Apple codesigning and notarization

* Move APPLE_TEAM_ID into secrets and include my certificate
* Move DEVELOPER_NAME into secrets, with a default of the old "MuseScore".
* Remove reference to Autoupdate.app.
* Remove references to Qwebengine
* Prevent useless duplicate warning reg. notarization, also quote a shell variable, sync with master

.github/workflows/build_macos.yml

@@ -68,8 +68,7 @@ jobs:
           if [ -z "${{ secrets.APPLE_USERNAME }}" ]; then
             echo "::warning::APPLE_USERNAME is empty; notarization disabled"
             DO_NOTARIZE='false'
-          fi
-          if [ -z "${{ secrets.APPLE_PASSWORD }}" ]; then
+          elif [ -z "${{ secrets.APPLE_PASSWORD }}" ]; then
             echo "::warning::APPLE_PASSWORD is empty, notarization disabled"
             DO_NOTARIZE='false'
           fi
@@ -104,13 +103,15 @@ jobs:
       run: |
         S_S="${{ secrets.MAC_SIGN_CERTIFICATE_ENCRYPT_SECRET }}"; if [ -z "$S_S" ]; then S_S="''"; fi
         S_P="${{ secrets.MAC_SIGN_CERTIFICATE_PASSWORD }}"; if [ -z "$S_P" ]; then S_P="''"; fi
-        bash ./build/ci/macos/package.sh --signpass "$S_P" --signsecret "$S_S"
+        S_D="${{ secrets.DEVELOPER_NAME }}"; if [ -z "$S_D" ]; then S_D="MuseScore"; fi
+        bash ./build/ci/macos/package.sh --signpass "$S_P" --signsecret "$S_S" --developer_name "$S_D"
     - name: Notarize
       if: env.DO_NOTARIZE == 'true'
       run: |
         USER=${{ secrets.APPLE_USERNAME }}; if [ -z "$USER" ]; then USER=""; fi
         PW=${{ secrets.APPLE_PASSWORD }}; if [ -z "$PW" ]; then PW=""; fi
-        bash ./build/ci/macos/notarize.sh -u $USER -p $PW
+        TID=${{ secrets.APPLE_TEAM_ID }}; if [ -z "$TID" ]; then TID=""; fi
+        bash ./build/ci/macos/notarize.sh -u $USER -p $PW -t $TID
     - name: Checksum
       run: |
         bash ./build/ci/tools/checksum.sh

build/ci/macos/notarize.sh

@@ -6,24 +6,25 @@ trap 'echo Notarize failed; exit 1' ERR
 ARTIFACTS_DIR="build.artifacts"
 APPLE_USERNAME=""
 APPLE_PASSWORD=""
-
-# This information is public and can be extracted by anyone from the final .app file
-APPLE_TEAM_ID="6EPAF2X3PR"
+APPLE_TEAM_ID=""
 
 while [[ "$#" -gt 0 ]]; do
     case $1 in
         -u|--user) APPLE_USERNAME="$2"; shift ;;
         -p|--password) APPLE_PASSWORD="$2"; shift ;;
+        -t|--team) APPLE_TEAM_ID="$2"; shift ;;
         *) echo "Unknown parameter passed: $1"; exit 1 ;;
     esac
     shift
 done
 
 if [ -z "$APPLE_USERNAME" ]; then echo "error: not set APPLE_USERNAME"; exit 1; fi
 if [ -z "$APPLE_PASSWORD" ]; then echo "error: not set APPLE_PASSWORD"; exit 1; fi
+if [ -z "$APPLE_TEAM_ID" ]; then echo "error: not set APPLE_TEAM_ID"; exit 1; fi
 
 echo "APPLE_USERNAME: $APPLE_USERNAME"
 echo "APPLE_PASSWORD: $APPLE_PASSWORD"
+echo "APPLE_TEAM_ID: $APPLE_TEAM_ID"
 
 ARTIFACT_NAME="$(cat $ARTIFACTS_DIR/env/artifact_name.env)"
 echo "ARTIFACT_NAME: $ARTIFACT_NAME"
@@ -32,11 +33,11 @@ echo "Uploading to apple to notarize..."
 
 for i in 1 2 3; do
     c=0
-    xcrun notarytool submit \
+    xcrun notarytool submit $ARTIFACTS_DIR/$ARTIFACT_NAME \
         --apple-id $APPLE_USERNAME \
-        --team-id $APPLE_TEAM_ID \
         --password $APPLE_PASSWORD \
-        --wait $ARTIFACTS_DIR/$ARTIFACT_NAME \
+        --team-id $APPLE_TEAM_ID \
+        --wait \
         || c=$?
     if [ $c -eq 0 ]; then break; fi
     if [ $i -eq 3 ]; then

build/ci/macos/package.sh

@@ -6,11 +6,13 @@ trap 'echo Package failed; exit 1' ERR
 ARTIFACTS_DIR="build.artifacts"
 SIGN_CERTIFICATE_ENCRYPT_SECRET="''"
 SIGN_CERTIFICATE_PASSWORD="''"
+DEVELOPER_NAME="MuseSore"
 
 while [[ "$#" -gt 0 ]]; do
     case $1 in
         --signsecret) SIGN_CERTIFICATE_ENCRYPT_SECRET="$2"; shift ;;
         --signpass) SIGN_CERTIFICATE_PASSWORD="$2"; shift ;;
+        --developer_name) DEVELOPER_NAME="$2"; shift ;;
         *) echo "Unknown parameter passed: $1"; exit 1 ;;
     esac
     shift
@@ -75,7 +77,7 @@ if [ "$BUILD_MODE" == "stable" ]; then
   PACKAGE_VERSION="${VERSION_MAJOR}.${VERSION_MINOR}.${VERSION_PATCH}"
 fi
 
-build/package_mac --longer_name "$APP_LONGER_NAME" --version "$PACKAGE_VERSION"
+build/package_mac --longer_name "$APP_LONGER_NAME" --version "$PACKAGE_VERSION" --developer_name "$DEVELOPER_NAME"
 
 DMGFILE="$(ls applebuild/*.dmg)"
 echo "DMGFILE: $DMGFILE"

build/package_mac

@@ -1,28 +1,31 @@
-#!/bin/bash
+#!/usr/bin/env bash
 
 APPNAME=mscore
 LONG_NAME="MuseScore"
 LONGER_NAME="MuseScore 3"
 VERSION=0
+DEVELOPER_NAME="MuseScore"
 
 while [[ "$#" -gt 0 ]]; do
     case $1 in
         --long_name) LONG_NAME="$2"; shift ;;
         --longer_name) LONGER_NAME="$2"; shift ;;
-        --version) VERSION=$2; shift ;;
+        --version) VERSION="$2"; shift ;;
+        --developer_name) DEVELOPER_NAME="$2"; shift ;;
         *) echo "Unknown parameter passed: $1"; exit 1 ;;
     esac
     shift
 done
 
-if [ $VERSION -eq 0 ]; then 
+if [ "$VERSION" == "0" ]; then 
     SCRIPT_DIR=$(cd "$(dirname ${BASH_SOURCE[0]})" && pwd)
     VERSION=$(cmake -P "$SCRIPT_DIR/../config.cmake" | sed -n -e "s/^.*VERSION  *//p")
 fi    
 
 echo "LONG_NAME: $LONG_NAME"
 echo "LONGER_NAME: $LONGER_NAME"
 echo "VERSION: $VERSION"
+echo "DEVELOPER_NAME: $DEVELOPER_NAME"
 
 WORKING_DIRECTORY=applebuild
 BACKGROUND=build/packaging/musescore-dmg-background.tiff
@@ -92,20 +95,7 @@ function change_rpath() {
    done
 }
 
-function change_rpath_QWebEngine() {
-   for P in `otool -L $1 | awk '{print $1}'`
-   do
-      if [[ "$P" == *@rpath* ]]
-      then
-         PSLASH=$(echo $P | sed 's,@rpath,@loader_path/../../../../../../..,g')
-         FNAME=$(echo $P | sed "s,@rpath,${VOLUME}/${APPNAME}.app/Contents/Frameworks,g")
-         install_name_tool -change $P $PSLASH $1
-      fi
-   done
-}
-
-
-rm ${WORKING_DIRECTORY}/${COMPRESSEDDMGNAME}
+rm -f ${WORKING_DIRECTORY}/${COMPRESSEDDMGNAME}
 
 #tip: increase the size if error on copy or macdeployqt
 hdiutil create -size 800m -fs HFS+ -volname ${VOLNAME} ${WORKING_DIRECTORY}/${DMGNAME}
@@ -151,9 +141,6 @@ macdeployqt ${VOLUME}/${APPNAME}.app
 # fix the libs, qt5.6 has @rpath...
 BIN_FILE=${VOLUME}/${APPNAME}.app/Contents/MacOS/mscore
 change_rpath $BIN_FILE
-# fix the QWebEngineProcess, qt5.9 has @rpath...
-WebEngineProcess=${VOLUME}/${APPNAME}.app/Contents/Frameworks/QtWebEngineCore.framework/Versions/5/Helpers/QtWebEngineProcess.app/Contents/MacOS/QtWebEngineProcess
-change_rpath_QWebEngine $WebEngineProcess
 
 # Workaround:
 # fix Homebrew libraries with hard coded absolute path, see QTBUG-56814
@@ -182,7 +169,6 @@ do
 done
 
 otool -L ${VOLUME}/${APPNAME}.app/Contents/MacOS/mscore
-otool -L ${VOLUME}/${APPNAME}.app/Contents/Frameworks/QtWebEngineCore.framework/Versions/5/Helpers/QtWebEngineProcess.app/Contents/MacOS/QtWebEngineProcess
 
 echo "Rename ${APPNAME}.app to ${VOLUME}/${LONGER_NAME}.app"
 mv ${VOLUME}/${APPNAME}.app "${VOLUME}/${LONGER_NAME}.app"
@@ -209,11 +195,9 @@ CODE_PATHS=(
 #codesign
 echo "Codesign"
 # `codesign --deep` doesn't seem to search for code in Contents/Resources directory so sign libraries in it manually
-find "${VOLUME}/${LONGER_NAME}.app/Contents/Resources" -name '*.dylib' -exec codesign --force --options runtime --deep -s "Developer ID Application: MuseScore" '{}' ';'
+find "${VOLUME}/${LONGER_NAME}.app/Contents/Resources" -name '*.dylib' -exec codesign --force --options runtime --deep -s "Developer ID Application: ${DEVELOPER_NAME}" '{}' ';'
 # Sign code in other (more conventional) locations
-codesign --force --options runtime --entitlements "${WORKING_DIRECTORY}/../build/macosx_entitlements.plist" --deep -s "Developer ID Application: MuseScore" "${CODE_PATHS[@]}"
-# Sign QtWebEngine application for MacOS Catalina
-codesign --force --verify --verbose --options runtime --entitlements "${WORKING_DIRECTORY}/../build/qtwebengineprocess.entitlements" --deep --sign "Developer ID Application: MuseScore" "${VOLUME}/${LONGER_NAME}.app/Contents/Frameworks/QtWebEngineCore.framework/Helpers/QtWebEngineProcess.app/Contents/MacOS/QtWebEngineProcess"
+codesign --force --options runtime --entitlements "${WORKING_DIRECTORY}/../build/macosx_entitlements.plist" --deep -s "Developer ID Application: ${DEVELOPER_NAME}" "${CODE_PATHS[@]}"
 echo "spctl"
 spctl --assess --type execute "${VOLUME}/${LONGER_NAME}.app"
 echo "Codesign verify"