diff --git a/.gitea/workflows/test-macos-build.yml b/.gitea/workflows/test-macos-build.yml
index 887feb5a..aaa10cbe 100644
--- a/.gitea/workflows/test-macos-build.yml
+++ b/.gitea/workflows/test-macos-build.yml
@@ -105,8 +105,9 @@ jobs:
  security set-keychain-settings -lut 21600 "$KEYCHAIN_PATH"
  security unlock-keychain -p "$KEYCHAIN_PASSWORD" "$KEYCHAIN_PATH"
- # Set keychain search list
+ # Set keychain search list and make it default
  security list-keychains -d user -s "$KEYCHAIN_PATH" $(security list-keychains -d user | sed s/\"//g)
+ security default-keychain -s "$KEYCHAIN_PATH"
  # Decode and import certificate
  echo "$CERTIFICATE_BASE64" | base64 --decode > certificate.p12
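Review bot: The added `security default-keychain -s "$KEYCHAIN_PATH"` changes persistent per-user state on the runner, and nothing in this hunk records the previous default or restores it. If this runs on a long-lived self-hosted act_runner (which `.gitea/workflows` suggests, though the runner configuration is not visible here), every later job and any interactive use on that Mac will default to a temporary keychain that this workflow may later delete. codesign only needs the keychain in the search list plus the partition-list entry set further down, so I would drop the line; if it really is required, save the old value first with `ORIG_DEFAULT_KEYCHAIN=$(security default-keychain -d user | tr -d '" ')`, export it via `$GITHUB_ENV`, and put it back with `security default-keychain -s "$ORIG_DEFAULT_KEYCHAIN"` in a cleanup step that runs with `if: always()`. The `run:` block continues before and after the hunk.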
@@ -115,14 +116,25 @@ jobs:
  curl -s -o AppleWWDRCAG3.cer https://www.apple.com/certificateauthority/AppleWWDRCAG3.cer
  curl -s -o DeveloperIDG2.cer https://www.apple.com/certificateauthority/DeveloperIDG2.cer
- # Import certificates
- security import AppleWWDRCAG3.cer -k "$KEYCHAIN_PATH" -T /usr/bin/codesign -f der -A
- security import DeveloperIDG2.cer -k "$KEYCHAIN_PATH" -T /usr/bin/codesign -f der -A
- security import certificate.p12 -P "$CERTIFICATE_PASSWORD" -A -t cert -f pkcs12 -k "$KEYCHAIN_PATH"
+ # Import Apple root certificates properly
+ # Use -T to restrict access to codesign instead of -A (which is insecure)
+ echo "Importing Apple WWDRCA certificate..."
+ security import AppleWWDRCAG3.cer -k "$KEYCHAIN_PATH" -T /usr/bin/codesign -f openssl
- # Set partition list
+ echo "Importing Developer ID certificate..."
+ security import DeveloperIDG2.cer -k "$KEYCHAIN_PATH" -T /usr/bin/codesign -f openssl
+
+ # Import developer certificate with proper parameters
+ echo "Importing developer certificate..."
+ security import certificate.p12 -k "$KEYCHAIN_PATH" -P "$CERTIFICATE_PASSWORD" -T /usr/bin/codesign -f pkcs12
+
+ # Set partition list - important for automated signing without UI prompts
  security set-key-partition-list -S apple-tool:,apple: -s -k "$KEYCHAIN_PASSWORD" "$KEYCHAIN_PATH"
+ # Verify certificates were imported correctly
+ echo "Listing imported certificates..."
+ security find-certificate -a "$KEYCHAIN_PATH"
+
  # Export keychain path and password for later use
  echo "KEYCHAIN_PATH=$KEYCHAIN_PATH" >> "$GITHUB_ENV"
  echo "KEYCHAIN_PASSWORD=$KEYCHAIN_PASSWORD" >> "$GITHUB_ENV"
@@ -162,7 +174,7 @@ jobs:
  echo "APP_NAME=$APP_NAME" >> "$GITHUB_ENV"
  shell: bash
- # Step 5: Sign application with codesign
+ # Step 5: Sign application with codesign - improved based on forums
  - name: Sign application
  env:
  APPLE_TEAM_ID: ${{ secrets.APPLE_TEAM_ID }}
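Review bot: The two Apple CA files fetched on the first two context lines are fed to the new `security import ... -f openssl` lines with no check in between: `curl -s` has no `--fail`, so a non-2xx error body or a truncated download is handed to `security import`, and whether a failed import stops the job depends on the runner wrapping this block with `-e`, which is not visible here. The switch from the removed `-f der` to `-f openssl` is also unexplained; Apple serves these `.cer` files DER-encoded, and as far as I know the safest form is to omit `-f` and let `security import` detect the encoding, unless you have confirmed the new flag imports cleanly. Minimal change: `curl -fsSL --retry 3 -o AppleWWDRCAG3.cer https://www.apple.com/certificateauthority/AppleWWDRCAG3.cer` (same for DeveloperIDG2) and `security import AppleWWDRCAG3.cer -k "$KEYCHAIN_PATH" -T /usr/bin/codesign`. Committing the two intermediate certificates to the repository and comparing their SHA-256 fingerprints before import would remove the network dependency from signing altogether; note the new comment calls them "root" certificates, but WWDR G3 and Developer ID G2 are intermediates. The `run:` block continues before and after the hunk.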
@@ -170,24 +182,66 @@ jobs:
  echo "Signing app bundle: $APP_PATH"
  echo "Using entitlements file: $ENTITLEMENTS_FILE"
- # First, handle libraries and frameworks
- find "$APP_PATH" -type f -name "*.dylib" -o -name "*.framework/Versions/*/Resources" | while read LIB; do
- echo "Signing library: $LIB"
- /usr/bin/codesign --force --options runtime --timestamp --sign "Developer ID Application: $APPLE_TEAM_ID" "$LIB"
+ # First sign PhysX and problematic frameworks specifically (based on forum reports)
+ echo "🔍 Signing PhysX and special libraries first..."
+ find "$APP_PATH" -type f -name "*PhysX*" -o -name "*APEX*" | while read SPECIAL_LIB; do
+ if [ -f "$SPECIAL_LIB" ]; then
+ echo "Signing special library: $SPECIAL_LIB"
+ /usr/bin/codesign -f -v -s "Developer ID Application: $APPLE_TEAM_ID" --options runtime --timestamp "$SPECIAL_LIB"
+ fi
  done
- # Sign the app bundle itself
- /usr/bin/codesign --force --options runtime --deep --timestamp --verbose --sign "Developer ID Application: $APPLE_TEAM_ID" --entitlements "$WORKSPACE_DIR/$ENTITLEMENTS_FILE" "$APP_PATH"
+ # Sign all dylib files
+ echo "🔍 Signing all .dylib files..."
+ find "$APP_PATH" -type f -name "*.dylib" | while read DYLIB; do
+ echo "Signing dylib: $DYLIB"
+ /usr/bin/codesign -f -v -s "Developer ID Application: $APPLE_TEAM_ID" --options runtime --timestamp "$DYLIB"
+ done
+
+ # Sign all .so files
+ echo "🔍 Signing all .so files..."
+ find "$APP_PATH" -type f -name "*.so" | while read SO; do
+ echo "Signing .so: $SO"
+ /usr/bin/codesign -f -v -s "Developer ID Application: $APPLE_TEAM_ID" --options runtime --timestamp "$SO"
+ done
+
+ # Sign all executables in frameworks
+ echo "🔍 Signing framework executables..."
+ find "$APP_PATH" -path "*.framework/*" -type f -perm +111 | while read FMWK_BIN; do
+ echo "Signing framework binary: $FMWK_BIN"
+ /usr/bin/codesign -f -v -s "Developer ID Application: $APPLE_TEAM_ID" --options runtime --timestamp "$FMWK_BIN"
+ done
+
+ # Sign all other executables
+ echo "🔍 Signing other executables..."
+ find "$APP_PATH" -type f -perm +111 -not -path "*.framework/*" -not -name "*.dylib" -not -name "*.so" | while read EXEC; do
+ echo "Signing executable: $EXEC"
+ /usr/bin/codesign -f -v -s "Developer ID Application: $APPLE_TEAM_ID" --options runtime --timestamp "$EXEC"
+ done
+
+ # Sign all frameworks
+ echo "🔍 Signing frameworks..."
+ find "$APP_PATH" -name "*.framework" -type d | while read FRAMEWORK; do
+ echo "Signing framework: $FRAMEWORK"
+ /usr/bin/codesign -f -v -s "Developer ID Application: $APPLE_TEAM_ID" --options runtime --timestamp "$FRAMEWORK"
+ done
+
+ # Finally sign the app bundle itself with entitlements
+ echo "🔍 Signing the main app bundle with entitlements..."
+ /usr/bin/codesign -f -v -s "Developer ID Application: $APPLE_TEAM_ID" --entitlements "$WORKSPACE_DIR/$ENTITLEMENTS_FILE" --options runtime --deep --timestamp "$APP_PATH"
  # Verify signature
  echo "Verifying signature..."
  /usr/bin/codesign --verify --verbose "$APP_PATH"
+ # Use spctl to check if app is acceptable by Gatekeeper
+ echo "Checking if app will pass Gatekeeper validation..."
+ spctl -vvv --assess --type exec "$APP_PATH"
+
  if [ $? -eq 0 ]; then
- echo "✅ Code signing was successful"
+ echo "✅ Code signing and Gatekeeper validation was successful"
  else
- echo "❌ Code signing failed"
- exit 1
+ echo "⚠️ Gatekeeper validation had warnings, but continuing with notarization"
  fi
  shell: bash
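Review bot: The `if [ $? -eq 0 ]` near the end of the hunk now tests the exit status of the new `spctl` line, not of `codesign --verify` a few lines earlier, and the else branch no longer runs `exit 1`, so a bundle whose signature fails verification proceeds to notarization with nothing but a warning in the log. Making `spctl` advisory is defensible, since `spctl --assess --type exec` rejects a Developer ID build that has not yet been notarized, but the signature check itself has to stay fatal: `/usr/bin/codesign --verify --verbose --strict "$APP_PATH" || { echo "❌ Code signing failed"; exit 1; }`. Two smaller points on the new loops: `while read VAR` without `-r` mangles any path containing a backslash, and the final `-f --deep` sign re-signs every nested item the loops just signed, so once the per-component passes are trusted the deprecated `--deep` can go. The signing `run:` block begins outside the hunk.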
@@ -251,10 +305,14 @@ jobs:
  echo "Stapling notarization ticket to app..."
  xcrun stapler staple "$APP_PATH"
+ # Verify stapling
+ echo "Verifying stapling..."
+ stapler validate "$APP_PATH"
+
  if [ $? -eq 0 ]; then
  echo "✅ Stapling successful"
  else
- echo "⚠️ Stapling may have failed. This is sometimes expected for new apps."
+ echo "⚠️ Stapling verification may have failed. This is sometimes expected for new apps."
  echo "⚠️ Continuing with packaging..."
  fi
diff --git a/scripts/mac_build.sh b/scripts/mac_build.sh
index fe68fdfa..af4b72fd 100755
--- a/scripts/mac_build.sh
+++ b/scripts/mac_build.sh
@@ -13,9 +13,28 @@ PROJECT_ROOT="$(pwd)"
 PROJECT_FILE="$PROJECT_ROOT/LuckyWorld.uproject"
 ARCHIVE_DIR="$PROJECT_ROOT/Builds"
+# Check for entitlements file
+if [ -f "$PROJECT_ROOT/LuckyWorld.entitlements" ]; then
+ ENTITLEMENTS_FILE="$PROJECT_ROOT/LuckyWorld.entitlements"
+elif [ -f "$PROJECT_ROOT/LuckyRobots.entitlements" ]; then
+ ENTITLEMENTS_FILE="$PROJECT_ROOT/LuckyRobots.entitlements"
+else
+ echo "Warning: No entitlements file found. This might affect notarization."
+ ENTITLEMENTS_FILE=""
+fi
+
+# For debugging: print paths and config
+echo "Project root: $PROJECT_ROOT"
+echo "Project file: $PROJECT_FILE"
+echo "Archive directory: $ARCHIVE_DIR"
+echo "Entitlements file: $ENTITLEMENTS_FILE"
+
+# Clean up previous build artifacts
 rm -rf DerivedDataCache Intermediate Binaries Saved
+# Generate project files
 "$UE_ROOT/Engine/Build/BatchFiles/Mac/GenerateProjectFiles.sh" -project="$PROJECT_FILE" -game -engine
+
 # Run the build command
 "$UE_UAT" -ScriptsForProject="$PROJECT_FILE" Turnkey \
 -command=VerifySdk \
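Review bot: The new `stapler validate "$APP_PATH"` invokes `stapler` directly, while the context line above uses `xcrun stapler staple`; on a stock Xcode installation `stapler` is normally only reachable through `xcrun`, so this line is likely to fail with command-not-found, `$?` becomes 127, and the else branch runs on every build, meaning the added verification can never report success. Use `xcrun stapler validate "$APP_PATH"`. Note also that `$?` is now validate's status, so a failing `xcrun stapler staple` on the line above is no longer observed at all; if stapling is deliberately best-effort, the message should say that a missing ticket forces Gatekeeper to check notarization online for end users rather than attributing the failure to "new apps". The step's `run:` block begins and ends outside the hunk.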
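Review bot: `ENTITLEMENTS_FILE` is computed and echoed in the new block but nothing in the hunk consumes it, and the `"$UE_UAT"` invocation it precedes runs past the end of the hunk, so I cannot tell whether it is used later or is dead code; the workflow, by contrast, joins `$WORKSPACE_DIR/$ENTITLEMENTS_FILE`, i.e. expects a relative name, whereas this script stores an absolute path, so if the two are meant to be the same setting they currently disagree. The warning text also over-claims: a missing entitlements file changes which hardened-runtime entitlements are baked into the signature, not notarization as such, and diagnostics belong on stderr, e.g. `echo "Warning: no entitlements file found; codesign will run without --entitlements." >&2`. The script continues outside the hunk.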
@@ -52,4 +71,30 @@ rm -rf DerivedDataCache Intermediate Binaries Saved
 # enable these if you want to test build without pak and iostore (you're just testing the build)
 # -skipiostore \
- # -skippak \ (disable -pak and -iostore)
\ No newline at end of file
+ # -skippak \ (disable -pak and -iostore)
+
+
+# http://forums.unrealengine.com/t/code-signing-and-notarization-for-mac/146486
+echo ""
+echo "Build completed. Application path:"
+APP_PATH=$(find "$ARCHIVE_DIR" -name "*.app" -type d | head -n 1)
+echo "$APP_PATH"
+
+if [ -n "$APP_PATH" ]; then
+ echo ""
+ echo "🔍 Binary files that will need signing:"
+ DYLIB_COUNT=$(find "$APP_PATH" -name "*.dylib" | wc -l)
+ SO_COUNT=$(find "$APP_PATH" -name "*.so" | wc -l)
+ FRAMEWORKS=$(find "$APP_PATH" -path "*.framework/*" -type f -perm +111 | wc -l)
+ EXECUTABLES=$(find "$APP_PATH" -type f -perm +111 -not -path "*.framework/*" -not -name "*.dylib" -not -name "*.so" | wc -l)
+
+ echo "- $DYLIB_COUNT .dylib libraries"
+ echo "- $SO_COUNT .so libraries"
+ echo "- $FRAMEWORKS framework executables"
+ echo "- $EXECUTABLES other executables"
+ echo "Total binary files: $((DYLIB_COUNT + SO_COUNT + FRAMEWORKS + EXECUTABLES))"
+
+ echo ""
+ echo "🔍 Checking for PhysX and other special libraries (often need special handling):"
+ find "$APP_PATH" -name "*PhysX*" -o -name "*APEX*"
+fi
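Review bot: `APP_PATH=$(find "$ARCHIVE_DIR" -name "*.app" -type d | head -n 1)` takes whichever `.app` directory `find` emits first, and `find` order is filesystem order; if the build tree holds a nested helper `.app` inside another bundle's `Contents/`, or an older build alongside the new one, the path printed and the component counts below may describe the wrong bundle. Constrain and order the search: `APP_PATH=$(find "$ARCHIVE_DIR" -name "*.app" -type d -not -path "*/Contents/*" | sort | head -n 1)`. The `| wc -l` counts are informational, so their sensitivity to newlines in filenames is minor, but `printf '%s\n' "$APP_PATH"` is the safer way to print an arbitrary path, and the forum link on the first added line should be `https://`. This tail is appended after the `"$UE_UAT"` command whose start lies outside the hunk.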