Refactor macOS notarization, stapling and signing setup
ann0see committed Aug 22, 2024
1 parent cb44669 commit ccc56f5
Showing 2 changed files with 34 additions and 35 deletions.
24 changes: 18 additions & 6 deletions .github/autobuild/mac.sh
Expand Up @@ -190,18 +190,27 @@ pass_artifact_to_job() {
fi
}

appstore_submit() {
echo "Submitting package to AppStore Connect..."
# test the signature of package
pkgutil --check-signature "${ARTIFACT_PATH}"
notarize() {
echo "Submitting artifact to AppStore Connect..."

if [[ ${ARTIFACT_PATH} == *.pkg ]]; then
# Check if .pkg file is signed. (https://apple.stackexchange.com/a/212336)
pkgutil --check-signature "${ARTIFACT_PATH}"
fi

echo "Requesting notarization..."
xcrun notarytool submit "${ARTIFACT_PATH}" \
--apple-id "${NOTARIZATION_USERNAME}" \
--team-id "${APPLE_TEAM_ID}" \
--password "${NOTARIZATION_PASSWORD}" \
--wait
}

staple() {
echo "Stapling package..."
xcrun stapler staple "${ARTIFACT_PATH}"
}

case "${1:-}" in
setup)
setup
Expand All @@ -212,8 +221,11 @@ case "${1:-}" in
get-artifacts)
pass_artifact_to_job
;;
appstore-submit)
appstore_submit
notarize)
notarize
;;
staple)
staple
;;
*)
echo "Unknown stage '${1:-}'"
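Review bot: The local signature pre-check in `notarize()` covers only the `if [[ ${ARTIFACT_PATH} == *.pkg ]]` branch, so a `.dmg` or `.app` artifact is sent to Apple with no local verification and a codesign problem surfaces only as a notarization verdict after the round trip; an `else` branch running `codesign --verify --strict --verbose=2 "${ARTIFACT_PATH}"` gives the other artifact types the same cheap, early failure. Whether either check actually stops the stage depends on the script's `set -e` state, which is outside the hunk — if it is not set, `pkgutil --check-signature` merely prints its result and submission proceeds, so `|| exit 1` on the check is worth adding regardless. The app-specific password is forwarded on the command line via `--password "${NOTARIZATION_PASSWORD}"`, where it is visible to `ps` on the runner and in any `set -x` trace even though the job log masks it; an App Store Connect API key (`--key`/`--key-id`/`--issuer`) or a `--keychain-profile` created with `xcrun notarytool store-credentials` keeps the credential off argv. It is also worth confirming on the runner's Xcode that `notarytool submit --wait` exits non-zero on an `Invalid` verdict; if it does not, `staple()` becomes the first stage to fail and the `notarytool log` output that explains the rejection is never shown.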
45 changes: 16 additions & 29 deletions .github/workflows/autobuild.yml
Expand Up @@ -365,13 +365,13 @@ jobs:
run: ${{ matrix.config.base_command }} build
env:
JAMULUS_BUILD_VERSION: ${{ needs.create_release.outputs.build_version }}
MACOS_CERTIFICATE: ${{ secrets.MACOS_CERT}}
MACOS_CERTIFICATE_PWD: ${{ secrets.MACOS_CERT_PWD }}
MACOS_CERTIFICATE_ID: ${{ secrets.MACOS_CERT_ID }}
MAC_STORE_APP_CERT: ${{ secrets.MACAPP_CERT}}
MACOS_CERTIFICATE: ${{ secrets.MACOS_CERT }} # Base64 encoded Developer ID Application certificate. See https://help.apple.com/xcode/mac/current/#/dev154b28f09
MACOS_CERTIFICATE_PWD: ${{ secrets.MACOS_CERT_PWD }} # Password protecting secrets.MACOS_CERTIFICATE
MACOS_CERTIFICATE_ID: ${{ secrets.MACOS_CERT_ID }} # Certificate ID of secrets.MACOS_CERTIFICATE. If unknown, import secrets.MACOS_CERT into keychain and get the hash via "security find-identity -v"
MAC_STORE_APP_CERT: ${{ secrets.MACAPP_CERT }} # Base64 encoded Mac App Distribution certificate
MAC_STORE_APP_CERT_PWD: ${{ secrets.MACAPP_CERT_PWD }}
MAC_STORE_APP_CERT_ID: ${{ secrets.MACAPP_CERT_ID }}
MAC_STORE_INST_CERT: ${{ secrets.MACAPP_INST_CERT}}
MAC_STORE_INST_CERT: ${{ secrets.MACAPP_INST_CERT }} # Base64 encoded Mac Installer Distribution certificate
MAC_STORE_INST_CERT_PWD: ${{ secrets.MACAPP_INST_CERT_PWD }}
MAC_STORE_INST_CERT_ID: ${{ secrets.MACAPP_INST_CERT_ID }}
NOTARIZATION_PASSWORD: ${{ secrets.NOTARIZATION_PASSWORD }}
Expand Down Expand Up @@ -408,23 +408,24 @@ jobs:
needs.create_release.outputs.publish_to_release == 'true' &&
steps.build.outputs.macos_notarize == 'true'
id: notarize-macOS-app
uses: lando/notarize-action@4f5869b09386e8336802159031e4189e0919ae20
with:
product-path: deploy/${{ steps.get-artifacts.outputs.artifact_1 }}
primary-bundle-id: io.jamulus.Jamulus
appstore-connect-username: ${{ secrets.NOTARIZATION_USERNAME }}
appstore-connect-password: ${{ secrets.NOTARIZATION_PASSWORD }}
appstore-connect-team-id: ${{ secrets.NOTARIZATION_TEAM_ID }}
run: ${{ matrix.config.base_command }} notarize
env:
JAMULUS_BUILD_VERSION: ${{ needs.create_release.outputs.build_version }}
ARTIFACT_PATH: deploy/${{ steps.get-artifacts.outputs.artifact_1 }}
NOTARIZATION_USERNAME: ${{ secrets.NOTARIZATION_USERNAME }} # Apple ID for notarization
NOTARIZATION_PASSWORD: ${{ secrets.NOTARIZATION_PASSWORD }} # App specific password for Apple ID
APPLE_TEAM_ID: ${{ secrets.NOTARIZATION_TEAM_ID }} # Team ID from App Store Connect

- name: Staple macOS Release Build
if: >-
steps.build.outputs.macos_signed == 'true' &&
needs.create_release.outputs.publish_to_release == 'true' &&
steps.build.outputs.macos_notarize == 'true'
id: staple-macOS-app
uses: BoundfoxStudios/action-xcode-staple@cd6c16fb6a3dfb365203a41343926f81e813afad
with:
product-path: deploy/${{ steps.get-artifacts.outputs.artifact_1 }}
run: ${{ matrix.config.base_command }} staple
env:
JAMULUS_BUILD_VERSION: ${{ needs.create_release.outputs.build_version }}
ARTIFACT_PATH: deploy/${{ steps.get-artifacts.outputs.artifact_1 }}

- name: Deploy Artifacts to Release
if: needs.create_release.outputs.publish_to_release == 'true'
Expand All @@ -436,20 +437,6 @@ jobs:
env:
GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}

## RELEASE PROCEDURE FOR: macOS App Store - storesigned pkg
- name: Validate and Upload macOS Storesign Pkg
if: >-
steps.build.outputs.macos_store == 'true' &&
needs.create_release.outputs.publish_to_release == 'true'
id: macos_validate_upload
run: ${{ matrix.config.base_command }} appstore-submit
env:
ARTIFACT_PATH: deploy/${{ steps.get-artifacts.outputs.artifact_2 }}
NOTARIZATION_USERNAME: ${{ secrets.NOTARIZATION_USERNAME }}
NOTARIZATION_PASSWORD: ${{ secrets.NOTARIZATION_PASSWORD }}
JAMULUS_BUILD_VERSION: ${{ needs.create_release.outputs.build_version }}
APPLE_TEAM_ID: XXXXXXXXXXX

- name: Perform CodeQL Analysis
if: matrix.config.run_codeql
uses: github/codeql-action/analyze@v3
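Review bot: `MAC_STORE_APP_CERT_PWD`, `MAC_STORE_APP_CERT_ID`, `MAC_STORE_INST_CERT_PWD` and `MAC_STORE_INST_CERT_ID` in the first hunk are the only certificate variables left without the explanatory comment their neighbours gained; `# Password protecting secrets.MACAPP_CERT` and `# Certificate ID of secrets.MACAPP_CERT, obtained as for MACOS_CERTIFICATE_ID` (plus the installer-certificate equivalents) would make the set consistent. With the "Validate and Upload macOS Storesign Pkg" step removed in the last hunk, no step passes `artifact_2` to the script any more, so the `.pkg` branch of the script's `notarize` stage has no caller from this workflow and the store-signed package, if it is still produced by the build step, leaves the pipeline without the `pkgutil --check-signature` it previously received; if that is deliberate, a one-line comment at the removal site stating where the store package is now validated would stop the next reader from re-adding the step. The new notarize and staple steps pass the Apple ID, password and team ID through `env:` and call `xcrun` directly instead of two pinned third-party actions, which removes those actions from the release path and keeps the secrets out of the job's command line as far as the workflow is concerned.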
