refactor: update certificate import logic in build_macos.sh script

chore: added notarization flag to macos build
chore: fix cert parsing
2025-07-08 19:39:25 +03:00 · 2025-07-08 12:51:19 +08:00 · 2025-07-08 12:03:45 +08:00 · 2025-07-08 03:14:19 +03:00
3 changed files with 79 additions and 7 deletions
--- a/.github/workflows/deploy.yml
+++ b/.github/workflows/deploy.yml
@ -255,6 +255,20 @@ jobs:
    env:
      # Keep compat with MacOS 10.15 aka Catalina by Qt 6.4
      QT_VERSION: 6.4.3
      MAC_TEAM_ID: ${{ secrets.MAC_TEAM_ID }}
      MAC_APP_CERT_CERT: ${{ secrets.MAC_APP_CERT_CERT }}
      MAC_SIGNER_ID: ${{ secrets.MAC_SIGNER_ID }}
      MAC_APP_CERT_PW: ${{ secrets.MAC_APP_CERT_PW }}
      MAC_INSTALLER_SIGNER_CERT: ${{ secrets.MAC_INSTALLER_SIGNER_CERT }}
      MAC_INSTALLER_SIGNER_ID: ${{ secrets.MAC_INSTALLER_SIGNER_ID }}
      MAC_INSTALL_CERT_PW: ${{ secrets.MAC_INSTALL_CERT_PW }}
      APPLE_DEV_EMAIL: ${{ secrets.APPLE_DEV_EMAIL }}
      APPLE_DEV_PASSWORD: ${{ secrets.APPLE_DEV_PASSWORD }}
      PROD_AGW_PUBLIC_KEY: ${{ secrets.PROD_AGW_PUBLIC_KEY }}
      PROD_S3_ENDPOINT: ${{ secrets.PROD_S3_ENDPOINT }}
      DEV_AGW_PUBLIC_KEY: ${{ secrets.DEV_AGW_PUBLIC_KEY }}
@ -295,7 +309,7 @@ jobs:
    - name: 'Build project'
      run: |
        export QT_BIN_DIR="${{ runner.temp }}/Qt/${{ env.QT_VERSION }}/macos/bin"
-        bash deploy/build_macos.sh
+        bash deploy/build_macos.sh -n
    - name: 'Upload installer artifact'
      uses: actions/upload-artifact@v4
@ -317,7 +331,21 @@ jobs:
    runs-on: macos-latest
    env:
-      QT_VERSION: 6.8.0
+      QT_VERSION: 6.9.1
      MAC_TEAM_ID: ${{ secrets.MAC_TEAM_ID }}
      MAC_APP_CERT_CERT: ${{ secrets.MAC_APP_CERT_CERT }}
      MAC_SIGNER_ID: ${{ secrets.MAC_SIGNER_ID }}
      MAC_APP_CERT_PW: ${{ secrets.MAC_APP_CERT_PW }}
      MAC_INSTALLER_SIGNER_CERT: ${{ secrets.MAC_INSTALLER_SIGNER_CERT }}
      MAC_INSTALLER_SIGNER_ID: ${{ secrets.MAC_INSTALLER_SIGNER_ID }}
      MAC_INSTALL_CERT_PW: ${{ secrets.MAC_INSTALL_CERT_PW }}
      APPLE_DEV_EMAIL: ${{ secrets.APPLE_DEV_EMAIL }}
      APPLE_DEV_PASSWORD: ${{ secrets.APPLE_DEV_PASSWORD }}
      PROD_AGW_PUBLIC_KEY: ${{ secrets.PROD_AGW_PUBLIC_KEY }}
      PROD_S3_ENDPOINT: ${{ secrets.PROD_S3_ENDPOINT }}
      DEV_AGW_PUBLIC_KEY: ${{ secrets.DEV_AGW_PUBLIC_KEY }}
@ -358,7 +386,7 @@ jobs:
    - name: 'Build project'
      run: |
        export QT_BIN_DIR="${{ runner.temp }}/Qt/${{ env.QT_VERSION }}/macos/bin"
-        bash deploy/build_macos.sh
+        bash deploy/build_macos.sh -n
    - name: 'Upload installer artifact'
      uses: actions/upload-artifact@v4
--- a/.gitignore
+++ b/.gitignore
@ -138,3 +138,4 @@ CMakeFiles/
 ios-ne-build.sh
 macos-ne-build.sh
 macos-signed-build.sh
 macos-with-sign-build.sh
--- a/deploy/build_macos.sh
+++ b/deploy/build_macos.sh
@ -71,11 +71,54 @@ cmake --build . --config release --target all
 KEYCHAIN_PATH="$PROJECT_DIR/mac_sign.keychain"
 trap 'echo "Cleaning up mac_sign.keychain..."; security delete-keychain "$KEYCHAIN_PATH" 2>/dev/null || true; rm -f "$KEYCHAIN_PATH" 2>/dev/null || true' EXIT
 KEYCHAIN=$(security default-keychain -d user | tr -d '"[:space:]"')
-security list-keychains -d user -s "$KEYCHAIN_PATH" "$KEYCHAIN" "$(security list-keychains -d user | tr '\n' ' ')"
+
-security create-keychain -p "" "$KEYCHAIN_PATH"
+# Build a clean list of the *existing* user key-chains. The raw output of
-security import "$DEPLOY_DIR/DeveloperIdApplicationCertificate.p12" -k "$KEYCHAIN_PATH" -P "$MAC_APP_CERT_PW" -T /usr/bin/codesign
+#   security list-keychains -d user
-security import "$DEPLOY_DIR/DeveloperIdInstallerCertificate.p12" -k "$KEYCHAIN_PATH" -P "$MAC_INSTALL_CERT_PW" -T /usr/bin/codesign
+# looks roughly like:
 #     "    \"/Users/foo/Library/Keychains/login.keychain-db\"\n    \"/Library/Keychains/System.keychain\""
 # Every entry is surrounded by quotes and indented with a few blanks. Feeding
 # that verbatim back to `security list-keychains -s` inside a single quoted
 # argument leads to one long, invalid path on some systems. We therefore strip
 # the quotes and rely on the shell to split the string on whitespace so that
 # each path becomes its own argument.
 read -ra EXISTING_KEYCHAINS <<< "$(security list-keychains -d user | tr -d '"')"
 security list-keychains -d user -s "$KEYCHAIN_PATH" "$KEYCHAIN" "${EXISTING_KEYCHAINS[@]}"
 KEYCHAIN_PWD=""  # Empty password keeps things simple for CI jobs
 # Create, unlock and configure the temporary key-chain so that `codesign` can
 # access the imported identities without triggering interactive prompts.
 security create-keychain -p "$KEYCHAIN_PWD" "$KEYCHAIN_PATH"
 # Keep the key-chain unlocked for the duration of the job (6 hours is plenty).
 security set-keychain-settings -lut 21600 "$KEYCHAIN_PATH"
 security unlock-keychain -p "$KEYCHAIN_PWD" "$KEYCHAIN_PATH"
 # Import the signing certificates only when the corresponding passwords are
 # available in the environment.  This allows the script to run in environments
 # where code-signing is intentionally turned off (e.g. CI jobs that just build
 # the artefacts without releasing them).
 if [ -n "${MAC_APP_CERT_PW-}" ]; then
  # If the certificate is provided via environment variable, decode it.
  if [ -n "${MAC_APP_CERT_CERT-}" ]; then
    echo "$MAC_APP_CERT_CERT" | base64 -d > "$DEPLOY_DIR/DeveloperIdApplicationCertificate.p12"
  fi
  security import "$DEPLOY_DIR/DeveloperIdApplicationCertificate.p12" \
          -k "$KEYCHAIN_PATH" -P "$MAC_APP_CERT_PW" -A
 fi
 if [ -n "${MAC_INSTALL_CERT_PW-}" ]; then
  # Same logic for the installer certificate.
  if [ -n "${MAC_INSTALLER_SIGNER_CERT-}" ]; then
    echo "$MAC_INSTALLER_SIGNER_CERT" | base64 -d > "$DEPLOY_DIR/DeveloperIdInstallerCertificate.p12"
  fi
  security import "$DEPLOY_DIR/DeveloperIdInstallerCertificate.p12" \
          -k "$KEYCHAIN_PATH" -P "$MAC_INSTALL_CERT_PW" -A
 fi
 # This certificate has no password.
 security import "$DEPLOY_DIR/DeveloperIDG2CA.cer" -k "$KEYCHAIN_PATH" -T /usr/bin/codesign
 security list-keychains -d user -s "$KEYCHAIN_PATH"
 echo "____________________________________"
Author	SHA1	Message	Date
Yaroslav Yashin	564dbbe3ef	refactor: update certificate import logic in build_macos.sh script	2025-07-08 19:39:25 +03:00
vladimir.kuznetsov	086780e397	chore: added notarization flag to macos build	2025-07-08 12:51:19 +08:00
vladimir.kuznetsov	577b2ec3c3	chore: fix cert parsing	2025-07-08 12:03:45 +08:00
Yaroslav Yashin	703d9e1291	Fixing broken ci/cd for macos pkg bundle	2025-07-08 03:14:19 +03:00