LuckyRobots/LuckyWorld
14
0
Fork 0
Code Issues Pull Requests 1 Actions Packages Projects 1 Releases 13 Wiki Activity

fix(workflows): enhance macOS build workflow by adding Apple root certificate downloads and improving app signing process
Some checks failed
Unreal Engine Build / macos-build (push) Failing after 28m6s
Details
Unreal Engine Build / windows-build (push) Has been cancelled
Details
Unreal Engine Build / linux-build (push) Has been cancelled
Details
Unreal Engine Build / create-release (push) Has been cancelled
Details

Browse Source
This commit is contained in:
Ozgur 2025-04-13 10:55:07 +02:00
parent d2e8757535
commit b10423339d
No known key found for this signature in database
GPG Key ID: 66CDF27505A35546
1 changed files with 39 additions and 6 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

45
.gitea/actions/macos-build/action.yml
View File

@ -61,6 +61,15 @@ runs:
# Create output directory # Create output directory
mkdir -p PackagedReleases mkdir -p PackagedReleases
# Download Apple root certificates
echo "Downloading Apple Developer certificates..."
curl -s -o AppleWWDRCAG3.cer https://www.apple.com/certificateauthority/AppleWWDRCAG3.cer
curl -s -o DeveloperIDG2.cer https://www.apple.com/certificateauthority/DeveloperIDG2.cer
# Import Apple root certificates
security import AppleWWDRCAG3.cer -k /Library/Keychains/System.keychain
security import DeveloperIDG2.cer -k /Library/Keychains/System.keychain
# Decode the base64 certificate # Decode the base64 certificate
echo "Setting up certificate..." echo "Setting up certificate..."
echo $APPLE_CERTIFICATE_BASE64 | base64 --decode > certificate.p12 echo $APPLE_CERTIFICATE_BASE64 | base64 --decode > certificate.p12
@ -73,7 +82,7 @@ runs:
security set-keychain-settings -lut 21600 "$KEYCHAIN_PATH" security set-keychain-settings -lut 21600 "$KEYCHAIN_PATH"
security unlock-keychain -p "$KEYCHAIN_PASSWORD" "$KEYCHAIN_PATH" security unlock-keychain -p "$KEYCHAIN_PASSWORD" "$KEYCHAIN_PATH"
security import certificate.p12 -P "$APPLE_CERTIFICATE_PASSWORD" -A -t cert -f pkcs12 -k "$KEYCHAIN_PATH" security import certificate.p12 -P "$APPLE_CERTIFICATE_PASSWORD" -A -t cert -f pkcs12 -k "$KEYCHAIN_PATH"
security list-keychain -d user -s "$KEYCHAIN_PATH" security list-keychain -d user -s "$KEYCHAIN_PATH" /Library/Keychains/System.keychain
# Find app bundle # Find app bundle
APP_PATH=$(find Builds -type d -name "*.app" | head -1) APP_PATH=$(find Builds -type d -name "*.app" | head -1)
@ -81,8 +90,25 @@ runs:
if [ -n "$APP_PATH" ]; then if [ -n "$APP_PATH" ]; then
echo "Signing app bundle: $APP_PATH" echo "Signing app bundle: $APP_PATH"
# Sign the application # First, handle problematic libraries separately (specifically libmujoco)
/usr/bin/codesign --force --options runtime --sign "Developer ID Application: $APPLE_TEAM_ID" --deep --entitlements "./LuckyRobots.entitlements" "$APP_PATH" find "$APP_PATH" -name "libmujoco*.dylib" | while read DYLIB; do
echo "Pre-signing library: $DYLIB"
codesign --force --options runtime --timestamp --sign "Developer ID Application: $APPLE_TEAM_ID" "$DYLIB"
done
# Now sign all other dylibs
find "$APP_PATH" -name "*.dylib" -o -name "*.framework" | while read LIB; do
echo "Signing library: $LIB"
codesign --force --options runtime --timestamp --sign "Developer ID Application: $APPLE_TEAM_ID" "$LIB"
done
# Now sign the application itself
echo "Signing main application bundle..."
/usr/bin/codesign --force --options runtime --deep --timestamp --sign "Developer ID Application: $APPLE_TEAM_ID" --entitlements "./LuckyRobots.entitlements" "$APP_PATH"
# Verify signature
echo "Verifying signature..."
codesign --verify --verbose "$APP_PATH"
# Create a temporary file for notarization # Create a temporary file for notarization
NOTARIZE_APP_PATH="./LuckyRobots-notarize.zip" NOTARIZE_APP_PATH="./LuckyRobots-notarize.zip"
@ -124,8 +150,15 @@ runs:
MAIN_BUILD_DIR=$(find Builds -mindepth 1 -maxdepth 1 -type d | head -1) MAIN_BUILD_DIR=$(find Builds -mindepth 1 -maxdepth 1 -type d | head -1)
if [ -n "$MAIN_BUILD_DIR" ]; then if [ -n "$MAIN_BUILD_DIR" ]; then
echo "Found main build directory: $MAIN_BUILD_DIR" echo "Found main build directory: $MAIN_BUILD_DIR"
# Try to sign this directory instead
/usr/bin/codesign --force --options runtime --sign "Developer ID Application: $APPLE_TEAM_ID" --deep --entitlements "./LuckyRobots.entitlements" "$MAIN_BUILD_DIR" # Sign libraries first
find "$MAIN_BUILD_DIR" -name "*.dylib" -o -name "*.framework" | while read LIB; do
echo "Signing library: $LIB"
codesign --force --options runtime --timestamp --sign "Developer ID Application: $APPLE_TEAM_ID" "$LIB"
done
# Then sign main directory
/usr/bin/codesign --force --options runtime --timestamp --sign "Developer ID Application: $APPLE_TEAM_ID" --deep --entitlements "./LuckyRobots.entitlements" "$MAIN_BUILD_DIR"
# Package it # Package it
DIR_NAME=$(basename "$MAIN_BUILD_DIR") DIR_NAME=$(basename "$MAIN_BUILD_DIR")
@ -141,7 +174,7 @@ runs:
ls -la PackagedReleases/ ls -la PackagedReleases/
# Clean up # Clean up
rm -f certificate.p12 rm -f certificate.p12 AppleWWDRCAG3.cer DeveloperIDG2.cer
security delete-keychain "$KEYCHAIN_PATH" security delete-keychain "$KEYCHAIN_PATH"
shell: bash shell: bash