fix(actions): enhance macOS notarization workflow by refining signing identity handling, improving logging for certificate extraction, and optimizing signing process for various file types

This commit is contained in:
Ozgur 2025-04-16 21:21:17 +02:00
parent 460505a497
commit 4b7123d9e1
No known key found for this signature in database
GPG Key ID: 66CDF27505A35546
2 changed files with 57 additions and 27 deletions


@ -389,25 +389,24 @@ jobs:
# Verify certificate exists # Verify certificate exists
IDENTITY_INFO=$(security find-identity -v "$KEYCHAIN_NAME") IDENTITY_INFO=$(security find-identity -v "$KEYCHAIN_NAME")
EXACT_IDENTITY=$(echo "$IDENTITY_INFO" | grep "Developer ID Application" | head -1 | sed -E 's/.*"(Developer ID Application: .*)"/\1/') debug_log "$IDENTITY_INFO"
# Directly extract hash to avoid ambiguity
if [[ "$IDENTITY_INFO" =~ ([0-9A-F]{40}) ]]; then
HASH_ID="${BASH_REMATCH[1]}"
debug_log "Using certificate hash: $HASH_ID"
SIGNING_IDENTITY="$HASH_ID" # Use hash directly
else
# Try to extract certificate name if hash not found
EXACT_IDENTITY=$(echo "$IDENTITY_INFO" | grep "Developer ID Application" | head -1 | sed -E 's/.*"(Developer ID Application: .*)"/\1/')
if [[ -z "$EXACT_IDENTITY" ]]; then if [[ -z "$EXACT_IDENTITY" ]]; then
debug_log "ERROR: No Developer ID Application certificate found in keychain" debug_log "ERROR: No Developer ID Application certificate found in keychain"
debug_log "$IDENTITY_INFO" debug_log "$IDENTITY_INFO"
echo "SIGNING_RESULT=false" >> $GITHUB_ENV echo "SIGNING_RESULT=false" >> $GITHUB_ENV
exit 1 exit 1
fi fi
debug_log "Using certificate identity: $EXACT_IDENTITY"
debug_log "Found signing identity: $EXACT_IDENTITY"
SIGNING_IDENTITY="$EXACT_IDENTITY" SIGNING_IDENTITY="$EXACT_IDENTITY"
# Get hash ID if available for direct signing
if [[ "$IDENTITY_INFO" =~ ([0-9A-F]{40}) ]]; then
HASH_ID="${BASH_REMATCH[1]}"
debug_log "Using certificate hash: $HASH_ID"
else
HASH_ID=""
debug_log "No certificate hash found, using identity name"
fi fi
# Check entitlements file and validate it # Check entitlements file and validate it
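Review bot: The hash match on the `if [[ "$IDENTITY_INFO" =~ ([0-9A-F]{40}) ]]` line takes the first 40-hex string anywhere in the `security find-identity -v` listing, so when the keychain holds more than one valid identity (an Installer or development certificate listed before the Developer ID Application one) the step signs with the wrong certificate and never reaches the Developer ID check in the else branch. Take the hash from the matching line instead: `HASH_ID=$(printf '%s\n' "$IDENTITY_INFO" | grep -F 'Developer ID Application' | head -1 | grep -oE '[0-9A-F]{40}' || true)` and keep the existing empty check as the failure path, since `find-identity -v` prints the hash and the quoted name on the same line. The `grep | sed` fallback is then only a second chance for an output format without a hash, and `debug_log "$IDENTITY_INFO"` already shows which identities were present when it fires. The run step's body starts and ends outside the hunk.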


@ -6,27 +6,49 @@ APP_PATH="$2"
ENTITLEMENTS_PATH="$3" ENTITLEMENTS_PATH="$3"
CRASH_ENTITLEMENTS_PATH="$4" CRASH_ENTITLEMENTS_PATH="$4"
# Sertifika hash'ini ayıkla (varsa)
CERT_HASH=$(echo "$SIGNING_IDENTITY" | grep -o '[0-9A-F]\{40\}')
if [ -n "$CERT_HASH" ]; then
echo "📝 Using certificate hash: $CERT_HASH"
SIGNING_ID="$CERT_HASH"
else
echo "📝 Using certificate identity: $SIGNING_IDENTITY"
SIGNING_ID="$SIGNING_IDENTITY"
fi
echo "📝 Comprehensive signing starting..." echo "📝 Comprehensive signing starting..."
echo "App Path: $APP_PATH" echo "App Path: $APP_PATH"
echo "Signing Identity: $SIGNING_IDENTITY" echo "Signing Identity: $SIGNING_ID"
echo "Entitlements: $ENTITLEMENTS_PATH" echo "Entitlements: $ENTITLEMENTS_PATH"
echo "CrashReporter Entitlements: $CRASH_ENTITLEMENTS_PATH" echo "CrashReporter Entitlements: $CRASH_ENTITLEMENTS_PATH"
# Step 1: Tüm dylib dosyalarını imzala # Step 1: Tüm dylib dosyalarını imzala (küçük gruplar halinde)
echo "🔍 Signing all dylib files..." echo "🔍 Signing all dylib files..."
find "$APP_PATH" -name "*.dylib" -print0 | xargs -0 -L 1 -I{} bash -c 'echo "Signing: {}"; codesign --force --options runtime --timestamp --sign "$1" "{}" || echo "⚠️ Failed: {}"' -- "$SIGNING_IDENTITY" find "$APP_PATH" -name "*.dylib" | while read -r dylib; do
echo "Signing: $dylib"
codesign --force --options runtime --timestamp --sign "$SIGNING_ID" "$dylib" || echo "⚠️ Failed to sign: $dylib"
done
# Step 2: Tüm .so dosyalarını imzala # Step 2: Tüm .so dosyalarını imzala
echo "🔍 Signing all .so files..." echo "🔍 Signing all .so files..."
find "$APP_PATH" -name "*.so" -print0 | xargs -0 -L 1 -I{} bash -c 'echo "Signing: {}"; codesign --force --options runtime --timestamp --sign "$1" "{}" || echo "⚠️ Failed: {}"' -- "$SIGNING_IDENTITY" find "$APP_PATH" -name "*.so" | while read -r so; do
echo "Signing: $so"
codesign --force --options runtime --timestamp --sign "$SIGNING_ID" "$so" || echo "⚠️ Failed to sign: $so"
done
# Step 3: Tüm yürütülebilir dosyaları imzala # Step 3: Tüm yürütülebilir dosyaları imzala
echo "🔍 Signing all executable files..." echo "🔍 Signing all executable files..."
find "$APP_PATH" -type f -perm +111 -not -path "*.framework/*" -not -name "*.dylib" -not -name "*.so" -print0 | xargs -0 -L 1 -I{} bash -c 'echo "Signing: {}"; codesign --force --options runtime --timestamp --sign "$1" "{}" || echo "⚠️ Failed: {}"' -- "$SIGNING_IDENTITY" find "$APP_PATH" -type f -perm +111 -not -path "*.framework/*" -not -name "*.dylib" -not -name "*.so" | while read -r exe; do
echo "Signing: $exe"
codesign --force --options runtime --timestamp --sign "$SIGNING_ID" "$exe" || echo "⚠️ Failed to sign: $exe"
done
# Step 4: Tüm framework'leri imzala # Step 4: Tüm framework'leri imzala
echo "🔍 Signing all frameworks..." echo "🔍 Signing all frameworks..."
find "$APP_PATH" -path "*.framework" -type d -print0 | xargs -0 -L 1 -I{} bash -c 'echo "Signing framework: {}"; codesign --force --options runtime --timestamp --sign "$1" "{}" || echo "⚠️ Failed: {}"' -- "$SIGNING_IDENTITY" find "$APP_PATH" -path "*.framework" -type d | while read -r framework; do
echo "Signing framework: $framework"
codesign --force --options runtime --timestamp --sign "$SIGNING_ID" "$framework" || echo "⚠️ Failed to sign: $framework"
done
# Step 5: CrashReportClient'ı özel olarak imzala # Step 5: CrashReportClient'ı özel olarak imzala
echo "🔍 Looking for CrashReportClient.app..." echo "🔍 Looking for CrashReportClient.app..."
@ -39,11 +61,14 @@ if [ -n "$CRASH_REPORTER_PATHS" ]; then
echo "🔐 Special signing for CrashReportClient: $CRASH_REPORTER" echo "🔐 Special signing for CrashReportClient: $CRASH_REPORTER"
# CrashReporter içindeki executable'ları imzala # CrashReporter içindeki executable'ları imzala
find "$CRASH_REPORTER" -type f -perm +111 -print0 | xargs -0 -L 1 -I{} bash -c 'echo "Signing CrashReporter binary: {}"; codesign --force --options runtime --timestamp --entitlements "$2" --sign "$1" "{}" || echo "⚠️ Failed: {}"' -- "$SIGNING_IDENTITY" "$CRASH_ENTITLEMENTS_PATH" find "$CRASH_REPORTER" -type f -perm +111 | while read -r crash_exe; do
echo "Signing CrashReporter binary: $crash_exe"
codesign --force --options runtime --timestamp --entitlements "$CRASH_ENTITLEMENTS_PATH" --sign "$SIGNING_ID" "$crash_exe" || echo "⚠️ Failed to sign: $crash_exe"
done
# CrashReporter bundle'ı imzala # CrashReporter bundle'ı imzala
echo "Signing CrashReporter bundle: $CRASH_REPORTER" echo "Signing CrashReporter bundle: $CRASH_REPORTER"
codesign --force --deep --options runtime --timestamp --entitlements "$CRASH_ENTITLEMENTS_PATH" --sign "$SIGNING_IDENTITY" "$CRASH_REPORTER" || echo "⚠️ Failed to sign CrashReportClient bundle" codesign --force --deep --options runtime --timestamp --entitlements "$CRASH_ENTITLEMENTS_PATH" --sign "$SIGNING_ID" "$CRASH_REPORTER" || echo "⚠️ Failed to sign CrashReportClient bundle"
# İmzayı doğrula # İmzayı doğrula
echo "Verifying CrashReportClient signature..." echo "Verifying CrashReportClient signature..."
@ -60,7 +85,7 @@ if [ -n "$BOOST_LIBS" ]; then
echo "✅ Found Boost libs, specifically signing them..." echo "✅ Found Boost libs, specifically signing them..."
for lib in $BOOST_LIBS; do for lib in $BOOST_LIBS; do
echo "Signing boost lib: $lib" echo "Signing boost lib: $lib"
codesign --force --options runtime --timestamp --sign "$SIGNING_IDENTITY" "$lib" || echo "⚠️ Failed to sign: $lib" codesign --force --options runtime --timestamp --sign "$SIGNING_ID" "$lib" || echo "⚠️ Failed to sign: $lib"
done done
else else
echo "⚠️ No Boost libraries found" echo "⚠️ No Boost libraries found"
@ -75,7 +100,10 @@ if [ -n "$THIRD_PARTY_PATHS" ]; then
for THIRD_PARTY in $THIRD_PARTY_PATHS; do for THIRD_PARTY in $THIRD_PARTY_PATHS; do
echo "Processing ThirdParty directory: $THIRD_PARTY" echo "Processing ThirdParty directory: $THIRD_PARTY"
find "$THIRD_PARTY" -name "*.dylib" -print0 | xargs -0 -L 1 -I{} bash -c 'echo "Signing ThirdParty lib: {}"; codesign --force --options runtime --timestamp --sign "$1" "{}" || echo "⚠️ Failed: {}"' -- "$SIGNING_IDENTITY" find "$THIRD_PARTY" -name "*.dylib" | while read -r engine_lib; do
echo "Signing ThirdParty lib: $engine_lib"
codesign --force --options runtime --timestamp --sign "$SIGNING_ID" "$engine_lib" || echo "⚠️ Failed to sign: $engine_lib"
done
done done
else else
echo "⚠️ No ThirdParty directories found" echo "⚠️ No ThirdParty directories found"
@ -90,7 +118,10 @@ if [ -n "$PLUGIN_PATHS" ]; then
for PLUGIN_PATH in $PLUGIN_PATHS; do for PLUGIN_PATH in $PLUGIN_PATHS; do
echo "Processing Plugin directory: $PLUGIN_PATH" echo "Processing Plugin directory: $PLUGIN_PATH"
find "$PLUGIN_PATH" -name "*.dylib" -print0 | xargs -0 -L 1 -I{} bash -c 'echo "Signing Plugin lib: {}"; codesign --force --options runtime --timestamp --sign "$1" "{}" || echo "⚠️ Failed: {}"' -- "$SIGNING_IDENTITY" find "$PLUGIN_PATH" -name "*.dylib" | while read -r plugin_lib; do
echo "Signing Plugin lib: $plugin_lib"
codesign --force --options runtime --timestamp --sign "$SIGNING_ID" "$plugin_lib" || echo "⚠️ Failed to sign: $plugin_lib"
done
done done
else else
echo "⚠️ No Plugin directories found" echo "⚠️ No Plugin directories found"
@ -101,13 +132,13 @@ echo "🔍 Signing nested app bundles..."
find "$APP_PATH" -path "*.app" -type d | grep -v CrashReportClient | while read -r nested_app; do find "$APP_PATH" -path "*.app" -type d | grep -v CrashReportClient | while read -r nested_app; do
if [ "$nested_app" != "$APP_PATH" ]; then if [ "$nested_app" != "$APP_PATH" ]; then
echo "Signing nested app: $nested_app" echo "Signing nested app: $nested_app"
codesign --force --deep --options runtime --timestamp --entitlements "$ENTITLEMENTS_PATH" --sign "$SIGNING_IDENTITY" "$nested_app" || echo "⚠️ Failed to sign: $nested_app" codesign --force --deep --options runtime --timestamp --entitlements "$ENTITLEMENTS_PATH" --sign "$SIGNING_ID" "$nested_app" || echo "⚠️ Failed to sign: $nested_app"
fi fi
done done
# Step 10: Ana uygulamayı imzala # Step 10: Ana uygulamayı imzala
echo "🔐 Final signing of the main app bundle..." echo "🔐 Final signing of the main app bundle..."
codesign --force --deep --options runtime --timestamp --entitlements "$ENTITLEMENTS_PATH" --sign "$SIGNING_IDENTITY" "$APP_PATH" || { echo "❌ ERROR: Main app signing failed"; exit 1; } codesign --force --deep --options runtime --timestamp --entitlements "$ENTITLEMENTS_PATH" --sign "$SIGNING_ID" "$APP_PATH" || { echo "❌ ERROR: Main app signing failed"; exit 1; }
# İmzalamayı doğrula # İmzalamayı doğrula
echo "🔍 Verifying main app signature..." echo "🔍 Verifying main app signature..."
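Review bot: Replacing `find … -print0 | xargs -0` with `find … | while read -r` in the Step 1–4, CrashReporter, ThirdParty and Plugin loops drops the NUL delimiting the old code had: `read -r` without `IFS=` trims leading and trailing whitespace from each path and a path containing a newline is split into two bogus entries, so such files are skipped with only a `⚠️ Failed to sign` message and the run continues to the final `--deep` sign as if everything were signed. Keep the NUL stream and read it with `while IFS= read -r -d '' f; do …; done` (assuming bash, which the removed `bash -c` form already required), and since the seven loops differ only in the log label and the optional `--entitlements`, a small helper removes the duplicated codesign line. The unquoted `for lib in $BOOST_LIBS` and `for THIRD_PARTY in $THIRD_PARTY_PATHS` loops are pre-existing context with the same splitting problem. The variables these loops use are set at the top of the file, outside the hunk.
```shell
# Sign one path with the resolved identity; extra args (e.g. --entitlements FILE) are passed through.
sign_one() {
  local label=$1 target=$2
  shift 2
  echo "$label: $target"
  codesign --force --options runtime --timestamp "$@" --sign "$SIGNING_ID" "$target" || echo "⚠️ Failed to sign: $target"
}

# Step 1: sign all dylibs (NUL-delimited so whitespace and newlines in paths survive)
echo "🔍 Signing all dylib files..."
find "$APP_PATH" -name "*.dylib" -print0 | while IFS= read -r -d '' dylib; do
  sign_one "Signing" "$dylib"
done
# … unchanged: Steps 2–4 follow the same pattern with their own find predicates …
# … CrashReporter loop: sign_one "Signing CrashReporter binary" "$crash_exe" --entitlements "$CRASH_ENTITLEMENTS_PATH" …
```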