Merge pull request #541 from kiwix/notarytool

Use notarytool to notarize on macOS
2022-09-07 17:40:46 +02:00 · 2022-09-07 17:40:46 +02:00 · a943388b41
parent a8c769ddff fe92fc5080
commit a943388b41
2 changed files with 45 additions and 19 deletions
--- a/.github/scripts/common.py
+++ b/.github/scripts/common.py
@ -487,11 +487,10 @@ def notarize_macos_build(project):
    """ sign and notarize files for macOS

        Expects the following environment:
-        - Imported Mac/Apple Distribution certificate (with private key) in Keychain
        - `SIGNING_IDENTITY` environ with Certificate name/identity
-        - `ALTOOL_USERNAME` with Apple ID of an account with perms on the certificate
-        - Keychain entry `ALTOOL_PASSWORD` with an app-specific password for the account
-        - `ASC_PROVIDER` environ with Team ID
+        - `KEYCHAIN` environ with path to the keychain storing credentials
+        - `KEYCHAIN_PROFILE` environ with name of the profile in that keychain
+        - `KEYCHAIN_PASSWORD` environ with password to unlock the keychain
        """
    if project != "libzim":
        return
@ -519,13 +518,35 @@ def notarize_macos_build(project):
        + [str(f) for f in filepaths] + [zip_name],
        env=os.environ)

-    subprocess.check_call(["/usr/bin/xcrun", "altool", "--notarize-app",
-                           "--file", str(zip_name),
-                           "--primary-bundle-id", "org.kiwix.build.{}".format(project),
-                           "--username", os.getenv("ALTOOL_USERNAME", "missing"),
-                           "--password", "@keychain:ALTOOL_PASSWORD",
-                           "--asc-provider", os.getenv("ASC_PROVIDER")], env=os.environ)
+    # make sure keychain is unlocked
+    subprocess.check_call(
+        [
+            "/usr/bin/security",
+            "unlock-keychain",
+            "-p",
+            os.getenv("KEYCHAIN_PASSWORD", "no-keychain-password"),
+            os.getenv("KEYCHAIN", "no-keychain-path"),
+        ],
+        env=os.environ,
+    )
+
+    subprocess.check_call(
+        [
+            "/usr/bin/xcrun",
+            "notarytool",
+            "submit",
+            "--keychain",
+            os.getenv("KEYCHAIN", "no-keychain-path"),
+            "--keychain-profile",
+            os.getenv("KEYCHAIN_PROFILE", "no-keychain-profile"),
+            "--wait",
+            str(zip_name),
+        ],
+        env=os.environ,
+    )

    # check notarization of a file (should be in-progress atm and this != 0)
-    subprocess.call(["/usr/sbin/spctl", "-a", "-v", "-t", "install",
-                    filepaths[-1]], env=os.environ)
+    subprocess.call(
+        ["/usr/sbin/spctl", "--assess", "-vv", "--type", "install", filepaths[-1]],
+        env=os.environ,
+    )
--- a/.github/workflows/releaseNigthly.yml
+++ b/.github/workflows/releaseNigthly.yml
@ -184,9 +184,9 @@ jobs:
      OS_NAME: osx
      CERTIFICATE: /tmp/wmch-devid.p12
      SIGNING_IDENTITY: ${{ secrets.APPLE_SIGNING_IDENTITY }}
-      ALTOOL_USERNAME: ${{ secrets.APPLE_SIGNING_ALTOOL_USERNAME }}
-      ASC_PROVIDER: ${{ secrets.APPLE_SIGNING_TEAM }}
      KEYCHAIN: /Users/runner/build.keychain-db
+      KEYCHAIN_PASSWORD: mysecretpassword
+      KEYCHAIN_PROFILE: build-profile
    steps:
    - name: Checkout code
      uses: actions/checkout@v1
@ -210,16 +210,21 @@ jobs:
      shell: bash
      run: |
        echo "${{ secrets.APPLE_SIGNING_CERTIFICATE }}" | base64 --decode -o $CERTIFICATE
-        security create-keychain -p mysecretpassword $KEYCHAIN
+        security create-keychain -p $KEYCHAIN_PASSWORD $KEYCHAIN
        security default-keychain -s $KEYCHAIN
        security set-keychain-settings $KEYCHAIN
-        security unlock-keychain -p mysecretpassword $KEYCHAIN
+        security unlock-keychain -p $KEYCHAIN_PASSWORD $KEYCHAIN
        security import $CERTIFICATE -k $KEYCHAIN -P "${{ secrets.APPLE_SIGNING_P12_PASSWORD }}" -A -T "/usr/bin/codesign"
        rm $CERTIFICATE
-        security set-key-partition-list -S apple-tool:,apple: -s -k mysecretpassword $KEYCHAIN
+        security set-key-partition-list -S apple-tool:,apple: -s -k $KEYCHAIN_PASSWORD $KEYCHAIN
        security find-identity -v $KEYCHAIN
-        sudo sntp -sS -t 60 time4.google.com || true
-        xcrun altool --keychain $KEYCHAIN --store-password-in-keychain-item "ALTOOL_PASSWORD" -u "$ALTOOL_USERNAME" -p "${{ secrets.APPLE_SIGNING_ALTOOL_PASSWORD }}"
+        xcrun notarytool store-credentials \
+            --apple-id "${{ secrets.APPLE_SIGNING_ALTOOL_USERNAME }}" \
+            --password "${{ secrets.APPLE_SIGNING_ALTOOL_PASSWORD }}" \
+            --team-id "${{ secrets.APPLE_SIGNING_TEAM }}" \
+            --validate \
+            --keychain $KEYCHAIN \
+            $KEYCHAIN_PROFILE
    - name: Ensure base deps
      shell: bash
      run: |