jamulussoftware · ann0see · Aug 23, 2024 · Aug 22, 2024 · ann0see · Aug 22, 2024
diff --git a/.github/autobuild/mac.sh b/.github/autobuild/mac.sh
@@ -190,18 +190,27 @@ pass_artifact_to_job() {
     fi
 }
 
-appstore_submit() {
-    echo "Submitting package to AppStore Connect..."
-    # test the signature of package
-    pkgutil --check-signature "${ARTIFACT_PATH}"
+notarize() {
+    echo "Submitting artifact to AppStore Connect..."
 
+    if [[ ${ARTIFACT_PATH} == *.pkg ]]; then
+        # Check if .pkg file is signed. (https://apple.stackexchange.com/a/212336)
+        pkgutil --check-signature "${ARTIFACT_PATH}"
+    fi
+
+    echo "Requesting notarization..."
     xcrun notarytool submit "${ARTIFACT_PATH}" \
         --apple-id "${NOTARIZATION_USERNAME}" \
         --team-id "${APPLE_TEAM_ID}" \
         --password "${NOTARIZATION_PASSWORD}" \
         --wait
 }
 
+staple() {
+    echo "Stapling package..."
+    xcrun stapler staple "${ARTIFACT_PATH}"
+}
+
 case "${1:-}" in
     setup)
         setup
@@ -212,8 +221,11 @@ case "${1:-}" in
     get-artifacts)
         pass_artifact_to_job
         ;;
-    appstore-submit)
-        appstore_submit
+    notarize)
+        notarize
+        ;;
+    staple)
+        staple
         ;;
     *)
         echo "Unknown stage '${1:-}'"

diff --git a/.github/workflows/autobuild.yml b/.github/workflows/autobuild.yml
@@ -365,13 +365,13 @@ jobs:
         run:                        ${{ matrix.config.base_command }} build
         env:
           JAMULUS_BUILD_VERSION:    ${{ needs.create_release.outputs.build_version }}
-          MACOS_CERTIFICATE:        ${{ secrets.MACOS_CERT}}
-          MACOS_CERTIFICATE_PWD:    ${{ secrets.MACOS_CERT_PWD }}
-          MACOS_CERTIFICATE_ID:     ${{ secrets.MACOS_CERT_ID }}
-          MAC_STORE_APP_CERT:       ${{ secrets.MACAPP_CERT}}
+          MACOS_CERTIFICATE:        ${{ secrets.MACOS_CERT }} # Base64 encoded Developer ID Application certificate. See https://help.apple.com/xcode/mac/current/#/dev154b28f09
+          MACOS_CERTIFICATE_PWD:    ${{ secrets.MACOS_CERT_PWD }} # Password protecting secrets.MACOS_CERTIFICATE
+          MACOS_CERTIFICATE_ID:     ${{ secrets.MACOS_CERT_ID }} # Certificate ID of secrets.MACOS_CERTIFICATE. If unknown, import secrets.MACOS_CERT into keychain and get the hash via "security find-identity -v"
+          MAC_STORE_APP_CERT:       ${{ secrets.MACAPP_CERT }} # Base64 encoded Mac App Distribution certificate
           MAC_STORE_APP_CERT_PWD:   ${{ secrets.MACAPP_CERT_PWD }}
           MAC_STORE_APP_CERT_ID:    ${{ secrets.MACAPP_CERT_ID }}
-          MAC_STORE_INST_CERT:      ${{ secrets.MACAPP_INST_CERT}}
+          MAC_STORE_INST_CERT:      ${{ secrets.MACAPP_INST_CERT }} # Base64 encoded Mac Installer Distribution certificate
           MAC_STORE_INST_CERT_PWD:  ${{ secrets.MACAPP_INST_CERT_PWD }}
           MAC_STORE_INST_CERT_ID:   ${{ secrets.MACAPP_INST_CERT_ID }}
           NOTARIZATION_PASSWORD:    ${{ secrets.NOTARIZATION_PASSWORD }}
@@ -408,23 +408,24 @@ jobs:
                                     needs.create_release.outputs.publish_to_release == 'true' &&
                                     steps.build.outputs.macos_notarize == 'true'
         id:                         notarize-macOS-app
-        uses:                       lando/notarize-action@4f5869b09386e8336802159031e4189e0919ae20
-        with:
-          product-path:             deploy/${{ steps.get-artifacts.outputs.artifact_1 }}
-          primary-bundle-id:        io.jamulus.Jamulus
-          appstore-connect-username: ${{ secrets.NOTARIZATION_USERNAME }}
-          appstore-connect-password: ${{ secrets.NOTARIZATION_PASSWORD }}
-          appstore-connect-team-id:  ${{ secrets.NOTARIZATION_TEAM_ID }}
+        run:                        ${{ matrix.config.base_command }} notarize
+        env:
+          JAMULUS_BUILD_VERSION:    ${{ needs.create_release.outputs.build_version }}
+          ARTIFACT_PATH:            deploy/${{ steps.get-artifacts.outputs.artifact_1 }}
+          NOTARIZATION_USERNAME:    ${{ secrets.NOTARIZATION_USERNAME }} # Apple ID for notarization
+          NOTARIZATION_PASSWORD:    ${{ secrets.NOTARIZATION_PASSWORD }} # App specific password for Apple ID
+          APPLE_TEAM_ID:            ${{ secrets.NOTARIZATION_TEAM_ID }} # Team ID from App Store Connect
 
       - name:                       Staple macOS Release Build
         if:                         >-
                                     steps.build.outputs.macos_signed == 'true' &&
                                     needs.create_release.outputs.publish_to_release == 'true' &&
                                     steps.build.outputs.macos_notarize == 'true'
         id:                         staple-macOS-app
-        uses:                       BoundfoxStudios/action-xcode-staple@cd6c16fb6a3dfb365203a41343926f81e813afad
-        with:
-          product-path:             deploy/${{ steps.get-artifacts.outputs.artifact_1 }}
+        run:                        ${{ matrix.config.base_command }} staple
+        env:
+          JAMULUS_BUILD_VERSION:    ${{ needs.create_release.outputs.build_version }}
+          ARTIFACT_PATH:            deploy/${{ steps.get-artifacts.outputs.artifact_1 }}
 
       - name:                       Deploy Artifacts to Release
         if:                         needs.create_release.outputs.publish_to_release == 'true'
@@ -436,20 +437,6 @@ jobs:
         env:
           GITHUB_TOKEN:             ${{ secrets.GITHUB_TOKEN }}
 
-      ## RELEASE PROCEDURE FOR: macOS App Store - storesigned pkg
-      - name:                       Validate and Upload macOS Storesign Pkg
-        if:                         >-
-                                    steps.build.outputs.macos_store == 'true' &&
-                                    needs.create_release.outputs.publish_to_release == 'true'
-        id:                         macos_validate_upload
-        run:                        ${{ matrix.config.base_command }} appstore-submit
-        env:
-          ARTIFACT_PATH:            deploy/${{ steps.get-artifacts.outputs.artifact_2 }}
-          NOTARIZATION_USERNAME:    ${{ secrets.NOTARIZATION_USERNAME }}
-          NOTARIZATION_PASSWORD:    ${{ secrets.NOTARIZATION_PASSWORD }}
-          JAMULUS_BUILD_VERSION:    ${{ needs.create_release.outputs.build_version }}
-          APPLE_TEAM_ID:            XXXXXXXXXXX
-
       - name:                       Perform CodeQL Analysis
         if:                         matrix.config.run_codeql
         uses:                       github/codeql-action/analyze@v3