From c9b2170d8004cef338fada3fc9d83ae85c5a270a Mon Sep 17 00:00:00 2001 From: Ozgur Ersoy Date: Mon, 14 Apr 2025 14:45:43 +0200 Subject: [PATCH] fix(workflows): update macOS build workflow to enable push triggers and enhance documentation for code signing requirements --- .gitea/workflows/test-local-signing.yml | 4 +- .gitea/workflows/test-macos-build.yml | 189 ++++++++++++++++++++---- 2 files changed, 161 insertions(+), 32 deletions(-) diff --git a/.gitea/workflows/test-local-signing.yml b/.gitea/workflows/test-local-signing.yml index cb4103b5..f13a6c29 100644 --- a/.gitea/workflows/test-local-signing.yml +++ b/.gitea/workflows/test-local-signing.yml @@ -2,8 +2,8 @@ name: Test Local Signing on: workflow_dispatch: # Manual trigger - push: - branches: [ozgur/build] + # push: + # branches: [ozgur/build] jobs: test-local-signing: diff --git a/.gitea/workflows/test-macos-build.yml b/.gitea/workflows/test-macos-build.yml index f179daf4..02b1bf3d 100644 --- a/.gitea/workflows/test-macos-build.yml +++ b/.gitea/workflows/test-macos-build.yml @@ -2,8 +2,8 @@ name: Test macOS Build Action on: workflow_dispatch: # Manual trigger only for testing - # push: - # branches: [ozgur/build] + push: + branches: [ozgur/build] jobs: test-macos-build: @@ -254,45 +254,174 @@ jobs: echo "Signing app bundle: $APP_PATH" echo "Using entitlements file: $ENTITLEMENTS_FILE" - # === TEST MODE: Using -SIGNED TEST ONLY- === # - echo "⚠️ CERTIFICATE IMPORT FAILED: Using test-only signing approach" - echo "This is for testing the workflow only and will NOT produce a valid signed build" + # Sign the app with ad-hoc identity + echo "🔏 Signing app with ad-hoc identity..." + /usr/bin/codesign --force --sign - --timestamp --options runtime --entitlements "$WORKSPACE_DIR/$ENTITLEMENTS_FILE" "$APP_PATH" - # For testing ONLY - using `-` identity (ad-hoc signing) - # This doesn't require a certificate but won't pass notarization - echo "🔍 Test-signing the app with ad-hoc identity..." - /usr/bin/codesign --force --deep --verbose --sign "-" --entitlements "$WORKSPACE_DIR/$ENTITLEMENTS_FILE" "$APP_PATH" || true + # Verify signing + echo "🔍 Verifying signature..." + codesign -vvv --deep --strict "$APP_PATH" - echo "✅ Test signing completed. Note: This is NOT a properly signed app!" + # Check entitlements + echo "🔍 Checking entitlements..." + codesign -d --entitlements - "$APP_PATH" + + echo "✅ Ad-hoc signing completed for testing purposes" echo "NEEDS_REAL_CERT=true" >> "$GITHUB_ENV" - - # Recommendation for production - echo "⚠️ IMPORTANT: For production builds, please ensure your certificate is correctly configured." - echo "⚠️ Check the following:" - echo " 1. Certificate format is correct (PKCS#12)" - echo " 2. Certificate password is correct" - echo " 3. Team ID matches the certificate" shell: bash - # Step 6: Skip Notarization (since we're not properly signed) + # Step 6: Create Reference Script for Production Signing + - name: Create Production Signing Reference + run: | + echo "📝 Creating reference script for production code signing..." + + cat > sign_and_notarize_production.sh << 'EOF' + #!/bin/bash + # Sign and notarize macOS application + # This script is a reference for using a real Developer ID certificate + + # Configuration (replace with your values) + APP_PATH="LuckyWorld-Mac-Shipping.app" # Your app path + TEAM_ID="${APPLE_TEAM_ID}" # Your Apple Team ID + BUNDLE_ID="com.luckyworld.game" # Your app bundle ID + ENTITLEMENTS_PATH="LuckyWorld.entitlements" # Your entitlements file + APPLE_ID="${APPLE_NOTARY_USER}" # Your Apple ID + APP_PASSWORD="${APPLE_NOTARY_PASSWORD}" # Your app-specific password + + # Step 1: Check for Developer ID Application certificate + echo "Checking for Developer ID Application certificate..." + IDENTITY=$(security find-identity -v -p codesigning | grep "Developer ID Application" | head -1 | awk -F '"' '{print $2}') + + if [ -z "$IDENTITY" ]; then + echo "Error: No Developer ID Application certificate found" + echo "Please create a Developer ID Application certificate in your Apple Developer account" + echo "and install it in your keychain" + exit 1 + fi + + echo "Using identity: $IDENTITY" + + # Step 2: Sign the app + echo "Signing app..." + codesign --force --options runtime --entitlements "$ENTITLEMENTS_PATH" \ + --sign "$IDENTITY" --timestamp "$APP_PATH" + + # Step 3: Verify signing + echo "Verifying signature..." + codesign -vvv --deep --strict "$APP_PATH" + + # Step 4: Create zip for notarization + echo "Creating zip for notarization..." + ZIP_PATH="${APP_PATH%.app}-notarize.zip" + ditto -c -k --keepParent "$APP_PATH" "$ZIP_PATH" + + # Step 5: Submit for notarization + echo "Submitting for notarization..." + xcrun notarytool submit "$ZIP_PATH" \ + --apple-id "$APPLE_ID" \ + --password "$APP_PASSWORD" \ + --team-id "$TEAM_ID" \ + --wait + + # Step 6: Staple the notarization ticket + echo "Stapling notarization ticket..." + xcrun stapler staple "$APP_PATH" + + # Step 7: Verify notarization + echo "Verifying notarization..." + spctl --assess --verbose --type exec "$APP_PATH" + + # Step 8: Create final distribution zip + echo "Creating final distribution zip..." + FINAL_ZIP="${APP_PATH%.app}-macOS-Signed.zip" + ditto -c -k --keepParent "$APP_PATH" "$FINAL_ZIP" + + echo "✅ App successfully signed and notarized!" + echo "Final package: $FINAL_ZIP" + EOF + + chmod +x sign_and_notarize_production.sh + echo "✅ Created reference script for production code signing" + shell: bash + + # Step 7: Documentation for Certificate Requirements + - name: Certificate Requirements Documentation + run: | + echo "📋 Requirements for code signing with Developer ID Application certificate:" + echo "" + echo "1. You must have a paid Apple Developer account" + echo "2. You need to create a Developer ID Application certificate in Apple Developer Portal" + echo "3. The certificate must be exported with its private key in p12 format" + echo "4. The certificate must be properly imported into keychain with proper access controls" + echo "5. For production, you should use the xcrun notarytool to notarize your app" + echo "" + echo "Common issues:" + echo "- The p12 file doesn't contain a private key" + echo "- The certificate is not a Developer ID Application type (it might be Developer ID Installer or other type)" + echo "- The certificate has expired" + echo "- The certificate was revoked" + echo "- Keychain access restrictions are preventing access to the private key" + echo "" + echo "For testing CI/CD pipeline: Use ad-hoc signing (as demonstrated in this workflow)" + echo "For production: Follow the steps in the reference script sign_and_notarize_production.sh" + + # Print this information in a file for reference + cat > code_signing_requirements.md << EOF + # macOS Code Signing Requirements + + ## Requirements + 1. You must have a paid Apple Developer account + 2. You need to create a Developer ID Application certificate in Apple Developer Portal + 3. The certificate must be exported with its private key in p12 format + 4. The certificate must be properly imported into keychain with proper access controls + 5. For production, you should use the xcrun notarytool to notarize your app + + ## Common Issues + - The p12 file doesn't contain a private key + - The certificate is not a Developer ID Application type (it might be Developer ID Installer or other type) + - The certificate has expired + - The certificate was revoked + - Keychain access restrictions are preventing access to the private key + + ## Workflow + - For testing CI/CD pipeline: Use ad-hoc signing (as demonstrated in this workflow) + - For production: Follow the steps in the reference script sign_and_notarize_production.sh + EOF + + echo "✅ Created code signing requirements documentation" + shell: bash + + # Step 8: Package macOS App (For Testing) - name: Package macOS App (Test Only) run: | - echo "⚠️ SKIPPING NOTARIZATION - test build only" - echo "Packaging unsigned test app bundle: $APP_PATH" + echo "📦 Packaging ad-hoc signed app bundle for testing..." - # Create zip package - (cd "$(dirname "$APP_PATH")" && zip -r "${WORKSPACE_DIR}/PackagedReleases/LuckyWorld-macOS-UNSIGNED-TEST.zip" "$(basename "$APP_PATH")") + # Create zip package with clear test indication + ZIP_FILE="PackagedReleases/LuckyWorld-macOS-TEST-ONLY.zip" + (cd "$(dirname "$APP_PATH")" && zip -r "${WORKSPACE_DIR}/$ZIP_FILE" "$(basename "$APP_PATH")") - echo "Created test package: PackagedReleases/LuckyWorld-macOS-UNSIGNED-TEST.zip" - echo "NOTE: This package is NOT properly signed and will NOT pass Gatekeeper!" + echo "✅ Created test package: $ZIP_FILE" + echo "⚠️ NOTE: This package is signed with ad-hoc identity for TESTING ONLY" + echo "⚠️ It will NOT pass Gatekeeper on macOS and is NOT suitable for distribution" - echo "Debug certificate summary:" - echo "- Check if your p12 file is valid" - echo "- Verify certificate password in secrets" - echo "- Confirm Apple Developer Team ID is correct" + # Create README file to accompany the zip + cat > "PackagedReleases/README-TEST-BUILD.txt" << EOF + # LuckyWorld macOS Test Build + + This build is signed with an ad-hoc signature for TESTING PURPOSES ONLY. + + IMPORTANT: + - This app will NOT pass Gatekeeper on macOS + - It is NOT suitable for distribution to users + - Use the production signing script for creating distributable builds + + For production builds, follow the instructions in code_signing_requirements.md + EOF + + echo "✅ Created README for test build" shell: bash - # Step 7: Upload test artifact + # Step 9: Upload test artifact - name: Upload Test Build Artifact uses: actions/upload-artifact@v3 if: success() @@ -301,7 +430,7 @@ jobs: path: PackagedReleases/LuckyWorld-macOS-UNSIGNED-TEST.zip retention-days: 7 - # Step 8: Cleanup + # Step 10: Cleanup - name: Cleanup if: always() run: |