diff --git a/.gitea/workflows/macos-build.yml b/.gitea/workflows/macos-build.yml index d1884d01..fe67aa07 100644 --- a/.gitea/workflows/macos-build.yml +++ b/.gitea/workflows/macos-build.yml 
@@ -555,6 +555,68 @@ jobs: echo "$DMG_QUARANTINE" echo "DMG_QUARANTINE_STATUS=present" >> $GITHUB_ENV fi + + # Now mount the DMG and check the app inside + echo "🔍 Mounting DMG to check app inside..." + DMG_MOUNT_POINT=$(mktemp -d) + + # Mount the DMG + hdiutil attach "$DMG_PATH" -mountpoint "$DMG_MOUNT_POINT" -nobrowse + + if [ $? -eq 0 ]; then + # Find the app inside the DMG + DMG_APP_PATH=$(find "$DMG_MOUNT_POINT" -maxdepth 1 -name "*.app" | head -1) + + if [ -n "$DMG_APP_PATH" ]; then + echo "Found app in DMG: $DMG_APP_PATH" + + # Check quarantine attributes on the app inside DMG + DMG_APP_QUARANTINE=$(xattr -l "$DMG_APP_PATH" | grep -i "quarantine" || echo "None") + + if [ "$DMG_APP_QUARANTINE" == "None" ]; then + echo "✅ No quarantine attributes found on app inside DMG (good)" + echo "DMG_APP_QUARANTINE_STATUS=clean" >> $GITHUB_ENV + else + echo "⚠️ Warning: Quarantine attributes found on the app inside DMG:" + echo "$DMG_APP_QUARANTINE" + echo "DMG_APP_QUARANTINE_STATUS=present" >> $GITHUB_ENV + fi + + # Check for provenance attribute on app inside DMG + DMG_APP_PROVENANCE=$(xattr -l "$DMG_APP_PATH" | grep -i "com.apple.provenance" || echo "None") + + if [ "$DMG_APP_PROVENANCE" != "None" ]; then + echo "✅ Provenance attribute found on app inside DMG (indicates successful notarization)" + echo "DMG_APP_PROVENANCE_STATUS=present" >> $GITHUB_ENV + else + echo "⚠️ Warning: No provenance attribute found on app inside DMG" + echo "DMG_APP_PROVENANCE_STATUS=missing" >> $GITHUB_ENV + fi + + # Run spctl to check Gatekeeper assessment on the app inside DMG + echo "🛡️ Checking Gatekeeper assessment on app inside DMG..." 
+ SPCTL_RESULT=$(spctl --assess --verbose --type exec "$DMG_APP_PATH" 2>&1 || echo "Failed") + + if echo "$SPCTL_RESULT" | grep -q "accepted"; then + echo "✅ App inside DMG passes Gatekeeper assessment" + echo "DMG_APP_GATEKEEPER_STATUS=accepted" >> $GITHUB_ENV + else + echo "⚠️ Warning: App inside DMG may not pass Gatekeeper assessment:" + echo "$SPCTL_RESULT" + echo "DMG_APP_GATEKEEPER_STATUS=rejected" >> $GITHUB_ENV + fi + else + echo "⚠️ No app found inside DMG" + echo "DMG_APP_STATUS=missing" >> $GITHUB_ENV + fi + + # Unmount the DMG + hdiutil detach "$DMG_MOUNT_POINT" -force + rm -rf "$DMG_MOUNT_POINT" + else + echo "⚠️ Failed to mount DMG" + echo "DMG_MOUNT_STATUS=failed" >> $GITHUB_ENV + fi fi fi @@ -611,7 +673,7 @@ jobs: # Quarantine Status if [ -n "${{ env.QUARANTINE_STATUS }}" ]; then echo "" - echo "🛡️ Quarantine & Security Status:" + echo "🛡️ Original App Security Status:" if [ "${{ env.QUARANTINE_STATUS }}" == "clean" ]; then echo " ✅ No quarantine attributes (good)" elif [ "${{ env.QUARANTINE_STATUS }}" == "present" ]; then 
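Review bot: The `xattr -l "$DMG_APP_PATH" | grep -i "quarantine" || echo "None"` assignments (the quarantine and provenance checks on the app inside the DMG) cannot distinguish a failed `xattr` from a clean listing: whether `xattr` errors out or simply finds nothing, the `|| echo "None"` arm runs and the step records `DMG_APP_QUARANTINE_STATUS=clean` / `DMG_APP_PROVENANCE_STATUS=missing`, so a tool failure is reported as a good artifact. Capture the listing once and check its own status, e.g. `DMG_APP_XATTRS=$(xattr -l "$DMG_APP_PATH") || { echo "DMG_APP_QUARANTINE_STATUS=unknown" >> "$GITHUB_ENV"; DMG_APP_XATTRS=""; }` followed by `DMG_APP_QUARANTINE=$(grep -i "quarantine" <<<"$DMG_APP_XATTRS" || echo "None")`; the summary block further down already prints an "unknown" line for unrecognised values, so no new reporting path is needed. `SPCTL_RESULT` has the same shape, where `|| echo "Failed"` folds a missing or crashing `spctl` into `DMG_APP_GATEKEEPER_STATUS=rejected`; writing a distinct `unknown` there keeps a tool failure separate from a genuine Gatekeeper rejection, which is the one result this step exists to surface. The echo text "Provenance attribute found ... (indicates successful notarization)" should be hedged: as far as I know `com.apple.provenance` is written by Gatekeeper when an app is evaluated on the machine, not by the notary service, so a freshly built, never-launched app will normally lack it and the `spctl` result (or `xcrun stapler validate`) is the notarization signal. Smaller points: `if hdiutil attach "$DMG_PATH" -mountpoint "$DMG_MOUNT_POINT" -nobrowse; then` rather than testing `$?` on the next line, `$GITHUB_ENV` should be quoted, and the `rm -rf` after a `-force` detach would be safer as `rm -rf -- "${DMG_MOUNT_POINT:?}"`; the enclosing `run:` script and the `if` chain it sits in begin before the hunk.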
@@ -640,6 +702,43 @@ jobs: elif [ "${{ env.DMG_QUARANTINE_STATUS }}" == "present" ]; then echo " ⚠️ DMG has quarantine attributes" fi + + # App inside DMG status + echo "" + echo "📱 App Inside DMG Status:" + + if [ "${{ env.DMG_APP_STATUS }}" == "missing" ]; then + echo " ❌ No app found inside DMG" + elif [ "${{ env.DMG_MOUNT_STATUS }}" == "failed" ]; then + echo " ❌ Could not mount DMG to check app" + else + # Quarantine status of app inside DMG + if [ "${{ env.DMG_APP_QUARANTINE_STATUS }}" == "clean" ]; then + echo " ✅ App inside DMG has no quarantine attributes (good)" + elif [ "${{ env.DMG_APP_QUARANTINE_STATUS }}" == "present" ]; then + echo " ⚠️ App inside DMG has quarantine attributes" + else + echo " ❓ App inside DMG quarantine status unknown" + fi + + # Provenance status of app inside DMG + if [ "${{ env.DMG_APP_PROVENANCE_STATUS }}" == "present" ]; then + echo " ✅ App inside DMG has provenance attribute (good)" + elif [ "${{ env.DMG_APP_PROVENANCE_STATUS }}" == "missing" ]; then + echo " ⚠️ App inside DMG is missing provenance attribute" + else + echo " ❓ App inside DMG provenance status unknown" + fi + + # Gatekeeper assessment + if [ "${{ env.DMG_APP_GATEKEEPER_STATUS }}" == "accepted" ]; then + echo " ✅ App inside DMG passes Gatekeeper assessment" + elif [ "${{ env.DMG_APP_GATEKEEPER_STATUS }}" == "rejected" ]; then + echo " ⚠️ App inside DMG fails Gatekeeper assessment" + else + echo " ❓ App inside DMG Gatekeeper status unknown" + fi + fi elif [ "${{ env.DMG_STATUS }}" == "failed" ]; then echo " ❌ DMG creation failed" elif [ "${{ steps.package.outputs.dmg_created }}" == "true" ]; then diff --git a/Config/DefaultEngine.ini b/Config/DefaultEngine.ini index be5fb5f9..6edf73c5 100644 --- a/Config/DefaultEngine.ini +++ b/Config/DefaultEngine.ini 
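Review bot: The new status block reads every DMG_APP_* and DMG_MOUNT_STATUS value through `${{ env.… }}` template expansion, which inlines the value into the script before bash runs, instead of the environment variables those same names should already be in later steps after being written to `$GITHUB_ENV`. Today each value is a fixed string chosen by the workflow itself, so this is a style point rather than an exposure, but it is the pattern that turns into a template-injection path the moment one of these variables is derived from build output (a path or app name, for instance). `if [ "$DMG_APP_QUARANTINE_STATUS" == "clean" ]; then` is the shape for each `env.*` comparison in the hunk, matching the existing `steps.package.outputs.dmg_created` read only where a template expression is genuinely required. The enclosing `if`/`elif` chain begins before the hunk and continues after it.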
@@ -369,8 +369,5 @@ CodeSigningIdentity="" CodeSigningPrefix=com.luckyrobots ApplicationDisplayName=LuckyWorld ShippingSpecificMacEntitlements=(FilePath="../LuckyWorld.entitlements") -bUseAutomaticCodeSigning=False -bMacSignToRunLocally=False -MacSigningIdentity=Developer ID Application -CodeSigningTeam=937UD94CX2 +