin/codesign --force --options runtime --deep --timestamp --sign "Developer ID Application: $APPLE_TEAM_ID" --entitlements "./LuckyRobots.entitlements" "$APP_PATH" - - # Verify signature - echo "Verifying signature..." - codesign --verify --verbose "$APP_PATH" - - # Create a temporary file for notarization - NOTARIZE_APP_PATH="./LuckyRobots-notarize.zip" - ditto -c -k --keepParent "$APP_PATH" "$NOTARIZE_APP_PATH" - - # Decode the API key from Base64 secret - echo "$API_KEY_PATH" | base64 --decode > api_key.p8 - API_KEY_FILE="api_key.p8" - - # Submit for notarization using API key - echo "Submitting for notarization with API key..." 
- xcrun notarytool submit "$NOTARIZE_APP_PATH" --key "$API_KEY_FILE" --key-id "$API_KEY_ID" --issuer "$API_KEY_ISSUER_ID" --wait - - # Check notarization result - NOTARIZATION_INFO=$(xcrun notarytool history --key "$API_KEY_FILE" --key-id "$API_KEY_ID" --issuer "$API_KEY_ISSUER_ID" | grep -E '(success|invalid)' | head -1) - - # Clean up the API key file - rm -f "$API_KEY_FILE" - - if echo "$NOTARIZATION_INFO" | grep -q "success"; then - echo "Notarization successful" - - # Staple the ticket to the application - xcrun stapler staple "$APP_PATH" - - # Package the notarized app - echo "Creating final package..." - APP_NAME=$(basename "$APP_PATH") - (cd $(dirname "$APP_PATH") && zip -r "../../PackagedReleases/LuckyRobots-macOS.zip" "$APP_NAME") - echo "Created packaged release: PackagedReleases/LuckyRobots-macOS.zip" - else - echo "Notarization failed: $NOTARIZATION_INFO" - exit 1 - fi - else - echo "No app bundle found for signing and notarization" - + if [ -z "$APP_PATH" ]; then # Look for a directory that might be a bundle but not named .app - MAIN_BUILD_DIR=$(find Builds -mindepth 1 -maxdepth 1 -type d | head -1) - if [ -n "$MAIN_BUILD_DIR" ]; then - echo "Found main build directory: $MAIN_BUILD_DIR" - - # Sign libraries first - find "$MAIN_BUILD_DIR" -name "*.dylib" -o -name "*.framework" | while read LIB; do - echo "Signing library: $LIB" - codesign --force --options runtime --timestamp --sign "Developer ID Application: $APPLE_TEAM_ID" "$LIB" - done - - # Then sign main directory - /usr/bin/codesign --force --options runtime --timestamp --sign "Developer ID Application: $APPLE_TEAM_ID" --deep --entitlements "./LuckyRobots.entitlements" "$MAIN_BUILD_DIR" - - # Package it - DIR_NAME=$(basename "$MAIN_BUILD_DIR") - (cd $(dirname "$MAIN_BUILD_DIR") && zip -r "../../PackagedReleases/LuckyRobots-macOS.zip" "$DIR_NAME") - echo "Created packaged release: PackagedReleases/LuckyRobots-macOS.zip" - else - echo "No main directory found, cannot sign or package" + 
APP_PATH=$(find Builds -mindepth 1 -maxdepth 1 -type d | head -1) + if [ -z "$APP_PATH" ]; then + echo "No build directory found, cannot continue" exit 1 fi fi + echo "Found app path: $APP_PATH" + echo "app_path=$APP_PATH" >> $GITHUB_OUTPUT + shell: bash + + - name: Sign macOS App + uses: lando/code-sign-action@v3 + id: sign-app + with: + file: ${{ steps.setup-signing.outputs.app_path }} + certificate-data: ${{ inputs.apple_certificate_base64 }} + certificate-password: ${{ inputs.apple_certificate_password }} + certificate-id: ${{ inputs.apple_team_id }} + options: --force --options runtime --deep --timestamp --entitlements ./LuckyRobots.entitlements + + - name: Notarize macOS App + run: | + # Create a temporary file for notarization + APP_PATH="${{ steps.setup-signing.outputs.app_path }}" + NOTARIZE_APP_PATH="./LuckyRobots-notarize.zip" + ditto -c -k --keepParent "$APP_PATH" "$NOTARIZE_APP_PATH" + + API_KEY_FILE="${{ steps.setup-signing.outputs.api_key_file }}" + + # Submit for notarization using API key + echo "Submitting for notarization with API key..." + xcrun notarytool submit "$NOTARIZE_APP_PATH" --key "$API_KEY_FILE" --key-id "${{ inputs.api_key_id }}" --issuer "${{ inputs.api_key_issuer_id }}" --wait + + # Staple the ticket to the application + xcrun stapler staple "$APP_PATH" + + # Clean up the API key file + rm -f "$API_KEY_FILE" + rm -f "$NOTARIZE_APP_PATH" + shell: bash + + - name: Package macOS App + run: | + # Package the signed and notarized app + APP_PATH="${{ steps.setup-signing.outputs.app_path }}" + APP_NAME=$(basename "$APP_PATH") + DIR_PATH=$(dirname "$APP_PATH") + + echo "Creating final package..." 
+ (cd "$DIR_PATH" && zip -r "../../PackagedReleases/LuckyRobots-macOS.zip" "$APP_NAME") + echo "Created packaged release: PackagedReleases/LuckyRobots-macOS.zip" + echo "Packaged releases:" ls -la PackagedReleases/ - - # Clean up - rm -f certificate.p12 AppleWWDRCAG3.cer DeveloperIDG2.cer - security delete-keychain "$KEYCHAIN_PATH" shell: bash - name: Upload macOS Build Artifact
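Review bot: The decoded notarization private key is written into the checked-out workspace (`> api_key.p8`, path exported as `$(pwd)/api_key.p8`) with the default umask, and the only `rm -f "$API_KEY_FILE"` sits at the end of the Notarize step after `notarytool submit` and `stapler staple`, so any failure there leaves the key on disk for the following steps and, on a persistent runner, for later jobs. Write it under `$RUNNER_TEMP` with `umask 077` and remove it from a separate `if: always()` step instead. The same hunk also interpolates `${{ inputs.api_key_id }}`, `${{ inputs.api_key_issuer_id }}` and `${{ steps.setup-signing.outputs.app_path }}` directly into the `run:` scripts, whereas the removed version passed these values through `env:`; the env form is the safer one because an expression value is pasted into the script text verbatim before bash parses it. Two smaller points: `>> $GITHUB_OUTPUT` is unquoted on both Setup lines, and `uses: lando/code-sign-action@v3` receives the signing certificate and its password while pinned only to a mutable tag, so pin it to a commit SHA. Whether `notarytool submit --wait` exits non-zero on an Invalid result is not something I can confirm from the hunk; the following `stapler staple` would presumably fail, but an explicit status check (which the removed code had via `notarytool history`) would make that failure mode clear.
```yaml
      run: |
        # … unchanged: mkdir -p PackagedReleases …
        umask 077
        KEY_DIR=$(mktemp -d "$RUNNER_TEMP/notary.XXXXXX")
        API_KEY_FILE="$KEY_DIR/api_key.p8"
        echo "$API_KEY_PATH" | base64 --decode > "$API_KEY_FILE"
        echo "api_key_file=$API_KEY_FILE" >> "$GITHUB_OUTPUT"
        # … unchanged: locate the app bundle …
        echo "app_path=$APP_PATH" >> "$GITHUB_OUTPUT"
      shell: bash

    - name: Notarize macOS App
      env:
        APP_PATH: ${{ steps.setup-signing.outputs.app_path }}
        API_KEY_FILE: ${{ steps.setup-signing.outputs.api_key_file }}
        API_KEY_ID: ${{ inputs.api_key_id }}
        API_KEY_ISSUER_ID: ${{ inputs.api_key_issuer_id }}
      run: |
        # … unchanged: ditto, notarytool submit, stapler staple — now reading "$API_KEY_ID" / "$API_KEY_ISSUER_ID" from env …
      shell: bash

    - name: Remove notarization key
      if: always()
      env:
        API_KEY_FILE: ${{ steps.setup-signing.outputs.api_key_file }}
      run: rm -f -- "$API_KEY_FILE"
      shell: bash
```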