mac: enable running on 10.15+ with default security settings

this is signing and notarizing as part of qmake if qmake step is with CONFIG+=macSign
FashionFreedom · Jan 28, 2023 · f933e5a · f933e5a
1 parent c892334
commit f933e5a
Show file tree

Hide file tree

Showing 7 changed files with 100 additions and 54 deletions.
diff --git a/.github/README-DEVELOPER.md b/.github/README-DEVELOPER.md
@@ -71,6 +71,11 @@ ___________________________________________________
     * Read about Qt for Windows [here](https://doc.qt.io/qt-5/windows.html).
     * Add Qt and QtCreator directories to the Windows PATH environment variable through Control Panel:  
       `[Control Panel | System And Security | System | Advanced Tab | Environment Variables button]`
+3. Mac only for signing and notarizing:
+    * Enable signing and notarizing at qmake step:
+      ```
+      qmake Seamly2D.pro CONFIG+=macSign
+      ```
 4. Both MacOS and Windows: 
     * Build the Seamly2D project
       * To build with Qt's *QtCreator* IDE:

diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml
@@ -128,9 +128,37 @@ jobs:
         run: |
           ./scripts/version.sh ${VERSION_NUMBER}
 
+      - name: setup signing and notarization
+        env:
+          KEYCHAIN_FILE: ~/seamly2d.keychain
+          APPLE_SIGN_IDENTITY: ${{ secrets.apple_sign_identity }}
+        if: ${{ env.APPLE_SIGN_IDENTITY }}
+        run: |
+          security create-keychain -p ${{ secrets.apple_keychain_password }} $KEYCHAIN_FILE
+          security unlock-keychain -p ${{ secrets.apple_keychain_password }} $KEYCHAIN_FILE
+          security set-keychain-settings $KEYCHAIN_FILE
+          security list-keychains -d user -s $KEYCHAIN_FILE
+          echo '${{ secrets.apple_sign_certificate }}' | base64 -d -o ~/seamly2d.p12
+          security import ~/seamly2d.p12 -k $KEYCHAIN_FILE -T /usr/bin/codesign -P ${{ secrets.apple_sign_certificate_password }}
+          security set-key-partition-list -S apple-tool:,apple: -s -k ${{ secrets.apple_keychain_password }} $KEYCHAIN_FILE
+          echo "APPLE_SIGN_IDENTITY=${{ secrets.apple_sign_identity }}" >> $GITHUB_ENV
+
+          mkdir -p ~/private_keys/
+          echo '${{ secrets.apple_notarize_key_content }}' > ~/private_keys/AuthKey_${{ secrets.apple_notarize_key_id }}.p8
+          echo "APPLE_NOTARIZE_KEY=~/private_keys/AuthKey_${{ secrets.apple_notarize_key_id }}.p8" >> $GITHUB_ENV
+          echo "APPLE_NOTARIZE_KEY_ID=${{ secrets.apple_notarize_key_id }}" >> $GITHUB_ENV
+          echo "APPLE_NOTARIZE_ISSUER_ID=${{ secrets.apple_notarize_issuer_id }}" >> $GITHUB_ENV
+
       - name: make Seamly2D for macos
+        env:
+          APPLE_SIGN_IDENTITY: ${{ secrets.apple_sign_identity }}
         run: |
-          qmake Seamly2D.pro -config release CONFIG+=noTests
+          # run signing part if secrets are available (main builds), otherwise (3rd party PRs etc) skip
+          if [ -n "$APPLE_SIGN_IDENTITY" ] ; then
+            qmake Seamly2D.pro -config release CONFIG+=noTests CONFIG+=macSign
+          else
+            qmake Seamly2D.pro -config release CONFIG+=noTests
+          fi
           make -j$(sysctl -n hw.logicalcpu)
 
       - uses: actions/upload-artifact@v3

diff --git a/out/out.pro b/out/out.pro
@@ -1,12 +1,29 @@
 TEMPLATE = aux
 
 macx{
+    APPLE_SIGN_IDENTITY = $$shell_quote($(APPLE_SIGN_IDENTITY))
+    APPLE_NOTARIZE_KEY = $(APPLE_NOTARIZE_KEY)
+    APPLE_NOTARIZE_KEY_ID = $(APPLE_NOTARIZE_KEY_ID)
+    APPLE_NOTARIZE_ISSUER_ID = $(APPLE_NOTARIZE_ISSUER_ID)
+
     seamly2ddmg.target = Seamly2D.dmg
     seamly2ddmg.commands = hdiutil create -fs HFS+ -srcfolder $${OUT_PWD}/../src/app/seamly2d/bin/Seamly2D.app -volname "Seamly2D" $$seamly2ddmg.target
 
+    macSign {
+        seamly2ddmg.commands += && codesign --options runtime --timestamp -s $${APPLE_SIGN_IDENTITY} $$seamly2ddmg.target
+        seamly2ddmg.commands += && xcrun notarytool submit --key $${APPLE_NOTARIZE_KEY} --key-id $${APPLE_NOTARIZE_KEY_ID} --issuer $${APPLE_NOTARIZE_ISSUER_ID} --wait $$seamly2ddmg.target
+        seamly2ddmg.commands += && xcrun stapler staple -v $$seamly2ddmg.target
+    }
+
     seamlymedmg.target = SeamlyME.dmg
     seamlymedmg.commands = hdiutil create -fs HFS+ -srcfolder $${OUT_PWD}/../src/app/seamlyme/bin/seamlyme.app -volname "SeamlyME" $$seamlymedmg.target
 
+    macSign {
+        seamlymedmg.commands += && codesign --options runtime --timestamp -s $${APPLE_SIGN_IDENTITY} $$seamlymedmg.target
+        seamlymedmg.commands += && xcrun notarytool submit --key $${APPLE_NOTARIZE_KEY} --key-id $${APPLE_NOTARIZE_KEY_ID} --issuer $${APPLE_NOTARIZE_ISSUER_ID} --wait $$seamlymedmg.target
+        seamlymedmg.commands += && xcrun stapler staple -v $$seamlymedmg.target
+    }
+
     TARGET = Seamly2D-macos.zip
     first.commands = zip Seamly2D-macos.zip Seamly2D.dmg SeamlyME.dmg
     first.depends = seamly2ddmg seamlymedmg

diff --git a/scripts/sign_mac_bundle.sh b/scripts/sign_mac_bundle.sh
diff --git a/src/app/seamly2d/seamly2d.pro b/src/app/seamly2d/seamly2d.pro
@@ -78,7 +78,7 @@ message(seamly2d.pro: Examples: $$[QT_INSTALL_EXAMPLES])
 # Path to resource file.
 win32:RC_FILE = share/resources/seamly2d.rc
 
-# INSTALL_MULTISIZE_MEASUREMENTS and INSTALL_STANDARD_TEMPLATES inside tables.pri
+# INSTALL_MULTISIZE_MEASUREMENTS and INSTALL_STANDARD_TEMPLATES and INSTALL_LABEL_TEMPLATES inside tables.pri
 include(../tables.pri)
 
 win32 {
@@ -146,14 +146,15 @@ unix{
         # Path to resources in app bundle
         FRAMEWORKS_DIR = "Contents/Frameworks"
         MACOS_DIR = "Contents/MacOS"
+        RESOURCES_DIR = "Contents/Resources"
         # On macx we will use app bundle. Bundle doesn't need bin directory inside.
         # See issue #166: Creating OSX Homebrew (Mac OS X package manager) formula.
         target.path = $$MACOS_DIR
 
         #languages added inside translations.pri
 
         seamlyme.path = $$MACOS_DIR
-        seamlyme.files += $${OUT_PWD}/../seamlyme/$${DESTDIR}/seamlyme.app/$$MACOS_DIR/seamlyme
+        seamlyme.files += $${OUT_PWD}/../seamlyme/$${DESTDIR}/seamlyme.app/$${MACOS_DIR}/seamlyme
 
         # Utility pdftops need for saving a layout image to PS and EPS formats.
         xpdf.path = $$MACOS_DIR
@@ -162,22 +163,21 @@ unix{
         # logo on macx.
         ICON = ../../../dist/Seamly2D.icns
 
-        QMAKE_INFO_PLIST = $$PWD/../../../dist/macx/seamly2d/Info.plist
+        QMAKE_INFO_PLIST = $${PWD}/../../../dist/macx/seamly2d/Info.plist
 
         # Copy to bundle multisize measurements files
-        multisize.path = $$RESOURCES_DIR/tables/multisize/
+        multisize.path = $${RESOURCES_DIR}/tables/multisize
         multisize.files = $$INSTALL_MULTISIZE_MEASUREMENTS
 
         # Copy to bundle templates files
-        templates.path = $$RESOURCES_DIR/tables/templates/
+        templates.path = $${RESOURCES_DIR}/tables/templates
         templates.files = $$INSTALL_STANDARD_TEMPLATES
 
         # Path to label templates after installation
-        label.path = $$RESOURCES_DIR/labels/
-        #label.path = /usr/share/$${TARGET}/labels/
+        label.path = $${RESOURCES_DIR}/labels
         label.files = $$INSTALL_LABEL_TEMPLATES
 
-        icns_resources.path = $$RESOURCES_DIR/
+        icns_resources.path = $${RESOURCES_DIR}
         icns_resources.files += $$PWD/../../../dist/macx/i-measurements.icns
         icns_resources.files += $$PWD/../../../dist/macx/s-measurements.icns
         icns_resources.files += $$PWD/../../../dist/macx/pattern.icns
@@ -330,8 +330,19 @@ win32:!win32-g++: PRE_TARGETDEPS += $$OUT_PWD/../../libs/vpropertyexplorer/$${DE
 else:unix|win32-g++: PRE_TARGETDEPS += $$OUT_PWD/../../libs/vpropertyexplorer/$${DESTDIR}/libvpropertyexplorer.a
 
 macx{
-   # run macdeployqt to include all qt libraries in packet
-   QMAKE_POST_LINK += $$[QT_INSTALL_BINS]/macdeployqt $${OUT_PWD}/$${DESTDIR}/$${TARGET}.app
+    APPLE_SIGN_IDENTITY_UNQUOTED = $(APPLE_SIGN_IDENTITY)
+    APPLE_SIGN_IDENTITY = $$shell_quote($(APPLE_SIGN_IDENTITY))
+
+    !macSign {
+        # run macdeployqt to include all qt libraries in packet
+        QMAKE_POST_LINK += $$[QT_INSTALL_BINS]/macdeployqt $${OUT_PWD}/$${DESTDIR}/$${TARGET}.app
+    } else {
+        # we need to manually sign with codesign --deep as pdftops otherwise will not get signed by macdeployqt
+        # we need --force as seamlyme is already signed, but we need to resign it
+        QMAKE_POST_LINK += $$[QT_INSTALL_BINS]/macdeployqt $${OUT_PWD}/$${DESTDIR}/$${TARGET}.app &&
+        QMAKE_POST_LINK += codesign --deep --timestamp --options runtime --force -s $${APPLE_SIGN_IDENTITY} $${OUT_PWD}/$${DESTDIR}/$${TARGET}.app &&
+        QMAKE_POST_LINK += codesign --verify $${OUT_PWD}/$${DESTDIR}/$${TARGET}.app
+    }
 }
 
 win32{

diff --git a/src/app/seamlyme/seamlyme.pro b/src/app/seamlyme/seamlyme.pro
@@ -38,9 +38,12 @@ RESOURCES += \
     share/resources/seamlymeicon.qrc \
     share/resources/diagrams.qrc
 
-# INSTALL_MULTISIZE_MEASUREMENTS and INSTALL_STANDARD_TEMPLATES inside tables.pri
+# INSTALL_MULTISIZE_MEASUREMENTS and INSTALL_STANDARD_TEMPLATES and INSTALL_LABEL_TEMPLATES inside tables.pri
 include(../tables.pri)
-copyToDestdir($$INSTALL_STANDARD_TEMPLATES, $$shell_path($${OUT_PWD}/$${DESTDIR}/tables/templates))
+
+win32 {
+    copyToDestdir($$INSTALL_STANDARD_TEMPLATES, $$shell_path($${OUT_PWD}/$${DESTDIR}/tables/templates))
+}
 
 include(../translations.pri)
 
@@ -68,26 +71,27 @@ unix{
         # Path to resources in app bundle
         FRAMEWORKS_DIR = "Contents/Frameworks"
         MACOS_DIR = "Contents/MacOS"
+        RESOURCES_DIR = "Contents/Resources"
         # On macx we will use app bundle. Bundle doesn't need bin directory inside.
         # See issue #166: Creating OSX Homebrew (Mac OS X package manager) formula.
         target.path = $$MACOS_DIR
 
         #languages added inside translations.pri
 
         # logo on macx.
-        ICON = $$PWD/../../../dist/SeamlyMe.icns
+        ICON = $${PWD}/../../../dist/SeamlyMe.icns
 
-        QMAKE_INFO_PLIST = $$PWD/../../../dist/macx/seamlyme/Info.plist
+        QMAKE_INFO_PLIST = $${PWD}/../../../dist/macx/seamlyme/Info.plist
 
         # Copy to bundle multisize measurements files
-        multisize.path = $$RESOURCES_DIR/tables/multisize/
+        multisize.path = $${RESOURCES_DIR}/tables/multisize
         multisize.files = $$INSTALL_MULTISIZE_MEASUREMENTS
 
         # Copy to bundle templates files
-        templates.path = $$RESOURCES_DIR/tables/templates/
+        templates.path = $${RESOURCES_DIR}/tables/templates
         templates.files = $$INSTALL_STANDARD_TEMPLATES
 
-        format.path = $$RESOURCES_DIR/
+        format.path = $${RESOURCES_DIR}
         format.files += $$PWD/../../../dist/macx/i-measurements.icns
         format.files += $$PWD/../../../dist/macx/s-measurements.icns
 
@@ -227,8 +231,14 @@ win32:!win32-g++: PRE_TARGETDEPS += $$OUT_PWD/../../libs/vpropertyexplorer/$${DE
 else:unix|win32-g++: PRE_TARGETDEPS += $$OUT_PWD/../../libs/vpropertyexplorer/$${DESTDIR}/libvpropertyexplorer.a
 
 macx{
-   # run macdeployqt to include all qt libraries in packet
-   QMAKE_POST_LINK += $$[QT_INSTALL_BINS]/macdeployqt $${OUT_PWD}/$${DESTDIR}/$${TARGET}.app
+    APPLE_SIGN_IDENTITY = $$shell_quote($(APPLE_SIGN_IDENTITY))
+
+    QMAKE_POST_LINK += $$[QT_INSTALL_BINS]/macdeployqt $${OUT_PWD}/$${DESTDIR}/$${TARGET}.app
+
+    macSign {
+        QMAKE_POST_LINK += && codesign --deep --timestamp --options runtime -s $${APPLE_SIGN_IDENTITY} $${OUT_PWD}/$${DESTDIR}/$${TARGET}.app
+        QMAKE_POST_LINK += && codesign --verify $${OUT_PWD}/$${DESTDIR}/$${TARGET}.app
+    }
 }
 
 win32{

diff --git a/src/app/tables.pri b/src/app/tables.pri
@@ -1,14 +1,16 @@
 # Keep path to all files with multisize measurements we support right now
-INSTALL_MULTISIZE_MEASUREMENTS += $$PWD/share/tables/multisize/GOST_man_ru.vst
+INSTALL_MULTISIZE_MEASUREMENTS += $${PWD}/share/tables/multisize/GOST_man_ru.vst
 
 # Keep path to all template files we have right now
 INSTALL_STANDARD_TEMPLATES += \
-    $$PWD/share/tables/templates/template_all_measurements.vit \
-    $$PWD/share/tables/templates/t_Aldrich_Women.vit
+    $${PWD}/share/tables/templates/template_all_measurements.vit \
+    $${PWD}/share/tables/templates/t_Aldrich_Women.vit
 
 # Keep path to all label templates we provide right now
-INSTALL_LABEL_TEMPLATES += $$PWD/share/labels/def_pattern_label.xml \
-                           $$PWD/share/labels/def_piece_label.xml
+INSTALL_LABEL_TEMPLATES += $${PWD}/share/labels/def_pattern_label.xml \
+                           $${PWD}/share/labels/def_piece_label.xml
 
-copyToDestdir($$INSTALL_MULTISIZE_MEASUREMENTS, $$shell_path($${OUT_PWD}/$$DESTDIR/tables/multisize))
-copyToDestdir($$INSTALL_LABEL_TEMPLATES, $$shell_path($${OUT_PWD}/$$DESTDIR/labels))
+win32 {
+    copyToDestdir($$INSTALL_MULTISIZE_MEASUREMENTS, $$shell_path($${OUT_PWD}/$$DESTDIR/tables/multisize))
+    copyToDestdir($$INSTALL_LABEL_TEMPLATES, $$shell_path($${OUT_PWD}/$$DESTDIR/labels))
+}