From 6a7cc7c73892e105b585723face2a56d7a26e382 Mon Sep 17 00:00:00 2001
From: Ozgur Ersoy
Date: Tue, 15 Apr 2025 16:37:15 +0200
Subject: [PATCH] fix(actions): enhance macOS build workflow with additional verification and stapling steps for app notarization
---
 .gitea/workflows/test-macos-build.yml | 31 ++++++++++++++++
 scripts/mac_build.sh | 51 ++++++++++++++++++++++++++-
 2 files changed, 81 insertions(+), 1 deletion(-)
diff --git a/.gitea/workflows/test-macos-build.yml b/.gitea/workflows/test-macos-build.yml
index d97ed2e7..e8f83010 100644
--- a/.gitea/workflows/test-macos-build.yml
+++ b/.gitea/workflows/test-macos-build.yml
@@ -289,6 +289,37 @@ jobs:
 path: ${{ steps.sign-and-notarize.outputs.package-path }}
 retention-days: 30
+ # Additional verification and stapling to ensure the app opens without warning
+ - name: Verify and Staple App
+ if: steps.sign-and-notarize.outputs.notarized == 'true' && steps.sign-and-notarize.outputs.signed != 'none'
+ run: |
+ echo "🔒 Performing additional verification and stapling..."
+ APP_PATH="${{ env.APP_PATH }}"
+
+ # Make sure the app is properly stapled
+ echo "Stapling notarization ticket to the app..."
+ xcrun stapler staple "$APP_PATH"
+
+ # Verify the stapling
+ echo "Verifying stapling..."
+ xcrun stapler validate "$APP_PATH"
+
+ # Perform deep verification of code signing
+ echo "Verifying code signature (deep)..."
+ codesign -vvv --deep "$APP_PATH"
+
+ # Additional check for quarantine attributes
+ echo "Checking for quarantine attributes..."
+ if [ -n "$(xattr -l "$APP_PATH" | grep quarantine)" ]; then
+ echo "Removing quarantine attribute..."
+ xattr -d com.apple.quarantine "$APP_PATH"
+ else
+ echo "No quarantine attribute found, good!"
+ fi
+
+ echo "✅ Verification and stapling completed!"
+ shell: bash
+
 # Upload ZIP package if DMG was created (as a backup)
 - name: Upload ZIP Package
 uses: actions/upload-artifact@v3
diff --git a/scripts/mac_build.sh b/scripts/mac_build.sh
index ee52fc1f..b2b7051d 100755
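Review bot: The new `Verify and Staple App` step never asks Gatekeeper for its verdict, which is the only check that predicts whether the app "opens without warning": `codesign -vvv --deep` validates signature structure and `stapler validate` only confirms a ticket is attached, so a revoked Developer ID or a hardened-runtime mismatch would still pass. Add `spctl --assess --type execute -vv "$APP_PATH"` after the codesign line, and tighten the verify to `codesign --verify --deep --strict --verbose=2 "$APP_PATH"`, so the job fails on exactly the condition the step is meant to catch. The quarantine branch is inert in CI, since an app built inside the job is never quarantined; if it stays, `[ -n "$(xattr -l "$APP_PATH" | grep quarantine)" ]` is clearer as `xattr -p com.apple.quarantine "$APP_PATH" >/dev/null 2>&1`, and the same pattern recurs in scripts/mac_build.sh. Whether `sign-and-notarize` already staples, and which outputs it actually sets, is outside this hunk, so the duplicate `stapler staple` is presumably harmless but worth confirming.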
--- a/scripts/mac_build.sh
+++ b/scripts/mac_build.sh
@@ -146,4 +146,53 @@ if [ -n "$APP_PATH" ]; then
 fi
 fi
-echo "Completed post-build process ✅"
+# If this is a manual build (not in CI), attempt to sign the app locally
+if [ -z "$CI" ] && [ -n "$APP_PATH" ]; then
+ echo ""
+ echo "🔐 Attempting local code signing and stapling..."
+
+ # Check if we have a valid Apple Developer identity
+ IDENTITY=$(security find-identity -v -p codesigning | grep "Developer ID Application" | head -1 | sed -E 's/.*\) ([A-F0-9]+) "(.*)"/\2/')
+
+ if [ -n "$IDENTITY" ]; then
+ echo "Found signing identity: $IDENTITY"
+
+ # Sign the app
+ echo "Signing application..."
+ if [ -f "$PROJECT_ROOT/LuckyWorld.entitlements" ]; then
+ echo "Using entitlements file: $PROJECT_ROOT/LuckyWorld.entitlements"
+ codesign --force --options runtime --entitlements "$PROJECT_ROOT/LuckyWorld.entitlements" --sign "$IDENTITY" --deep "$APP_PATH"
+ else
+ codesign --force --options runtime --sign "$IDENTITY" --deep "$APP_PATH"
+ fi
+
+ # Verify signature
+ echo "Verifying signature..."
+ codesign -vvv --deep "$APP_PATH"
+
+ # Staple the app if notarization is successful
+ echo "Checking if notarization is needed..."
+ if xcrun altool --notarization-info $(uuidgen) -u "YOUR_APPLE_ID" 2>&1 | grep -q "success"; then
+ echo "App is notarized, stapling the ticket..."
+ xcrun stapler staple "$APP_PATH"
+ xcrun stapler validate "$APP_PATH"
+
+ # Remove quarantine attribute if present
+ if [ -n "$(xattr -l "$APP_PATH" | grep quarantine)" ]; then
+ echo "Removing quarantine attribute..."
+ xattr -d com.apple.quarantine "$APP_PATH"
+ fi
+ else
+ echo "App is not notarized yet. Upload to Apple's notary service for full verification."
+ fi
+ else
+ echo "⚠️ No Developer ID Application certificate found for signing."
+ echo "Run 'security find-identity -v -p codesigning' to view available certificates."
+ fi
+else
+ echo "Skipping local signing (running in CI or app not found)"
+fi
+
+echo ""
+echo "✅ Build and post-processing completed!"
+echo "App location: $APP_PATH"
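Review bot: The notarization check in the new local-signing branch can never succeed: `xcrun altool --notarization-info $(uuidgen) -u "YOUR_APPLE_ID"` asks about a freshly generated random request UUID under a literal placeholder account, so `grep -q "success"` always fails, the `stapler staple`/`validate` lines and the quarantine cleanup beneath them are dead code, and every successful local signing ends with "App is not notarized yet"; `altool` is also no longer accepted by Apple's notary service, so even a real request id would not help. Replace it with a `notarytool submit --wait` gated on a keychain profile (sketched below; `NOTARY_PROFILE` is a constructed variable name, pick whatever the project uses) so stapling runs only after an actual acceptance. Separately, `--deep` on the two `codesign --sign` calls is discouraged by Apple for signing, because nested code should be signed inside-out with its own entitlements; keeping `--deep` only on the `codesign -vvv --deep` verification line is sufficient. The `[ -n "$(xattr -l "$APP_PATH" | grep quarantine)" ]` test reads better as `xattr -p com.apple.quarantine "$APP_PATH" >/dev/null 2>&1`, the same pattern as in the workflow hunk.

```shell
    # … unchanged: signing and "Verifying signature..." …

    # Staple only once the notary service has accepted this exact build.
    # NOTARY_PROFILE (name chosen here) is a keychain profile created once with
    #   xcrun notarytool store-credentials <profile-name>
    echo "Checking notarization status..."
    if [ -n "${NOTARY_PROFILE:-}" ]; then
      NOTARY_TMP=$(mktemp -d)
      ZIP_PATH="$NOTARY_TMP/app.zip"
      ditto -c -k --keepParent "$APP_PATH" "$ZIP_PATH"
      if xcrun notarytool submit "$ZIP_PATH" --keychain-profile "$NOTARY_PROFILE" --wait 2>&1 | grep -q "status: Accepted"; then
        echo "Notarization accepted, stapling the ticket..."
        xcrun stapler staple "$APP_PATH"
        xcrun stapler validate "$APP_PATH"
        # … unchanged: quarantine attribute cleanup …
      else
        echo "Notarization was not accepted; inspect with 'xcrun notarytool log'." >&2
      fi
      rm -rf -- "${NOTARY_TMP:?}"
    else
      echo "NOTARY_PROFILE not set; skipping notarization and stapling."
    fi
    # … unchanged: "No Developer ID Application certificate found" branch …
```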