LuckyRobots/LuckyWorld
14
0
Fork 0
Code Issues Pull Requests 1 Actions Packages Projects 1 Releases 13 Wiki Activity

WIP: feat(workflows): add new build workflows for Windows, Linux, and macOS, and remove obsolete build scripts #17

Draft
m wants to merge 109 commits from ozgur/build into main
pull from: ozgur/build
merge into: LuckyRobots:main
Conversation 0 Commits 109 Files Changed 21 +117 -19
1 changed files with 117 additions and 19 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files
Showing only changes of commit 5c6898e856 - Show all commits

136
scripts/mac_build.sh
View File

@ -129,29 +129,127 @@ if [ -n "$APP_PATH" ]; then
fi
fi
# Kütüphaneleri kontrol et ve gerekirse post-processing yap
echo ""
echo "🔍 Checking for unsigned libraries..."
if [ -n "$APP_PATH" ]; then
# Uygulamanın tüm executable ve kütüphanelerini bul
find "$APP_PATH" -type f -perm +111 | while read -r binary; do
# Codesign durumunu kontrol et
if ! codesign -v "$binary" &>/dev/null; then
echo "⚠️ Unsigned binary found: $binary"
# Bu dosyayı imzalamak için entitlements kullan
if [ -n "$ENTITLEMENTS_FILE" ]; then
echo "Re-signing binary with ad-hoc signature..."
codesign --force --options runtime --deep --sign - --timestamp --entitlements "$ENTITLEMENTS_FILE" "$binary"
fi
# Recursive imzalama fonksiyonu - tüm binary dosyaları imzalar
function sign_recursively() {
local app_path="$1"
local entitlements_file="$2"
local counter=0
local total=0
local failed=0
# Önce toplam dosya sayısını hesapla
# Tüm binary dosyaları bul (executable, dylib, so, çerçeveler)
echo "Scanning for binary files..."
# Executable binary files (libraries, executables)
binaries=$(find "$app_path" -type f \( -name "*.dylib" -o -name "*.so" -o -perm +111 \) | sort)
total=$(echo "$binaries" | wc -l)
echo "Found $total binary files to sign"
# Helper binary dosyaları imzala (tercih sırasına göre)
echo "Signing all binary files (libraries and executables)..."
echo "$binaries" | while read -r binary; do
counter=$((counter + 1))
# Her 20 dosyada bir ilerleme göster
if [ $((counter % 20)) -eq 0 ] || [ $counter -eq 1 ] || [ $counter -eq $total ]; then
echo "Progress: $counter/$total - Signing: $binary"
fi
# Skip if not a regular file (symbolic links etc)
if [ ! -f "$binary" ]; then
continue
fi
# Dosya türünü kontrol et
file_info=$(file "$binary")
# Sadece Mach-O dosyalarını imzala
if ! echo "$file_info" | grep -q "Mach-O"; then
continue
fi
if [[ "$binary" == *CrashReportClient* ]]; then
echo "🛠️ Special handling for CrashReportClient: $binary"
fi
# Timestamp ve runtime options ile imzala
codesign --force --options runtime --deep --sign - --timestamp --entitlements "$entitlements_file" "$binary" 2>&1 || {
echo "⚠️ Failed to sign: $binary"
failed=$((failed + 1))
}
done
# Hardened Runtime için ek kontroller
echo "Ensuring Hardened Runtime flags are set for main executable..."
MAIN_EXECUTABLE="$APP_PATH/Contents/MacOS/$(basename "$APP_PATH" .app)"
if [ -f "$MAIN_EXECUTABLE" ]; then
codesign --force --options runtime --deep --sign - --timestamp --entitlements "$ENTITLEMENTS_FILE" "$MAIN_EXECUTABLE"
# Başvuru için ENTITLEMENTS içeriğini göster
echo "Using entitlements file for signatures:"
cat "$entitlements_file"
# Tüm nested app'leri bul ve imzala
nested_apps=$(find "$app_path" -name "*.app" -type d)
if [ -n "$nested_apps" ]; then
echo "Signing nested applications..."
echo "$nested_apps" | while read -r nested_app; do
if [ "$nested_app" != "$app_path" ]; then
echo "Signing nested app: $nested_app"
# İmzalamadan önce Info.plist varsa Bundle ID ayarla
nested_info="$nested_app/Contents/Info.plist"
if [ -f "$nested_info" ]; then
echo "Setting bundle identifier for nested app"
/usr/libexec/PlistBuddy -c "Set :CFBundleIdentifier com.luckyrobots.luckyworld.nested" "$nested_info" 2>/dev/null || true
fi
codesign --force --options runtime --deep --sign - --timestamp --entitlements "$entitlements_file" "$nested_app" 2>&1 || {
echo "⚠️ Failed to sign nested app: $nested_app"
failed=$((failed + 1))
}
fi
done
fi
# Asıl uygulamayı imzala
echo "Signing main application: $app_path"
codesign --force --options runtime --deep --sign - --timestamp --entitlements "$entitlements_file" "$app_path" 2>&1 || {
echo "⚠️ Failed to sign main app: $app_path"
failed=$((failed + 1))
}
echo "✅ Signing completed: $counter files processed, $failed failures"
# İmzalama durumunu kontrol et
echo "Verifying signatures..."
codesign -vvv --deep --strict "$app_path"
# Hardened Runtime ve diğer güvenlik ayarları kontrol et
echo "Checking security settings (Hardened Runtime, etc.):"
codesign -d --entitlements - "$app_path" | grep -i "runtime\|hardened\|security"
# Spesifik olarak CrashReportClient'i kontrol et (sorunlu dosya)
crash_reporter=$(find "$app_path" -path "*CrashReportClient.app/Contents/MacOS/CrashReportClient" -type f | head -1)
if [ -n "$crash_reporter" ]; then
echo "Checking CrashReportClient specifically:"
codesign -d --entitlements - "$crash_reporter" | grep -i "runtime\|hardened\|security"
fi
}
# Kütüphaneleri kontrol et ve gerekirse post-processing yap
echo ""
echo "🔍 Performing comprehensive signing and hardening of all binaries..."
if [ -n "$APP_PATH" ] && [ -n "$ENTITLEMENTS_FILE" ]; then
# Recursive olarak tüm binary dosyaları imzala
sign_recursively "$APP_PATH" "$ENTITLEMENTS_FILE"
# Son olarak ana uygulamayı tekrar imzala
echo "Final signing of main app bundle"
codesign --force --options runtime --deep --sign - --timestamp --entitlements "$ENTITLEMENTS_FILE" "$APP_PATH"
echo "✅ All binaries signed successfully with Hardened Runtime enabled"
else
echo "❌ App path or entitlements file not found, cannot perform comprehensive signing"
echo "App path: $APP_PATH"
echo "Entitlements file: $ENTITLEMENTS_FILE"
fi
echo ""