refactor: update certificate import logic in build_macos.sh script

chore: added notarization flag to macos build
chore: fix cert parsing
2025-07-08 19:39:25 +03:00 · 2025-07-08 12:51:19 +08:00 · 2025-07-08 12:03:45 +08:00 · 2025-07-08 03:14:19 +03:00
6 changed files with 111 additions and 68 deletions
--- a/.github/workflows/deploy.yml
+++ b/.github/workflows/deploy.yml
@ -255,6 +255,20 @@ jobs:
    env:
      # Keep compat with MacOS 10.15 aka Catalina by Qt 6.4
      QT_VERSION: 6.4.3
+
+      MAC_TEAM_ID: ${{ secrets.MAC_TEAM_ID }}
+
+      MAC_APP_CERT_CERT: ${{ secrets.MAC_APP_CERT_CERT }}
+      MAC_SIGNER_ID: ${{ secrets.MAC_SIGNER_ID }}
+      MAC_APP_CERT_PW: ${{ secrets.MAC_APP_CERT_PW }}
+
+      MAC_INSTALLER_SIGNER_CERT: ${{ secrets.MAC_INSTALLER_SIGNER_CERT }}
+      MAC_INSTALLER_SIGNER_ID: ${{ secrets.MAC_INSTALLER_SIGNER_ID }}
+      MAC_INSTALL_CERT_PW: ${{ secrets.MAC_INSTALL_CERT_PW }}
+
+      APPLE_DEV_EMAIL: ${{ secrets.APPLE_DEV_EMAIL }}
+      APPLE_DEV_PASSWORD: ${{ secrets.APPLE_DEV_PASSWORD }}
+
      PROD_AGW_PUBLIC_KEY: ${{ secrets.PROD_AGW_PUBLIC_KEY }}
      PROD_S3_ENDPOINT: ${{ secrets.PROD_S3_ENDPOINT }}
      DEV_AGW_PUBLIC_KEY: ${{ secrets.DEV_AGW_PUBLIC_KEY }}
@ -295,7 +309,7 @@ jobs:
    - name: 'Build project'
      run: |
        export QT_BIN_DIR="${{ runner.temp }}/Qt/${{ env.QT_VERSION }}/macos/bin"
-        bash deploy/build_macos.sh
+        bash deploy/build_macos.sh -n

    - name: 'Upload installer artifact'
      uses: actions/upload-artifact@v4
@ -317,7 +331,21 @@ jobs:
    runs-on: macos-latest

    env:
-      QT_VERSION: 6.8.0
+      QT_VERSION: 6.9.1
+
+      MAC_TEAM_ID: ${{ secrets.MAC_TEAM_ID }}
+
+      MAC_APP_CERT_CERT: ${{ secrets.MAC_APP_CERT_CERT }}
+      MAC_SIGNER_ID: ${{ secrets.MAC_SIGNER_ID }}
+      MAC_APP_CERT_PW: ${{ secrets.MAC_APP_CERT_PW }}
+
+      MAC_INSTALLER_SIGNER_CERT: ${{ secrets.MAC_INSTALLER_SIGNER_CERT }}
+      MAC_INSTALLER_SIGNER_ID: ${{ secrets.MAC_INSTALLER_SIGNER_ID }}
+      MAC_INSTALL_CERT_PW: ${{ secrets.MAC_INSTALL_CERT_PW }}
+
+      APPLE_DEV_EMAIL: ${{ secrets.APPLE_DEV_EMAIL }}
+      APPLE_DEV_PASSWORD: ${{ secrets.APPLE_DEV_PASSWORD }}
+
      PROD_AGW_PUBLIC_KEY: ${{ secrets.PROD_AGW_PUBLIC_KEY }}
      PROD_S3_ENDPOINT: ${{ secrets.PROD_S3_ENDPOINT }}
      DEV_AGW_PUBLIC_KEY: ${{ secrets.DEV_AGW_PUBLIC_KEY }}
@ -358,7 +386,7 @@ jobs:
    - name: 'Build project'
      run: |
        export QT_BIN_DIR="${{ runner.temp }}/Qt/${{ env.QT_VERSION }}/macos/bin"
-        bash deploy/build_macos.sh
+        bash deploy/build_macos.sh -n

    - name: 'Upload installer artifact'
      uses: actions/upload-artifact@v4
--- a/.gitignore
+++ b/.gitignore
@ -138,3 +138,4 @@ CMakeFiles/
 ios-ne-build.sh
 macos-ne-build.sh
 macos-signed-build.sh
+macos-with-sign-build.sh
--- a/client/platforms/ios/WGConfig.swift
+++ b/client/platforms/ios/WGConfig.swift
@ -46,59 +46,29 @@ struct WGConfig: Decodable {
  }

  var settings: String {
-    guard junkPacketCount != nil else { return "" }
-    
-    var settingsLines: [String] = []
-    
-    // Required parameters when junkPacketCount is present
-    settingsLines.append("Jc = \(junkPacketCount!)")
-    settingsLines.append("Jmin = \(junkPacketMinSize!)")
-    settingsLines.append("Jmax = \(junkPacketMaxSize!)")
-    settingsLines.append("S1 = \(initPacketJunkSize!)")
-    settingsLines.append("S2 = \(responsePacketJunkSize!)")
-    
-    settingsLines.append("H1 = \(initPacketMagicHeader!)")
-    settingsLines.append("H2 = \(responsePacketMagicHeader!)")
-    settingsLines.append("H3 = \(underloadPacketMagicHeader!)")
-    settingsLines.append("H4 = \(transportPacketMagicHeader!)")
-
-    // Optional parameters - only add if not nil and not empty
-    if let s3 = cookieReplyPacketJunkSize, !s3.isEmpty {
-      settingsLines.append("S3 = \(s3)")
-    }
-    if let s4 = transportPacketJunkSize, !s4.isEmpty {
-      settingsLines.append("S4 = \(s4)")
-    }
-    
-    if let i1 = specialJunk1, !i1.isEmpty {
-      settingsLines.append("I1 = \(i1)")
-    }
-    if let i2 = specialJunk2, !i2.isEmpty {
-      settingsLines.append("I2 = \(i2)")
-    }
-    if let i3 = specialJunk3, !i3.isEmpty {
-      settingsLines.append("I3 = \(i3)")
-    }
-    if let i4 = specialJunk4, !i4.isEmpty {
-      settingsLines.append("I4 = \(i4)")
-    }
-    if let i5 = specialJunk5, !i5.isEmpty {
-      settingsLines.append("I5 = \(i5)")
-    }
-    if let j1 = controlledJunk1, !j1.isEmpty {
-      settingsLines.append("J1 = \(j1)")
-    }
-    if let j2 = controlledJunk2, !j2.isEmpty {
-      settingsLines.append("J2 = \(j2)")
-    }
-    if let j3 = controlledJunk3, !j3.isEmpty {
-      settingsLines.append("J3 = \(j3)")
-    }
-    if let itime = specialHandshakeTimeout, !itime.isEmpty {
-      settingsLines.append("Itime = \(itime)")
-    }
-    
-    return settingsLines.joined(separator: "\n")
+    junkPacketCount == nil ? "" :
+    """
+    Jc = \(junkPacketCount!)
+    Jmin = \(junkPacketMinSize!)
+    Jmax = \(junkPacketMaxSize!)
+    S1 = \(initPacketJunkSize!)
+    S2 = \(responsePacketJunkSize!)
+    S3 = \(cookieReplyPacketJunkSize!)
+    S4 = \(transportPacketJunkSize!)
+    H1 = \(initPacketMagicHeader!)
+    H2 = \(responsePacketMagicHeader!)
+    H3 = \(underloadPacketMagicHeader!)
+    H4 = \(transportPacketMagicHeader!)
+    I1 = \(specialJunk1!)
+    I2 = \(specialJunk2!)
+    I3 = \(specialJunk3!)
+    I4 = \(specialJunk4!)
+    I5 = \(specialJunk5!)
+    J1 = \(controlledJunk1!)
+    J2 = \(controlledJunk2!)
+    J3 = \(controlledJunk3!)
+    Itime = \(specialHandshakeTimeout!)
+    """
  }

  var str: String {
--- a/client/ui/controllers/api/apiConfigsController.cpp
+++ b/client/ui/controllers/api/apiConfigsController.cpp
@ -221,6 +221,8 @@ namespace

        serverConfig[configKey::apiConfig] = apiConfig;

+        qDebug() << serverConfig;
+
        return ErrorCode::NoError;
    }
 }
--- a/client/ui/qml/Pages2/PageSettingsKillSwitch.qml
+++ b/client/ui/qml/Pages2/PageSettingsKillSwitch.qml
@ -62,7 +62,8 @@ PageType {
                Layout.leftMargin: 16
                Layout.rightMargin: 16

-                enabled: SettingsController.isKillSwitchEnabled && !ConnectionController.isConnected
+                visible: false
+                // enabled: SettingsController.isKillSwitchEnabled && !ConnectionController.isConnected
                checked: !SettingsController.strictKillSwitchEnabled

                text: qsTr("Soft KillSwitch")
@ -73,7 +74,9 @@ PageType {
                }
            }

-            DividerType {}
+            DividerType {
+                visible: false
+            }

            VerticalRadioButton {
                id: strictKillSwitch
@ -81,9 +84,7 @@ PageType {
                Layout.leftMargin: 16
                Layout.rightMargin: 16

-                visible: false
-                enabled: false
-                // enabled: SettingsController.isKillSwitchEnabled && !ConnectionController.isConnected
+                enabled: SettingsController.isKillSwitchEnabled && !ConnectionController.isConnected
                checked: SettingsController.strictKillSwitchEnabled

                text: qsTr("Strict KillSwitch")
@ -105,9 +106,7 @@ PageType {
                }
            }

-            DividerType {
-                visible: false
-            }
+            DividerType {}
            
            LabelWithButtonType {
                Layout.topMargin: 32
--- a/deploy/build_macos.sh
+++ b/deploy/build_macos.sh
@ -71,11 +71,54 @@ cmake --build . --config release --target all
 KEYCHAIN_PATH="$PROJECT_DIR/mac_sign.keychain"
 trap 'echo "Cleaning up mac_sign.keychain..."; security delete-keychain "$KEYCHAIN_PATH" 2>/dev/null || true; rm -f "$KEYCHAIN_PATH" 2>/dev/null || true' EXIT
 KEYCHAIN=$(security default-keychain -d user | tr -d '"[:space:]"')
-security list-keychains -d user -s "$KEYCHAIN_PATH" "$KEYCHAIN" "$(security list-keychains -d user | tr '\n' ' ')"
-security create-keychain -p "" "$KEYCHAIN_PATH"
-security import "$DEPLOY_DIR/DeveloperIdApplicationCertificate.p12" -k "$KEYCHAIN_PATH" -P "$MAC_APP_CERT_PW" -T /usr/bin/codesign
-security import "$DEPLOY_DIR/DeveloperIdInstallerCertificate.p12" -k "$KEYCHAIN_PATH" -P "$MAC_INSTALL_CERT_PW" -T /usr/bin/codesign
+
+# Build a clean list of the *existing* user key-chains. The raw output of
+#   security list-keychains -d user
+# looks roughly like:
+#     "    \"/Users/foo/Library/Keychains/login.keychain-db\"\n    \"/Library/Keychains/System.keychain\""
+# Every entry is surrounded by quotes and indented with a few blanks. Feeding
+# that verbatim back to `security list-keychains -s` inside a single quoted
+# argument leads to one long, invalid path on some systems. We therefore strip
+# the quotes and rely on the shell to split the string on whitespace so that
+# each path becomes its own argument.
+
+read -ra EXISTING_KEYCHAINS <<< "$(security list-keychains -d user | tr -d '"')"
+
+security list-keychains -d user -s "$KEYCHAIN_PATH" "$KEYCHAIN" "${EXISTING_KEYCHAINS[@]}"
+KEYCHAIN_PWD=""  # Empty password keeps things simple for CI jobs
+# Create, unlock and configure the temporary key-chain so that `codesign` can
+# access the imported identities without triggering interactive prompts.
+security create-keychain -p "$KEYCHAIN_PWD" "$KEYCHAIN_PATH"
+# Keep the key-chain unlocked for the duration of the job (6 hours is plenty).
+security set-keychain-settings -lut 21600 "$KEYCHAIN_PATH"
+security unlock-keychain -p "$KEYCHAIN_PWD" "$KEYCHAIN_PATH"
+
+# Import the signing certificates only when the corresponding passwords are
+# available in the environment.  This allows the script to run in environments
+# where code-signing is intentionally turned off (e.g. CI jobs that just build
+# the artefacts without releasing them).
+
+if [ -n "${MAC_APP_CERT_PW-}" ]; then
+  # If the certificate is provided via environment variable, decode it.
+  if [ -n "${MAC_APP_CERT_CERT-}" ]; then
+    echo "$MAC_APP_CERT_CERT" | base64 -d > "$DEPLOY_DIR/DeveloperIdApplicationCertificate.p12"
+  fi
+  security import "$DEPLOY_DIR/DeveloperIdApplicationCertificate.p12" \
+          -k "$KEYCHAIN_PATH" -P "$MAC_APP_CERT_PW" -A
+fi
+
+if [ -n "${MAC_INSTALL_CERT_PW-}" ]; then
+  # Same logic for the installer certificate.
+  if [ -n "${MAC_INSTALLER_SIGNER_CERT-}" ]; then
+    echo "$MAC_INSTALLER_SIGNER_CERT" | base64 -d > "$DEPLOY_DIR/DeveloperIdInstallerCertificate.p12"
+  fi
+  security import "$DEPLOY_DIR/DeveloperIdInstallerCertificate.p12" \
+          -k "$KEYCHAIN_PATH" -P "$MAC_INSTALL_CERT_PW" -A
+fi
+
+# This certificate has no password.
 security import "$DEPLOY_DIR/DeveloperIDG2CA.cer" -k "$KEYCHAIN_PATH" -T /usr/bin/codesign
+
 security list-keychains -d user -s "$KEYCHAIN_PATH"

 echo "____________________________________"
Author	SHA1	Message	Date
Yaroslav Yashin	564dbbe3ef	refactor: update certificate import logic in build_macos.sh script	2025-07-08 19:39:25 +03:00
vladimir.kuznetsov	086780e397	chore: added notarization flag to macos build	2025-07-08 12:51:19 +08:00
vladimir.kuznetsov	577b2ec3c3	chore: fix cert parsing	2025-07-08 12:03:45 +08:00
Yaroslav Yashin	703d9e1291	Fixing broken ci/cd for macos pkg bundle	2025-07-08 03:14:19 +03:00