diff --git a/.gitea/actions/macos-build/action.yml b/.gitea/actions/macos-build/action.yml
index 75a6351e..1621494a 100644
--- a/.gitea/actions/macos-build/action.yml
+++ b/.gitea/actions/macos-build/action.yml
@@ -61,6 +61,15 @@ runs:
 # Create output directory mkdir -p PackagedReleases
+ # Download Apple root certificates
+ echo "Downloading Apple Developer certificates..."
+ curl -s -o AppleWWDRCAG3.cer https://www.apple.com/certificateauthority/AppleWWDRCAG3.cer
+ curl -s -o DeveloperIDG2.cer https://www.apple.com/certificateauthority/DeveloperIDG2.cer
+
+ # Import Apple root certificates
+ security import AppleWWDRCAG3.cer -k /Library/Keychains/System.keychain
+ security import DeveloperIDG2.cer -k /Library/Keychains/System.keychain
+
 # Decode the base64 certificate echo "Setting up certificate..." echo $APPLE_CERTIFICATE_BASE64 | base64 --decode > certificate.p12
@@ -73,7 +82,7 @@ runs:
 security set-keychain-settings -lut 21600 "$KEYCHAIN_PATH" security unlock-keychain -p "$KEYCHAIN_PASSWORD" "$KEYCHAIN_PATH" security import certificate.p12 -P "$APPLE_CERTIFICATE_PASSWORD" -A -t cert -f pkcs12 -k "$KEYCHAIN_PATH"
- security list-keychain -d user -s "$KEYCHAIN_PATH"
+ security list-keychain -d user -s "$KEYCHAIN_PATH" /Library/Keychains/System.keychain
 # Find app bundle APP_PATH=$(find Builds -type d -name "*.app" | head -1)
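Review bot: The two `security import ... -k /Library/Keychains/System.keychain` lines modify the runner's persistent System keychain, which normally needs root and, on a self-hosted runner, fails on the second run because the certificate is already present, so the step is not repeatable; importing the intermediates into the per-run `$KEYCHAIN_PATH` (presumably created between this hunk and the next, where it is unlocked) keeps them in the keychain the cleanup hunk already deletes and likely makes the search-list change in the -73 hunk unnecessary for this purpose. The downloads use `curl -s` without `--fail`, so an HTTP error body would be written to the `.cer` file and handed to `security import`, and nothing compares the files against a known digest before they are used for chain building. A shape that addresses both is below; the digest values are placeholders to be recorded from a trusted copy.
```bash
# … unchanged: mkdir -p PackagedReleases …
echo "Downloading Apple Developer certificates..."
curl -fsSL -o AppleWWDRCAG3.cer https://www.apple.com/certificateauthority/AppleWWDRCAG3.cer
curl -fsSL -o DeveloperIDG2.cer https://www.apple.com/certificateauthority/DeveloperIDG2.cer
# Refuse to continue if either file differs from the pinned digest
printf '%s  %s\n' "<SHA256_OF_AppleWWDRCAG3>" AppleWWDRCAG3.cer "<SHA256_OF_DeveloperIDG2>" DeveloperIDG2.cer | shasum -a 256 -c -
# … unchanged: base64 decode, create-keychain / unlock-keychain …
security import AppleWWDRCAG3.cer -k "$KEYCHAIN_PATH"
security import DeveloperIDG2.cer -k "$KEYCHAIN_PATH"
```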
@@ -81,8 +90,25 @@ runs:
 if [ -n "$APP_PATH" ]; then echo "Signing app bundle: $APP_PATH"
- # Sign the application
- /usr/bin/codesign --force --options runtime --sign "Developer ID Application: $APPLE_TEAM_ID" --deep --entitlements "./LuckyRobots.entitlements" "$APP_PATH"
+ # First, handle problematic libraries separately (specifically libmujoco)
+ find "$APP_PATH" -name "libmujoco*.dylib" | while read DYLIB; do
+ echo "Pre-signing library: $DYLIB"
+ codesign --force --options runtime --timestamp --sign "Developer ID Application: $APPLE_TEAM_ID" "$DYLIB"
+ done
+
+ # Now sign all other dylibs
+ find "$APP_PATH" -name "*.dylib" -o -name "*.framework" | while read LIB; do
+ echo "Signing library: $LIB"
+ codesign --force --options runtime --timestamp --sign "Developer ID Application: $APPLE_TEAM_ID" "$LIB"
+ done
+
+ # Now sign the application itself
+ echo "Signing main application bundle..."
+ /usr/bin/codesign --force --options runtime --deep --timestamp --sign "Developer ID Application: $APPLE_TEAM_ID" --entitlements "./LuckyRobots.entitlements" "$APP_PATH"
+
+ # Verify signature
+ echo "Verifying signature..."
+ codesign --verify --verbose "$APP_PATH"
 # Create a temporary file for notarization NOTARIZE_APP_PATH="./LuckyRobots-notarize.zip"
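Review bot: The verification added at the end, `codesign --verify --verbose "$APP_PATH"`, checks the outer signature only, so a nested library that the loops above signed incorrectly would not fail the job as far as I can tell; `codesign --verify --deep --strict --verbose=2 "$APP_PATH"` also validates each nested binary and applies the stricter rules that notarization enforces. The libmujoco pre-signing loop is immediately repeated by the `*.dylib` loop with identical options, so it adds nothing and can be dropped. Both loops consume `find` output with `while read LIB`, which interprets backslashes and breaks on unusual path names; `find "$APP_PATH" \( -name "*.dylib" -o -name "*.framework" \) -print0 | while IFS= read -r -d '' LIB; do` is the safe form, and the same loop appears in the -124 hunk. The enclosing `if [ -n "$APP_PATH" ]` block continues outside the hunk.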
@@ -124,8 +150,15 @@ runs:
 MAIN_BUILD_DIR=$(find Builds -mindepth 1 -maxdepth 1 -type d | head -1) if [ -n "$MAIN_BUILD_DIR" ]; then echo "Found main build directory: $MAIN_BUILD_DIR"
- # Try to sign this directory instead
- /usr/bin/codesign --force --options runtime --sign "Developer ID Application: $APPLE_TEAM_ID" --deep --entitlements "./LuckyRobots.entitlements" "$MAIN_BUILD_DIR"
+
+ # Sign libraries first
+ find "$MAIN_BUILD_DIR" -name "*.dylib" -o -name "*.framework" | while read LIB; do
+ echo "Signing library: $LIB"
+ codesign --force --options runtime --timestamp --sign "Developer ID Application: $APPLE_TEAM_ID" "$LIB"
+ done
+
+ # Then sign main directory
+ /usr/bin/codesign --force --options runtime --timestamp --sign "Developer ID Application: $APPLE_TEAM_ID" --deep --entitlements "./LuckyRobots.entitlements" "$MAIN_BUILD_DIR"
 # Package it DIR_NAME=$(basename "$MAIN_BUILD_DIR")
@@ -141,7 +174,7 @@ runs:
 ls -la PackagedReleases/ # Clean up
- rm -f certificate.p12
+ rm -f certificate.p12 AppleWWDRCAG3.cer DeveloperIDG2.cer
 security delete-keychain "$KEYCHAIN_PATH" shell: bash
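Review bot: This fallback branch signs `$MAIN_BUILD_DIR` but, unlike the app-bundle branch in the -81 hunk, never verifies the result before packaging; adding `codesign --verify --deep --strict --verbose=2 "$MAIN_BUILD_DIR"` after the final codesign line would mirror that branch (assuming codesign accepts the plain directory at all, which the pre-existing sign line already relies on). The `find ... | while read LIB` loop has the same path-handling problem raised on the -81 hunk. The enclosing `if [ -n "$MAIN_BUILD_DIR" ]` block continues outside the hunk.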
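Review bot: The extended `rm -f certificate.p12 AppleWWDRCAG3.cer DeveloperIDG2.cer`, like the `security delete-keychain` after it, only runs when every earlier command succeeds; if a codesign or notarization command fails earlier (and the step's `shell: bash` aborts on error, as it normally does), the decoded `certificate.p12` and the unlocked temporary keychain are left behind on a self-hosted runner. Registering the same cleanup with `trap 'rm -f certificate.p12 AppleWWDRCAG3.cer DeveloperIDG2.cer; security delete-keychain "$KEYCHAIN_PATH"' EXIT` right after the keychain is created covers both the success and the failure path.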