From 69fcbde72f57796581570a90a425e96ffafa3dc9 Mon Sep 17 00:00:00 2001
From: Ozgur Ersoy
Date: Mon, 14 Apr 2025 15:51:17 +0200
Subject: [PATCH] fix(workflows): enhance local signing workflow to support App Store Connect API key notarization and improve credential handling
---
 .gitea/workflows/test-local-signing.yml | 93 +++++++++++++++++++------
 1 file changed, 70 insertions(+), 23 deletions(-)
diff --git a/.gitea/workflows/test-local-signing.yml b/.gitea/workflows/test-local-signing.yml
index 6fde664c..fc68b735 100644
--- a/.gitea/workflows/test-local-signing.yml
+++ b/.gitea/workflows/test-local-signing.yml
@@ -264,36 +264,83 @@ jobs:
 env:
 APPLE_ID: ${{ secrets.APPLE_NOTARY_USER }}
 APP_PASSWORD: ${{ secrets.APPLE_NOTARY_PASSWORD }}
+ API_KEY_ID: ${{ secrets.APPLE_NOTARY_API_KEY_ID }}
+ API_ISSUER_ID: ${{ secrets.APPLE_NOTARY_API_ISSUER_ID }}
+ API_KEY: ${{ secrets.APPLE_NOTARY_API_KEY }}
 run: |
 echo "📤 Notarizing app..."
- # Make sure we have required secrets
- if [ -z "$APPLE_ID" ] || [ -z "$APP_PASSWORD" ] || [ -z "$APPLE_TEAM_ID" ]; then
+ # Check if we have API key credentials
+ if [ -n "$API_KEY_ID" ] && [ -n "$API_ISSUER_ID" ] && [ -n "$API_KEY" ]; then
+ echo "Using App Store Connect API key for notarization..."
+
+ # Create directory for API key
+ mkdir -p ~/private_keys
+ echo "$API_KEY" > ~/private_keys/AuthKey_${API_KEY_ID}.p8
+
+ # Create zip for notarization
+ ZIP_PATH="TestApp-notarize.zip"
+ ditto -c -k --keepParent "$APP_PATH" "$ZIP_PATH"
+
+ echo "Submitting for notarization with API key..."
+ xcrun notarytool submit "$ZIP_PATH" \
+ --key ~/private_keys/AuthKey_${API_KEY_ID}.p8 \
+ --key-id "$API_KEY_ID" \
+ --issuer "$API_ISSUER_ID" \
+ --wait
+
+ # Staple the notarization ticket
+ echo "Stapling notarization ticket..."
+ xcrun stapler staple "$APP_PATH"
+
+ # Verify notarization
+ echo "🔍 Verifying notarization..."
+ spctl --assess --verbose --type exec "$APP_PATH"
+
+ echo "NOTARIZED=true" >> "$GITHUB_ENV"
+
+ # Clean up
+ rm -rf ~/private_keys
+
+ # Fall back to App-specific password if API key not available
+ elif [ -n "$APPLE_ID" ] && [ -n "$APP_PASSWORD" ] && [ -n "$APPLE_TEAM_ID" ]; then
+ echo "Using App-specific password for notarization..."
+
+ # Create zip for notarization
+ ZIP_PATH="TestApp-notarize.zip"
+ ditto -c -k --keepParent "$APP_PATH" "$ZIP_PATH"
+
+ echo "Submitting for notarization..."
+ xcrun notarytool submit "$ZIP_PATH" \
+ --apple-id "$APPLE_ID" \
+ --password "$APP_PASSWORD" \
+ --team-id "$APPLE_TEAM_ID" \
+ --wait
+
+ # Staple the notarization ticket
+ echo "Stapling notarization ticket..."
+ xcrun stapler staple "$APP_PATH"
+
+ # Verify notarization
+ echo "🔍 Verifying notarization..."
+ spctl --assess --verbose --type exec "$APP_PATH"
+
+ echo "NOTARIZED=true" >> "$GITHUB_ENV"
+ else
 echo "⚠️ Missing notarization credentials. Skipping notarization."
+ echo "For App Store Connect API key method, set these secrets:"
+ echo " - APPLE_NOTARY_API_KEY_ID: Your API key ID"
+ echo " - APPLE_NOTARY_API_ISSUER_ID: Your API issuer ID"
+ echo " - APPLE_NOTARY_API_KEY: Your API key content (p8 file)"
+ echo ""
+ echo "For App-specific password method, set these secrets:"
+ echo " - APPLE_NOTARY_USER: Your Apple ID (email)"
+ echo " - APPLE_NOTARY_PASSWORD: Your app-specific password"
+ echo " - APPLE_TEAM_ID: Your Apple Developer team ID"
+
 echo "NOTARIZED=false" >> "$GITHUB_ENV"
 exit 0
 fi
-
- # Create zip for notarization
- ZIP_PATH="TestApp-notarize.zip"
- ditto -c -k --keepParent "$APP_PATH" "$ZIP_PATH"
-
- echo "Submitting for notarization..."
- xcrun notarytool submit "$ZIP_PATH" \
- --apple-id "$APPLE_ID" \
- --password "$APP_PASSWORD" \
- --team-id "$APPLE_TEAM_ID" \
- --wait
-
- # Staple the notarization ticket
- echo "Stapling notarization ticket..."
- xcrun stapler staple "$APP_PATH"
-
- # Verify notarization
- echo "🔍 Verifying notarization..."
- spctl --assess --verbose --type exec "$APP_PATH"
-
- echo "NOTARIZED=true" >> "$GITHUB_ENV"
 shell: bash
 - name: Package Signed App
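Review bot: The `.p8` written by `echo "$API_KEY" > ~/private_keys/AuthKey_${API_KEY_ID}.p8` in the API-key branch is created with the runner's default umask and is only removed by the `rm -rf ~/private_keys` at the end of the success path, so if `notarytool submit`, `stapler` or `spctl` fails the private key stays on disk, which on a persistent self-hosted runner means it outlives the job. Register the cleanup before the key exists and tighten permissions at creation: `trap 'rm -rf ~/private_keys' EXIT` right after `mkdir -p ~/private_keys`, and `(umask 077; printf '%s\n' "$API_KEY" > ~/private_keys/AuthKey_${API_KEY_ID}.p8)` in place of the echo. With `shell: bash` a failing command probably aborts the script before the trailing cleanup is reached, although whether `-e` is in effect depends on the runner's default shell invocation; the trap form holds either way. The zip/submit/staple/verify sequence is now duplicated verbatim across the two branches, and collecting the credential flags into an array and sharing one submit path would keep them from drifting apart. The `elif` test also reads `$APPLE_TEAM_ID`, which is not in this step's `env:` block and presumably comes from a job-level env above the hunk, where the step itself also begins.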