refactor: update certificate import logic in build_macos.sh script

.github/workflows/deploy.yml

@@ -255,6 +255,20 @@ jobs:
     env:
       # Keep compat with MacOS 10.15 aka Catalina by Qt 6.4
       QT_VERSION: 6.4.3
+
+      MAC_TEAM_ID: ${{ secrets.MAC_TEAM_ID }}
+
+      MAC_APP_CERT_CERT: ${{ secrets.MAC_APP_CERT_CERT }}
+      MAC_SIGNER_ID: ${{ secrets.MAC_SIGNER_ID }}
+      MAC_APP_CERT_PW: ${{ secrets.MAC_APP_CERT_PW }}
+
+      MAC_INSTALLER_SIGNER_CERT: ${{ secrets.MAC_INSTALLER_SIGNER_CERT }}
+      MAC_INSTALLER_SIGNER_ID: ${{ secrets.MAC_INSTALLER_SIGNER_ID }}
+      MAC_INSTALL_CERT_PW: ${{ secrets.MAC_INSTALL_CERT_PW }}
+
+      APPLE_DEV_EMAIL: ${{ secrets.APPLE_DEV_EMAIL }}
+      APPLE_DEV_PASSWORD: ${{ secrets.APPLE_DEV_PASSWORD }}
+
       PROD_AGW_PUBLIC_KEY: ${{ secrets.PROD_AGW_PUBLIC_KEY }}
       PROD_S3_ENDPOINT: ${{ secrets.PROD_S3_ENDPOINT }}
       DEV_AGW_PUBLIC_KEY: ${{ secrets.DEV_AGW_PUBLIC_KEY }}
@@ -295,7 +309,7 @@ jobs:
     - name: 'Build project'
       run: |
         export QT_BIN_DIR="${{ runner.temp }}/Qt/${{ env.QT_VERSION }}/macos/bin"
-        bash deploy/build_macos.sh
+        bash deploy/build_macos.sh -n
 
     - name: 'Upload installer artifact'
       uses: actions/upload-artifact@v4
@@ -317,7 +331,21 @@ jobs:
     runs-on: macos-latest
 
     env:
-      QT_VERSION: 6.8.0
+      QT_VERSION: 6.9.1
+
+      MAC_TEAM_ID: ${{ secrets.MAC_TEAM_ID }}
+
+      MAC_APP_CERT_CERT: ${{ secrets.MAC_APP_CERT_CERT }}
+      MAC_SIGNER_ID: ${{ secrets.MAC_SIGNER_ID }}
+      MAC_APP_CERT_PW: ${{ secrets.MAC_APP_CERT_PW }}
+
+      MAC_INSTALLER_SIGNER_CERT: ${{ secrets.MAC_INSTALLER_SIGNER_CERT }}
+      MAC_INSTALLER_SIGNER_ID: ${{ secrets.MAC_INSTALLER_SIGNER_ID }}
+      MAC_INSTALL_CERT_PW: ${{ secrets.MAC_INSTALL_CERT_PW }}
+
+      APPLE_DEV_EMAIL: ${{ secrets.APPLE_DEV_EMAIL }}
+      APPLE_DEV_PASSWORD: ${{ secrets.APPLE_DEV_PASSWORD }}
+
       PROD_AGW_PUBLIC_KEY: ${{ secrets.PROD_AGW_PUBLIC_KEY }}
       PROD_S3_ENDPOINT: ${{ secrets.PROD_S3_ENDPOINT }}
       DEV_AGW_PUBLIC_KEY: ${{ secrets.DEV_AGW_PUBLIC_KEY }}
@@ -358,7 +386,7 @@ jobs:
     - name: 'Build project'
       run: |
         export QT_BIN_DIR="${{ runner.temp }}/Qt/${{ env.QT_VERSION }}/macos/bin"
-        bash deploy/build_macos.sh
+        bash deploy/build_macos.sh -n
 
     - name: 'Upload installer artifact'
       uses: actions/upload-artifact@v4

.gitignore

@@ -138,3 +138,4 @@ CMakeFiles/
 ios-ne-build.sh
 macos-ne-build.sh
 macos-signed-build.sh
+macos-with-sign-build.sh

client/platforms/ios/WGConfig.swift

@@ -46,59 +46,29 @@ struct WGConfig: Decodable {
   }
 
   var settings: String {
-    guard junkPacketCount != nil else { return "" }
+    junkPacketCount == nil ? "" :
-    
+    """
-    var settingsLines: [String] = []
+    Jc = \(junkPacketCount!)
-    
+    Jmin = \(junkPacketMinSize!)
-    // Required parameters when junkPacketCount is present
+    Jmax = \(junkPacketMaxSize!)
-    settingsLines.append("Jc = \(junkPacketCount!)")
+    S1 = \(initPacketJunkSize!)
-    settingsLines.append("Jmin = \(junkPacketMinSize!)")
+    S2 = \(responsePacketJunkSize!)
-    settingsLines.append("Jmax = \(junkPacketMaxSize!)")
+    S3 = \(cookieReplyPacketJunkSize!)
-    settingsLines.append("S1 = \(initPacketJunkSize!)")
+    S4 = \(transportPacketJunkSize!)
-    settingsLines.append("S2 = \(responsePacketJunkSize!)")
+    H1 = \(initPacketMagicHeader!)
-    
+    H2 = \(responsePacketMagicHeader!)
-    settingsLines.append("H1 = \(initPacketMagicHeader!)")
+    H3 = \(underloadPacketMagicHeader!)
-    settingsLines.append("H2 = \(responsePacketMagicHeader!)")
+    H4 = \(transportPacketMagicHeader!)
-    settingsLines.append("H3 = \(underloadPacketMagicHeader!)")
+    I1 = \(specialJunk1!)
-    settingsLines.append("H4 = \(transportPacketMagicHeader!)")
+    I2 = \(specialJunk2!)
-
+    I3 = \(specialJunk3!)
-    // Optional parameters - only add if not nil and not empty
+    I4 = \(specialJunk4!)
-    if let s3 = cookieReplyPacketJunkSize, !s3.isEmpty {
+    I5 = \(specialJunk5!)
-      settingsLines.append("S3 = \(s3)")
+    J1 = \(controlledJunk1!)
-    }
+    J2 = \(controlledJunk2!)
-    if let s4 = transportPacketJunkSize, !s4.isEmpty {
+    J3 = \(controlledJunk3!)
-      settingsLines.append("S4 = \(s4)")
+    Itime = \(specialHandshakeTimeout!)
-    }
+    """
-    
-    if let i1 = specialJunk1, !i1.isEmpty {
-      settingsLines.append("I1 = \(i1)")
-    }
-    if let i2 = specialJunk2, !i2.isEmpty {
-      settingsLines.append("I2 = \(i2)")
-    }
-    if let i3 = specialJunk3, !i3.isEmpty {
-      settingsLines.append("I3 = \(i3)")
-    }
-    if let i4 = specialJunk4, !i4.isEmpty {
-      settingsLines.append("I4 = \(i4)")
-    }
-    if let i5 = specialJunk5, !i5.isEmpty {
-      settingsLines.append("I5 = \(i5)")
-    }
-    if let j1 = controlledJunk1, !j1.isEmpty {
-      settingsLines.append("J1 = \(j1)")
-    }
-    if let j2 = controlledJunk2, !j2.isEmpty {
-      settingsLines.append("J2 = \(j2)")
-    }
-    if let j3 = controlledJunk3, !j3.isEmpty {
-      settingsLines.append("J3 = \(j3)")
-    }
-    if let itime = specialHandshakeTimeout, !itime.isEmpty {
-      settingsLines.append("Itime = \(itime)")
-    }
-    
-    return settingsLines.joined(separator: "\n")
   }
 
   var str: String {

client/ui/controllers/api/apiConfigsController.cpp

@@ -221,6 +221,8 @@ namespace
 
         serverConfig[configKey::apiConfig] = apiConfig;
 
+        qDebug() << serverConfig;
+
         return ErrorCode::NoError;
     }
 }

client/ui/qml/Pages2/PageSettingsKillSwitch.qml

@@ -62,7 +62,8 @@ PageType {
                 Layout.leftMargin: 16
                 Layout.rightMargin: 16
 
-                enabled: SettingsController.isKillSwitchEnabled && !ConnectionController.isConnected
+                visible: false
+                // enabled: SettingsController.isKillSwitchEnabled && !ConnectionController.isConnected
                 checked: !SettingsController.strictKillSwitchEnabled
 
                 text: qsTr("Soft KillSwitch")
@@ -73,7 +74,9 @@ PageType {
                 }
             }
 
-            DividerType {}
+            DividerType {
+                visible: false
+            }
 
             VerticalRadioButton {
                 id: strictKillSwitch
@@ -81,9 +84,7 @@ PageType {
                 Layout.leftMargin: 16
                 Layout.rightMargin: 16
 
-                visible: false
+                enabled: SettingsController.isKillSwitchEnabled && !ConnectionController.isConnected
-                enabled: false
-                // enabled: SettingsController.isKillSwitchEnabled && !ConnectionController.isConnected
                 checked: SettingsController.strictKillSwitchEnabled
 
                 text: qsTr("Strict KillSwitch")
@@ -105,9 +106,7 @@ PageType {
                 }
             }
 
-            DividerType {
+            DividerType {}
-                visible: false
-            }
             
             LabelWithButtonType {
                 Layout.topMargin: 32

deploy/build_macos.sh

@@ -71,11 +71,54 @@ cmake --build . --config release --target all
 KEYCHAIN_PATH="$PROJECT_DIR/mac_sign.keychain"
 trap 'echo "Cleaning up mac_sign.keychain..."; security delete-keychain "$KEYCHAIN_PATH" 2>/dev/null || true; rm -f "$KEYCHAIN_PATH" 2>/dev/null || true' EXIT
 KEYCHAIN=$(security default-keychain -d user | tr -d '"[:space:]"')
-security list-keychains -d user -s "$KEYCHAIN_PATH" "$KEYCHAIN" "$(security list-keychains -d user | tr '\n' ' ')"
+
-security create-keychain -p "" "$KEYCHAIN_PATH"
+# Build a clean list of the *existing* user key-chains. The raw output of
-security import "$DEPLOY_DIR/DeveloperIdApplicationCertificate.p12" -k "$KEYCHAIN_PATH" -P "$MAC_APP_CERT_PW" -T /usr/bin/codesign
+#   security list-keychains -d user
-security import "$DEPLOY_DIR/DeveloperIdInstallerCertificate.p12" -k "$KEYCHAIN_PATH" -P "$MAC_INSTALL_CERT_PW" -T /usr/bin/codesign
+# looks roughly like:
+#     "    \"/Users/foo/Library/Keychains/login.keychain-db\"\n    \"/Library/Keychains/System.keychain\""
+# Every entry is surrounded by quotes and indented with a few blanks. Feeding
+# that verbatim back to `security list-keychains -s` inside a single quoted
+# argument leads to one long, invalid path on some systems. We therefore strip
+# the quotes and rely on the shell to split the string on whitespace so that
+# each path becomes its own argument.
+
+read -ra EXISTING_KEYCHAINS <<< "$(security list-keychains -d user | tr -d '"')"
+
+security list-keychains -d user -s "$KEYCHAIN_PATH" "$KEYCHAIN" "${EXISTING_KEYCHAINS[@]}"
+KEYCHAIN_PWD=""  # Empty password keeps things simple for CI jobs
+# Create, unlock and configure the temporary key-chain so that `codesign` can
+# access the imported identities without triggering interactive prompts.
+security create-keychain -p "$KEYCHAIN_PWD" "$KEYCHAIN_PATH"
+# Keep the key-chain unlocked for the duration of the job (6 hours is plenty).
+security set-keychain-settings -lut 21600 "$KEYCHAIN_PATH"
+security unlock-keychain -p "$KEYCHAIN_PWD" "$KEYCHAIN_PATH"
+
+# Import the signing certificates only when the corresponding passwords are
+# available in the environment.  This allows the script to run in environments
+# where code-signing is intentionally turned off (e.g. CI jobs that just build
+# the artefacts without releasing them).
+
+if [ -n "${MAC_APP_CERT_PW-}" ]; then
+  # If the certificate is provided via environment variable, decode it.
+  if [ -n "${MAC_APP_CERT_CERT-}" ]; then
+    echo "$MAC_APP_CERT_CERT" | base64 -d > "$DEPLOY_DIR/DeveloperIdApplicationCertificate.p12"
+  fi
+  security import "$DEPLOY_DIR/DeveloperIdApplicationCertificate.p12" \
+          -k "$KEYCHAIN_PATH" -P "$MAC_APP_CERT_PW" -A
+fi
+
+if [ -n "${MAC_INSTALL_CERT_PW-}" ]; then
+  # Same logic for the installer certificate.
+  if [ -n "${MAC_INSTALLER_SIGNER_CERT-}" ]; then
+    echo "$MAC_INSTALLER_SIGNER_CERT" | base64 -d > "$DEPLOY_DIR/DeveloperIdInstallerCertificate.p12"
+  fi
+  security import "$DEPLOY_DIR/DeveloperIdInstallerCertificate.p12" \
+          -k "$KEYCHAIN_PATH" -P "$MAC_INSTALL_CERT_PW" -A
+fi
+
+# This certificate has no password.
 security import "$DEPLOY_DIR/DeveloperIDG2CA.cer" -k "$KEYCHAIN_PATH" -T /usr/bin/codesign
+
 security list-keychains -d user -s "$KEYCHAIN_PATH"
 
 echo "____________________________________"