From 4b7123d9e18b53f070f2b9211eb36b859082030c Mon Sep 17 00:00:00 2001
From: Ozgur Ersoy
Date: Wed, 16 Apr 2025 21:21:17 +0200
Subject: [PATCH] fix(actions): enhance macOS notarization workflow by refining signing identity handling, improving logging for certificate extraction, and optimizing signing process for various file types
---
 .gitea/workflows/test-macos-build.yml | 27 ++++++-------
 scripts/sign_all.sh | 57 +++++++++++++++++++++------
 2 files changed, 57 insertions(+), 27 deletions(-)
diff --git a/.gitea/workflows/test-macos-build.yml b/.gitea/workflows/test-macos-build.yml
index d3c6f5a2..a29dc422 100644
--- a/.gitea/workflows/test-macos-build.yml
+++ b/.gitea/workflows/test-macos-build.yml
@@ -389,25 +389,24 @@ jobs: # Verify certificate exists IDENTITY_INFO=$(security find-identity -v "$KEYCHAIN_NAME") - EXACT_IDENTITY=$(echo "$IDENTITY_INFO" | grep "Developer ID Application" | head -1 | sed -E 's/.*"(Developer ID Application: .*)"/\1/') + debug_log "$IDENTITY_INFO" - if [[ -z "$EXACT_IDENTITY" ]]; then - debug_log "ERROR: No Developer ID Application certificate found in keychain" - debug_log "$IDENTITY_INFO" - echo "SIGNING_RESULT=false" >> $GITHUB_ENV - exit 1 - fi - - debug_log "Found signing identity: $EXACT_IDENTITY" - SIGNING_IDENTITY="$EXACT_IDENTITY" - - # Get hash ID if available for direct signing + # Directly extract hash to avoid ambiguity if [[ "$IDENTITY_INFO" =~ ([0-9A-F]{40}) ]]; then HASH_ID="${BASH_REMATCH[1]}" debug_log "Using certificate hash: $HASH_ID" + SIGNING_IDENTITY="$HASH_ID" # Use hash directly else - HASH_ID="" - debug_log "No certificate hash found, using identity name" + # Try to extract certificate name if hash not found + EXACT_IDENTITY=$(echo "$IDENTITY_INFO" | grep "Developer ID Application" | head -1 | sed -E 's/.*"(Developer ID Application: .*)"/\1/') + if [[ -z "$EXACT_IDENTITY" ]]; then + debug_log "ERROR: No Developer ID Application certificate found in keychain" + debug_log "$IDENTITY_INFO" + echo "SIGNING_RESULT=false" >> $GITHUB_ENV + exit 1 + fi + debug_log "Using certificate identity: $EXACT_IDENTITY" + SIGNING_IDENTITY="$EXACT_IDENTITY" fi # Check entitlements file and validate it diff --git a/scripts/sign_all.sh b/scripts/sign_all.sh index fd4ea574..19cab6ea 100644 --- a/scripts/sign_all.sh +++ b/scripts/sign_all.sh 
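Review bot: The new hash extraction at `if [[ "$IDENTITY_INFO" =~ ([0-9A-F]{40}) ]]` takes the first 40-hex SHA-1 found anywhere in the `security find-identity -v` listing, so if the keychain also holds a Developer ID Installer or Apple Development identity the build can sign with the wrong certificate, whereas the removed code selected by the "Developer ID Application" name first. Narrow the match to that identity's line before reading the hash: `DEV_ID_LINE=$(grep "Developer ID Application" <<<"$IDENTITY_INFO" | head -1)` followed by `if [[ "$DEV_ID_LINE" =~ ([0-9A-F]{40}) ]]; then`, keeping the name-based branch as the fallback when no hash is present on that line. The `debug_log "$IDENTITY_INFO"` added at the top now prints the full identity listing on every run and the error branch prints it a second time, so one of the two is redundant. The enclosing `run:` step starts and ends outside the hunk.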
@@ -6,27 +6,49 @@ APP_PATH="$2" ENTITLEMENTS_PATH="$3" CRASH_ENTITLEMENTS_PATH="$4" +# Sertifika hash'ini ayıkla (varsa) +CERT_HASH=$(echo "$SIGNING_IDENTITY" | grep -o '[0-9A-F]\{40\}') +if [ -n "$CERT_HASH" ]; then + echo "📝 Using certificate hash: $CERT_HASH" + SIGNING_ID="$CERT_HASH" +else + echo "📝 Using certificate identity: $SIGNING_IDENTITY" + SIGNING_ID="$SIGNING_IDENTITY" +fi + echo "📝 Comprehensive signing starting..." echo "App Path: $APP_PATH" -echo "Signing Identity: $SIGNING_IDENTITY" +echo "Signing Identity: $SIGNING_ID" echo "Entitlements: $ENTITLEMENTS_PATH" echo "CrashReporter Entitlements: $CRASH_ENTITLEMENTS_PATH" -# Step 1: Tüm dylib dosyalarını imzala +# Step 1: Tüm dylib dosyalarını imzala (küçük gruplar halinde) echo "🔍 Signing all dylib files..." -find "$APP_PATH" -name "*.dylib" -print0 | xargs -0 -L 1 -I{} bash -c 'echo "Signing: {}"; codesign --force --options runtime --timestamp --sign "$1" "{}" || echo "⚠️ Failed: {}"' -- "$SIGNING_IDENTITY" +find "$APP_PATH" -name "*.dylib" | while read -r dylib; do + echo "Signing: $dylib" + codesign --force --options runtime --timestamp --sign "$SIGNING_ID" "$dylib" || echo "⚠️ Failed to sign: $dylib" +done # Step 2: Tüm .so dosyalarını imzala echo "🔍 Signing all .so files..." -find "$APP_PATH" -name "*.so" -print0 | xargs -0 -L 1 -I{} bash -c 'echo "Signing: {}"; codesign --force --options runtime --timestamp --sign "$1" "{}" || echo "⚠️ Failed: {}"' -- "$SIGNING_IDENTITY" +find "$APP_PATH" -name "*.so" | while read -r so; do + echo "Signing: $so" + codesign --force --options runtime --timestamp --sign "$SIGNING_ID" "$so" || echo "⚠️ Failed to sign: $so" +done # Step 3: Tüm yürütülebilir dosyaları imzala echo "🔍 Signing all executable files..." 
-find "$APP_PATH" -type f -perm +111 -not -path "*.framework/*" -not -name "*.dylib" -not -name "*.so" -print0 | xargs -0 -L 1 -I{} bash -c 'echo "Signing: {}"; codesign --force --options runtime --timestamp --sign "$1" "{}" || echo "⚠️ Failed: {}"' -- "$SIGNING_IDENTITY" +find "$APP_PATH" -type f -perm +111 -not -path "*.framework/*" -not -name "*.dylib" -not -name "*.so" | while read -r exe; do + echo "Signing: $exe" + codesign --force --options runtime --timestamp --sign "$SIGNING_ID" "$exe" || echo "⚠️ Failed to sign: $exe" +done # Step 4: Tüm framework'leri imzala echo "🔍 Signing all frameworks..." -find "$APP_PATH" -path "*.framework" -type d -print0 | xargs -0 -L 1 -I{} bash -c 'echo "Signing framework: {}"; codesign --force --options runtime --timestamp --sign "$1" "{}" || echo "⚠️ Failed: {}"' -- "$SIGNING_IDENTITY" +find "$APP_PATH" -path "*.framework" -type d | while read -r framework; do + echo "Signing framework: $framework" + codesign --force --options runtime --timestamp --sign "$SIGNING_ID" "$framework" || echo "⚠️ Failed to sign: $framework" +done # Step 5: CrashReportClient'ı özel olarak imzala echo "🔍 Looking for CrashReportClient.app..." 
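Review bot: The rewritten loops (`find "$APP_PATH" -name "*.dylib" | while read -r dylib; do` and the three below it) give up the `-print0`/`xargs -0` protection the removed lines had: `read -r` without `IFS=` trims leading and trailing whitespace from each path, and a newline inside a path splits it into two bogus paths, so such files go unsigned and only show up as a `⚠️ Failed to sign` warning. Keep NUL delimiting inside the bash loop, `find "$APP_PATH" -name "*.dylib" -print0 | while IFS= read -r -d '' dylib; do`, and apply the same shape to the `.so`, executable and framework loops here and to the loops in the hunks at @@ -39,11, @@ -75,7 and @@ -90,7. The new `CERT_HASH`/`SIGNING_ID` block also never rejects an empty identity: if `SIGNING_IDENTITY` (presumably assigned from `$1` above the hunk) is empty, `SIGNING_ID` is empty too and every codesign call is attempted with `--sign ""`, each per-file failure being reported only as a warning; a guard such as `: "${SIGNING_IDENTITY:?signing identity required}"` before the extraction turns that into an immediate, clearly-reported failure. The script header with the positional assignments starts above the hunk.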
@@ -39,11 +61,14 @@ if [ -n "$CRASH_REPORTER_PATHS" ]; then echo "🔐 Special signing for CrashReportClient: $CRASH_REPORTER" # CrashReporter içindeki executable'ları imzala - find "$CRASH_REPORTER" -type f -perm +111 -print0 | xargs -0 -L 1 -I{} bash -c 'echo "Signing CrashReporter binary: {}"; codesign --force --options runtime --timestamp --entitlements "$2" --sign "$1" "{}" || echo "⚠️ Failed: {}"' -- "$SIGNING_IDENTITY" "$CRASH_ENTITLEMENTS_PATH" + find "$CRASH_REPORTER" -type f -perm +111 | while read -r crash_exe; do + echo "Signing CrashReporter binary: $crash_exe" + codesign --force --options runtime --timestamp --entitlements "$CRASH_ENTITLEMENTS_PATH" --sign "$SIGNING_ID" "$crash_exe" || echo "⚠️ Failed to sign: $crash_exe" + done # CrashReporter bundle'ı imzala echo "Signing CrashReporter bundle: $CRASH_REPORTER" - codesign --force --deep --options runtime --timestamp --entitlements "$CRASH_ENTITLEMENTS_PATH" --sign "$SIGNING_IDENTITY" "$CRASH_REPORTER" || echo "⚠️ Failed to sign CrashReportClient bundle" + codesign --force --deep --options runtime --timestamp --entitlements "$CRASH_ENTITLEMENTS_PATH" --sign "$SIGNING_ID" "$CRASH_REPORTER" || echo "⚠️ Failed to sign CrashReportClient bundle" # İmzayı doğrula echo "Verifying CrashReportClient signature..." @@ -60,7 +85,7 @@ if [ -n "$BOOST_LIBS" ]; then echo "✅ Found Boost libs, specifically signing them..." for lib in $BOOST_LIBS; do echo "Signing boost lib: $lib" - codesign --force --options runtime --timestamp --sign "$SIGNING_IDENTITY" "$lib" || echo "⚠️ Failed to sign: $lib" + codesign --force --options runtime --timestamp --sign "$SIGNING_ID" "$lib" || echo "⚠️ Failed to sign: $lib" done else echo "⚠️ No Boost libraries found" 
@@ -75,7 +100,10 @@ if [ -n "$THIRD_PARTY_PATHS" ]; then for THIRD_PARTY in $THIRD_PARTY_PATHS; do echo "Processing ThirdParty directory: $THIRD_PARTY" - find "$THIRD_PARTY" -name "*.dylib" -print0 | xargs -0 -L 1 -I{} bash -c 'echo "Signing ThirdParty lib: {}"; codesign --force --options runtime --timestamp --sign "$1" "{}" || echo "⚠️ Failed: {}"' -- "$SIGNING_IDENTITY" + find "$THIRD_PARTY" -name "*.dylib" | while read -r engine_lib; do + echo "Signing ThirdParty lib: $engine_lib" + codesign --force --options runtime --timestamp --sign "$SIGNING_ID" "$engine_lib" || echo "⚠️ Failed to sign: $engine_lib" + done done else echo "⚠️ No ThirdParty directories found" @@ -90,7 +118,10 @@ if [ -n "$PLUGIN_PATHS" ]; then for PLUGIN_PATH in $PLUGIN_PATHS; do echo "Processing Plugin directory: $PLUGIN_PATH" - find "$PLUGIN_PATH" -name "*.dylib" -print0 | xargs -0 -L 1 -I{} bash -c 'echo "Signing Plugin lib: {}"; codesign --force --options runtime --timestamp --sign "$1" "{}" || echo "⚠️ Failed: {}"' -- "$SIGNING_IDENTITY" + find "$PLUGIN_PATH" -name "*.dylib" | while read -r plugin_lib; do + echo "Signing Plugin lib: $plugin_lib" + codesign --force --options runtime --timestamp --sign "$SIGNING_ID" "$plugin_lib" || echo "⚠️ Failed to sign: $plugin_lib" + done done else echo "⚠️ No Plugin directories found" 
@@ -101,13 +132,13 @@ echo "🔍 Signing nested app bundles..." find "$APP_PATH" -path "*.app" -type d | grep -v CrashReportClient | while read -r nested_app; do if [ "$nested_app" != "$APP_PATH" ]; then echo "Signing nested app: $nested_app" - codesign --force --deep --options runtime --timestamp --entitlements "$ENTITLEMENTS_PATH" --sign "$SIGNING_IDENTITY" "$nested_app" || echo "⚠️ Failed to sign: $nested_app" + codesign --force --deep --options runtime --timestamp --entitlements "$ENTITLEMENTS_PATH" --sign "$SIGNING_ID" "$nested_app" || echo "⚠️ Failed to sign: $nested_app" fi done # Step 10: Ana uygulamayı imzala echo "🔐 Final signing of the main app bundle..." -codesign --force --deep --options runtime --timestamp --entitlements "$ENTITLEMENTS_PATH" --sign "$SIGNING_IDENTITY" "$APP_PATH" || { echo "❌ ERROR: Main app signing failed"; exit 1; } +codesign --force --deep --options runtime --timestamp --entitlements "$ENTITLEMENTS_PATH" --sign "$SIGNING_ID" "$APP_PATH" || { echo "❌ ERROR: Main app signing failed"; exit 1; } # İmzalamayı doğrula echo "🔍 Verifying main app signature..."