Merge pull request #302 from squidowl/feat/sign-macos

Sign macOS builds

.github/workflows/release.yml

@@ -53,6 +53,22 @@ jobs:
       - name: Build
         run: ${{ matrix.target.make }}
 
+      - name: Sign macOS
+        if: matrix.target.target == 'macos'
+        env: 
+          MACOS_CERTIFICATE: ${{ secrets.MACOS_CERTIFICATE }}
+          MACOS_CERTIFICATE_PWD: ${{ secrets.MACOS_CERTIFICATE_PWD }}
+          MACOS_CERTIFICATE_NAME: ${{ secrets.MACOS_CERTIFICATE_NAME }}
+          MACOS_CI_KEYCHAIN_PWD: ${{ secrets.MACOS_CI_KEYCHAIN_PWD }}
+          MACOS_NOTARIZATION_APPLE_ID: ${{ secrets.MACOS_NOTARIZATION_APPLE_ID }}
+          MACOS_NOTARIZATION_TEAM_ID: ${{ secrets.MACOS_NOTARIZATION_TEAM_ID }}
+          MACOS_NOTARIZATION_PWD: ${{ secrets.MACOS_NOTARIZATION_PWD }}
+        run: bash scripts/sign-macos.sh
+
+      - name: Package macOS
+        if: matrix.target.target == 'macos'
+        run: bash scripts/package-macos.sh
+
       - name: Set artifact path
         run: ${{ matrix.target.artifact_path }}
 

scripts/build-macos.sh

@@ -36,10 +36,3 @@ cp -fRp "$APP_TEMPLATE" "$APP_DIR"
 cp -fp "$APP_BINARY" "$APP_BINARY_DIR"
 touch -r "$APP_BINARY" "$APP_DIR/$APP_NAME"
 echo "Created '$APP_NAME' in '$APP_DIR'"
-
-# package dmg
-echo "Packing disk image..."
-ln -sf /Applications "$DMG_DIR/Applications"
-hdiutil create "$DMG_DIR/$DMG_NAME" -volname "Halloy" -fs HFS+ -srcfolder "$APP_DIR" -ov -format UDZO
-echo "Packed '$APP_NAME' in '$APP_DIR'"
-

scripts/package-macos.sh

@@ -0,0 +1,13 @@
+#!/bin/bash
+
+RELEASE_DIR="target/release"
+APP_DIR="$RELEASE_DIR/macos"
+APP_NAME="Halloy.app"
+DMG_NAME="halloy.dmg"
+DMG_DIR="$RELEASE_DIR/macos"
+
+# package dmg
+echo "Packing disk image..."
+ln -sf /Applications "$DMG_DIR/Applications"
+hdiutil create "$DMG_DIR/$DMG_NAME" -volname "Halloy" -fs HFS+ -srcfolder "$APP_DIR" -ov -format UDZO
+echo "Packed '$APP_NAME' in '$APP_DIR'"

scripts/sign-macos.sh

@@ -0,0 +1,39 @@
+#!/bin/bash
+
+RELEASE_DIR="target/release"
+APP_DIR="$RELEASE_DIR/macos"
+APP_NAME="Halloy.app"
+APP_PATH=$APP_DIR/$APP_NAME
+
+environment=("MACOS_CERTIFICATE" "MACOS_CERTIFICATE_PWD" "MACOS_CI_KEYCHAIN_PWD" "MACOS_CERTIFICATE_NAME" "MACOS_NOTARIZATION_APPLE_ID" "MACOS_NOTARIZATION_TEAM_ID" "MACOS_NOTARIZATION_PWD")
+for var in "${environment[@]}"; do
+    if [[ -z "${!var}" ]]; then
+        echo "Error: $var is not set"
+        exit 1
+    fi
+done
+
+echo "Decoding certificate"
+echo $MACOS_CERTIFICATE | base64 --decode > certificate.p12
+
+echo "Installing cert in a new key chain"
+security create-keychain -p "$MACOS_CI_KEYCHAIN_PWD" build.keychain 
+security default-keychain -s build.keychain
+security unlock-keychain -p "$MACOS_CI_KEYCHAIN_PWD" build.keychain
+security import certificate.p12 -k build.keychain -P "$MACOS_CERTIFICATE_PWD" -T /usr/bin/codesign
+security set-key-partition-list -S apple-tool:,apple:,codesign: -s -k "$MACOS_CI_KEYCHAIN_PWD" build.keychain
+
+echo "Signing..."
+/usr/bin/codesign --force -s "$MACOS_CERTIFICATE_NAME" --options runtime $APP_PATH -v
+
+echo "Create keychain profile"
+xcrun notarytool store-credentials "notarytool-profile" --apple-id "$MACOS_NOTARIZATION_APPLE_ID" --team-id "$MACOS_NOTARIZATION_TEAM_ID" --password "$MACOS_NOTARIZATION_PWD"
+
+echo "Creating temp notarization archive"
+ditto -c -k --keepParent "$APP_PATH" "notarization.zip"
+
+echo "Notarize app"
+xcrun notarytool submit "notarization.zip" --keychain-profile "notarytool-profile" --wait
+
+echo "Attach staple"
+xcrun stapler staple $APP_PATH