fix(workflows): enhance macOS build workflow with improved signing process and entitlements handling
This commit is contained in:
parent
a207e10eff
commit
f8f55321af
@ -105,8 +105,9 @@ jobs:
|
||||
security set-keychain-settings -lut 21600 "$KEYCHAIN_PATH"
|
||||
security unlock-keychain -p "$KEYCHAIN_PASSWORD" "$KEYCHAIN_PATH"
|
||||
|
||||
# Set keychain search list
|
||||
# Set keychain search list and make it default
|
||||
security list-keychains -d user -s "$KEYCHAIN_PATH" $(security list-keychains -d user | sed s/\"//g)
|
||||
security default-keychain -s "$KEYCHAIN_PATH"
|
||||
|
||||
# Decode and import certificate
|
||||
echo "$CERTIFICATE_BASE64" | base64 --decode > certificate.p12
|
||||
@ -115,14 +116,25 @@ jobs:
|
||||
curl -s -o AppleWWDRCAG3.cer https://www.apple.com/certificateauthority/AppleWWDRCAG3.cer
|
||||
curl -s -o DeveloperIDG2.cer https://www.apple.com/certificateauthority/DeveloperIDG2.cer
|
||||
|
||||
# Import certificates
|
||||
security import AppleWWDRCAG3.cer -k "$KEYCHAIN_PATH" -T /usr/bin/codesign -f der -A
|
||||
security import DeveloperIDG2.cer -k "$KEYCHAIN_PATH" -T /usr/bin/codesign -f der -A
|
||||
security import certificate.p12 -P "$CERTIFICATE_PASSWORD" -A -t cert -f pkcs12 -k "$KEYCHAIN_PATH"
|
||||
# Import Apple root certificates properly
|
||||
# Use -T to restrict access to codesign instead of -A (which is insecure)
|
||||
echo "Importing Apple WWDRCA certificate..."
|
||||
security import AppleWWDRCAG3.cer -k "$KEYCHAIN_PATH" -T /usr/bin/codesign -f openssl
|
||||
|
||||
# Set partition list
|
||||
echo "Importing Developer ID certificate..."
|
||||
security import DeveloperIDG2.cer -k "$KEYCHAIN_PATH" -T /usr/bin/codesign -f openssl
|
||||
|
||||
# Import developer certificate with proper parameters
|
||||
echo "Importing developer certificate..."
|
||||
security import certificate.p12 -k "$KEYCHAIN_PATH" -P "$CERTIFICATE_PASSWORD" -T /usr/bin/codesign -f pkcs12
|
||||
|
||||
# Set partition list - important for automated signing without UI prompts
|
||||
security set-key-partition-list -S apple-tool:,apple: -s -k "$KEYCHAIN_PASSWORD" "$KEYCHAIN_PATH"
|
||||
|
||||
# Verify certificates were imported correctly
|
||||
echo "Listing imported certificates..."
|
||||
security find-certificate -a "$KEYCHAIN_PATH"
|
||||
|
||||
# Export keychain path and password for later use
|
||||
echo "KEYCHAIN_PATH=$KEYCHAIN_PATH" >> "$GITHUB_ENV"
|
||||
echo "KEYCHAIN_PASSWORD=$KEYCHAIN_PASSWORD" >> "$GITHUB_ENV"
|
||||
@ -162,7 +174,7 @@ jobs:
|
||||
echo "APP_NAME=$APP_NAME" >> "$GITHUB_ENV"
|
||||
shell: bash
|
||||
|
||||
# Step 5: Sign application with codesign
|
||||
# Step 5: Sign application with codesign - improved based on forums
|
||||
- name: Sign application
|
||||
env:
|
||||
APPLE_TEAM_ID: ${{ secrets.APPLE_TEAM_ID }}
|
||||
@ -170,24 +182,66 @@ jobs:
|
||||
echo "Signing app bundle: $APP_PATH"
|
||||
echo "Using entitlements file: $ENTITLEMENTS_FILE"
|
||||
|
||||
# First, handle libraries and frameworks
|
||||
find "$APP_PATH" -type f -name "*.dylib" -o -name "*.framework/Versions/*/Resources" | while read LIB; do
|
||||
echo "Signing library: $LIB"
|
||||
/usr/bin/codesign --force --options runtime --timestamp --sign "Developer ID Application: $APPLE_TEAM_ID" "$LIB"
|
||||
# First sign PhysX and problematic frameworks specifically (based on forum reports)
|
||||
echo "🔍 Signing PhysX and special libraries first..."
|
||||
find "$APP_PATH" -type f -name "*PhysX*" -o -name "*APEX*" | while read SPECIAL_LIB; do
|
||||
if [ -f "$SPECIAL_LIB" ]; then
|
||||
echo "Signing special library: $SPECIAL_LIB"
|
||||
/usr/bin/codesign -f -v -s "Developer ID Application: $APPLE_TEAM_ID" --options runtime --timestamp "$SPECIAL_LIB"
|
||||
fi
|
||||
done
|
||||
|
||||
# Sign the app bundle itself
|
||||
/usr/bin/codesign --force --options runtime --deep --timestamp --verbose --sign "Developer ID Application: $APPLE_TEAM_ID" --entitlements "$WORKSPACE_DIR/$ENTITLEMENTS_FILE" "$APP_PATH"
|
||||
# Sign all dylib files
|
||||
echo "🔍 Signing all .dylib files..."
|
||||
find "$APP_PATH" -type f -name "*.dylib" | while read DYLIB; do
|
||||
echo "Signing dylib: $DYLIB"
|
||||
/usr/bin/codesign -f -v -s "Developer ID Application: $APPLE_TEAM_ID" --options runtime --timestamp "$DYLIB"
|
||||
done
|
||||
|
||||
# Sign all .so files
|
||||
echo "🔍 Signing all .so files..."
|
||||
find "$APP_PATH" -type f -name "*.so" | while read SO; do
|
||||
echo "Signing .so: $SO"
|
||||
/usr/bin/codesign -f -v -s "Developer ID Application: $APPLE_TEAM_ID" --options runtime --timestamp "$SO"
|
||||
done
|
||||
|
||||
# Sign all executables in frameworks
|
||||
echo "🔍 Signing framework executables..."
|
||||
find "$APP_PATH" -path "*.framework/*" -type f -perm +111 | while read FMWK_BIN; do
|
||||
echo "Signing framework binary: $FMWK_BIN"
|
||||
/usr/bin/codesign -f -v -s "Developer ID Application: $APPLE_TEAM_ID" --options runtime --timestamp "$FMWK_BIN"
|
||||
done
|
||||
|
||||
# Sign all other executables
|
||||
echo "🔍 Signing other executables..."
|
||||
find "$APP_PATH" -type f -perm +111 -not -path "*.framework/*" -not -name "*.dylib" -not -name "*.so" | while read EXEC; do
|
||||
echo "Signing executable: $EXEC"
|
||||
/usr/bin/codesign -f -v -s "Developer ID Application: $APPLE_TEAM_ID" --options runtime --timestamp "$EXEC"
|
||||
done
|
||||
|
||||
# Sign all frameworks
|
||||
echo "🔍 Signing frameworks..."
|
||||
find "$APP_PATH" -name "*.framework" -type d | while read FRAMEWORK; do
|
||||
echo "Signing framework: $FRAMEWORK"
|
||||
/usr/bin/codesign -f -v -s "Developer ID Application: $APPLE_TEAM_ID" --options runtime --timestamp "$FRAMEWORK"
|
||||
done
|
||||
|
||||
# Finally sign the app bundle itself with entitlements
|
||||
echo "🔍 Signing the main app bundle with entitlements..."
|
||||
/usr/bin/codesign -f -v -s "Developer ID Application: $APPLE_TEAM_ID" --entitlements "$WORKSPACE_DIR/$ENTITLEMENTS_FILE" --options runtime --deep --timestamp "$APP_PATH"
|
||||
|
||||
# Verify signature
|
||||
echo "Verifying signature..."
|
||||
/usr/bin/codesign --verify --verbose "$APP_PATH"
|
||||
|
||||
# Use spctl to check if app is acceptable by Gatekeeper
|
||||
echo "Checking if app will pass Gatekeeper validation..."
|
||||
spctl -vvv --assess --type exec "$APP_PATH"
|
||||
|
||||
if [ $? -eq 0 ]; then
|
||||
echo "✅ Code signing was successful"
|
||||
echo "✅ Code signing and Gatekeeper validation was successful"
|
||||
else
|
||||
echo "❌ Code signing failed"
|
||||
exit 1
|
||||
echo "⚠️ Gatekeeper validation had warnings, but continuing with notarization"
|
||||
fi
|
||||
shell: bash
|
||||
|
||||
@ -251,10 +305,14 @@ jobs:
|
||||
echo "Stapling notarization ticket to app..."
|
||||
xcrun stapler staple "$APP_PATH"
|
||||
|
||||
# Verify stapling
|
||||
echo "Verifying stapling..."
|
||||
stapler validate "$APP_PATH"
|
||||
|
||||
if [ $? -eq 0 ]; then
|
||||
echo "✅ Stapling successful"
|
||||
else
|
||||
echo "⚠️ Stapling may have failed. This is sometimes expected for new apps."
|
||||
echo "⚠️ Stapling verification may have failed. This is sometimes expected for new apps."
|
||||
echo "⚠️ Continuing with packaging..."
|
||||
fi
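Review bot: The `if [ $? -eq 0 ]` after `spctl -vvv --assess --type exec "$APP_PATH"` in the Sign application step (hunk @ -170,24 +182,66) no longer fails the build — the else branch now prints a warning where it previously ran `exit 1` — and since GitHub Actions runs `shell: bash` steps with `-eo pipefail`, a non-zero spctl exits the step before the test is even reached, so the branch is dead either way. If a pre-notarization Gatekeeper rejection is expected here, make that explicit, `if spctl -vvv --assess --type exec "$APP_PATH"; then`, and move the hard assessment to after stapling; the `codesign --verify --verbose "$APP_PATH"` just above it should become `codesign --verify --deep --strict --verbose=2 "$APP_PATH"` so a bad nested signature still fails the step. The new `find ... | while read X` loops in the same hunk split paths on whitespace and interpret backslashes, and `-type f -name "*PhysX*" -o -name "*APEX*"` binds as `(-type f -a -name "*PhysX*") -o -name "*APEX*"`; `-print0` with `while IFS= read -r -d '' X` avoids both. In hunk @ -115,14 +116,25 the two Apple CA `.cer` imports now pass `-f openssl`, which looks wrong for DER-encoded certificates — if the old `-f der` was failing, omitting `-f` and letting `security import` detect the format is the safer change. Apple's guidance also discourages `--deep` on the final bundle signature; since every nested dylib, .so, framework and executable is now signed individually, `--deep` on the last codesign call is likely unnecessary.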
|
||||
|
||||
|
@ -13,9 +13,28 @@ PROJECT_ROOT="$(pwd)"
|
||||
PROJECT_FILE="$PROJECT_ROOT/LuckyWorld.uproject"
|
||||
ARCHIVE_DIR="$PROJECT_ROOT/Builds"
|
||||
|
||||
# Check for entitlements file
|
||||
if [ -f "$PROJECT_ROOT/LuckyWorld.entitlements" ]; then
|
||||
ENTITLEMENTS_FILE="$PROJECT_ROOT/LuckyWorld.entitlements"
|
||||
elif [ -f "$PROJECT_ROOT/LuckyRobots.entitlements" ]; then
|
||||
ENTITLEMENTS_FILE="$PROJECT_ROOT/LuckyRobots.entitlements"
|
||||
else
|
||||
echo "Warning: No entitlements file found. This might affect notarization."
|
||||
ENTITLEMENTS_FILE=""
|
||||
fi
|
||||
|
||||
# For debugging: print paths and config
|
||||
echo "Project root: $PROJECT_ROOT"
|
||||
echo "Project file: $PROJECT_FILE"
|
||||
echo "Archive directory: $ARCHIVE_DIR"
|
||||
echo "Entitlements file: $ENTITLEMENTS_FILE"
|
||||
|
||||
# Clean up previous build artifacts
|
||||
rm -rf DerivedDataCache Intermediate Binaries Saved
|
||||
|
||||
# Generate project files
|
||||
"$UE_ROOT/Engine/Build/BatchFiles/Mac/GenerateProjectFiles.sh" -project="$PROJECT_FILE" -game -engine
|
||||
|
||||
# Run the build command
|
||||
"$UE_UAT" -ScriptsForProject="$PROJECT_FILE" Turnkey \
|
||||
-command=VerifySdk \
|
||||
@ -53,3 +72,29 @@ rm -rf DerivedDataCache Intermediate Binaries Saved
|
||||
# enable these if you want to test build without pak and iostore (you're just testing the build)
|
||||
# -skipiostore \
|
||||
# -skippak \ (disable -pak and -iostore)
|
||||
|
||||
|
||||
# http://forums.unrealengine.com/t/code-signing-and-notarization-for-mac/146486
|
||||
echo ""
|
||||
echo "Build completed. Application path:"
|
||||
APP_PATH=$(find "$ARCHIVE_DIR" -name "*.app" -type d | head -n 1)
|
||||
echo "$APP_PATH"
|
||||
|
||||
if [ -n "$APP_PATH" ]; then
|
||||
echo ""
|
||||
echo "🔍 Binary files that will need signing:"
|
||||
DYLIB_COUNT=$(find "$APP_PATH" -name "*.dylib" | wc -l)
|
||||
SO_COUNT=$(find "$APP_PATH" -name "*.so" | wc -l)
|
||||
FRAMEWORKS=$(find "$APP_PATH" -path "*.framework/*" -type f -perm +111 | wc -l)
|
||||
EXECUTABLES=$(find "$APP_PATH" -type f -perm +111 -not -path "*.framework/*" -not -name "*.dylib" -not -name "*.so" | wc -l)
|
||||
|
||||
echo "- $DYLIB_COUNT .dylib libraries"
|
||||
echo "- $SO_COUNT .so libraries"
|
||||
echo "- $FRAMEWORKS framework executables"
|
||||
echo "- $EXECUTABLES other executables"
|
||||
echo "Total binary files: $((DYLIB_COUNT + SO_COUNT + FRAMEWORKS + EXECUTABLES))"
|
||||
|
||||
echo ""
|
||||
echo "🔍 Checking for PhysX and other special libraries (often need special handling):"
|
||||
find "$APP_PATH" -name "*PhysX*" -o -name "*APEX*"
|
||||
fi
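Review bot: The entitlements fallback `ENTITLEMENTS_FILE=""` in hunk @ -13,9 +13,28 only prints a warning, so the build proceeds with an empty path; if that value later reaches a `codesign --entitlements` call (the workflow's sign step concatenates `"$WORKSPACE_DIR/$ENTITLEMENTS_FILE"`, which would then be a bare directory) the failure is harder to diagnose than an early `exit 1` here. Note also that this script assigns an absolute path (`$PROJECT_ROOT/LuckyWorld.entitlements`) while that workflow prepends `$WORKSPACE_DIR/`; if the two share this variable, the concatenation is wrong for one of them — worth confirming. The warning should go to stderr: `echo "Warning: No entitlements file found. This might affect notarization." >&2`. The inventory block in hunk @ -53,3 +72,29 is diagnostic-only; its `-perm +111` is BSD find syntax, so it is macOS-only, which matches the script's purpose but is worth a comment.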
|
||||
|