fix(actions): enhance macOS build workflow with detailed app status checks inside DMG for improved security and reliability
Some checks failed
Test macOS Build Action / test-macos-build (push) Has been cancelled
Some checks failed
Test macOS Build Action / test-macos-build (push) Has been cancelled
This commit is contained in:
parent
6a92b453e8
commit
5f89ada7e6
@ -555,6 +555,68 @@ jobs:
|
||||
echo "$DMG_QUARANTINE"
|
||||
echo "DMG_QUARANTINE_STATUS=present" >> $GITHUB_ENV
|
||||
fi
|
||||
|
||||
# Now mount the DMG and check the app inside
|
||||
echo "🔍 Mounting DMG to check app inside..."
|
||||
DMG_MOUNT_POINT=$(mktemp -d)
|
||||
|
||||
# Mount the DMG
|
||||
hdiutil attach "$DMG_PATH" -mountpoint "$DMG_MOUNT_POINT" -nobrowse
|
||||
|
||||
if [ $? -eq 0 ]; then
|
||||
# Find the app inside the DMG
|
||||
DMG_APP_PATH=$(find "$DMG_MOUNT_POINT" -maxdepth 1 -name "*.app" | head -1)
|
||||
|
||||
if [ -n "$DMG_APP_PATH" ]; then
|
||||
echo "Found app in DMG: $DMG_APP_PATH"
|
||||
|
||||
# Check quarantine attributes on the app inside DMG
|
||||
DMG_APP_QUARANTINE=$(xattr -l "$DMG_APP_PATH" | grep -i "quarantine" || echo "None")
|
||||
|
||||
if [ "$DMG_APP_QUARANTINE" == "None" ]; then
|
||||
echo "✅ No quarantine attributes found on app inside DMG (good)"
|
||||
echo "DMG_APP_QUARANTINE_STATUS=clean" >> $GITHUB_ENV
|
||||
else
|
||||
echo "⚠️ Warning: Quarantine attributes found on the app inside DMG:"
|
||||
echo "$DMG_APP_QUARANTINE"
|
||||
echo "DMG_APP_QUARANTINE_STATUS=present" >> $GITHUB_ENV
|
||||
fi
|
||||
|
||||
# Check for provenance attribute on app inside DMG
|
||||
DMG_APP_PROVENANCE=$(xattr -l "$DMG_APP_PATH" | grep -i "com.apple.provenance" || echo "None")
|
||||
|
||||
if [ "$DMG_APP_PROVENANCE" != "None" ]; then
|
||||
echo "✅ Provenance attribute found on app inside DMG (indicates successful notarization)"
|
||||
echo "DMG_APP_PROVENANCE_STATUS=present" >> $GITHUB_ENV
|
||||
else
|
||||
echo "⚠️ Warning: No provenance attribute found on app inside DMG"
|
||||
echo "DMG_APP_PROVENANCE_STATUS=missing" >> $GITHUB_ENV
|
||||
fi
|
||||
|
||||
# Run spctl to check Gatekeeper assessment on the app inside DMG
|
||||
echo "🛡️ Checking Gatekeeper assessment on app inside DMG..."
|
||||
SPCTL_RESULT=$(spctl --assess --verbose --type exec "$DMG_APP_PATH" 2>&1 || echo "Failed")
|
||||
|
||||
if echo "$SPCTL_RESULT" | grep -q "accepted"; then
|
||||
echo "✅ App inside DMG passes Gatekeeper assessment"
|
||||
echo "DMG_APP_GATEKEEPER_STATUS=accepted" >> $GITHUB_ENV
|
||||
else
|
||||
echo "⚠️ Warning: App inside DMG may not pass Gatekeeper assessment:"
|
||||
echo "$SPCTL_RESULT"
|
||||
echo "DMG_APP_GATEKEEPER_STATUS=rejected" >> $GITHUB_ENV
|
||||
fi
|
||||
else
|
||||
echo "⚠️ No app found inside DMG"
|
||||
echo "DMG_APP_STATUS=missing" >> $GITHUB_ENV
|
||||
fi
|
||||
|
||||
# Unmount the DMG
|
||||
hdiutil detach "$DMG_MOUNT_POINT" -force
|
||||
rm -rf "$DMG_MOUNT_POINT"
|
||||
else
|
||||
echo "⚠️ Failed to mount DMG"
|
||||
echo "DMG_MOUNT_STATUS=failed" >> $GITHUB_ENV
|
||||
fi
|
||||
fi
|
||||
fi
|
||||
|
||||
@ -611,7 +673,7 @@ jobs:
|
||||
# Quarantine Status
|
||||
if [ -n "${{ env.QUARANTINE_STATUS }}" ]; then
|
||||
echo ""
|
||||
echo "🛡️ Quarantine & Security Status:"
|
||||
echo "🛡️ Original App Security Status:"
|
||||
if [ "${{ env.QUARANTINE_STATUS }}" == "clean" ]; then
|
||||
echo " ✅ No quarantine attributes (good)"
|
||||
elif [ "${{ env.QUARANTINE_STATUS }}" == "present" ]; then
|
||||
@ -640,6 +702,43 @@ jobs:
|
||||
elif [ "${{ env.DMG_QUARANTINE_STATUS }}" == "present" ]; then
|
||||
echo " ⚠️ DMG has quarantine attributes"
|
||||
fi
|
||||
|
||||
# App inside DMG status
|
||||
echo ""
|
||||
echo "📱 App Inside DMG Status:"
|
||||
|
||||
if [ "${{ env.DMG_APP_STATUS }}" == "missing" ]; then
|
||||
echo " ❌ No app found inside DMG"
|
||||
elif [ "${{ env.DMG_MOUNT_STATUS }}" == "failed" ]; then
|
||||
echo " ❌ Could not mount DMG to check app"
|
||||
else
|
||||
# Quarantine status of app inside DMG
|
||||
if [ "${{ env.DMG_APP_QUARANTINE_STATUS }}" == "clean" ]; then
|
||||
echo " ✅ App inside DMG has no quarantine attributes (good)"
|
||||
elif [ "${{ env.DMG_APP_QUARANTINE_STATUS }}" == "present" ]; then
|
||||
echo " ⚠️ App inside DMG has quarantine attributes"
|
||||
else
|
||||
echo " ❓ App inside DMG quarantine status unknown"
|
||||
fi
|
||||
|
||||
# Provenance status of app inside DMG
|
||||
if [ "${{ env.DMG_APP_PROVENANCE_STATUS }}" == "present" ]; then
|
||||
echo " ✅ App inside DMG has provenance attribute (good)"
|
||||
elif [ "${{ env.DMG_APP_PROVENANCE_STATUS }}" == "missing" ]; then
|
||||
echo " ⚠️ App inside DMG is missing provenance attribute"
|
||||
else
|
||||
echo " ❓ App inside DMG provenance status unknown"
|
||||
fi
|
||||
|
||||
# Gatekeeper assessment
|
||||
if [ "${{ env.DMG_APP_GATEKEEPER_STATUS }}" == "accepted" ]; then
|
||||
echo " ✅ App inside DMG passes Gatekeeper assessment"
|
||||
elif [ "${{ env.DMG_APP_GATEKEEPER_STATUS }}" == "rejected" ]; then
|
||||
echo " ⚠️ App inside DMG fails Gatekeeper assessment"
|
||||
else
|
||||
echo " ❓ App inside DMG Gatekeeper status unknown"
|
||||
fi
|
||||
fi
|
||||
elif [ "${{ env.DMG_STATUS }}" == "failed" ]; then
|
||||
echo " ❌ DMG creation failed"
|
||||
elif [ "${{ steps.package.outputs.dmg_created }}" == "true" ]; then
|
||||
|
||||
@ -369,8 +369,5 @@ CodeSigningIdentity=""
|
||||
CodeSigningPrefix=com.luckyrobots
|
||||
ApplicationDisplayName=LuckyWorld
|
||||
ShippingSpecificMacEntitlements=(FilePath="../LuckyWorld.entitlements")
|
||||
bUseAutomaticCodeSigning=False
|
||||
bMacSignToRunLocally=False
|
||||
MacSigningIdentity=Developer ID Application
|
||||
CodeSigningTeam=937UD94CX2
|
||||
|
||||
|
||||
|
||||
Loading…
x
Reference in New Issue
Block a user