Move APPLE_TEAM_ID into secrets and include my certificate

Jojo-Schmitz · Jan 8, 2025 · a0932ec · a0932ec
1 parent 640a6a8
commit a0932ec
Show file tree

Hide file tree

Showing 4 changed files with 7 additions and 8 deletions.
diff --git a/.github/workflows/build_macos.yml b/.github/workflows/build_macos.yml
@@ -109,7 +109,8 @@ jobs:
       run: |
         USER=${{ secrets.APPLE_USERNAME }}; if [ -z "$USER" ]; then USER=""; fi
         PW=${{ secrets.APPLE_PASSWORD }}; if [ -z "$PW" ]; then PW=""; fi
-        bash ./build/ci/macos/notarize.sh -u $USER -p $PW
+        TID=${{ secrets.APPLE_TEAM_ID }}; if [ -z "$TID" ]; then TID=""; fi
+        bash ./build/ci/macos/notarize.sh -u $USER -p $PW -t $TID
     - name: Checksum
       run: |
         bash ./build/ci/tools/checksum.sh

diff --git a/build/ci/macos/notarize.sh b/build/ci/macos/notarize.sh
@@ -6,24 +6,25 @@ trap 'echo Notarize failed; exit 1' ERR
 ARTIFACTS_DIR="build.artifacts"
 APPLE_USERNAME=""
 APPLE_PASSWORD=""
-
-# This information is public and can be extracted by anyone from the final .app file
-APPLE_TEAM_ID="9QTZUZM4J9"
+APPLE_TEAM_ID=""
 
 while [[ "$#" -gt 0 ]]; do
     case $1 in
         -u|--user) APPLE_USERNAME="$2"; shift ;;
         -p|--password) APPLE_PASSWORD="$2"; shift ;;
+        -t|--team) APPLE_TEAM_ID="$2"; shift ;;
         *) echo "Unknown parameter passed: $1"; exit 1 ;;
     esac
     shift
 done
 
 if [ -z "$APPLE_USERNAME" ]; then echo "error: not set APPLE_USERNAME"; exit 1; fi
 if [ -z "$APPLE_PASSWORD" ]; then echo "error: not set APPLE_PASSWORD"; exit 1; fi
+if [ -z "$APPLE_TEAM_ID" ]; then echo "error: not set APPLE_TEAM_ID"; exit 1; fi
 
 echo "APPLE_USERNAME: $APPLE_USERNAME"
 echo "APPLE_PASSWORD: $APPLE_PASSWORD"
+echo "APPLE_TEAM_ID: $APPLE_TEAM_ID"
 
 ARTIFACT_NAME="$(cat $ARTIFACTS_DIR/env/artifact_name.env)"
 echo "ARTIFACT_NAME: $ARTIFACT_NAME"

diff --git a/build/ci/macos/resources/mac_musescore.p12.enc b/build/ci/macos/resources/mac_musescore.p12.enc
diff --git a/build/package_mac b/build/package_mac
@@ -166,7 +166,6 @@ do
 done
 
 otool -L ${VOLUME}/${APPNAME}.app/Contents/MacOS/mscore
-otool -L ${VOLUME}/${APPNAME}.app/Contents/Frameworks/QtWebEngineCore.framework/Versions/5/Helpers/QtWebEngineProcess.app/Contents/MacOS/QtWebEngineProcess
 
 echo "Rename ${APPNAME}.app to ${VOLUME}/${LONGER_NAME}.app"
 mv ${VOLUME}/${APPNAME}.app "${VOLUME}/${LONGER_NAME}.app"
@@ -195,9 +194,7 @@ echo "Codesign"
 # `codesign --deep` doesn't seem to search for code in Contents/Resources directory so sign libraries in it manually
 find "${VOLUME}/${LONGER_NAME}.app/Contents/Resources" -name '*.dylib' -exec codesign --force --options runtime --deep -s "Developer ID Application: MuseScore" '{}' ';'
 # Sign code in other (more conventional) locations
-codesign --force --options runtime --entitlements "${WORKING_DIRECTORY}/../build/macosx_entitlements.plist" --deep -s "Developer ID Application: MuseScore" "${CODE_PATHS[@]}"
-# Sign QtWebEngine application for MacOS Catalina
-codesign --force --verify --verbose --options runtime --entitlements "${WORKING_DIRECTORY}/../build/qtwebengineprocess.entitlements" --deep --sign "Developer ID Application: MuseScore" "${VOLUME}/${LONGER_NAME}.app/Contents/Frameworks/QtWebEngineCore.framework/Helpers/QtWebEngineProcess.app/Contents/MacOS/QtWebEngineProcess"
+codesign --force --options runtime --entitlements "${WORKING_DIRECTORY}/../build/macosx_entitlements.plist" --deep -s "Developer ID Application: Joachim Schmitz" "${CODE_PATHS[@]}"
 echo "spctl"
 spctl --assess --type execute "${VOLUME}/${LONGER_NAME}.app"
 echo "Codesign verify"