diff --git a/.gitea/workflows/test-macos-build.yml b/.gitea/workflows/test-macos-build.yml
index c3628bcf..f2cb0254 100644
--- a/.gitea/workflows/test-macos-build.yml
+++ b/.gitea/workflows/test-macos-build.yml
@@ -21,9 +21,6 @@ jobs:
 if [ -f "LuckyWorld.entitlements" ]; then
 echo "Using existing LuckyWorld.entitlements file"
 ENTITLEMENTS_FILE="LuckyWorld.entitlements"
- elif [ -f "LuckyRobots.entitlements" ]; then
- echo "Using existing LuckyRobots.entitlements file"
- ENTITLEMENTS_FILE="LuckyRobots.entitlements"
 else
 echo "Creating default entitlements file as LuckyWorld.entitlements"
 # Create entitlements file line by line instead of heredoc
@@ -81,47 +78,23 @@ jobs: fi shell: bash - # Step 3: Setup for Signing - - name: Setup for Signing - id: setup-signing + # Step 3: Setup API Key + - name: Setup API Key + id: setup-api-key env: API_KEY_PATH: ${{ secrets.NOTARY_API_KEY_PATH }} - APPLE_CERTIFICATE_BASE64: ${{ secrets.MACOS_CERTIFICATE }} - APPLE_CERTIFICATE_PASSWORD: ${{ secrets.MACOS_CERTIFICATE_PWD }} run: | - # Create output directory - mkdir -p PackagedReleases - - # Decode the API key from Base64 secret + # Decode the API key from Base64 secret and save it to a file echo "$API_KEY_PATH" | base64 --decode > api_key.p8 + echo "API_KEY_FILE=$(pwd)/api_key.p8" >> "$GITHUB_ENV" - # Decode the certificate - echo "$APPLE_CERTIFICATE_BASE64" | base64 --decode > certificate.p12 - - # Create keychain - KEYCHAIN_PATH="signing.keychain-db" - KEYCHAIN_PASSWORD="temporary" - - security create-keychain -p "$KEYCHAIN_PASSWORD" "$KEYCHAIN_PATH" - security set-keychain-settings -lut 21600 "$KEYCHAIN_PATH" - security unlock-keychain -p "$KEYCHAIN_PASSWORD" "$KEYCHAIN_PATH" - - # Download Apple root certificates - curl -s -o AppleWWDRCAG3.cer https://www.apple.com/certificateauthority/AppleWWDRCAG3.cer - curl -s -o DeveloperIDG2.cer https://www.apple.com/certificateauthority/DeveloperIDG2.cer - - # Import certificates - security import AppleWWDRCAG3.cer -k "$KEYCHAIN_PATH" -T /usr/bin/codesign -f der -A - security import DeveloperIDG2.cer -k "$KEYCHAIN_PATH" -T /usr/bin/codesign -f der -A - security import certificate.p12 -P "$APPLE_CERTIFICATE_PASSWORD" -A -t cert -f pkcs12 -k "$KEYCHAIN_PATH" - - # Set keychain for signing - security list-keychain -d user -s "$KEYCHAIN_PATH" - security default-keychain -s "$KEYCHAIN_PATH" - - # Set partition list - security set-key-partition-list -S apple-tool:,apple: -s -k "$KEYCHAIN_PASSWORD" "$KEYCHAIN_PATH" - + echo "API key setup complete" + shell: bash + + # Step 4: Find App Bundle + - name: Find App Bundle + id: find-app-bundle + run: | # Find app bundle APP_PATH=$(find 
Builds -type d -name "*.app" | head -1) 
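Review bot: The `mkdir -p PackagedReleases` that the old setup step ran has no replacement in the new Setup API Key step, and I can't see from this diff whether the later Package macOS App step still writes into that directory; if it does, packaging fails on a fresh runner unless the mkdir is restored there as its first line, `mkdir -p PackagedReleases`. Separately, `echo "$API_KEY_PATH" | base64 --decode > api_key.p8` succeeds with an empty output file when the secret is unset, so the problem only surfaces at notarization; a guard right after the decode, `[ -s api_key.p8 ] || { echo "NOTARY_API_KEY_PATH secret is empty or not base64"; exit 1; }`, makes the cause obvious. The key file is also written into the checkout with the default umask, so `chmod 600 api_key.p8` before exporting API_KEY_FILE keeps it readable only by the runner user. The Find App Bundle step's body continues past the end of this hunk.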
@@ -135,60 +108,30 @@ jobs: fi echo "Found app path: $APP_PATH" - # Use standard environment variable that works in all workflows echo "APP_PATH=$APP_PATH" >> "$GITHUB_ENV" - - # Also save the keychain and api key info - echo "KEYCHAIN_PATH=$KEYCHAIN_PATH" >> "$GITHUB_ENV" - echo "API_KEY_FILE=$(pwd)/api_key.p8" >> "$GITHUB_ENV" shell: bash - # Step 4: Sign macOS App + # Step 5: Sign macOS App using lando/code-sign-action - name: Sign macOS App - env: - APPLE_TEAM_ID: ${{ secrets.APPLE_TEAM_ID }} - run: | - echo "Signing app bundle: $APP_PATH" - - # First, handle libraries - find "$APP_PATH" -name "*.dylib" -o -name "*.framework" | while read LIB; do - echo "Signing library: $LIB" - codesign --force --options runtime --timestamp --sign "Developer ID Application: $APPLE_TEAM_ID" "$LIB" - done - - # Sign the app bundle - echo "Signing with entitlements file: $ENTITLEMENTS_FILE" - codesign --force --options runtime --deep --timestamp --sign "Developer ID Application: $APPLE_TEAM_ID" --entitlements "./$ENTITLEMENTS_FILE" "$APP_PATH" - - # Verify signature - codesign --verify --verbose "$APP_PATH" - shell: bash - - # Step 5: Notarize macOS App - - name: Notarize macOS App - env: - API_KEY_ID: ${{ secrets.NOTARY_API_KEY_ID }} - API_KEY_ISSUER_ID: ${{ secrets.NOTARY_API_KEY_ISSUER_ID }} - run: | - # Create a temporary file for notarization - NOTARIZE_APP_PATH="./LuckyRobots-notarize.zip" - ditto -c -k --keepParent "$APP_PATH" "$NOTARIZE_APP_PATH" - - # Submit for notarization using API key - echo "Submitting for notarization with API key..." 
- xcrun notarytool submit "$NOTARIZE_APP_PATH" --key "$API_KEY_FILE" --key-id "$API_KEY_ID" --issuer "$API_KEY_ISSUER_ID" --wait - - # Staple the ticket to the application - xcrun stapler staple "$APP_PATH" - - # Clean up temporary notarization file - rm -f "$NOTARIZE_APP_PATH" - shell: bash + id: sign-app + uses: lando/code-sign-action@v3 + with: + file: ${{ env.APP_PATH }} + certificate-data: ${{ secrets.MACOS_CERTIFICATE }} + certificate-password: ${{ secrets.MACOS_CERTIFICATE_PWD }} + apple-team-id: ${{ secrets.APPLE_TEAM_ID }} + options: --options runtime --deep --timestamp --entitlements ./${{ env.ENTITLEMENTS_FILE }} + # API Key Notarization (daha güvenli ve modern) + apple-api-key: ${{ env.API_KEY_FILE }} + apple-api-key-id: ${{ secrets.NOTARY_API_KEY_ID }} + apple-api-issuer: ${{ secrets.NOTARY_API_KEY_ISSUER_ID }} + apple-product-id: dev.luckyrobots.luckyworld # Step 6: Package macOS App - name: Package macOS App run: | # Package the signed and notarized app + APP_PATH="${{ steps.sign-app.outputs.file }}" APP_NAME=$(basename "$APP_PATH") DIR_PATH=$(dirname "$APP_PATH") @@ -213,11 +156,7 @@ jobs: - name: Cleanup if: always() run: | - # Clean up keychain and files - if [ -n "$KEYCHAIN_PATH" ]; then - security delete-keychain "$KEYCHAIN_PATH" || true - fi - + # Clean up files rm -f certificate.p12 AppleWWDRCAG3.cer DeveloperIDG2.cer api_key.p8 || true shell: bash \ No newline at end of file
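Review bot: `uses: lando/code-sign-action@v3` hands the Developer ID certificate, its password and the notary API key to a third-party action pinned only to a mutable major tag, so whoever can move that tag can obtain the signing identity; pin it to a full commit SHA with the version in a trailing comment, `uses: lando/code-sign-action@<full-commit-sha>  # v3`. The removed step also ran `codesign --verify --verbose "$APP_PATH"` and `xcrun stapler staple "$APP_PATH"` after notarization, and this diff does not show whether the action does both; if not, a short step between signing and packaging should keep those two commands. The comment `# API Key Notarization (daha güvenli ve modern)` is the only non-English comment in the file and should read `# API key notarization (more secure and modern)`. The `APP_PATH="${{ steps.sign-app.outputs.file }}"` line in the Package step overwrites the value already exported to GITHUB_ENV, and if the action has no `file` output it becomes an empty string, so `APP_PATH="${{ steps.sign-app.outputs.file || env.APP_PATH }}"` is the safer form.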
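Review bot: The Cleanup step no longer deletes a signing keychain, but keychain creation is now delegated to lando/code-sign-action and this diff does not show whether that action removes the keychain it imports the certificate into; on a self-hosted Gitea runner that is not ephemeral, the Developer ID identity could persist across jobs. If the action exposes the keychain path, delete it here with the same `security delete-keychain ... || true` pattern the old step used, otherwise record the assumption with `# Keychain teardown is handled by lando/code-sign-action — confirm for persistent runners`. `rm -f certificate.p12 AppleWWDRCAG3.cer DeveloperIDG2.cer api_key.p8 || true` now names three files this workflow no longer creates; only `api_key.p8` is still written, so `rm -f api_key.p8 || true` states what is actually cleaned up.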