From d5b6c2507695de1ba3309c2e5fb46bbb8593711c Mon Sep 17 00:00:00 2001
From: Ozgur Ersoy
Date: Sun, 13 Apr 2025 00:42:10 +0200
Subject: [PATCH] feat(workflows): add macOS app signing and notarization steps to build workflow
---
 .gitea/workflows/macos-build.yml | 73 ++++++++++++++++++++++++++++++++
 LuckyRobots.entitlements | 18 ++++++++
 2 files changed, 91 insertions(+)
 create mode 100644 LuckyRobots.entitlements
diff --git a/.gitea/workflows/macos-build.yml b/.gitea/workflows/macos-build.yml
index babcda4b..e9b29696 100644
--- a/.gitea/workflows/macos-build.yml
+++ b/.gitea/workflows/macos-build.yml
@@ -72,6 +72,79 @@ jobs:
 echo "Packaged releases:"
 ls -la PackagedReleases/
+ - name: Sign and Notarize macOS App
+ env:
+ APPLE_TEAM_ID: ${{ secrets.APPLE_TEAM_ID }}
+ CERTIFICATE_BASE64: ${{ secrets.MACOS_CERTIFICATE }}
+ CERTIFICATE_PASSWORD: ${{ secrets.MACOS_CERTIFICATE_PWD }}
+ API_KEY_PATH: ${{ secrets.NOTARY_API_KEY_PATH }}
+ API_KEY_ID: ${{ secrets.NOTARY_API_KEY_ID }}
+ API_KEY_ISSUER_ID: ${{ secrets.NOTARY_API_KEY_ISSUER_ID }}
+ run: |
+ # Decode the base64 certificate
+ echo "Setting up certificate..."
+ echo $CERTIFICATE_BASE64 | base64 --decode > certificate.p12
+
+ # Create keychain and import certificate
+ KEYCHAIN_PATH=$RUNNER_TEMP/app-signing.keychain-db
+ KEYCHAIN_PASSWORD=temporary
+
+ security create-keychain -p "$KEYCHAIN_PASSWORD" "$KEYCHAIN_PATH"
+ security set-keychain-settings -lut 21600 "$KEYCHAIN_PATH"
+ security unlock-keychain -p "$KEYCHAIN_PASSWORD" "$KEYCHAIN_PATH"
+ security import certificate.p12 -P "$CERTIFICATE_PASSWORD" -A -t cert -f pkcs12 -k "$KEYCHAIN_PATH"
+ security list-keychain -d user -s "$KEYCHAIN_PATH"
+
+ # Find app bundle
+ APP_PATH=$(find Builds -type d -name "*.app" | head -1)
+
+ if [ -n "$APP_PATH" ]; then
+ echo "Signing app bundle: $APP_PATH"
+
+ # Sign the application
+ /usr/bin/codesign --force --options runtime --sign "Developer ID Application: $APPLE_TEAM_ID" --deep --entitlements "./LuckyRobots.entitlements" "$APP_PATH"
+
+ # Create a temporary file for notarization
+ NOTARIZE_APP_PATH="./LuckyRobots-notarize.zip"
+ ditto -c -k --keepParent "$APP_PATH" "$NOTARIZE_APP_PATH"
+
+ # Decode the API key from Base64 secret
+ echo "$API_KEY_PATH" | base64 --decode > api_key.p8
+ API_KEY_FILE="api_key.p8"
+
+ # Submit for notarization using API key
+ echo "Submitting for notarization with API key..."
+ xcrun notarytool submit "$NOTARIZE_APP_PATH" --key "$API_KEY_FILE" --key-id "$API_KEY_ID" --issuer "$API_KEY_ISSUER_ID" --wait
+
+ # Check notarization result
+ NOTARIZATION_INFO=$(xcrun notarytool history --key "$API_KEY_FILE" --key-id "$API_KEY_ID" --issuer "$API_KEY_ISSUER_ID" | grep -E '(success|invalid)' | head -1)
+
+ # Clean up the API key file
+ rm -f "$API_KEY_FILE"
+
+ if echo "$NOTARIZATION_INFO" | grep -q "success"; then
+ echo "Notarization successful"
+
+ # Staple the ticket to the application
+ xcrun stapler staple "$APP_PATH"
+
+ # Repackage the notarized app
+ rm "PackagedReleases/LuckyRobots-macOS.zip"
+ (cd $(dirname "$APP_PATH") && zip -r "../../PackagedReleases/LuckyRobots-macOS.zip" "$(basename "$APP_PATH")")
+ echo "Repackaged notarized app"
+ else
+ echo "Notarization failed: $NOTARIZATION_INFO"
+ exit 1
+ fi
+ else
+ echo "No app bundle found for signing and notarization"
+ exit 1
+ fi
+
+ # Clean up
+ rm -f certificate.p12
+ security delete-keychain "$KEYCHAIN_PATH"
+
 - name: Upload macOS Build Artifact
 uses: actions/upload-artifact@v3
 if: success()
diff --git a/LuckyRobots.entitlements b/LuckyRobots.entitlements
new file mode 100644
index 00000000..ee35bd86
--- /dev/null
+++ b/LuckyRobots.entitlements
@@ -0,0 +1,18 @@
+ + + + com.apple.security.cs.allow-jit + + com.apple.security.cs.allow-unsigned-executable-memory + + com.apple.security.cs.disable-library-validation + + com.apple.security.cs.allow-dyld-environment-variables + + com.apple.security.device.audio-input + + com.apple.security.device.camera + + \ No newline at end of file
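Review bot: The result check after the `submit --wait` line reads the first `success|invalid` match out of `notarytool history`, which is the most recent record for the whole account rather than the submission just made, and as far as I know notarytool reports statuses as `Accepted`/`Invalid`/`Rejected`, so `grep -q "success"` would not match even a good result; test the submit output itself instead, as below. Cleanup of `certificate.p12`, `api_key.p8` and the unlocked keychain only runs on the happy path, so on either `exit 1` or an abort under the runner's default `bash -e` the decoded signing key stays on the runner — register it once with `trap 'rm -f certificate.p12 api_key.p8; security delete-keychain "$KEYCHAIN_PATH"' EXIT` right after the keychain is created, or move it to a separate `if: always()` step. Two smaller points: `--sign "Developer ID Application: $APPLE_TEAM_ID"` matches the certificate by name, so it only resolves if that secret holds the full "Developer ID Application: Name (TEAMID)" string, whereas signing by the certificate's SHA-1 hash is unambiguous; and `echo $CERTIFICATE_BASE64` is unquoted, `printf '%s' "$CERTIFICATE_BASE64" | base64 --decode > certificate.p12` is the safer form.
```yaml
        run: |
          # … unchanged: keychain setup, codesign, ditto, API key decode …
          SUBMIT_LOG=$(xcrun notarytool submit "$NOTARIZE_APP_PATH" --key "$API_KEY_FILE" --key-id "$API_KEY_ID" --issuer "$API_KEY_ISSUER_ID" --wait) || true
          rm -f "$API_KEY_FILE"

          # The submit output ends with the status of *this* submission; "Accepted" is the only passing value.
          if printf '%s\n' "$SUBMIT_LOG" | grep -q 'status: Accepted'; then
            # … unchanged: stapler, repackage …
          else
            echo "Notarization failed:"
            printf '%s\n' "$SUBMIT_LOG"
            exit 1
          fi
```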
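Review bot: The four `com.apple.security.cs.*` keys in this new file (`allow-jit`, `allow-unsigned-executable-memory`, `disable-library-validation`, `allow-dyld-environment-variables`) together remove most of what `--options runtime` in the workflow is meant to enforce: with library validation disabled and dyld environment variables honoured, the signed and notarized process will accept code that was not signed by this team. Notarization does accept these keys, but each one should be tied to a concrete need; `disable-library-validation` and `allow-dyld-environment-variables` in particular are rarely required outside plug-in hosts, so drop any the app does not demonstrably need. Since the file is plist XML, record the reason next to each key as a comment such as `<!-- required by: [component that needs it] -->` so the next maintainer can remove it safely. The `device.audio-input` and `device.camera` keys only take effect alongside `NSMicrophoneUsageDescription`/`NSCameraUsageDescription` entries in the app's Info.plist, which this change does not touch — confirm they are present there.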