diff --git a/.github/workflows/deploy.yml b/.github/workflows/deploy.yml index 0c9dfb32..d08b1409 100644 --- a/.github/workflows/deploy.yml +++ b/.github/workflows/deploy.yml @@ -255,6 +255,20 @@ jobs: env: # Keep compat with MacOS 10.15 aka Catalina by Qt 6.4 QT_VERSION: 6.4.3 + + MAC_TEAM_ID: ${{ secrets.MAC_TEAM_ID }} + + MAC_APP_CERT_CERT: ${{ secrets.MAC_APP_CERT_CERT }} + MAC_SIGNER_ID: ${{ secrets.MAC_SIGNER_ID }} + MAC_APP_CERT_PW: ${{ secrets.MAC_APP_CERT_PW }} + + MAC_INSTALLER_SIGNER_CERT: ${{ secrets.MAC_INSTALLER_SIGNER_CERT }} + MAC_INSTALLER_SIGNER_ID: ${{ secrets.MAC_INSTALLER_SIGNER_ID }} + MAC_INSTALL_CERT_PW: ${{ secrets.MAC_INSTALL_CERT_PW }} + + APPLE_DEV_EMAIL: ${{ secrets.APPLE_DEV_EMAIL }} + APPLE_DEV_PASSWORD: ${{ secrets.APPLE_DEV_PASSWORD }} + PROD_AGW_PUBLIC_KEY: ${{ secrets.PROD_AGW_PUBLIC_KEY }} PROD_S3_ENDPOINT: ${{ secrets.PROD_S3_ENDPOINT }} DEV_AGW_PUBLIC_KEY: ${{ secrets.DEV_AGW_PUBLIC_KEY }} @@ -295,7 +309,7 @@ jobs: - name: 'Build project' run: | export QT_BIN_DIR="${{ runner.temp }}/Qt/${{ env.QT_VERSION }}/macos/bin" - bash deploy/build_macos.sh + bash deploy/build_macos.sh -n - name: 'Upload installer artifact' uses: actions/upload-artifact@v4 @@ -317,7 +331,21 @@ jobs: runs-on: macos-latest env: - QT_VERSION: 6.8.0 + QT_VERSION: 6.9.1 + + MAC_TEAM_ID: ${{ secrets.MAC_TEAM_ID }} + + MAC_APP_CERT_CERT: ${{ secrets.MAC_APP_CERT_CERT }} + MAC_SIGNER_ID: ${{ secrets.MAC_SIGNER_ID }} + MAC_APP_CERT_PW: ${{ secrets.MAC_APP_CERT_PW }} + + MAC_INSTALLER_SIGNER_CERT: ${{ secrets.MAC_INSTALLER_SIGNER_CERT }} + MAC_INSTALLER_SIGNER_ID: ${{ secrets.MAC_INSTALLER_SIGNER_ID }} + MAC_INSTALL_CERT_PW: ${{ secrets.MAC_INSTALL_CERT_PW }} + + APPLE_DEV_EMAIL: ${{ secrets.APPLE_DEV_EMAIL }} + APPLE_DEV_PASSWORD: ${{ secrets.APPLE_DEV_PASSWORD }} + PROD_AGW_PUBLIC_KEY: ${{ secrets.PROD_AGW_PUBLIC_KEY }} PROD_S3_ENDPOINT: ${{ secrets.PROD_S3_ENDPOINT }} DEV_AGW_PUBLIC_KEY: ${{ secrets.DEV_AGW_PUBLIC_KEY }} @@ -358,7 +386,7 @@ jobs: - name: 'Build project' run: | export QT_BIN_DIR="${{ runner.temp }}/Qt/${{ env.QT_VERSION }}/macos/bin" - bash deploy/build_macos.sh + bash deploy/build_macos.sh -n - name: 'Upload installer artifact' uses: actions/upload-artifact@v4 diff --git a/.gitignore b/.gitignore index 503adc2d..d905f1e3 100644 --- a/.gitignore +++ b/.gitignore @@ -138,3 +138,4 @@ CMakeFiles/ ios-ne-build.sh macos-ne-build.sh macos-signed-build.sh +macos-with-sign-build.sh diff --git a/deploy/build_macos.sh b/deploy/build_macos.sh index 03f286fc..6e67ee79 100644 --- a/deploy/build_macos.sh +++ b/deploy/build_macos.sh @@ -71,11 +71,54 @@ cmake --build . --config release --target all KEYCHAIN_PATH="$PROJECT_DIR/mac_sign.keychain" trap 'echo "Cleaning up mac_sign.keychain..."; security delete-keychain "$KEYCHAIN_PATH" 2>/dev/null || true; rm -f "$KEYCHAIN_PATH" 2>/dev/null || true' EXIT KEYCHAIN=$(security default-keychain -d user | tr -d '"[:space:]"') -security list-keychains -d user -s "$KEYCHAIN_PATH" "$KEYCHAIN" "$(security list-keychains -d user | tr '\n' ' ')" -security create-keychain -p "" "$KEYCHAIN_PATH" -security import "$DEPLOY_DIR/DeveloperIdApplicationCertificate.p12" -k "$KEYCHAIN_PATH" -P "$MAC_APP_CERT_PW" -T /usr/bin/codesign -security import "$DEPLOY_DIR/DeveloperIdInstallerCertificate.p12" -k "$KEYCHAIN_PATH" -P "$MAC_INSTALL_CERT_PW" -T /usr/bin/codesign + +# Build a clean list of the *existing* user key-chains. The raw output of +# security list-keychains -d user +# looks roughly like: +# " \"/Users/foo/Library/Keychains/login.keychain-db\"\n \"/Library/Keychains/System.keychain\"" +# Every entry is surrounded by quotes and indented with a few blanks. Feeding +# that verbatim back to `security list-keychains -s` inside a single quoted +# argument leads to one long, invalid path on some systems. We therefore strip +# the quotes and rely on the shell to split the string on whitespace so that +# each path becomes its own argument. + +read -ra EXISTING_KEYCHAINS <<< "$(security list-keychains -d user | tr -d '"')" + +security list-keychains -d user -s "$KEYCHAIN_PATH" "$KEYCHAIN" "${EXISTING_KEYCHAINS[@]}" +KEYCHAIN_PWD="" # Empty password keeps things simple for CI jobs +# Create, unlock and configure the temporary key-chain so that `codesign` can +# access the imported identities without triggering interactive prompts. +security create-keychain -p "$KEYCHAIN_PWD" "$KEYCHAIN_PATH" +# Keep the key-chain unlocked for the duration of the job (6 hours is plenty). +security set-keychain-settings -lut 21600 "$KEYCHAIN_PATH" +security unlock-keychain -p "$KEYCHAIN_PWD" "$KEYCHAIN_PATH" + +# Import the signing certificates only when the corresponding passwords are +# available in the environment. This allows the script to run in environments +# where code-signing is intentionally turned off (e.g. CI jobs that just build +# the artefacts without releasing them). + +if [ -n "${MAC_APP_CERT_PW-}" ]; then + # If the certificate is provided via environment variable, decode it. + if [ -n "${MAC_APP_CERT_CERT-}" ]; then + echo "$MAC_APP_CERT_CERT" | base64 -d > "$DEPLOY_DIR/DeveloperIdApplicationCertificate.p12" + fi + security import "$DEPLOY_DIR/DeveloperIdApplicationCertificate.p12" \ + -k "$KEYCHAIN_PATH" -P "$MAC_APP_CERT_PW" -A +fi + +if [ -n "${MAC_INSTALL_CERT_PW-}" ]; then + # Same logic for the installer certificate. + if [ -n "${MAC_INSTALLER_SIGNER_CERT-}" ]; then + echo "$MAC_INSTALLER_SIGNER_CERT" | base64 -d > "$DEPLOY_DIR/DeveloperIdInstallerCertificate.p12" + fi + security import "$DEPLOY_DIR/DeveloperIdInstallerCertificate.p12" \ + -k "$KEYCHAIN_PATH" -P "$MAC_INSTALL_CERT_PW" -A +fi + +# This certificate has no password. security import "$DEPLOY_DIR/DeveloperIDG2CA.cer" -k "$KEYCHAIN_PATH" -T /usr/bin/codesign + security list-keychains -d user -s "$KEYCHAIN_PATH" echo "____________________________________"