From ddf258e3f45962f0759db975b594921c63470873 Mon Sep 17 00:00:00 2001 From: falkTX Date: Mon, 11 Mar 2024 09:03:31 +0100 Subject: [PATCH] Add codesign step Signed-off-by: falkTX --- .github/workflows/build.yml | 24 +++++--- src/mod-ui | 2 +- utils/macos/entitlements.plist | 8 +++ utils/macos/macos-dmg.sh | 103 +++++++++++++++++++++++++++++++++ utils/macos/macos-pkg.sh | 34 +++++++++++ 5 files changed, 163 insertions(+), 8 deletions(-) create mode 100644 utils/macos/entitlements.plist create mode 100755 utils/macos/macos-dmg.sh diff --git a/.github/workflows/build.yml b/.github/workflows/build.yml index 402db29..d1dc708 100644 --- a/.github/workflows/build.yml +++ b/.github/workflows/build.yml @@ -7,11 +7,12 @@ env: CACHE_VERSION_MACOS: 20 CACHE_VERSION_WIN64: 19 DEBIAN_FRONTEND: noninteractive + HOMEBREW_NO_AUTO_UPDATE: 1 PAWPAW_FAST_MATH: 1 PAWPAW_SKIP_LTO: 1 PAWPAW_SKIP_TESTS: 1 RELEASE_OS_LINUX: ubuntu:18.04 - RELEASE_OS_MAC: macos-11 + RELEASE_OS_MAC: macos-12 RELEASE_OS_WIN64: ubuntu:22.04 jobs: @@ -211,10 +212,10 @@ jobs: target: macos-10.15 - os: macos-12 target: macos-universal-10.15 - - os: macos-13 - target: macos-10.15 - - os: macos-13 - target: macos-universal-10.15 + # - os: macos-13 + # target: macos-10.15 + # - os: macos-13 + # target: macos-universal-10.15 runs-on: ${{ matrix.os }} steps: - uses: actions/checkout@v4 @@ -222,6 +223,7 @@ jobs: submodules: recursive - name: Set up dependencies run: | + brew uninstall --ignore-dependencies --force azure-cli aws-sam-cli php ./src/PawPaw/.github/workflows/bootstrap-deps.sh ${{ matrix.target }} brew install p7zip wget - name: Set up cache @@ -239,9 +241,10 @@ jobs: run: | make PAWPAW_TARGET=${{ matrix.target }} - name: Validate plugins - if: steps.cache.outputs.cache-hit == 'true' + if: false + #if: steps.cache.outputs.cache-hit == 'true' run: | - ./utils/plugin-builder/validate-plugins.sh ${{ matrix.target }} + # ./utils/plugin-builder/validate-plugins.sh ${{ matrix.target }} # FIXME dirty carla leaves temp folders around rm -rf *.tmp - name: Set version tag for release @@ -254,6 +257,13 @@ jobs: echo "VERSION_TAG=$(echo ${{ github.event.pull_request.number || github.sha }} | cut -c1-8)" >> $GITHUB_ENV - name: Pack if: steps.cache.outputs.cache-hit == 'true' + env: + CODESIGN_APP_IDENTITY: ${{ secrets.CODESIGN_APP_IDENTITY }} + CODESIGN_PKG_IDENTITY: ${{ secrets.CODESIGN_PKG_IDENTITY }} + CODESIGN_APP_P12_CONTENTS: ${{ secrets.CODESIGN_APP_P12_CONTENTS }} + CODESIGN_PKG_P12_CONTENTS: ${{ secrets.CODESIGN_PKG_P12_CONTENTS }} + CODESIGN_APP_P12_PASSWORD: ${{ secrets.CODESIGN_APP_P12_PASSWORD }} + CODESIGN_PKG_P12_PASSWORD: ${{ secrets.CODESIGN_PKG_P12_PASSWORD }} run: | ./utils/macos/macos-pkg.sh ${{ matrix.target }} if [ "${{ env.VERSION_TAG }}" != "$(cat VERSION)" ]; then diff --git a/src/mod-ui b/src/mod-ui index 6615183..0595788 160000 --- a/src/mod-ui +++ b/src/mod-ui @@ -1 +1 @@ -Subproject commit 661518336c1222638d5ca4dbc79fb02dd40d1eef +Subproject commit 0595788f54ade32e58b897d4292d865fd805b972 diff --git a/utils/macos/entitlements.plist b/utils/macos/entitlements.plist new file mode 100644 index 0000000..4efe1ce --- /dev/null +++ b/utils/macos/entitlements.plist @@ -0,0 +1,8 @@ + + + + + com.apple.security.cs.allow-jit + + + diff --git a/utils/macos/macos-dmg.sh b/utils/macos/macos-dmg.sh new file mode 100755 index 0000000..dd7ee83 --- /dev/null +++ b/utils/macos/macos-dmg.sh @@ -0,0 +1,103 @@ +#!/bin/bash + +set -e + +if [ ! -d build ]; then + echo "Please run this script from the root folder" + exit +fi + +if [ "$(uname -m)" = "x86_64" ] && [ x"${1}" != x"macos-universal-10.15" ]; then + PAWPAW_PREFIX="${HOME}/PawPawBuilds/targets/macos-10.15" +else + PAWPAW_PREFIX="${HOME}/PawPawBuilds/targets/macos-universal-10.15" +fi + +rm -rf build/dmg build/*.dmg +rm -rf mod-ui/mod/__pycache__ +rm -rf mod-ui/mod/communication/__pycache__ +rm -rf mod-ui/modtools/__pycache__ +./utils/pack-html.sh + +# create dmg dir for placing patched app bundle inside +mkdir build/dmg +gcp -rL "build/mod-desktop.app" "build/dmg/MOD Desktop.app" + +# patch rpath for Qt libs and jack tools +pushd "build/dmg/MOD Desktop.app/Contents" + +rm -rf Frameworks/*/*.prl +rm -rf Frameworks/*/Headers +rm -rf Frameworks/*/Versions +rm -rf MacOS/data + +QTLIBS=("Core" "Gui" "OpenGL" "PrintSupport" "Svg" "Widgets") + +for f in $(ls Frameworks/*/Qt* PlugIns/*/libq*.dylib); do + for q in "${QTLIBS[@]}"; do + install_name_tool -change "@rpath/Qt${q}.framework/Versions/5/Qt${q}" "@executable_path/../Frameworks/Qt${q}.framework/Qt${q}" "${f}" + done +done + +for f in $(ls MacOS/lib/libmod_utils.so MacOS/libjack*.dylib); do + install_name_tool -change "${PAWPAW_PREFIX}/lib/libjack.0.1.0.dylib" "@executable_path/libjack.0.dylib" "${f}" + install_name_tool -change "${PAWPAW_PREFIX}/lib/libjackserver.0.1.0.dylib" "@executable_path/libjackserver.0.dylib" "${f}" +done + +for f in $(ls MacOS/jackd MacOS/jack/*.so); do + install_name_tool -change "${PAWPAW_PREFIX}/lib/libjack.0.1.0.dylib" "@executable_path/libjackserver.0.dylib" "${f}" + install_name_tool -change "${PAWPAW_PREFIX}/lib/libjackserver.0.1.0.dylib" "@executable_path/libjackserver.0.dylib" "${f}" +done + +popd + +# sign app bundle +if [ -n "${CODESIGN_APP_IDENTITY}" ]; then + security create-keychain -p dummypassword build.keychain + security unlock-keychain -p dummypassword build.keychain + security set-keychain-settings -lut 21600 build.keychain + + echo "${CODESIGN_APP_P12_CONTENTS}" | base64 -d -o codesign.p12 + security import codesign.p12 -f pkcs12 -P "${CODESIGN_APP_P12_PASSWORD}" -k build.keychain -T /usr/bin/codesign -T /usr/bin/security + rm codesign.p12 + + security set-key-partition-list -S apple-tool:,apple: -k dummypassword build.keychain + security list-keychains -d user -s build.keychain login.keychain + + mv "build/dmg/MOD Desktop.app/Contents/PlugIns/LV2" "build/dmg/LV2" + + codesign -s "${CODESIGN_APP_IDENTITY}" \ + --deep \ + --force \ + --verbose \ + --timestamp \ + --option runtime \ + --entitlements "utils/macos/entitlements.plist" \ + "build/dmg/MOD Desktop.app" + + for f in $(find -name "*.dylib" build/dmg/LV2); do + codesign -s "${CODESIGN_APP_IDENTITY}" \ + --force \ + --verbose \ + --timestamp \ + --option runtime \ + --entitlements "utils/macos/entitlements.plist" \ + "${f}" + done + + mv "build/dmg/LV2" "build/dmg/MOD Desktop.app/Contents/PlugIns/LV2" +fi + +# create dmg +hdiutil create "mod-desktop-$(cat VERSION)-macOS.dmg" -srcfolder build/dmg -volname "MOD Desktop" -fs HFS+ -ov + +if [ -n "${CODESIGN_IDENTITY}" ]; then + codesign -s "${MACOS_APP_DEV_ID}" --force --verbose --option runtime "mod-desktop-$(cat VERSION)-macOS.dmg" + security delete-keychain build.keychain +fi + +# cleanup +rm -rf build/dmg + +# xcrun notarytool store-credentials build-notary --apple-id xyz --team-id xyz --password xyz +# xcrun notarytool submit choptones-amps-macOS.pkg --keychain-profile "build-notary" --wait diff --git a/utils/macos/macos-pkg.sh b/utils/macos/macos-pkg.sh index a7fb3f8..bf821d4 100755 --- a/utils/macos/macos-pkg.sh +++ b/utils/macos/macos-pkg.sh @@ -51,12 +51,42 @@ done popd +# sign app bundle +if [ -n "${CODESIGN_APP_IDENTITY}" ]; then + security create-keychain -p dummypassword build.keychain + security unlock-keychain -p dummypassword build.keychain + security set-keychain-settings -lut 21600 build.keychain + + echo "${CODESIGN_APP_P12_CONTENTS}" | base64 -d -o codesign.p12 + security import codesign.p12 -f pkcs12 -P "${CODESIGN_APP_P12_PASSWORD}" -k build.keychain -T /usr/bin/codesign -T /usr/bin/security + rm codesign.p12 + + echo "${CODESIGN_PKG_P12_CONTENTS}" | base64 -d -o codesign.p12 + security import codesign.p12 -f pkcs12 -P "${CODESIGN_PKG_P12_PASSWORD}" -k build.keychain -T /usr/bin/pkgbuild -T /usr/bin/productbuild -T /usr/bin/security + rm codesign.p12 + + security set-key-partition-list -S apple-tool:,apple: -k dummypassword build.keychain + security list-keychains -d user -s build.keychain login.keychain + + codesign -s "${CODESIGN_APP_IDENTITY}" \ + --deep \ + --force \ + --verbose \ + --timestamp \ + --option runtime \ + --entitlements "utils/macos/entitlements.plist" \ + "build/pkg/MOD Desktop.app" + + PKG_SIGN_ARGS=(--sign "${CODESIGN_PKG_IDENTITY}") +fi + # create base app pkg pkgbuild \ --identifier "audio.mod.desktop-app" \ --component-plist "utils/macos/build.plist" \ --install-location "/Applications/" \ --root "${PWD}/build/pkg/" \ + "${PKG_SIGN_ARGS[@]}" \ build/mod-desktop.pkg # create final pkg @@ -68,7 +98,11 @@ productbuild \ --identifier "audio.mod.desktop-app" \ --package-path "${PWD}/build" \ --version 0 \ + "${PKG_SIGN_ARGS[@]}" \ mod-desktop-$(cat VERSION)-macOS.pkg # cleanup rm -rf build/pkg +[ -n "${CODESIGN_APP_IDENTITY}" ] && security delete-keychain build.keychain + +exit 0