From 6cde6a148b65ecbcc2a4a6a9ded93dcb463f4c9a Mon Sep 17 00:00:00 2001 From: Odysseas Gabrielides Date: Mon, 2 Dec 2024 19:30:46 +0200 Subject: [PATCH 01/17] release dmg zip --- .github/workflows/release.yml | 7 +- scripts/pack.sh | 141 ++++++++++++++++++++++++++++++++++ 2 files changed, 144 insertions(+), 4 deletions(-) create mode 100755 scripts/pack.sh diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml index 710fd8e5b..780ca1e10 100644 --- a/.github/workflows/release.yml +++ b/.github/workflows/release.yml @@ -126,8 +126,7 @@ jobs: CFLAGS_x86_64_pc_windows_gnu: "-O2" - name: Package release - run: | - zip -r dash-evo-tool-${{ matrix.platform }}.zip dash-evo-tool/ + run: "${GITHUB_WORKSPACE}/scripts/pack.sh 0.6.0 ${{ matrix.platform }} ${{ matrix.ext }}" - name: Attest uses: actions/attest-build-provenance@v1 @@ -137,8 +136,8 @@ jobs: - name: Upload build artifact uses: actions/upload-artifact@v4 with: - name: dash-evo-tool-${{ matrix.platform }}.zip - path: dash-evo-tool-${{ matrix.platform }}.zip + name: dash-evo-tool + path: dist/** release: name: Create GitHub Release diff --git a/scripts/pack.sh b/scripts/pack.sh new file mode 100755 index 000000000..5b8ab087e --- /dev/null +++ b/scripts/pack.sh 
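Review bot: The version is hard-coded in the new `run: "${GITHUB_WORKSPACE}/scripts/pack.sh 0.6.0 ${{ matrix.platform }} ${{ matrix.ext }}"`, so every build, whatever tag triggered it, embeds `0.6.0` as its `CFBundleVersion`; derive it from the triggering tag (exported through `env:` rather than interpolated into the script) instead. The upload `path:` changes to `dist/**`, but the `Attest` step kept as context still names `dash-evo-tool-${{ matrix.platform }}.zip` at the workspace root, so for the macOS matrix entries the attestation subject no longer exists and the step will fail. Whatever file is attested should be the same bytes that are uploaded, so keep the two paths pointing at one artifact.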
@@ -0,0 +1,141 @@ +#!/bin/bash + +set -e + +VERSION="$1" +PLATFORM="$2" +EXT="$3" + +if [ -z "PLATFORM" ]; then + echo "Error" + exit 1 +fi + +create_zip_package() { + echo "Building ZIP for $PLATFORM version $VERSION" + echo "extention is:$EXT" + + zip -r $DIST_DIR/dash-evo-tool-"$PLATFORM".zip $BUILD_DIR +} + +create_dmg_package() { + echo "Building DMG for $PLATFORM version $VERSION" + echo "extention is:$EXT" + + APP_BUNDLE_NAME="$APP_NAME.app" + APP_BUNDLE_DIR="$BUILD_DIR/$APP_BUNDLE_NAME" + CONTENTS_DIR="$APP_BUNDLE_DIR/Contents" + MACOS_DIR="$CONTENTS_DIR/MacOS" + RESOURCES_DIR="$CONTENTS_DIR/Resources" + + # Create directories for the .app bundle + mkdir -p "$APP_BUNDLE_DIR" + mkdir -p "$MACOS_DIR" + mkdir -p "$RESOURCES_DIR" + + # Copy the binary into the app bundle + cp "$BUILD_DIR/$APP_NAME" "$MACOS_DIR/" + + ICON_SOURCE="$ROOT_PATH/mac_os/AppIcons/appstore.png" + ICONSET_DIR="$BUILD_DIR/AppIcon.iconset" + mkdir -p "$ICONSET_DIR" + + sips -z 16 16 "$ICON_SOURCE" --out "$ICONSET_DIR/icon_16x16.png" + sips -z 32 32 "$ICON_SOURCE" --out "$ICONSET_DIR/icon_16x16@2x.png" + sips -z 32 32 "$ICON_SOURCE" --out "$ICONSET_DIR/icon_32x32.png" + sips -z 64 64 "$ICON_SOURCE" --out "$ICONSET_DIR/icon_32x32@2x.png" + sips -z 128 128 "$ICON_SOURCE" --out "$ICONSET_DIR/icon_128x128.png" + sips -z 256 256 "$ICON_SOURCE" --out "$ICONSET_DIR/icon_128x128@2x.png" + sips -z 256 256 "$ICON_SOURCE" --out "$ICONSET_DIR/icon_256x256.png" + sips -z 512 512 "$ICON_SOURCE" --out "$ICONSET_DIR/icon_256x256@2x.png" + sips -z 512 512 "$ICON_SOURCE" --out "$ICONSET_DIR/icon_512x512.png" + cp "$ICON_SOURCE" "$ICONSET_DIR/icon_512x512@2x.png" + + # Convert iconset to .icns + iconutil -c icns "$ICONSET_DIR" -o "$RESOURCES_DIR/AppIcon.icns" + + # Clean up the iconset directory + rm -rf "$ICONSET_DIR" +# Create a minimal Info.plist file + cat < "$CONTENTS_DIR/Info.plist" + + + + + CFBundleName + $APP_NAME + CFBundleDisplayName + $APP_NAME + CFBundleExecutable + $APP_NAME + CFBundleIdentifier 
+ com.example.$APP_NAME + CFBundleVersion + $VERSION + CFBundlePackageType + APPL + CFBundleSignature + ???? + LSMinimumSystemVersion + 10.9 + CFBundleIconFile + AppIcon.icns + + +EOF + + # Create the .dmg directory structure + DMG_DIR="$BUILD_DIR/dmg_content" + mkdir -p "$DMG_DIR" + + # Copy the .app bundle into the dmg content directory + cp -R "$APP_BUNDLE_DIR" "$DMG_DIR/" + + # Create a symbolic link to the Applications folder + ln -s /Applications "$DMG_DIR/Applications" + + # Create the .dmg file + hdiutil create -volname "$APP_NAME Installer" \ + -srcfolder "$DMG_DIR" \ + -ov -format UDZO \ + "$DIST_DIR/$APP_NAME-$PLATFORM.dmg" +} + +echo "Starting" + +FULL_PATH=$(realpath "$0") +DIR_PATH=$(dirname "$FULL_PATH") +ROOT_PATH=$(dirname "$DIR_PATH") + +APP_NAME="dash-evo-tool" +BUILD_DIR="$ROOT_PATH/dash-evo-tool" +DIST_DIR="$ROOT_PATH/dist" + +mkdir -p "$DIST_DIR" + +case "$PLATFORM" in + x86_64-mac) + create_dmg_package + ;; + arm64-mac) + create_dmg_package + ;; + x86_64-linux) + create_zip_package + ;; + arm64-linux) + create_zip_package + ;; + windows) + create_zip_package + ;; + *) + echo "Invalid command." + echo "$cmd_usage" + exit 1 + ;; +esac + +rm -rf "$BUILD_DIR" +echo "Done." \ No newline at end of file From 1f940e0dcc052c9a3c1563ffb04b004452df99fa Mon Sep 17 00:00:00 2001 From: Odysseas Gabrielides Date: Mon, 2 Dec 2024 19:45:26 +0200 Subject: [PATCH 02/17] logs --- scripts/pack.sh | 5 +++++ 1 file changed, 5 insertions(+) diff --git a/scripts/pack.sh b/scripts/pack.sh index 5b8ab087e..d4127ee59 100755 --- a/scripts/pack.sh +++ b/scripts/pack.sh @@ -16,6 +16,9 @@ create_zip_package() { echo "extention is:$EXT" zip -r $DIST_DIR/dash-evo-tool-"$PLATFORM".zip $BUILD_DIR + + echo "Finished. Dist folder:" + ls "$DIST_DIR" } create_dmg_package() { @@ -100,6 +103,8 @@ EOF -srcfolder "$DMG_DIR" \ -ov -format UDZO \ "$DIST_DIR/$APP_NAME-$PLATFORM.dmg" + echo "Finished. Dist folder:" + ls "$DIST_DIR" } echo "Starting" 
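Review bot: The guard `if [ -z "PLATFORM" ]; then` tests the literal string `PLATFORM`, which is never empty, so a missing second argument is never caught and the script reaches the `case` with an empty selector; it should read `if [ -z "$PLATFORM" ]; then`, and `$VERSION` deserves the same treatment (`: "${VERSION:?version required}"`) since it is written verbatim into `CFBundleVersion`. The `*)` arm prints `$cmd_usage`, which is defined nowhere in the file, so the usage message is blank. `zip -r $DIST_DIR/dash-evo-tool-"$PLATFORM".zip $BUILD_DIR` leaves `$DIST_DIR` and `$BUILD_DIR` unquoted, and the bundle identifier emitted into Info.plist is the template placeholder `com.example.$APP_NAME` — notarization records are keyed to this value, so it should be the organisation's real reverse-DNS identifier before release builds ship. The Info.plist here-doc appears garbled on this page (`cat < "$CONTENTS_DIR/Info.plist"` with the plist tags missing), so I cannot confirm the emitted plist is well-formed.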
From b43d5f81e7aa76d1e0918dd26b1354ef28bb0967 Mon Sep 17 00:00:00 2001 From: Odysseas Gabrielides Date: Mon, 2 Dec 2024 19:54:51 +0200 Subject: [PATCH 03/17] remove attest action --- .github/workflows/release.yml | 5 ----- 1 file changed, 5 deletions(-) diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml index 780ca1e10..fbaf8b5b9 100644 --- a/.github/workflows/release.yml +++ b/.github/workflows/release.yml @@ -128,11 +128,6 @@ jobs: - name: Package release run: "${GITHUB_WORKSPACE}/scripts/pack.sh 0.6.0 ${{ matrix.platform }} ${{ matrix.ext }}" - - name: Attest - uses: actions/attest-build-provenance@v1 - with: - subject-path: 'dash-evo-tool-${{ matrix.platform }}.zip' - - name: Upload build artifact uses: actions/upload-artifact@v4 with: From ec2e3c96bb0940e4cfcaa35cace64f2c08a1d4af Mon Sep 17 00:00:00 2001 From: Odysseas Gabrielides Date: Mon, 2 Dec 2024 20:06:46 +0200 Subject: [PATCH 04/17] unique artifact name --- .github/workflows/release.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml index fbaf8b5b9..1c7572903 100644 --- a/.github/workflows/release.yml +++ b/.github/workflows/release.yml @@ -131,7 +131,7 @@ jobs: - name: Upload build artifact uses: actions/upload-artifact@v4 with: - name: dash-evo-tool + name: dash-evo-tool-${{ matrix.platform }} path: dist/** release: From 728ef73f27dbb67665c7df03ee42817178f4c494 Mon Sep 17 00:00:00 2001 From: Odysseas Gabrielides Date: Mon, 2 Dec 2024 20:17:53 +0200 Subject: [PATCH 05/17] various fixes --- .github/workflows/release.yml | 20 +++++++++++++++----- 1 file changed, 15 insertions(+), 5 deletions(-) diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml index 1c7572903..e9c674548 100644 --- a/.github/workflows/release.yml +++ b/.github/workflows/release.yml 
@@ -116,6 +116,16 @@ jobs: if: ${{ matrix.target == 'x86_64-pc-windows-gnu' }} run: curl -OL https://www.sqlite.org/2024/sqlite-dll-win-x64-3460100.zip && sudo unzip -o sqlite-dll-win-x64-3460100.zip -d winlibs && sudo chown -R runner:docker winlibs/ && pwd && ls -lah && cd winlibs && x86_64-w64-mingw32-dlltool -d sqlite3.def -l libsqlite3.a && ls -lah && cd .. + - name: Set VERSION + run: | + if [ "${{ github.event_name }}" == "workflow_dispatch" ]; then + echo "VERSION=${{ inputs.tag }}" >> $GITHUB_ENV + elif [ "${{ github.event_name }}" == "release" ]; then + echo "VERSION=${{ github.event.release.tag_name }}" >> $GITHUB_ENV + else + echo "VERSION=${{ github.ref_name }}" >> $GITHUB_ENV + fi + - name: Build project run: | cargo build --release --target ${{ matrix.target }} @@ -126,7 +136,7 @@ jobs: CFLAGS_x86_64_pc_windows_gnu: "-O2" - name: Package release - run: "${GITHUB_WORKSPACE}/scripts/pack.sh 0.6.0 ${{ matrix.platform }} ${{ matrix.ext }}" + run: "${GITHUB_WORKSPACE}/scripts/pack.sh ${{ env.VERSION }} ${{ matrix.platform }} ${{ matrix.ext }}" - name: Upload build artifact uses: actions/upload-artifact@v4 @@ -150,11 +160,11 @@ jobs: - name: Download MacOS AMD64 Artifact uses: actions/download-artifact@v4 with: - name: dash-evo-tool-x86_64-mac.zip + name: dash-evo-tool-x86_64-mac.dmg - name: Download MacOS ARM64 Artifact uses: actions/download-artifact@v4 with: - name: dash-evo-tool-arm64-mac.zip + name: dash-evo-tool-arm64-mac.dmg - name: Download Windows Artifact uses: actions/download-artifact@v4 with: @@ -169,8 +179,8 @@ jobs: files: | ./dash-evo-tool-x86_64-linux.zip ./dash-evo-tool-arm64-linux.zip - ./dash-evo-tool-x86_64-mac.zip - ./dash-evo-tool-arm64-mac.zip + ./dash-evo-tool-x86_64-mac.dmg + ./dash-evo-tool-arm64-mac.dmg ./dash-evo-tool-windows.zip draft: false prerelease: true \ No newline at end of file From 260e5b5f1f97f9e6490f0262f2fac1ac0f92e4d2 Mon Sep 17 00:00:00 2001 
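Review bot: The new `Set VERSION` step interpolates `${{ inputs.tag }}`, `${{ github.event.release.tag_name }}` and `${{ github.ref_name }}` straight into the shell script, so their contents become script text before bash runs; a tag or branch name containing a quote or `$(…)` would execute on the runner with the job's secrets available (the script-injection pattern GitHub documents for `run:` blocks). Pass the values through `env:` and reference them as shell variables, and quote `"$GITHUB_ENV"`. The changed `Package release` line has the same shape — `${{ env.VERSION }}` is re-expanded into the run string although `$VERSION` is already in the step environment; `run: "${GITHUB_WORKSPACE}/scripts/pack.sh ${VERSION} ${{ matrix.platform }} ${{ matrix.ext }}"` avoids that. The `.dmg` artifact names added to the `release` job's download steps must match the `Upload build artifact` step's `name:` (outside this hunk, last set to `dash-evo-tool-${{ matrix.platform }}` with no extension), or the downloads will fail.
```yaml
      - name: Set VERSION
        env:
          EVENT_NAME: ${{ github.event_name }}
          INPUT_TAG: ${{ inputs.tag }}
          RELEASE_TAG: ${{ github.event.release.tag_name }}
          REF_NAME: ${{ github.ref_name }}
        run: |
          if [ "$EVENT_NAME" = "workflow_dispatch" ]; then
            echo "VERSION=$INPUT_TAG" >> "$GITHUB_ENV"
          elif [ "$EVENT_NAME" = "release" ]; then
            echo "VERSION=$RELEASE_TAG" >> "$GITHUB_ENV"
          else
            echo "VERSION=$REF_NAME" >> "$GITHUB_ENV"
          fi
      # … unchanged: Build project step …
```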
From: Odysseas Gabrielides Date: Mon, 2 Dec 2024 20:41:34 +0200 Subject: [PATCH 06/17] added release-ext and attest --- .github/workflows/release.yml | 10 ++++++++++ 1 file changed, 10 insertions(+) diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml index e9c674548..2018b0335 100644 --- a/.github/workflows/release.yml +++ b/.github/workflows/release.yml @@ -29,23 +29,28 @@ jobs: runs-on: "ubuntu-20.04" target: "x86_64-unknown-linux-gnu" platform: "x86_64-linux" + release-ext: "zip" - name: "linux-arm64" runs-on: ["self-hosted", "Linux", "ARM64", "ubuntu20.04"] # Array of tags for ARM64 target: "aarch64-unknown-linux-gnu" platform: "arm64-linux" + release-ext: "zip" - name: "macos-x86_64" runs-on: "macos-13" target: "x86_64-apple-darwin" platform: "x86_64-mac" + release-ext: "dmg" - name: "macos-arm64" runs-on: "macos-latest" target: "aarch64-apple-darwin" platform: "arm64-mac" + release-ext: "dmg" - name: "Windows" runs-on: "ubuntu-20.04" target: "x86_64-pc-windows-gnu" platform: "windows" ext: ".exe" + release-ext: "zip" runs-on: ${{ matrix.runs-on }} @@ -138,6 +143,11 @@ jobs: - name: Package release run: "${GITHUB_WORKSPACE}/scripts/pack.sh ${{ env.VERSION }} ${{ matrix.platform }} ${{ matrix.ext }}" + - name: Attest + uses: actions/attest-build-provenance@v1 + with: + subject-path: 'dash-evo-tool-${{ matrix.platform }}.${{ matrix.release-ext }}' + - name: Upload build artifact uses: actions/upload-artifact@v4 with: From 2196defe337d518174fd4d39d579b1f320f11f79 Mon Sep 17 00:00:00 2001 From: Odysseas Gabrielides Date: Mon, 2 Dec 2024 20:51:14 +0200 Subject: [PATCH 07/17] added dist in attest --- .github/workflows/release.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml index 2018b0335..7e886af56 100644 --- a/.github/workflows/release.yml +++ b/.github/workflows/release.yml 
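Review bot: The re-added `Attest` step points `subject-path` at `dash-evo-tool-${{ matrix.platform }}.${{ matrix.release-ext }}` in the workspace root, but `pack.sh` writes its output to `dist/`, so the subject does not exist and the step fails; use `subject-path: 'dist/dash-evo-tool-${{ matrix.platform }}.${{ matrix.release-ext }}'`. `actions/attest-build-provenance` also needs the job to grant `id-token: write` and `attestations: write`; the `permissions` block is outside this hunk, so please confirm it does. Once signing and stapling steps are added after packaging, the attestation must be generated on the final bytes, otherwise the recorded digest will not match the file that is released.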
@@ -146,7 +146,7 @@ jobs: - name: Attest uses: actions/attest-build-provenance@v1 with: - subject-path: 'dash-evo-tool-${{ matrix.platform }}.${{ matrix.release-ext }}' + subject-path: 'dist/dash-evo-tool-${{ matrix.platform }}.${{ matrix.release-ext }}' - name: Upload build artifact uses: actions/upload-artifact@v4 From 25cb5dd7c77f876c601d1df8207ae4cf8374b4e7 Mon Sep 17 00:00:00 2001 From: Odysseas Gabrielides Date: Mon, 2 Dec 2024 21:13:31 +0200 Subject: [PATCH 08/17] correct upload --- .github/workflows/release.yml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml index 7e886af56..86e49c395 100644 --- a/.github/workflows/release.yml +++ b/.github/workflows/release.yml @@ -151,8 +151,8 @@ jobs: - name: Upload build artifact uses: actions/upload-artifact@v4 with: - name: dash-evo-tool-${{ matrix.platform }} - path: dist/** + name: dash-evo-tool-${{ matrix.platform }}.${{ matrix.release-ext }} + path: dist/dash-evo-tool-${{ matrix.platform }}.${{ matrix.release-ext }} release: name: Create GitHub Release From bc88d36e643726938ab8f1756c91b92318a612f5 Mon Sep 17 00:00:00 2001 From: Odysseas Gabrielides Date: Mon, 2 Dec 2024 21:50:33 +0200 Subject: [PATCH 09/17] Apple signing steps --- .github/workflows/release.yml | 39 +++++++++++++++++++++++++++++++++++ 1 file changed, 39 insertions(+) diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml index 86e49c395..e484d3ad1 100644 --- a/.github/workflows/release.yml +++ b/.github/workflows/release.yml 
@@ -140,6 +140,45 @@ jobs: AR_x86_64_pc_windows_gnu: x86_64-w64-mingw32-ar CFLAGS_x86_64_pc_windows_gnu: "-O2" + # Import code signing certificate for macOS + - name: Import code signing certificate + if: contains(matrix.target, 'apple-darwin') + id: import_certs + uses: apple-actions/import-codesign-certs@v1 + with: + p12-file-base64: ${{ secrets.APPLE_CERTIFICATE }} + p12-password: ${{ secrets.APPLE_CERTIFICATE_PASSWORD }} + keychain: 'login' + + # Sign the binary for macOS + - name: Sign binary + if: contains(matrix.target, 'apple-darwin') + run: codesign --timestamp --sign "${{ steps.import_certs.outputs.identity }}" dash-evo-tool/dash-evo-tool${{ matrix.ext }} + + - name: Package release + run: "${GITHUB_WORKSPACE}/scripts/pack.sh ${{ env.VERSION }} ${{ matrix.platform }} ${{ matrix.ext }}" + + # Sign the .dmg for macOS + - name: Sign .dmg + if: contains(matrix.target, 'apple-darwin') + run: codesign --timestamp --sign "${{ steps.import_certs.outputs.identity }}" dist/dash-evo-tool-${{ matrix.platform }}.${{ matrix.release-ext }} + + # Notarize the .dmg for macOS + - name: Notarize .dmg + if: contains(matrix.target, 'apple-darwin') + uses: apple-actions/macos-notarize@v1 + with: + app-path: dist/dash-evo-tool-${{ matrix.platform }}.${{ matrix.release-ext }} + primary-bundle-id: com.yourcompany.dash-evo-tool + env: + AC_USERNAME: ${{ secrets.APPLE_ID }} + AC_PASSWORD: ${{ secrets.APPLE_APP_SPECIFIC_PASSWORD }} + + # Staple the notarization ticket to the .dmg for macOS + - name: Staple Notarization Ticket + if: contains(matrix.target, 'apple-darwin') + run: xcrun stapler staple dist/dash-evo-tool-${{ matrix.platform }}.${{ matrix.release-ext }} + - name: Package release run: "${GITHUB_WORKSPACE}/scripts/pack.sh ${{ env.VERSION }} ${{ matrix.platform }} ${{ matrix.ext }}" From fcdcd4e474e972c9374673d62505b6ca4086a7f0 Mon Sep 17 00:00:00 2001 
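Review bot: `Package release` now appears twice in the job — once added before `Sign .dmg` and once kept as context at the bottom — so `pack.sh` runs twice; its closing `rm -rf "$BUILD_DIR"` removes `dash-evo-tool/` on the first run, so the second run fails at `cp "$BUILD_DIR/$APP_NAME"`. Drop the trailing duplicate. `Sign binary` signs without `--options runtime`, and the `.app` bundle that `pack.sh` assembles around the binary is never itself passed to `codesign`; notarization requires the hardened runtime on executables and, as far as I can tell, a sealed bundle, so the notarization step is likely to reject the image as submitted — signing the assembled bundle inside `pack.sh` before `hdiutil create` would close that gap. `primary-bundle-id: com.yourcompany.dash-evo-tool` is a template placeholder and differs from the `com.example.$APP_NAME` identifier `pack.sh` writes to Info.plist; both should be the real reverse-DNS identifier. The certificate is imported into the `login` keychain rather than a throwaway one, which only matters if this job ever runs on a non-ephemeral runner.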
From: Odysseas Gabrielides Date: Mon, 2 Dec 2024 21:57:18 +0200 Subject: [PATCH 10/17] switch to samuelmeuli action --- .github/workflows/release.yml | 21 +++++++++++---------- 1 file changed, 11 insertions(+), 10 deletions(-) diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml index e484d3ad1..facc8735d 100644 --- a/.github/workflows/release.yml +++ b/.github/workflows/release.yml 
@@ -163,21 +163,22 @@ jobs: if: contains(matrix.target, 'apple-darwin') run: codesign --timestamp --sign "${{ steps.import_certs.outputs.identity }}" dist/dash-evo-tool-${{ matrix.platform }}.${{ matrix.release-ext }} - # Notarize the .dmg for macOS + # Notarize the .dmg for macOS using samuelmeuli/action-notarize - name: Notarize .dmg if: contains(matrix.target, 'apple-darwin') - uses: apple-actions/macos-notarize@v1 + uses: samuelmeuli/action-notarize@v1 with: - app-path: dist/dash-evo-tool-${{ matrix.platform }}.${{ matrix.release-ext }} - primary-bundle-id: com.yourcompany.dash-evo-tool + appPath: dist/dash-evo-tool-${{ matrix.platform }}.${{ matrix.release-ext }} + bundleId: dcg.dash-evo-tool + #ascProvider: ${{ secrets.APPLE_TEAM_ID }} # Optional, remove if not needed env: - AC_USERNAME: ${{ secrets.APPLE_ID }} - AC_PASSWORD: ${{ secrets.APPLE_APP_SPECIFIC_PASSWORD }} + NOTARIZE_USERNAME: ${{ secrets.APPLE_ID }} + NOTARIZE_PASSWORD: ${{ secrets.APPLE_APP_SPECIFIC_PASSWORD }} - # Staple the notarization ticket to the .dmg for macOS - - name: Staple Notarization Ticket - if: contains(matrix.target, 'apple-darwin') - run: xcrun stapler staple dist/dash-evo-tool-${{ matrix.platform }}.${{ matrix.release-ext }} + # Stapling is handled by the action-notarize, so this step is optional + # - name: Staple Notarization Ticket + # if: contains(matrix.target, 'apple-darwin') + # run: xcrun stapler staple dist/dash-evo-tool-${{ matrix.platform }}.${{ matrix.release-ext }} - name: Package release run: "${GITHUB_WORKSPACE}/scripts/pack.sh ${{ env.VERSION }} ${{ matrix.platform }} ${{ matrix.ext }}" From 643915403507804bd0cd8081ac18dca1998b2a33 Mon Sep 17 00:00:00 2001 From: Odysseas Gabrielides Date: Mon, 2 Dec 2024 22:08:18 +0200 Subject: [PATCH 11/17] xcrun notarytool --- .github/workflows/release.yml | 31 +++++++++++++------------------ 1 file changed, 13 insertions(+), 18 deletions(-) 
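Review bot: `uses: samuelmeuli/action-notarize@v1` is a third-party action referenced by a mutable tag, and it receives the Apple ID and app-specific password through `NOTARIZE_USERNAME`/`NOTARIZE_PASSWORD`; if the `v1` tag is moved or the maintainer account is compromised, those credentials go to whoever controls it. Pin it to a full commit SHA with the version in a trailing comment (`uses: samuelmeuli/action-notarize@<commit-sha> # v1`, `<commit-sha>` being a placeholder here), and give `apple-actions/import-codesign-certs@v1` (outside this hunk) the same treatment. `bundleId: dcg.dash-evo-tool` does not match the `com.example.$APP_NAME` identifier `pack.sh` writes into Info.plist; pick one value and use it in both places. The stapling step is commented out on the stated assumption that the action staples for you — verify that against the action's documentation, since an un-stapled image forces Gatekeeper to contact Apple at first launch.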
diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml index facc8735d..3d1a2549a 100644 --- a/.github/workflows/release.yml +++ b/.github/workflows/release.yml @@ -163,25 +163,20 @@ jobs: if: contains(matrix.target, 'apple-darwin') run: codesign --timestamp --sign "${{ steps.import_certs.outputs.identity }}" dist/dash-evo-tool-${{ matrix.platform }}.${{ matrix.release-ext }} - # Notarize the .dmg for macOS using samuelmeuli/action-notarize - - name: Notarize .dmg + # Notarize MacOS Release Build using xcrun notarytool + - name: Notarize MacOS Release Build if: contains(matrix.target, 'apple-darwin') - uses: samuelmeuli/action-notarize@v1 - with: - appPath: dist/dash-evo-tool-${{ matrix.platform }}.${{ matrix.release-ext }} - bundleId: dcg.dash-evo-tool - #ascProvider: ${{ secrets.APPLE_TEAM_ID }} # Optional, remove if not needed - env: - NOTARIZE_USERNAME: ${{ secrets.APPLE_ID }} - NOTARIZE_PASSWORD: ${{ secrets.APPLE_APP_SPECIFIC_PASSWORD }} - - # Stapling is handled by the action-notarize, so this step is optional - # - name: Staple Notarization Ticket - # if: contains(matrix.target, 'apple-darwin') - # run: xcrun stapler staple dist/dash-evo-tool-${{ matrix.platform }}.${{ matrix.release-ext }} - - - name: Package release - run: "${GITHUB_WORKSPACE}/scripts/pack.sh ${{ env.VERSION }} ${{ matrix.platform }} ${{ matrix.ext }}" + run: | + xcrun notarytool submit "dist/dash-evo-tool-${{ matrix.platform }}.${{ matrix.release-ext }}" \ + --apple-id "${{ secrets.APPLE_ID }}" \ + --team-id "${{ secrets.APPLE_TEAM_ID }}" \ + --password "${{ secrets.APPLE_APP_SPECIFIC_PASSWORD }}" \ + --wait + + # Staple Notarization Ticket + - name: Staple Notarization Ticket + if: contains(matrix.target, 'apple-darwin') + run: xcrun stapler staple "dist/dash-evo-tool-${{ matrix.platform }}.${{ matrix.release-ext }}" - name: Attest uses: actions/attest-build-provenance@v1 From ccc0d92d6fbaa24f4775c1c3a7099890351f3b73 Mon Sep 17 00:00:00 2001 
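Review bot: `--password "${{ secrets.APPLE_APP_SPECIFIC_PASSWORD }}"` (and the Apple ID and team ID beside it) are expanded into the script text and handed to `notarytool` on the command line, so the secret sits in the runner's process table for the whole `--wait` and depends solely on log masking if `--verbose` or `set -x` is ever enabled. Map the secrets via `env:` and let the shell expand them (`--password "$NOTARY_PASSWORD"`), or store them once with `xcrun notarytool store-credentials` and submit with `--keychain-profile` so the password never appears in argv. Also confirm that `--wait` fails the step on an `Invalid` verdict; if it does not, fetch the submission status and `exit 1` explicitly, otherwise `Staple Notarization Ticket` is the first place an unnotarized build is noticed.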
From: Odysseas Gabrielides Date: Mon, 2 Dec 2024 22:29:40 +0200 Subject: [PATCH 12/17] fix install apple certification --- .github/workflows/release.yml | 46 ++++++++++++++++++++++++++--------- 1 file changed, 35 insertions(+), 11 deletions(-) diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml index 3d1a2549a..6b6544a0d 100644 --- a/.github/workflows/release.yml +++ b/.github/workflows/release.yml 
@@ -140,28 +140,53 @@ jobs: AR_x86_64_pc_windows_gnu: x86_64-w64-mingw32-ar CFLAGS_x86_64_pc_windows_gnu: "-O2" - # Import code signing certificate for macOS - - name: Import code signing certificate + # Install the Apple certificate + - name: Install the Apple certificate if: contains(matrix.target, 'apple-darwin') - id: import_certs - uses: apple-actions/import-codesign-certs@v1 - with: - p12-file-base64: ${{ secrets.APPLE_CERTIFICATE }} - p12-password: ${{ secrets.APPLE_CERTIFICATE_PASSWORD }} - keychain: 'login' + env: + BUILD_CERTIFICATE_BASE64: ${{ secrets.APPLE_CERTIFICATE }} + P12_PASSWORD: ${{ secrets.APPLE_CERTIFICATE_PASSWORD }} + KEYCHAIN_PASSWORD: ${{ secrets.APPLE_KEYCHAIN_PASSWORD }} + run: | + # create variables + CERTIFICATE_PATH=$RUNNER_TEMP/build_certificate.p12 + KEYCHAIN_PATH=$RUNNER_TEMP/app-signing.keychain-db + + # import certificate from secrets + echo -n "$BUILD_CERTIFICATE_BASE64" | base64 --decode -o $CERTIFICATE_PATH + + # create temporary keychain + security create-keychain -p "$KEYCHAIN_PASSWORD" $KEYCHAIN_PATH + security set-keychain-settings -lut 21600 $KEYCHAIN_PATH + security unlock-keychain -p "$KEYCHAIN_PASSWORD" $KEYCHAIN_PATH + + # import certificate to keychain + security import $CERTIFICATE_PATH -P "$P12_PASSWORD" -A -t cert -f pkcs12 -k $KEYCHAIN_PATH + + # List the keychains and set the temporary one as default + security list-keychains -d user -s $KEYCHAIN_PATH login.keychain-db + security default-keychain -s $KEYCHAIN_PATH + + # Set key partition list to allow codesign to access the key without prompting + CODE_SIGN_IDENTITY=$(security find-identity -v -p codesigning $KEYCHAIN_PATH | grep -oE '"(.*)"' | sed 's/"//g') + security set-key-partition-list -S apple-tool:,apple: -s -k "$KEYCHAIN_PASSWORD" $KEYCHAIN_PATH + + # Export CODE_SIGN_IDENTITY for use in subsequent steps + echo "CODE_SIGN_IDENTITY=$CODE_SIGN_IDENTITY" >> $GITHUB_ENV # Sign the binary for macOS - name: Sign binary if: contains(matrix.target, 
'apple-darwin') - run: codesign --timestamp --sign "${{ steps.import_certs.outputs.identity }}" dash-evo-tool/dash-evo-tool${{ matrix.ext }} + run: codesign --timestamp --sign "$CODE_SIGN_IDENTITY" dash-evo-tool/dash-evo-tool${{ matrix.ext }} + # Package release - name: Package release run: "${GITHUB_WORKSPACE}/scripts/pack.sh ${{ env.VERSION }} ${{ matrix.platform }} ${{ matrix.ext }}" # Sign the .dmg for macOS - name: Sign .dmg if: contains(matrix.target, 'apple-darwin') - run: codesign --timestamp --sign "${{ steps.import_certs.outputs.identity }}" dist/dash-evo-tool-${{ matrix.platform }}.${{ matrix.release-ext }} + run: codesign --timestamp --sign "$CODE_SIGN_IDENTITY" dist/dash-evo-tool-${{ matrix.platform }}.${{ matrix.release-ext }} # Notarize MacOS Release Build using xcrun notarytool - name: Notarize MacOS Release Build @@ -169,7 +194,6 @@ jobs: run: | xcrun notarytool submit "dist/dash-evo-tool-${{ matrix.platform }}.${{ matrix.release-ext }}" \ --apple-id "${{ secrets.APPLE_ID }}" \ - --team-id "${{ secrets.APPLE_TEAM_ID }}" \ --password "${{ secrets.APPLE_APP_SPECIFIC_PASSWORD }}" \ --wait From c250def82644924bb4562efc11f26b0571386e22 Mon Sep 17 00:00:00 2001 From: Odysseas Gabrielides Date: Mon, 2 Dec 2024 22:44:36 +0200 Subject: [PATCH 13/17] fix for notirizing --- .github/workflows/release.yml | 1 + 1 file changed, 1 insertion(+) diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml index 6b6544a0d..62328e233 100644 --- a/.github/workflows/release.yml +++ b/.github/workflows/release.yml @@ -195,6 +195,7 @@ jobs: xcrun notarytool submit "dist/dash-evo-tool-${{ matrix.platform }}.${{ matrix.release-ext }}" \ --apple-id "${{ secrets.APPLE_ID }}" \ --password "${{ secrets.APPLE_APP_SPECIFIC_PASSWORD }}" \ + --team-id "${{ secrets.APPLE_TEAM_ID }}" \ --wait # Staple Notarization Ticket From 5472fb8ce55c7ba35f8d28dba32eb82c2cc65625 Mon Sep 17 00:00:00 2001 
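Review bot: `CODE_SIGN_IDENTITY=$(security find-identity -v -p codesigning $KEYCHAIN_PATH | grep -oE '"(.*)"' | sed 's/"//g')` yields an empty string when the import produced no valid identity and several lines when it produced more than one, and neither case is detected here; the failure only surfaces later in `Sign binary` with an opaque codesign error. Add `[ -n "$CODE_SIGN_IDENTITY" ] || { echo "no codesigning identity in keychain" >&2; exit 1; }` before the `>> $GITHUB_ENV` line, and quote `$GITHUB_ENV`, `$KEYCHAIN_PATH` and `$CERTIFICATE_PATH` throughout. The decoded `.p12` at `$RUNNER_TEMP/build_certificate.p12` stays on disk after import; `rm -f "$CERTIFICATE_PATH"` once imported, plus an `if: always()` cleanup step running `security delete-keychain "$KEYCHAIN_PATH"`, keeps the signing key off the runner after the job — low risk on the GitHub-hosted macOS runners this matrix uses, but cheap hygiene. The second hunk drops `--team-id` from the notarytool call; confirm the Apple ID belongs to a single team, since multi-team accounts require it.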
From: Odysseas Gabrielides Date: Mon, 2 Dec 2024 23:17:09 +0200 Subject: [PATCH 14/17] verify code signing --- .github/workflows/release.yml | 6 ++++++ 1 file changed, 6 insertions(+) diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml index 62328e233..d2f146f4d 100644 --- a/.github/workflows/release.yml +++ b/.github/workflows/release.yml @@ -188,6 +188,12 @@ jobs: if: contains(matrix.target, 'apple-darwin') run: codesign --timestamp --sign "$CODE_SIGN_IDENTITY" dist/dash-evo-tool-${{ matrix.platform }}.${{ matrix.release-ext }} + - name: Verify Code Signing + if: contains(matrix.target, 'apple-darwin') + run: | + codesign --verify --deep --strict --verbose=2 dash-evo-tool/dash-evo-tool${{ matrix.ext }} + codesign --verify --deep --strict --verbose=2 dist/dash-evo-tool-${{ matrix.platform }}.${{ matrix.release-ext }} + # Notarize MacOS Release Build using xcrun notarytool - name: Notarize MacOS Release Build if: contains(matrix.target, 'apple-darwin') From 047b7a2da25fbec247094d0a3560280de3a6d3d0 Mon Sep 17 00:00:00 2001 From: Odysseas Gabrielides Date: Mon, 2 Dec 2024 23:36:15 +0200 Subject: [PATCH 15/17] fix verify code --- .github/workflows/release.yml | 1 - 1 file changed, 1 deletion(-) diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml index d2f146f4d..7d5bc4148 100644 --- a/.github/workflows/release.yml +++ b/.github/workflows/release.yml @@ -191,7 +191,6 @@ jobs: - name: Verify Code Signing if: contains(matrix.target, 'apple-darwin') run: | - codesign --verify --deep --strict --verbose=2 dash-evo-tool/dash-evo-tool${{ matrix.ext }} codesign --verify --deep --strict --verbose=2 dist/dash-evo-tool-${{ matrix.platform }}.${{ matrix.release-ext }} # Notarize MacOS Release Build using xcrun notarytool From f7e85620ebadfd0b02e381741e4d5f2990111a9f Mon Sep 17 00:00:00 2001 
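Review bot: `codesign --verify --deep --strict --verbose=2 dash-evo-tool/dash-evo-tool${{ matrix.ext }}` runs after `Package release`, and `pack.sh` ends with `rm -rf "$BUILD_DIR"`, so by this point `dash-evo-tool/` no longer exists and the check can only fail for the wrong reason; run the binary verification immediately after `Sign binary`, before packaging. The `.dmg` verification also covers less than it appears to: `codesign --verify` on a disk image checks the image's own signature and, as far as I know, does not mount it to evaluate the `.app` inside — which `pack.sh` never signs as a bundle. A `codesign --verify --strict` on the assembled `.app` before `hdiutil create` (inside `pack.sh`) is what would catch an unsigned or tampered bundle.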
From: Odysseas Gabrielides Date: Mon, 2 Dec 2024 23:49:37 +0200 Subject: [PATCH 16/17] disable staple (temp) --- .github/workflows/release.yml | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml index 7d5bc4148..7c3ba454b 100644 --- a/.github/workflows/release.yml +++ b/.github/workflows/release.yml @@ -204,9 +204,9 @@ jobs: --wait # Staple Notarization Ticket - - name: Staple Notarization Ticket - if: contains(matrix.target, 'apple-darwin') - run: xcrun stapler staple "dist/dash-evo-tool-${{ matrix.platform }}.${{ matrix.release-ext }}" + #- name: Staple Notarization Ticket + # if: contains(matrix.target, 'apple-darwin') + # run: xcrun stapler staple "dist/dash-evo-tool-${{ matrix.platform }}.${{ matrix.release-ext }}" - name: Attest uses: actions/attest-build-provenance@v1 From 0c7296b77e3b15cce33a0f046fd66077e4d3aeef Mon Sep 17 00:00:00 2001 From: Odysseas Gabrielides Date: Tue, 3 Dec 2024 00:32:58 +0200 Subject: [PATCH 17/17] strict sign verify --- .github/workflows/release.yml | 23 ++++++++++++++++------- 1 file changed, 16 insertions(+), 7 deletions(-) diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml index 7c3ba454b..1ee6689d6 100644 --- a/.github/workflows/release.yml +++ b/.github/workflows/release.yml @@ -177,7 +177,14 @@ jobs: # Sign the binary for macOS - name: Sign binary if: contains(matrix.target, 'apple-darwin') - run: codesign --timestamp --sign "$CODE_SIGN_IDENTITY" dash-evo-tool/dash-evo-tool${{ matrix.ext }} + run: | + codesign --strict --timestamp --options runtime --sign "$CODE_SIGN_IDENTITY" dash-evo-tool/dash-evo-tool${{ matrix.ext }} + + # Verify binary code signing + - name: Verify binary code signing + if: contains(matrix.target, 'apple-darwin') + run: | + codesign --verify --strict --verbose=2 dash-evo-tool/dash-evo-tool${{ matrix.ext }} # Package release - name: Package release 
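Review bot: Adding `--options runtime` to `Sign binary` is the right fix for the hardened-runtime requirement, but the `.app` bundle that `pack.sh` wraps around the signed binary is still never signed as a bundle, so Gatekeeper evaluates the installed application as unsigned even though its main executable is; consider having `pack.sh` take the identity and run `codesign --strict --timestamp --options runtime --sign "$CODE_SIGN_IDENTITY" "$APP_BUNDLE_DIR"` before `hdiutil create`. The preceding commit comments out the stapling step with only `(temp)` in its title; a `# TODO: re-enable once notarization passes — see <issue-id>` style comment (placeholder id) on the disabled block would make the intent discoverable in the file itself rather than only in history.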
@@ -186,12 +193,14 @@ jobs: # Sign the .dmg for macOS - name: Sign .dmg if: contains(matrix.target, 'apple-darwin') - run: codesign --timestamp --sign "$CODE_SIGN_IDENTITY" dist/dash-evo-tool-${{ matrix.platform }}.${{ matrix.release-ext }} + run: | + codesign --strict --timestamp --options runtime --sign "$CODE_SIGN_IDENTITY" dist/dash-evo-tool-${{ matrix.platform }}.${{ matrix.release-ext }} - - name: Verify Code Signing + # Verify .dmg code signing + - name: Verify .dmg code signing if: contains(matrix.target, 'apple-darwin') run: | - codesign --verify --deep --strict --verbose=2 dist/dash-evo-tool-${{ matrix.platform }}.${{ matrix.release-ext }} + codesign --verify --strict --verbose=2 dist/dash-evo-tool-${{ matrix.platform }}.${{ matrix.release-ext }} # Notarize MacOS Release Build using xcrun notarytool - name: Notarize MacOS Release Build @@ -204,9 +213,9 @@ jobs: --wait # Staple Notarization Ticket - #- name: Staple Notarization Ticket - # if: contains(matrix.target, 'apple-darwin') - # run: xcrun stapler staple "dist/dash-evo-tool-${{ matrix.platform }}.${{ matrix.release-ext }}" + - name: Staple Notarization Ticket + if: contains(matrix.target, 'apple-darwin') + run: xcrun stapler staple "dist/dash-evo-tool-${{ matrix.platform }}.${{ matrix.release-ext }}" - name: Attest uses: actions/attest-build-provenance@v1
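Review bot: `codesign --strict --timestamp --options runtime --sign "$CODE_SIGN_IDENTITY" dist/dash-evo-tool-….dmg` applies `--options runtime` to a disk image; the hardened-runtime flag is defined for executable code and, as far as I can tell, has no effect on a `.dmg`, so dropping it there avoids implying a protection that is not applied. Re-enabling `Staple Notarization Ticket` ahead of `Attest` is the correct order, since stapling modifies the image and the attestation must cover the final bytes — a one-line comment stating that dependency (`# must run after stapling: the attested digest has to match the released file`) would stop a future reorder from silently breaking the provenance. The `Verify .dmg code signing` step runs immediately after signing the same file and so will always pass; the check that adds information is verifying the `.app` bundle before it is wrapped.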