LuckyRobots/LuckyWorld
15
0
Fork 0
Code Issues Pull Requests 1 Actions Packages Projects 1 Releases 13 Wiki Activity

fix(actions): enhance macOS notarization workflow by adding security verifications and automation permissions
Some checks failed
Test macOS Build Action / test-macos-build (push) Failing after 28m26s
Details

Browse Source
This commit is contained in:
Ozgur 2025-04-16 00:17:18 +02:00
parent b13286877a
commit 7ef0376181
No known key found for this signature in database
GPG Key ID: 66CDF27505A35546
3 changed files with 90 additions and 3 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

83
.gitea/actions/macos-notarize/action.yml
View File

@ -1,6 +1,6 @@
name: "macOS Sign and Notarize" name: "macOS Sign and Notarize"
description: "Signs and notarizes macOS applications with Developer ID certificate" description: "Signs and notarizes macOS applications with Developer ID certificate"
author: moersoy" author: moersoy
inputs: inputs:
app-path: app-path:
@ -674,6 +674,11 @@ runs:
ditto -c -k --keepParent "${{ inputs.app-path }}" "$ZIP_FILE" ditto -c -k --keepParent "${{ inputs.app-path }}" "$ZIP_FILE"
echo "✅ Created ZIP package: $ZIP_FILE" echo "✅ Created ZIP package: $ZIP_FILE"
# Verify stapling on the app before packaging
echo "🔍 Verifying app notarization and stapling..."
xcrun stapler validate "${{ inputs.app-path }}" || echo "⚠️ App stapling verification failed"
spctl -a -vvv --type exec "${{ inputs.app-path }}" || echo "⚠️ App notarization verification failed"
# Check if we can create DMG (hdiutil is available) # Check if we can create DMG (hdiutil is available)
if command -v hdiutil &> /dev/null; then if command -v hdiutil &> /dev/null; then
# Create DMG package (much better for distribution) # Create DMG package (much better for distribution)
@ -687,8 +692,54 @@ runs:
# Optional: Add README or instructions # Optional: Add README or instructions
echo "# Installation Instructions\n\nDrag the application to your Applications folder to install." > "$DMG_TMP_DIR/README.txt" echo "# Installation Instructions\n\nDrag the application to your Applications folder to install." > "$DMG_TMP_DIR/README.txt"
# Create DMG file with the app # Create a helper script to remove quarantine attribute
echo "Creating helper script to remove quarantine attribute..."
mkdir -p "$DMG_TMP_DIR/scripts"
cat > "$DMG_TMP_DIR/scripts/remove_quarantine.sh" << 'EOF'
#!/bin/bash
APP_PATH="/Applications/$(basename "$0" | sed 's/remove_quarantine_//')"
if [ -d "$APP_PATH" ]; then
echo "Removing quarantine attribute from $APP_PATH"
xattr -dr com.apple.quarantine "$APP_PATH"
echo "✅ Quarantine attribute removed"
osascript -e "display notification \"Quarantine attribute removed from $APP_PATH\" with title \"Installation Complete\""
else
echo "❌ Application not found at $APP_PATH"
osascript -e "display notification \"Application not found at $APP_PATH\" with title \"Installation Failed\""
fi
EOF
# Make the script executable and name it based on the app
chmod +x "$DMG_TMP_DIR/scripts/remove_quarantine.sh"
cp "$DMG_TMP_DIR/scripts/remove_quarantine.sh" "$DMG_TMP_DIR/scripts/remove_quarantine_$(basename "${{ inputs.app-path }}")"
# Try to use create-dmg if available, otherwise fall back to hdiutil
if command -v create-dmg &> /dev/null; then
echo "Using create-dmg for better DMG creation..."
# Decide which keychain to use for getting identity
if [ "${{ steps.setup-cert.outputs.use_system_cert }}" = "true" ]; then
echo "Using system keychain identity"
IDENTITY_HASH=$(security find-identity -v -p codesigning | grep "Developer ID Application" | head -1 | awk '{print $2}')
else
security unlock-keychain -p "$KEYCHAIN_PASSWORD" "$KEYCHAIN_PATH"
IDENTITY_HASH=$(security find-identity -v -p codesigning "$KEYCHAIN_PATH" | grep "Developer ID Application" | head -1 | awk '{print $2}')
fi
create-dmg \
--volname "${APP_NAME}" \
--codesign-identity "$IDENTITY_HASH" \
--app-drop-link 450 200 \
--hide-extension "$(basename "${{ inputs.app-path }}")" \
--add-file "README.txt" 200 200 \
--add-file "scripts" 200 300 \
--no-internet-enable \
"$DMG_FILE" \
"$DMG_TMP_DIR"
else
# Fall back to hdiutil
hdiutil create -volname "${APP_NAME}" -srcfolder "$DMG_TMP_DIR" -ov -format UDZO "$DMG_FILE" hdiutil create -volname "${APP_NAME}" -srcfolder "$DMG_TMP_DIR" -ov -format UDZO "$DMG_FILE"
fi
if [ -f "$DMG_FILE" ]; then if [ -f "$DMG_FILE" ]; then
echo "✅ Created DMG package: $DMG_FILE" echo "✅ Created DMG package: $DMG_FILE"
@ -751,6 +802,10 @@ runs:
echo "Verifying DMG stapling..." echo "Verifying DMG stapling..."
xcrun stapler validate "$DMG_FILE" xcrun stapler validate "$DMG_FILE"
# Additional verification of DMG security
echo "Performing additional security verification of DMG..."
spctl --assess --verbose=4 --type open "$DMG_FILE" || echo "⚠️ DMG security verification warning"
echo "DMG is now fully signed, notarized, and stapled!" echo "DMG is now fully signed, notarized, and stapled!"
else else
echo "⚠️ DMG notarization may have failed or is still in progress." echo "⚠️ DMG notarization may have failed or is still in progress."
@ -783,6 +838,10 @@ runs:
echo "Verifying DMG stapling..." echo "Verifying DMG stapling..."
xcrun stapler validate "$DMG_FILE" xcrun stapler validate "$DMG_FILE"
# Additional verification of DMG security
echo "Performing additional security verification of DMG..."
spctl --assess --verbose=4 --type open "$DMG_FILE" || echo "⚠️ DMG security verification warning"
echo "DMG is now fully signed, notarized, and stapled!" echo "DMG is now fully signed, notarized, and stapled!"
else else
echo "⚠️ DMG notarization may have failed or is still in progress." echo "⚠️ DMG notarization may have failed or is still in progress."
@ -814,6 +873,26 @@ runs:
echo "::set-output name=package-path::$ZIP_FILE" echo "::set-output name=package-path::$ZIP_FILE"
fi fi
# Final verification of all artifacts
echo "🔍 Final verification of all distribution artifacts..."
if [ -f "$ZIP_FILE" ]; then
echo "Verifying ZIP package integrity..."
ditto -v -x "$ZIP_FILE" /tmp/verify_app_extraction || echo "⚠️ ZIP extraction test failed"
rm -rf /tmp/verify_app_extraction
fi
if [ -f "$DMG_FILE" ]; then
echo "Verifying DMG file signature..."
codesign -vvv "$DMG_FILE" || echo "⚠️ DMG signature verification failed"
# Check if DMG was notarized successfully
if [ "${{ steps.notarize.outputs.notarized }}" = "true" ]; then
echo "Verifying DMG stapling..."
xcrun stapler validate "$DMG_FILE" || echo "⚠️ DMG stapling verification failed"
fi
fi
- name: Cleanup - name: Cleanup
if: always() if: always()
shell: bash shell: bash

4
.gitea/workflows/test-local-signing.yml
View File

@ -32,6 +32,10 @@ jobs:
<true/> <true/>
<key>com.apple.security.device.camera</key> <key>com.apple.security.device.camera</key>
<true/> <true/>
<key>com.apple.security.automation.apple-events</key>
<true/>
<key>com.apple.security.get-task-allow</key>
<true/>
</dict> </dict>
</plist> </plist>
EOF EOF

4
LuckyWorld.entitlements
View File

@ -22,5 +22,9 @@
<true/> <true/>
<key>com.apple.security.network.client</key> <key>com.apple.security.network.client</key>
<true/> <true/>
<key>com.apple.security.automation.apple-events</key>
<true/>
<key>com.apple.security.get-task-allow</key>
<true/>
</dict> </dict>
</plist> </plist>