Notarize the GitX app #334
@@ -30,15 +30,84 @@ jobs: | |
submodules: recursive | ||
- name: Set XCode Version | ||
run: sudo xcode-select -s /Applications/${{ matrix.xcode }}.app | ||
- name: Install the Apple certificate and provisioning profile | ||
env: | ||
BUILD_CERTIFICATE_BASE64: ${{ secrets.BUILD_CERTIFICATE_BASE64 }} | ||
P12_PASSWORD: ${{ secrets.P12_PASSWORD }} | ||
BUILD_PROVISION_PROFILE_BASE64: ${{ secrets.BUILD_PROVISION_PROFILE_BASE64 }} | ||
KEYCHAIN_PASSWORD: ${{ secrets.KEYCHAIN_PASSWORD }} | ||
run: | | ||
# create variables | ||
CERTIFICATE_PATH=$RUNNER_TEMP/build_certificate.p12 | ||
PP_PATH=$RUNNER_TEMP/build_pp.provisionprofile | ||
KEYCHAIN_PATH=$RUNNER_TEMP/app-signing.keychain-db | ||
|
||
# import certificate and provisioning profile from secrets | ||
echo -n "$BUILD_CERTIFICATE_BASE64" | base64 --decode --output $CERTIFICATE_PATH | ||
echo -n "$BUILD_PROVISION_PROFILE_BASE64" | base64 --decode --output $PP_PATH | ||
|
||
# create temporary keychain | ||
security create-keychain -p "$KEYCHAIN_PASSWORD" $KEYCHAIN_PATH | ||
security set-keychain-settings -lut 21600 $KEYCHAIN_PATH | ||
security unlock-keychain -p "$KEYCHAIN_PASSWORD" $KEYCHAIN_PATH | ||
|
||
# import certificate to keychain | ||
security import $CERTIFICATE_PATH -P "$P12_PASSWORD" -A -t cert -f pkcs12 -k $KEYCHAIN_PATH | ||
security list-keychain -d user -s $KEYCHAIN_PATH | ||
|
||
# apply provisioning profile | ||
mkdir -p ~/Library/MobileDevice/Provisioning\ Profiles | ||
cp $PP_PATH ~/Library/MobileDevice/Provisioning\ Profiles | ||
- name: pre build | ||
run: cd External/objective-git && script/bootstrap && script/update_libgit2 && cd ../.. | ||
- name: Build project | ||
run: xcodebuild -workspace GitX.xcworkspace -scheme GitX -archivePath ./GitX archive ARCHS="${{ matrix.abi }}" | ||
run: xcodebuild -workspace GitX.xcworkspace -scheme GitX -archivePath ./GitX archive ARCHS="${{ matrix.abi }}" PRODUCT_BUNDLE_IDENTIFIER=${{ secrets.NOTARY_BUNDLE_IDENTIFIER}} | ||
- name: Prepare artifact | ||
env: | ||
EXPORT_OPTIONS: ${{ secrets.NOTARY_EXPORT_OPTIONS }} | ||
@insha
@hannesa2 Apologies for the delayed response. The value of this secret variable is the contents of the export options plist file. It is in secrets because it contains my Apple Team ID. The contents are as follows with my team ID redacted:
You mean to say the entire XML content is put inside an environment variable? 🤔
Yes, from what I recall, that is correct. The reason being that the plist file has sensitive information in it.
||
run: | | ||
mv GitX.xcarchive/Products/Applications/GitX.app . | ||
||
EXPORT_OPTIONS_PATH=$RUNNER_TEMP/ExportOptions.plist | ||
|
||
echo -n "$EXPORT_OPTIONS" > EXPORT_OPTIONS_PATH | ||
|
||
xcodebuild -exportArchive -archivePath GitX.xcarchive -exportPath . -exportOptionsPlist EXPORT_OPTIONS_PATH | ||
Now we create a new archive and use this. Not sure if this is an issue.
||
|
||
hdiutil create -fs HFS+ -srcfolder GitX.app -volname GitX GitX-${{ matrix.abi }}.dmg | ||
zip -r GitX-${{ matrix.abi }}.zip GitX.app | ||
- name: Notarize App | ||
env: | ||
APPLE_ID: ${{ secrets.APPLE_ID }} | ||
TEAM_ID: ${{ secrets.APPLE_TEAM_ID }} | ||
APPLE_PASSWORD: ${{ secrets.APPLE_PASSWORD }} | ||
KEY_ID: ${{ secrets.APPLE_KEY_ID }} | ||
run: | | ||
APP_PATH="GitX.app" | ||
ZIP_PATH="GitX.zip" | ||
NOTARY_LOG="notary.log" | ||
ID_FILE="id.txt" | ||
|
||
ditto -c -k --keepParent "$APP_PATH" "$ZIP_PATH" | ||
|
||
xcrun notarytool submit "$ZIP_PATH" --key-id $KEY_ID --apple-id $APPLE_ID --team-id $TEAM_ID --password $APPLE_PASSWORD --wait | tee "$NOTARY_LOG" echo "print log output" | ||
cat "$NOTARY_LOG" | ||
|
||
ID=$(cat "$NOTARY_LOG" | tail -3 | cut -d':' -f2 | head -n 1) | ||
echo "Id is: $ID" | ||
|
||
xcrun notarytool log $ID --apple-id $APPLE_ID --team-id $TEAM_ID --password $APPLE_PASSWORD | ||
- name: Staple Notarization | ||
run: | | ||
# While you can notarize a ZIP archive, you can’t staple to it directly. | ||
# Instead, run stapler against each item that you added to the archive. | ||
# Then create a new ZIP file containing the stapled items for distribution. | ||
# Reference: https://developer.apple.com/documentation/security/notarizing_macos_software_before_distribution/customizing_the_notarization_workflow | ||
APP_PATH="GitX.app" | ||
ZIP_PATH="GitX.zip" | ||
|
||
xcrun stapler staple "$APP_PATH" | ||
ditto -c -k --keepParent "$APP_PATH" "$ZIP_PATH" | ||
- name: Check Notarization | ||
run: spctl -a -vv GitX.app | ||
I added this verification of the notarization.
||
- name: Upload artifact | ||
uses: actions/upload-artifact@v3 | ||
if: ${{ success() }} | ||
|
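Review bot: `echo -n "$EXPORT_OPTIONS" > EXPORT_OPTIONS_PATH` in the Prepare artifact step is missing the `$`, so the plist is written to a literal file named `EXPORT_OPTIONS_PATH` in the working directory and the `EXPORT_OPTIONS_PATH=$RUNNER_TEMP/ExportOptions.plist` variable above it is never used; `-exportOptionsPlist EXPORT_OPTIONS_PATH` only works because it repeats the same literal name. Both should read `"$EXPORT_OPTIONS_PATH"`. In the Notarize App step, `... --wait | tee "$NOTARY_LOG" echo "print log output"` hands `echo` and `print log output` to `tee` as extra output file names instead of running a second command; the `echo` needs its own line. The same command passes `--key-id` together with `--apple-id`/`--password`, which mixes notarytool's API-key and Apple-ID authentication modes (`--key-id` belongs with `--key` and `--issuer`); use one set of credentials and drop the other secret. Extracting the submission id with `tail -3 | cut -d':' -f2 | head -n 1` depends on the exact layout of the human-readable output; `notarytool submit --output-format json` returns a stable `id` field to read instead. On the Build project line, the `PRODUCT_BUNDLE_IDENTIFIER=${{ secrets.NOTARY_BUNDLE_IDENTIFIER}}` override ends up in the shipped app's Info.plist, so keeping it in a secret only hides it from the workflow file and masks it in logs; if it stays, pass it through `env:` rather than interpolating `${{ }}` directly into the shell command, as the other steps already do.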
@@ -51,3 +120,8 @@ jobs: | |
with: | ||
name: GitX-${{ matrix.abi }}.zip | ||
path: GitX-${{ matrix.abi }}.zip | ||
- name: Clean up keychain and provisioning profile | ||
if: ${{ always() }} | ||
run: | | ||
security delete-keychain $RUNNER_TEMP/app-signing.keychain-db | ||
rm ~/Library/MobileDevice/Provisioning\ Profiles/build_pp.provisionprofile |
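Review bot: the uploaded artifact `path: GitX-${{ matrix.abi }}.zip` is the zip created in the Prepare artifact step, before Notarize App and Staple Notarization run, so it contains the un-stapled GitX.app; the stapled copy is only written to `GitX.zip`, which is never uploaded, and the `.dmg` built in the same step is neither notarized nor uploaded. Create the abi-named zip after `xcrun stapler staple` (the `ditto` in the staple step can write it directly) and point `path:` at that file. The cleanup step running under `if: ${{ always() }}` is the right pattern for the keychain and profile.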
@@ -0,0 +1,5 @@ | ||
<?xml version="1.0" encoding="UTF-8"?> | ||
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd"> | ||
<plist version="1.0"> | ||
<dict/> | ||
</plist> |
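Review bot: this added plist file contains only an empty `<dict/>` (the two following added files are identical), while the workflow writes its export options from `secrets.NOTARY_EXPORT_OPTIONS` at run time rather than reading a committed file, so these files appear unused. If they are meant as placeholders for the export options, a `method` and `teamID` entry plus a comment on how they relate to the secret would make the intent clear; otherwise drop them.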
@@ -0,0 +1,5 @@ | ||
<?xml version="1.0" encoding="UTF-8"?> | ||
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd"> | ||
<plist version="1.0"> | ||
<dict/> | ||
</plist> |
@@ -0,0 +1,5 @@ | ||
<?xml version="1.0" encoding="UTF-8"?> | ||
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd"> | ||
<plist version="1.0"> | ||
<dict/> | ||
</plist> |
@insha can it be that this secrets.NOTARY_BUNDLE_IDENTIFIER has a relation to this, meaning the identifier net.phere.GitX?