LuckyWorld/.gitea/workflows/test-local-signing.yml
Ozgur Ersoy c4a7c7bec5
fix(workflows): refine local signing workflow with self-signing steps, enhanced documentation, and improved script for notarization
2025-04-14 14:42:09 +02:00


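name: Test Local Signing

# Exercises the macOS signing pipeline with Apple's ad-hoc identity so that the
# entitlements file, the bundle layout and the codesign invocations can be
# validated on a runner that holds no Developer ID certificate. The real
# certificate flow is written out as a reference script plus a requirements
# note; neither is executed by this job.
#
# NOTE: generic YAML 1.1 parsers read the `on` key as boolean `true`. The
# Actions/Gitea workflow loader handles it, so yamllint's `truthy` rule may be
# silenced for this key only.
on:
  workflow_dispatch: # Manual trigger
  push:
    branches: [ozgur/build]

jobs:
  test-local-signing:
    runs-on: macos
    steps:
      - name: Checkout repository
        # Consider pinning to a full commit SHA instead of the mutable `v3` tag
        # so the action's contents cannot change underneath this workflow.
        uses: actions/checkout@v3

      - name: Create Test Entitlements
        # Every key below is a hardened-runtime exception: each one relaxes a
        # protection (JIT, unsigned executable memory, library validation,
        # DYLD_* environment variables, microphone, camera). A shipping build
        # should request only the subset the app genuinely needs; the full set
        # is written here so the signing step is exercised against all of them.
        # The heredoc delimiter is quoted so the shell expands nothing inside
        # the plist.
        run: |
          echo "📝 Creating entitlements file..."
          cat > LuckyWorld.entitlements << 'EOF'
          <?xml version="1.0" encoding="UTF-8"?>
          <!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
          <plist version="1.0">
          <dict>
            <key>com.apple.security.cs.allow-jit</key>
            <true/>
            <key>com.apple.security.cs.allow-unsigned-executable-memory</key>
            <true/>
            <key>com.apple.security.cs.disable-library-validation</key>
            <true/>
            <key>com.apple.security.cs.allow-dyld-environment-variables</key>
            <true/>
            <key>com.apple.security.device.audio-input</key>
            <true/>
            <key>com.apple.security.device.camera</key>
            <true/>
          </dict>
          </plist>
          EOF
          echo "✅ Created entitlements file"
          cat LuckyWorld.entitlements
        shell: bash

      - name: Create Test App Bundle
        # Builds the smallest bundle codesign will accept: one executable under
        # Contents/MacOS and an Info.plist that names it. A two-line shell
        # script stands in for the real binary; that is enough for signature
        # and entitlement checks.
        run: |
          echo "📦 Creating test app bundle..."
          TEST_APP_DIR="TestApp.app"
          mkdir -p "$TEST_APP_DIR/Contents/MacOS"

          # Placeholder executable
          printf '#!/bin/bash\necho "Hello from TestApp!"\n' > "$TEST_APP_DIR/Contents/MacOS/TestApp"
          chmod +x "$TEST_APP_DIR/Contents/MacOS/TestApp"

          # Minimal Info.plist; the quoted delimiter keeps the shell out of it.
          cat > "$TEST_APP_DIR/Contents/Info.plist" << 'EOF'
          <?xml version="1.0" encoding="UTF-8"?>
          <!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
          <plist version="1.0">
          <dict>
            <key>CFBundleExecutable</key>
            <string>TestApp</string>
            <key>CFBundleIdentifier</key>
            <string>com.luckyworld.testapp</string>
            <key>CFBundleName</key>
            <string>TestApp</string>
            <key>CFBundlePackageType</key>
            <string>APPL</string>
            <key>CFBundleShortVersionString</key>
            <string>1.0</string>
            <key>LSMinimumSystemVersion</key>
            <string>10.10</string>
          </dict>
          </plist>
          EOF
          echo "✅ Created test app bundle"

          # Fail loudly if the bundle is somehow missing before signing.
          if [ ! -d "$TEST_APP_DIR" ]; then
            echo "❌ Error: App bundle not found at $TEST_APP_DIR"
            exit 1
          fi
          echo "🔍 App bundle contents:"
          ls -la "$TEST_APP_DIR"
        shell: bash

      - name: Self-Sign App for Testing
        # `--sign -` is Apple's ad-hoc identity: no certificate is involved and
        # Gatekeeper on other machines will not trust the result, which is all
        # this smoke test needs. codesign can only sign with identities that
        # live in a keychain, so an openssl-generated self-signed certificate on
        # disk would not be usable here and none is created. `--timestamp`
        # requires a real identity and is therefore left to the reference
        # script below.
        run: |
          echo "🔏 Signing app with ad-hoc identity..."
          codesign --force --sign - --options runtime \
            --entitlements LuckyWorld.entitlements TestApp.app

          echo "🔍 Verifying signature..."
          codesign -vvv --deep --strict TestApp.app

          echo "🔍 Checking entitlements..."
          codesign -d --entitlements - TestApp.app
        shell: bash

      - name: Create Sign and Notarize Script (Developer Reference)
        # Writes, but does not run, the script a developer would use with a
        # real "Developer ID Application" identity. It aborts on the first
        # failing command so a broken signature is never submitted or stapled.
        run: |
          echo "📝 Creating reference script for actual code signing..."
          cat > sign_and_notarize.sh << 'EOF'
          #!/bin/bash
          # Sign and notarize a macOS application with a Developer ID certificate.
          # Reference only: copy it, fill in the configuration and run it on a
          # Mac whose keychain holds the "Developer ID Application" identity.
          set -euo pipefail

          # Configuration (replace with your values)
          APP_PATH="YourApp.app"
          TEAM_ID="YOUR_TEAM_ID"
          BUNDLE_ID="com.yourdomain.yourapp"
          ENTITLEMENTS_PATH="YourApp.entitlements"
          APPLE_ID="your_apple_id@example.com"
          # Prefer running `xcrun notarytool store-credentials <profile>` once and
          # passing `--keychain-profile <profile>` to submit, so the app-specific
          # password never sits in a script, an environment dump or shell history.
          APP_PASSWORD="your_app_specific_password"

          # Step 1: Check for Developer ID Application certificate.
          # awk exits 0 even without a match, so the friendly error below is
          # reached instead of set -e aborting inside the pipeline.
          echo "Checking for Developer ID Application certificate..."
          IDENTITY=$(security find-identity -v -p codesigning | awk -F '"' '/Developer ID Application/ {print $2; exit}')
          if [ -z "$IDENTITY" ]; then
            echo "Error: No Developer ID Application certificate found"
            echo "Please create a Developer ID Application certificate in your Apple Developer account"
            echo "and install it in your keychain"
            exit 1
          fi
          echo "Using identity: $IDENTITY"

          # Step 2: Sign the app (hardened runtime + secure timestamp are
          # both required for notarization).
          echo "Signing app..."
          codesign --force --options runtime --entitlements "$ENTITLEMENTS_PATH" \
            --sign "$IDENTITY" --timestamp "$APP_PATH"

          # Step 3: Verify signing
          echo "Verifying signature..."
          codesign -vvv --deep --strict "$APP_PATH"

          # Step 4: Create zip for notarization in a private temp dir
          echo "Creating zip for notarization..."
          zip_path="$(mktemp -d)/app_for_notarization.zip"
          ditto -c -k --keepParent "$APP_PATH" "$zip_path"

          # Step 5: Submit for notarization and wait for the verdict. The
          # printed status is checked explicitly rather than relying on the
          # exit code of --wait alone.
          echo "Submitting for notarization..."
          submit_output="$(xcrun notarytool submit "$zip_path" \
            --apple-id "$APPLE_ID" \
            --password "$APP_PASSWORD" \
            --team-id "$TEAM_ID" \
            --wait 2>&1 | tee /dev/stderr)"
          if ! grep -q "status: Accepted" <<< "$submit_output"; then
            echo "Error: notarization was not accepted; fetch the details with" >&2
            echo "  xcrun notarytool log <submission-id> --apple-id \"$APPLE_ID\" --team-id \"$TEAM_ID\" --password \"$APP_PASSWORD\"" >&2
            exit 1
          fi
          rm -f "$zip_path"

          # Step 6: Staple the notarization ticket
          echo "Stapling notarization ticket..."
          xcrun stapler staple "$APP_PATH"

          # Step 7: Verify notarization
          echo "Verifying notarization..."
          spctl --assess --verbose --type exec "$APP_PATH"
          echo "✅ App successfully signed and notarized!"
          EOF
          chmod +x sign_and_notarize.sh
          echo "✅ Created reference script for actual code signing"
        shell: bash

      - name: Documentation for Certificate Requirements
        # Printed to the job log and saved to signing_requirements.txt in one
        # pass via tee, so the two copies cannot drift apart. In CI, item 4 is
        # usually met by importing the p12 into a throwaway keychain that is
        # unlocked for the job and deleted afterwards (security create-keychain,
        # security import, security set-key-partition-list), so the private key
        # never lands in the runner's login keychain.
        run: |
          tee signing_requirements.txt << 'EOF'
          📋 Requirements for code signing with Developer ID Application certificate:

          1. You must have a paid Apple Developer account
          2. You need to create a Developer ID Application certificate in Apple Developer Portal
          3. The certificate must be exported with its private key in p12 format
          4. The certificate must be properly imported into keychain with proper access controls
          5. For production, you should use the xcrun notarytool to notarize your app

          Common issues:
          - The p12 file doesn't contain a private key
          - The certificate is not a Developer ID Application type (it might be Developer ID Installer or other type)
          - The certificate has expired
          - The certificate was revoked
          - Keychain access restrictions are preventing access to the private key

          For testing purposes, you can sign with ad-hoc identity (as demonstrated in this workflow)
          For production, follow the steps in the reference script created in this workflow
          EOF
        shell: bash

      - name: Cleanup
        if: always()
        # Runs even when an earlier step failed so the throwaway bundle and
        # entitlements do not linger on a self-hosted runner. The reference
        # script and the requirements note are left in place for inspection.
        run: |
          echo "🧹 Cleaning up..."
          rm -rf TestApp.app LuckyWorld.entitlements || true
          echo "✅ Cleanup complete"
        shell: bash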