[TASK] Sign MacOS Application

mjonuschat · Apr 13, 2024 · 2cc97af · 2cc97af
1 parent e36a9e4
commit 2cc97af
Show file tree

Hide file tree

Showing 2 changed files with 35 additions and 2 deletions.
diff --git a/.github/scripts/disable_validation.entitlements b/.github/scripts/disable_validation.entitlements
@@ -0,0 +1,8 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
+<plist version="1.0">
+<dict>
+    <key>com.apple.security.cs.disable-library-validation</key>
+    <true/>
+</dict>
+</plist>
diff --git a/.github/workflows/build_prusa.yml b/.github/workflows/build_prusa.yml
@@ -85,9 +85,34 @@ jobs:
         run: |
           ./build_release_macos.sh -s -n -a ${{inputs.arch}} -t 10.15
 
+      - name: Sign app and notary
+        if: (github.ref == 'refs/heads/boss' || startsWith(github.ref, 'refs/heads/release/')) && (inputs.os == 'macos-12' || inputs.os == 'macos-13' || inputs.os == 'macos-14')
+        working-directory: ${{ github.workspace }}
+        env:
+          BUILD_CERTIFICATE_BASE64: ${{ secrets.BUILD_CERTIFICATE_BASE64 }}
+          P12_PASSWORD: ${{ secrets.P12_PASSWORD }}
+          KEYCHAIN_PASSWORD: ${{ secrets.KEYCHAIN_PASSWORD }}
+          CERTIFICATE_ID: ${{ secrets.MACOS_CERTIFICATE_ID }}
+        run: |
+          CERTIFICATE_PATH=$RUNNER_TEMP/build_certificate.p12
+          KEYCHAIN_PATH=$RUNNER_TEMP/app-signing.keychain-db
+          echo -n "$BUILD_CERTIFICATE_BASE64" | base64 --decode --output $CERTIFICATE_PATH
+          security create-keychain -p $KEYCHAIN_PASSWORD $KEYCHAIN_PATH
+          security set-keychain-settings -lut 21600 $KEYCHAIN_PATH
+          security unlock-keychain -p $KEYCHAIN_PASSWORD $KEYCHAIN_PATH
+          security import $CERTIFICATE_PATH -P $P12_PASSWORD -A -t cert -f pkcs12 -k $KEYCHAIN_PATH
+          security list-keychain -d user -s $KEYCHAIN_PATH
+          security set-key-partition-list -S apple-tool:,apple:,codesign: -s -k $P12_PASSWORD $KEYCHAIN_PATH
+          codesign --deep --force --verbose --options runtime --timestamp --entitlements ${{ github.workspace }}/.github/scripts/disable_validation.entitlements --sign "$CERTIFICATE_ID" ${{ github.workspace }}/build_${{inputs.arch}}/PrusaSlicer/PrusaSlicer.app
+          ln -s /Applications ${{ github.workspace }}/build_${{inputs.arch}}/PrusaSlicer/Applications
+          hdiutil create -volname "PrusaSlicer" -srcfolder ${{ github.workspace }}/build_${{inputs.arch}}/PrusaSlicer -ov -format UDZO PrusaSlicer-${{ env.ver }}+MacOS-${{inputs.arch}}-${{ env.date }}.dmg
+          codesign --deep --force --verbose --options runtime --timestamp --entitlements ${{ github.workspace }}/.github/scripts/disable_validation.entitlements --sign "$CERTIFICATE_ID" PrusaSlicer-${{ env.ver }}+MacOS-${{inputs.arch}}-${{ env.date }}.dmg
+          xcrun notarytool store-credentials "notarytool-profile" --apple-id "${{ secrets.APPLE_DEV_ACCOUNT }}" --team-id "${{ secrets.TEAM_ID }}" --password "${{ secrets.APP_PWD }}"
+          xcrun notarytool submit "PrusaSlicer-${{ env.ver }}+MacOS-${{inputs.arch}}-${{ env.date }}.dmg" --keychain-profile "notarytool-profile" --wait
+          xcrun stapler staple PrusaSlicer-${{ env.ver }}+MacOS-${{inputs.arch}}-${{ env.date }}.dmg
+
       - name: Create DMG without notary
-        # if: github.ref != 'refs/heads/boss' && (inputs.os == 'macos-12' || inputs.os == 'macos-13' || inputs.os == 'macos-14')
-        if: inputs.os == 'macos-12' || inputs.os == 'macos-13' || inputs.os == 'macos-14'
+        if: (github.ref != 'refs/heads/boss' && !startsWith(github.ref, 'refs/heads/release/')) && (inputs.os == 'macos-12' || inputs.os == 'macos-13' || inputs.os == 'macos-14')
         working-directory: ${{ github.workspace }}
         run: |
           ln -s /Applications ${{ github.workspace }}/build_${{inputs.arch}}/PrusaSlicer/Applications