smallsolar
/
kiwix-build
mirror of https://github.com/kiwix/kiwix-build.git
1
0
Fork 0
Code Issues Packages Projects Releases Wiki Activity

Merge pull request #541 from kiwix/notarytool 

Use notarytool to notarize on macOS
This commit is contained in:
Matthieu Gautier 2022-09-07 17:40:46 +02:00 committed by GitHub
parent a8c769ddff fe92fc5080
commit a943388b41
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
2 changed files with 45 additions and 19 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

45
.github/scripts/common.py vendored
View File

@ -487,11 +487,10 @@ def notarize_macos_build(project):
""" sign and notarize files for macOS """ sign and notarize files for macOS
Expects the following environment: Expects the following environment:
- Imported Mac/Apple Distribution certificate (with private key) in Keychain
- `SIGNING_IDENTITY` environ with Certificate name/identity - `SIGNING_IDENTITY` environ with Certificate name/identity
- `ALTOOL_USERNAME` with Apple ID of an account with perms on the certificate - `KEYCHAIN` environ with path to the keychain storing credentials
- Keychain entry `ALTOOL_PASSWORD` with an app-specific password for the account - `KEYCHAIN_PROFILE` environ with name of the profile in that keychain
- `ASC_PROVIDER` environ with Team ID - `KEYCHAIN_PASSWORD` environ with password to unlock the keychain
""" """
if project != "libzim": if project != "libzim":
return return
@ -519,13 +518,35 @@ def notarize_macos_build(project):
+ [str(f) for f in filepaths] + [zip_name], + [str(f) for f in filepaths] + [zip_name],
env=os.environ) env=os.environ)
subprocess.check_call(["/usr/bin/xcrun", "altool", "--notarize-app", # make sure keychain is unlocked
"--file", str(zip_name), subprocess.check_call(
"--primary-bundle-id", "org.kiwix.build.{}".format(project), [
"--username", os.getenv("ALTOOL_USERNAME", "missing"), "/usr/bin/security",
"--password", "@keychain:ALTOOL_PASSWORD", "unlock-keychain",
"--asc-provider", os.getenv("ASC_PROVIDER")], env=os.environ) "-p",
os.getenv("KEYCHAIN_PASSWORD", "no-keychain-password"),
os.getenv("KEYCHAIN", "no-keychain-path"),
],
env=os.environ,
)
subprocess.check_call(
[
"/usr/bin/xcrun",
"notarytool",
"submit",
"--keychain",
os.getenv("KEYCHAIN", "no-keychain-path"),
"--keychain-profile",
os.getenv("KEYCHAIN_PROFILE", "no-keychain-profile"),
"--wait",
str(zip_name),
],
env=os.environ,
)
# check notarization of a file (should be in-progress atm and this != 0) # check notarization of a file (should be in-progress atm and this != 0)
subprocess.call(["/usr/sbin/spctl", "-a", "-v", "-t", "install", subprocess.call(
filepaths[-1]], env=os.environ) ["/usr/sbin/spctl", "--assess", "-vv", "--type", "install", filepaths[-1]],
env=os.environ,
)

19
.github/workflows/releaseNigthly.yml vendored
View File

@ -184,9 +184,9 @@ jobs:
OS_NAME: osx OS_NAME: osx
CERTIFICATE: /tmp/wmch-devid.p12 CERTIFICATE: /tmp/wmch-devid.p12
SIGNING_IDENTITY: ${{ secrets.APPLE_SIGNING_IDENTITY }} SIGNING_IDENTITY: ${{ secrets.APPLE_SIGNING_IDENTITY }}
ALTOOL_USERNAME: ${{ secrets.APPLE_SIGNING_ALTOOL_USERNAME }}
ASC_PROVIDER: ${{ secrets.APPLE_SIGNING_TEAM }}
KEYCHAIN: /Users/runner/build.keychain-db KEYCHAIN: /Users/runner/build.keychain-db
KEYCHAIN_PASSWORD: mysecretpassword
KEYCHAIN_PROFILE: build-profile
steps: steps:
- name: Checkout code - name: Checkout code
uses: actions/checkout@v1 uses: actions/checkout@v1
@ -210,16 +210,21 @@ jobs:
shell: bash shell: bash
run: | run: |
echo "${{ secrets.APPLE_SIGNING_CERTIFICATE }}" | base64 --decode -o $CERTIFICATE echo "${{ secrets.APPLE_SIGNING_CERTIFICATE }}" | base64 --decode -o $CERTIFICATE
security create-keychain -p mysecretpassword $KEYCHAIN security create-keychain -p $KEYCHAIN_PASSWORD $KEYCHAIN
security default-keychain -s $KEYCHAIN security default-keychain -s $KEYCHAIN
security set-keychain-settings $KEYCHAIN security set-keychain-settings $KEYCHAIN
security unlock-keychain -p mysecretpassword $KEYCHAIN security unlock-keychain -p $KEYCHAIN_PASSWORD $KEYCHAIN
security import $CERTIFICATE -k $KEYCHAIN -P "${{ secrets.APPLE_SIGNING_P12_PASSWORD }}" -A -T "/usr/bin/codesign" security import $CERTIFICATE -k $KEYCHAIN -P "${{ secrets.APPLE_SIGNING_P12_PASSWORD }}" -A -T "/usr/bin/codesign"
rm $CERTIFICATE rm $CERTIFICATE
security set-key-partition-list -S apple-tool:,apple: -s -k mysecretpassword $KEYCHAIN security set-key-partition-list -S apple-tool:,apple: -s -k $KEYCHAIN_PASSWORD $KEYCHAIN
security find-identity -v $KEYCHAIN security find-identity -v $KEYCHAIN
sudo sntp -sS -t 60 time4.google.com || true xcrun notarytool store-credentials \
xcrun altool --keychain $KEYCHAIN --store-password-in-keychain-item "ALTOOL_PASSWORD" -u "$ALTOOL_USERNAME" -p "${{ secrets.APPLE_SIGNING_ALTOOL_PASSWORD }}" --apple-id "${{ secrets.APPLE_SIGNING_ALTOOL_USERNAME }}" \
--password "${{ secrets.APPLE_SIGNING_ALTOOL_PASSWORD }}" \
--team-id "${{ secrets.APPLE_SIGNING_TEAM }}" \
--validate \
--keychain $KEYCHAIN \
$KEYCHAIN_PROFILE
- name: Ensure base deps - name: Ensure base deps
shell: bash shell: bash
run: | run: |