Notarize

opengisch · Jan 11, 2025 · c93de4c · c93de4c
1 parent cd6658a
commit c93de4c
Show file tree

Hide file tree

Showing 2 changed files with 76 additions and 43 deletions.
diff --git a/.github/workflows/macos.yml b/.github/workflows/macos.yml
@@ -55,26 +55,12 @@ jobs:
         with:
           ssh-private-key: ${{ secrets.SSH_KEY_DEPLOYMENT_CERTIFICATES }}
 
-      - name: 💎 Setup ruby
-        uses: ruby/setup-ruby@v1
-        with:
-          ruby-version: '3.2' # Not needed with a .ruby-version file
-          bundler-cache: true # runs 'bundle install' and caches installed gems automatically
-
-      - name: 🔏 Setup code signing
-        if: ${{ env.SENTRY_AUTH_TOKEN != '' }}
-        env:
-          MATCH_PASSWORD: ${{ secrets.MATCH_PASSWORD }}
-        run: |
-          bundle install
-          bundle exec fastlane ios setup_signing type:development app_identifier:ch.opengis.qfield #  --verbose
-
       - name: 🐩 Install CMake and Ninja
         uses: lukka/get-cmake@latest
 
       - name: 🔨 Prepare build env
         run: |
-          brew install automake bison flex gnu-sed create-dmg autoconf-archive nasm libtool xcbeautify
+          brew install automake bison flex gnu-sed autoconf-archive nasm libtool xcbeautify
           echo $(brew --prefix bison)/bin >> $GITHUB_PATH
           echo $(brew --prefix flex)/bin >> $GITHUB_PATH
           echo $(brew --prefix libtool)/bin >> $GITHUB_PATH
@@ -157,15 +143,6 @@ jobs:
           name: "test-report-${{ matrix.triplet }}-${{ env.BUILD_TYPE }}"
           path: "${{ env.CMAKE_BUILD_DIR }}/report"
 
-      - name: 🚀 Upload release asset
-        if: github.event_name == 'release' && startsWith(github.ref, 'refs/tags/v') && env.ARTIFACT_NAME != null
-        uses: shogo82148/actions-upload-release-asset@v1
-        with:
-          upload_url: ${{ github.event.release.upload_url }}
-          asset_path: ${{ env.ARTIFACT_PATHNAME }}
-          asset_name: ${{ env.ARTIFACT_NAME }}
-          overwrite: true
-
       - name: 📑 Upload logs
         uses: actions/upload-artifact@v4
         if: failure()
@@ -174,6 +151,12 @@ jobs:
           path: |
             ${{ env.CMAKE_BUILD_DIR }}/**/*.log
 
+      - name: 💎 Setup ruby
+        uses: ruby/setup-ruby@v1
+        with:
+          ruby-version: '3.2' # Not needed with a .ruby-version file
+          bundler-cache: true # runs 'bundle install' and caches installed gems automatically
+
       - name: 📮 Upload debug symbols
         if: ${{ env.SENTRY_AUTH_TOKEN != '' }}
         # if: release or labeled PR
@@ -208,22 +191,19 @@ jobs:
           wget https://raw.githubusercontent.com/faaxm/lipo-dir-merge/refs/heads/main/lipo-dir-merge.py
           python lipo-dir-merge.py ./artifacts/qfield-app-x64-osx ./artifacts/qfield-app-arm64-osx universal
 
-          brew install tree
-          tree universal
-
       - name: Create dmg
         run: |
-          create-dmg --volname "QField Installer" \
-            --hide-extension QField.app \
-            --volicon "$(pwd)/platform/macos/installer.icns" \
-            --background "$(pwd)/platform/macos/installer_background.png" \
-            --window-pos 200 120 \
-            --window-size 512 320 \
-            --icon-size 100 \
-            --icon "QField.app" 130 160 \
-            --app-drop-link 400 155 \
-            "QField Installer.dmg" \
-            universal/usr/local/bin/qfield.app
+          export APP_PATH=$(pwd)/universal/usr/local/bin/qfield.app
+          export DMG_PATH=qfield.dmg
+          echo "${{ secrets.APPLE_DEVELOPER_ID_P12_BASE64 }}" | base64 --decode > cert.p12
+          export P12_PATH=cert.p12
+          export P12_PASSWORD=${{ secrets.APPLE_DEVELOPER_ID_P12_PASSWORD }}
+          export API_KEY_ID=${{ secrets.IOS_APPSTORE_KEY_ID }}
+          export API_KEY_ISSUER_ID=${{ secrets.IOS_APPSTORE_ISSUER_ID }}
+          echo "${{ secrets.IOS_APPSTORE_PRIVATE_KEY }}" > authkey.p8
+          export API_KEY_PATH=authkey.p8
+
+          ./platform/macos/notarize.sh
 
       - name: 📤 Upload app
         uses: actions/upload-artifact@v4
@@ -233,9 +213,11 @@ jobs:
           path: |
             *.dmg
 
-      - name: Upload release assets
-        uses: AButler/upload-release[email protected]
-        if: ${{ github.event_name == 'release' }}
+      - name: 🚀 Upload release asset
+        if: github.event_name == 'release' && startsWith(github.ref, 'refs/tags/v')
+        uses: shogo82148/actions-upload-release-asset@v1
         with:
-          files: '*.dmg'
-          repo-token: ${{ secrets.GITHUB_TOKEN }}
+          upload_url: ${{ github.event.release.upload_url }}
+          asset_path: "qfield.dmg"
+          asset_name: qfield-${{ github.ref_name }}-macos.dmg
+          overwrite: true
diff --git a/platform/macos/notarize.sh b/platform/macos/notarize.sh
@@ -0,0 +1,51 @@
+#!/bin/bash
+set -euo pipefail
+
+# Required environment variables:
+# APP_PATH: Path to your .app bundle
+# DMG_PATH: Path to your .dmg file
+# P12_PATH: Path to your .p12 certificate file
+# P12_PASSWORD: Password for the .p12 file
+# API_KEY_ID: App Store Connect API Key ID
+# API_KEY_ISSUER_ID: App Store Connect API Key Issuer ID
+# API_KEY_PATH: Path to the API key file (.p8)
+
+# Create temporary keychain
+KEYCHAIN_NAME="notary-keychain"
+KEYCHAIN_PASSWORD="temp-password"
+security create-keychain -p "$KEYCHAIN_PASSWORD" "$KEYCHAIN_NAME"
+security unlock-keychain -p "$KEYCHAIN_PASSWORD" "$KEYCHAIN_NAME"
+security import "$P12_PATH" -k "$KEYCHAIN_NAME" -P "$P12_PASSWORD" -T /usr/bin/codesign
+security set-keychain-settings -t 3600 -l "$KEYCHAIN_NAME"
+security list-keychains -d user -s "$KEYCHAIN_NAME" $(security list-keychains -d user | tr -d '"')
+security set-key-partition-list -S apple-tool:,apple:,codesign: -s -k "$KEYCHAIN_PASSWORD" "$KEYCHAIN_NAME"
+
+# Sign the .app bundle
+codesign --force --options runtime --sign "Developer ID Application" --deep --keychain "$KEYCHAIN_NAME" "$APP_PATH"
+
+create-dmg --volname "QField Installer" \
+	--hide-extension "qfield.app" \
+	--volicon "./platform/macos/installer.icns" \
+	--background "./platform/macos/installer_background.png" \
+	--window-pos 200 120 \
+	--window-size 512 320 \
+	--icon-size 100 \
+	--icon "qfield.app" 130 160 \
+	--app-drop-link 400 155 \
+	"$DMG_PATH" "$APP_PATH"
+codesign --force --options runtime --sign "Developer ID Application" --keychain "$KEYCHAIN_NAME" "$DMG_PATH"
+
+echo "Submitting for notarization..."
+xcrun notarytool submit "$DMG_PATH" \
+	--key "$API_KEY_PATH" \
+	--key-id "$API_KEY_ID" \
+	--issuer "$API_KEY_ISSUER_ID" \
+	--wait
+
+# Staple the notarization ticket
+xcrun stapler staple "$DMG_PATH"
+
+# Clean up keychain
+security delete-keychain "$KEYCHAIN_NAME"
+
+echo "Notarization and stapling complete!"