diff --git a/.github/scripts/common.py b/.github/scripts/common.py
index 5322451..404194f 100644
--- a/.github/scripts/common.py
+++ b/.github/scripts/common.py
@@ -487,11 +487,10 @@ def notarize_macos_build(project):
 """
 sign and notarize files for macOS
 Expects the following environment:
- - Imported Mac/Apple Distribution certificate (with private key) in Keychain
 - `SIGNING_IDENTITY` environ with Certificate name/identity
- - `ALTOOL_USERNAME` with Apple ID of an account with perms on the certificate
- - Keychain entry `ALTOOL_PASSWORD` with an app-specific password for the account
- - `ASC_PROVIDER` environ with Team ID
+ - `KEYCHAIN` environ with path to the keychain storing credentials
+ - `KEYCHAIN_PROFILE` environ with name of the profile in that keychain
+ - `KEYCHAIN_PASSWORD` environ with password to unlock the keychain
 """
 if project != "libzim":
 return
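Review bot: The docstring's new requirement list drops the line saying the signing certificate (with private key) must be imported into the keychain, yet `SIGNING_IDENTITY` is still listed and the summary line still reads "sign and notarize", so a reader no longer learns where that identity is expected to live. It also does not say that `KEYCHAIN_PROFILE` must already hold credentials stored with `xcrun notarytool store-credentials`, which the new code depends on and which this commit sets up only in the workflow file. Suggested additions to the list: `- Imported signing certificate (with private key) in that keychain, matching SIGNING_IDENTITY` and `- a profile created beforehand with xcrun notarytool store-credentials under KEYCHAIN_PROFILE`. The function body continues outside the hunk.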
@@ -519,13 +518,35 @@ def notarize_macos_build(project):
 + [str(f) for f in filepaths]
 + [zip_name], env=os.environ)
- subprocess.check_call(["/usr/bin/xcrun", "altool", "--notarize-app",
- "--file", str(zip_name),
- "--primary-bundle-id", "org.kiwix.build.{}".format(project),
- "--username", os.getenv("ALTOOL_USERNAME", "missing"),
- "--password", "@keychain:ALTOOL_PASSWORD",
- "--asc-provider", os.getenv("ASC_PROVIDER")], env=os.environ)
+ # make sure keychain is unlocked
+ subprocess.check_call(
+ [
+ "/usr/bin/security",
+ "unlock-keychain",
+ "-p",
+ os.getenv("KEYCHAIN_PASSWORD", "no-keychain-password"),
+ os.getenv("KEYCHAIN", "no-keychain-path"),
+ ],
+ env=os.environ,
+ )
+
+ subprocess.check_call(
+ [
+ "/usr/bin/xcrun",
+ "notarytool",
+ "submit",
+ "--keychain",
+ os.getenv("KEYCHAIN", "no-keychain-path"),
+ "--keychain-profile",
+ os.getenv("KEYCHAIN_PROFILE", "no-keychain-profile"),
+ "--wait",
+ str(zip_name),
+ ],
+ env=os.environ,
+ )
 # check notarization of a file (should be in-progress atm and this != 0)
- subprocess.call(["/usr/sbin/spctl", "-a", "-v", "-t", "install",
- filepaths[-1]], env=os.environ)
+ subprocess.call(
+ ["/usr/sbin/spctl", "--assess", "-vv", "--type", "install", filepaths[-1]],
+ env=os.environ,
+ )
diff --git a/.github/workflows/releaseNigthly.yml b/.github/workflows/releaseNigthly.yml
index 43a839f..e4c595c 100644
--- a/.github/workflows/releaseNigthly.yml
+++ b/.github/workflows/releaseNigthly.yml
@@ -184,9 +184,9 @@ jobs:
 OS_NAME: osx
 CERTIFICATE: /tmp/wmch-devid.p12
 SIGNING_IDENTITY: ${{ secrets.APPLE_SIGNING_IDENTITY }}
- ALTOOL_USERNAME: ${{ secrets.APPLE_SIGNING_ALTOOL_USERNAME }}
- ASC_PROVIDER: ${{ secrets.APPLE_SIGNING_TEAM }}
 KEYCHAIN: /Users/runner/build.keychain-db
+ KEYCHAIN_PASSWORD: mysecretpassword
+ KEYCHAIN_PROFILE: build-profile
 steps:
 - name: Checkout code
 uses: actions/checkout@v1
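Review bot: The `os.getenv(..., "no-keychain-...")` fallbacks in the new `unlock-keychain` and `notarytool submit` argument lists turn an unset `KEYCHAIN`, `KEYCHAIN_PASSWORD` or `KEYCHAIN_PROFILE` into a run against a placeholder path or profile, which fails later with an opaque `security`/`notarytool` error instead of naming the missing variable; reading them once up front — `keychain = os.environ["KEYCHAIN"]`, `keychain_password = os.environ["KEYCHAIN_PASSWORD"]`, `keychain_profile = os.environ["KEYCHAIN_PROFILE"]` — fails fast with a KeyError that names the variable and removes the duplicated `os.getenv("KEYCHAIN", ...)`. `notarytool submit --wait` is invoked without a `--timeout`, so a stalled notarization service holds the job until the runner's own limit; notarytool accepts a `--timeout` duration for exactly that case. The comment above the `spctl` call, "should be in-progress atm and this != 0", is now stale because `--wait` returns only after notarization has finished, and the assessment's exit status is still discarded by `subprocess.call`, so a failed assessment never surfaces. The password passed via `-p` on the `security` command line is also visible in the runner's process list, which is tolerable on an ephemeral CI host but worth a one-line comment stating that assumption. The enclosing notarize_macos_build body starts outside the hunk.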
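Review bot: `KEYCHAIN_PASSWORD: mysecretpassword` is a literal in the job-level `env`, so the password that unlocks the keychain holding the signing key and the notarytool credentials is committed to the repository and inherited by every step of the job, including third-party actions such as the checkout step. The same literal was already hard-coded in the old run script, so this is not new exposure, but lifting it into a variable is the moment to take it from a secret (for example `KEYCHAIN_PASSWORD: ${{ secrets.BUILD_KEYCHAIN_PASSWORD }}` with a secret name of your choosing — placeholder) or to generate a per-run value in the setup step and export it through `$GITHUB_ENV`. Either way the variable should be scoped to the steps that call `security`, not the whole job.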
@@ -210,16 +210,21 @@ jobs:
 shell: bash
 run: |
 echo "${{ secrets.APPLE_SIGNING_CERTIFICATE }}" | base64 --decode -o $CERTIFICATE
- security create-keychain -p mysecretpassword $KEYCHAIN
+ security create-keychain -p $KEYCHAIN_PASSWORD $KEYCHAIN
 security default-keychain -s $KEYCHAIN
 security set-keychain-settings $KEYCHAIN
- security unlock-keychain -p mysecretpassword $KEYCHAIN
+ security unlock-keychain -p $KEYCHAIN_PASSWORD $KEYCHAIN
 security import $CERTIFICATE -k $KEYCHAIN -P "${{ secrets.APPLE_SIGNING_P12_PASSWORD }}" -A -T "/usr/bin/codesign"
 rm $CERTIFICATE
- security set-key-partition-list -S apple-tool:,apple: -s -k mysecretpassword $KEYCHAIN
+ security set-key-partition-list -S apple-tool:,apple: -s -k $KEYCHAIN_PASSWORD $KEYCHAIN
 security find-identity -v $KEYCHAIN
- sudo sntp -sS -t 60 time4.google.com || true
- xcrun altool --keychain $KEYCHAIN --store-password-in-keychain-item "ALTOOL_PASSWORD" -u "$ALTOOL_USERNAME" -p "${{ secrets.APPLE_SIGNING_ALTOOL_PASSWORD }}"
+ xcrun notarytool store-credentials \
+ --apple-id "${{ secrets.APPLE_SIGNING_ALTOOL_USERNAME }}" \
+ --password "${{ secrets.APPLE_SIGNING_ALTOOL_PASSWORD }}" \
+ --team-id "${{ secrets.APPLE_SIGNING_TEAM }}" \
+ --validate \
+ --keychain $KEYCHAIN \
+ $KEYCHAIN_PROFILE
 - name: Ensure base deps
 shell: bash
 run: |
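Review bot: The new `xcrun notarytool store-credentials` call interpolates `secrets.APPLE_SIGNING_ALTOOL_USERNAME`, `secrets.APPLE_SIGNING_ALTOOL_PASSWORD` and `secrets.APPLE_SIGNING_TEAM` with `${{ }}` straight into the script text, so the secret values are substituted before bash parses the line (a value containing `"` or `$` breaks the quoting) and also appear as argv of the process; the removed `altool` line had the same shape, but since the call is being rewritten it costs little to pass them through a step-level `env:` and reference `"$APPLE_ID"`, `"$APP_PASSWORD"` and `"$TEAM_ID"` instead. `$KEYCHAIN`, `$KEYCHAIN_PASSWORD` and `$KEYCHAIN_PROFILE` are unquoted on every new line; `"$KEYCHAIN"` and friends are harmless for the current values and survive a path with whitespace. The step's `shell: bash` / `run: |` header and the following step are context lines, so the exact key layout below is inferred.
```yaml
      env:
        APPLE_ID: ${{ secrets.APPLE_SIGNING_ALTOOL_USERNAME }}
        APP_PASSWORD: ${{ secrets.APPLE_SIGNING_ALTOOL_PASSWORD }}
        TEAM_ID: ${{ secrets.APPLE_SIGNING_TEAM }}
      run: |
        # … unchanged: certificate decode and keychain setup …
        xcrun notarytool store-credentials \
          --apple-id "$APPLE_ID" \
          --password "$APP_PASSWORD" \
          --team-id "$TEAM_ID" \
          --validate \
          --keychain "$KEYCHAIN" \
          "$KEYCHAIN_PROFILE"
```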