Add signed package build and App Store submission for Mac #3309
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This commit combines all the changes made by Dan G into one.
5 tasks
ann0see
reviewed
Jul 11, 2024
.github/autobuild/mac.sh
Outdated
| security set-key-partition-list -S apple-tool:,apple:,codesign: -s -k "${KEYCHAIN_PASSWORD}" build.keychain | ||
| security import macos_certificate.p12 -k build.keychain -P "${MACOS_CERTIFICATE_PWD}" -A -T /usr/bin/codesign | ||
| security import macapp_certificate.p12 -k build.keychain -P "${MAC_STORE_APP_CERT_PWD}" -A -T /usr/bin/codesign | ||
| security import macinst_certificate.p12 -k build.keychain -P "${MAC_STORE_INST_CERT_PWD}" -A -T /usr/bin/productbuild |
There was a problem hiding this comment.
Is this ok even if no macinst_certificate or macapp_certificate exists?
There was a problem hiding this comment.
I'm just looking through the logic. I suspect we need to add some checks to allow signing without app store submission. At the moment it appears that signing will be skipped if the app store certificates are not also available. I'll raise a comment at the relevant place.
|
Otherwise: If it builds, we can merge this. |
softins
commented
Jul 12, 2024
.github/autobuild/mac.sh
Outdated
Comment on lines
79
to
92
| [[ "${SIGN_IF_POSSIBLE:-0}" == "1" ]] || return 1 | ||
|
|
||
| # Signing was requested, now check all prerequisites: | ||
| [[ -n "${MACOS_CERTIFICATE:-}" ]] || return 1 | ||
| [[ -n "${MACOS_CERTIFICATE_ID:-}" ]] || return 1 | ||
| [[ -n "${MACOS_CERTIFICATE_PWD:-}" ]] || return 1 | ||
| [[ -n "${MAC_STORE_APP_CERT:-}" ]] || return 1 | ||
| [[ -n "${MAC_STORE_APP_CERT_ID:-}" ]] || return 1 | ||
| [[ -n "${MAC_STORE_APP_CERT_PWD:-}" ]] || return 1 | ||
| [[ -n "${MAC_STORE_INST_CERT:-}" ]] || return 1 | ||
| [[ -n "${MAC_STORE_INST_CERT_ID:-}" ]] || return 1 | ||
| [[ -n "${MAC_STORE_INST_CERT_PWD:-}" ]] || return 1 | ||
| [[ -n "${NOTARIZATION_PASSWORD:-}" ]] || return 1 | ||
| [[ -n "${KEYCHAIN_PASSWORD:-}" ]] || return 1 |
There was a problem hiding this comment.
This suggests that signing will be aborted if we do not also have certificates for app store submission. We need a way to allow just signing without store submission.
|
Closing this in favour of #2624, which is now up to date. |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
Short description of changes
This PR adds automation to create a signed pkg (installer) file for direct submission to the macOS App Store, and was originally authored by @danryu.
This PR replaces #2624 and squashes all the changes made by Dan G into one commit. They have also been rebased on to the latest
main, as the original PR was based on amainthat was at least a year old.CHANGELOG: Build: adds macOS signed pkg build automation
Context: Fixes an issue?
Improves the process for signing the releases for macOS and potentially submitting them automatically to the App Store.
Does this change need documentation? What needs to be documented and how?
Required:
Certificates:
Identifier:
Status of this Pull Request
Brought up to date with the current
mainbranch. Build works.What is missing until this pull request can be merged?
Needs to be tested as-is with a release (e.g. nightly?), and in the future with suitable signing certificates for both notarization and App Store submission.
Checklist