Add entitlements for mac building

sdercolin · Dec 12, 2023 · 0f86097 · 0f86097
1 parent 6fb6902
commit 0f86097
Show file tree

Hide file tree

Showing 6 changed files with 53 additions and 25 deletions.
diff --git a/.github/workflows/release-mac-arm.yml b/.github/workflows/release-mac-arm.yml
@@ -43,41 +43,25 @@ jobs:
           distribution: 'corretto'
 
       - name: Prepare signing
-        env:
-          KEYCHAIN_NAME: build.keychain
-          KEYCHAIN_PWD: ${{ secrets.KEYCHAIN_PWD }}
         run: |
-          # Unlock the keychain
-          security unlock-keychain -p "$KEYCHAIN_PWD" "$KEYCHAIN_NAME"
-          
-          # Set keychain settings to prevent it from locking automatically
-          security set-keychain-settings "$KEYCHAIN_NAME"
-          
-          # Set the keychain to be searched by default, which is necessary for codesign to find the certificate
-          security list-keychains -s "$KEYCHAIN_NAME"
-          
-          # Verify that the certificate is available in the keychain
-          security find-identity -vp codesigning "$KEYCHAIN_NAME"
-          
           # Configure the local.properties file with the necessary information for signing
           echo "compose.desktop.mac.sign=true" > local.properties
           echo "compose.desktop.mac.signing.identity=${{ secrets.MACOS_CERTIFICATE_IDENTITY }}" >> local.properties
           echo "compose.desktop.mac.notarization.appleID=${{ secrets.APPLE_ID }}" >> local.properties
           echo "compose.desktop.mac.notarization.password=${{ secrets.MACOS_APP_PWD }}" >> local.properties
+          echo "compose.desktop.mac.notarization.teamID=${{ secrets.APPLE_TEAM_ID }}" >> local.properties
           cat local.properties
 
       - name: Build with Gradle
         uses: gradle/gradle-build-action@v2
         with:
-          arguments: packageDmg
+          arguments: notarizeDmg
 
-      - name: Rename and notarize
+      - name: Rename
         run: |
           VERSION=${{ github.ref_name }}
           echo $VERSION
           mv ./desktopApp/build/compose/binaries/main/dmg/RecStar-1.0.0.dmg ./recstar-$VERSION-mac-arm64.dmg
-          xcrun notarytool submit recstar-$VERSION-mac-arm64.dmg --apple-id ${{ secrets.APPLE_ID }} --password ${{ secrets.MACOS_APP_PWD }} --team-id ${{ secrets.APPLE_TEAM_ID }} --wait
-          xcrun stapler staple recstar-$VERSION-mac-arm64.dmg
 
       - name: Release
         uses: softprops/action-gh-release@v1

diff --git a/.github/workflows/release-mac.yml b/.github/workflows/release-mac.yml
@@ -55,21 +55,23 @@ jobs:
           security import certificate.p12 -k build.keychain -P $MACOS_CERTIFICATE_PWD -T /usr/bin/codesign
           security find-identity -v
           security set-key-partition-list -S apple-tool:,apple:,codesign: -s -k $KEYCHAIN_PWD build.keychain
-          echo $'compose.desktop.mac.sign=true\ncompose.desktop.mac.signing.identity=${{ secrets.MACOS_CERTIFICATE_IDENTITY }}\ncompose.desktop.mac.notarization.appleID=${{ secrets.APPLE_ID }}\ncompose.desktop.mac.notarization.password=${{ secrets.MACOS_APP_PWD }}' >local.properties
+          echo "compose.desktop.mac.sign=true" > local.properties
+          echo "compose.desktop.mac.signing.identity=${{ secrets.MACOS_CERTIFICATE_IDENTITY }}" >> local.properties
+          echo "compose.desktop.mac.notarization.appleID=${{ secrets.APPLE_ID }}" >> local.properties
+          echo "compose.desktop.mac.notarization.password=${{ secrets.MACOS_APP_PWD }}" >> local.properties
+          echo "compose.desktop.mac.notarization.teamID=${{ secrets.APPLE_TEAM_ID }}" >> local.properties
           cat local.properties
 
       - name: Build with Gradle
         uses: gradle/gradle-build-action@v2
         with:
-          arguments: packageDmg
+          arguments: notarizeDmg
 
-      - name: Rename and notarize
+      - name: Rename
         run: |
           VERSION=${{ github.ref_name }}
           echo $VERSION
           mv ./desktopApp/build/compose/binaries/main/dmg/RecStar-1.0.0.dmg ./recstar-$VERSION-mac-x64.dmg
-          xcrun notarytool submit recstar-$VERSION-mac-x64.dmg --apple-id ${{ secrets.APPLE_ID }} --password ${{ secrets.MACOS_APP_PWD }} --team-id ${{ secrets.APPLE_TEAM_ID }} --wait
-          xcrun stapler staple recstar-$VERSION-mac-x64.dmg
 
       - name: Release
         uses: softprops/action-gh-release@v1

diff --git a/desktopApp/build.gradle.kts b/desktopApp/build.gradle.kts
@@ -62,6 +62,8 @@ compose.desktop {
                     extraKeysRawXml = "  <key>NSMicrophoneUsageDescription</key>\n" +
                         "  <string>RecStar needs access to the microphone to be able to record audio.</string>"
                 }
+                entitlementsFile.set(project.file("entitlements.plist"))
+                runtimeEntitlementsFile.set(project.file("runtime-entitlements.plist"))
             }
             windows {
                 iconFile.set(project.file("src/jvmMain/resources/icon.ico"))

diff --git a/desktopApp/entitlements.plist b/desktopApp/entitlements.plist
@@ -0,0 +1,20 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "https://www.apple.com/DTDs/PropertyList-1.0.dtd">
+<plist version="1.0">
+<dict>
+    <key>com.apple.security.cs.allow-jit</key>
+    <true/>
+    <key>com.apple.security.cs.allow-unsigned-executable-memory</key>
+    <true/>
+    <key>com.apple.security.cs.disable-library-validation</key>
+    <true/>
+    <key>com.apple.security.cs.allow-dyld-environment-variables</key>
+    <true/>
+    <key>com.apple.security.cs.debugger</key>
+    <true/>
+    <key>com.apple.security.device.audio-input</key>
+    <true/>
+    <key>com.apple.security.device.microphone</key>
+    <true/>
+</dict>
+</plist>
diff --git a/desktopApp/runtime-entitlements.plist b/desktopApp/runtime-entitlements.plist
@@ -0,0 +1,20 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "https://www.apple.com/DTDs/PropertyList-1.0.dtd">
+<plist version="1.0">
+<dict>
+    <key>com.apple.security.cs.allow-jit</key>
+    <true/>
+    <key>com.apple.security.cs.allow-unsigned-executable-memory</key>
+    <true/>
+    <key>com.apple.security.cs.disable-library-validation</key>
+    <true/>
+    <key>com.apple.security.cs.allow-dyld-environment-variables</key>
+    <true/>
+    <key>com.apple.security.cs.debugger</key>
+    <true/>
+    <key>com.apple.security.device.audio-input</key>
+    <true/>
+    <key>com.apple.security.device.microphone</key>
+    <true/>
+</dict>
+</plist>
diff --git a/iosApp/iosApp/Info.plist b/iosApp/iosApp/Info.plist
@@ -53,6 +53,6 @@
     <key>NSDocumentsDirectory</key>
     <string>Read/Write access to app’s shared documents directory</string>
     <key>NSMicrophoneUsageDescription</key>
-    <string>We need access to the microphone for recording purposes.</string>
+    <string>RecStar needs access to the microphone to be able to record audio.</string>
 </dict>
 </plist>