GA Signing

anvilproject · Oct 17, 2023 · 16df446 · 16df446
1 parent d818ea9
commit 16df446
Showing 1 changed file with 56 additions and 30 deletions.
diff --git a/.github/workflows/build.yml b/.github/workflows/build.yml
@@ -88,41 +88,67 @@ jobs:
           pip install -r requirements.txt -r requirements-dev.txt
           pyinstaller drs_downloader/cli.py --name drs-downloader-${{ runner.os }} 
 
-      # - name: Setup tmate session
-      #   uses: mxschmitt/action-tmate@v3
-
-      - name: Sign executable
-        uses: lando/code-sign-action@v2
-        with:
-          file: ./dist/drs-downloader-${{ runner.os }}/drs-downloader-${{ runner.os }}
-          certificate-data: ${{ secrets.APPLE_CERT_DATA }}
-          certificate-password: ${{ secrets.APPLE_CERT_PASSWORD }}
-          apple-team-id: ZA685R3CWP
-          apple-product-id: org.anvilproject.drs_downloader.pkg
-          options: --options=runtime
-
-      - name: setup tmate session
+      - name: Setup tmate session
+        env:
+          APPLE_CERT_DATA: ${{ secrets.APPLE_CERT_DATA }}
+          APPLE_CERT_PASSWORD: ${{ secrets.APPLE_CERT_PASSWORD }}
+          APPLE_NOTARY_USER: ${{ secrets.APPLE_NOTARY_USER }}
+          APPLE_NOTARY_PASSWORD: ${{ secrets.APPLE_NOTARY_PASSWORD }}
+          APPLE_TEAM_ID: ZA685R3CWP
         uses: mxschmitt/action-tmate@v3
 
-      - name: Build installer
+      - name: Build executable
         shell: bash
+        env: 
+          APPLE_CERT_DATA: ${{ secrets.APPLE_CERT_DATA }}
+          APPLE_CERT_PASSWORD: ${{ secrets.APPLE_CERT_PASSWORD }}
+          APPLE_NOTARY_USER: ${{ secrets.APPLE_NOTARY_USER }}
+          APPLE_NOTARY_PASSWORD: ${{ secrets.APPLE_NOTARY_PASSWORD }}
+          APPLE_TEAM_ID: ZA685R3CWP
         run: |
-          productbuild --sign "Developer ID Installer: Oregon Health & Science University Apps (ZA685R3CWP)" --resources ./resources --distribution ./distribution.xml drs_downloader.pkg
-
-      - name: setup tmate session
-        uses: mxschmitt/action-tmate@v3
+          pip install -r requirements.txt -r requirements-dev.txt
+          pyinstaller drs_downloader/cli.py --name drs-downloader-${{ runner.os }} 
 
-      - name: Sign executable
-        uses: lando/code-sign-action@v2
-        with:
-          file: ./drs_downloader.pkg
-          certificate-data: ${{ secrets.APPLE_CERT_DATA }}
-          certificate-password: ${{ secrets.APPLE_CERT_PASSWORD }}
-          apple-notary-user: ${{ secrets.APPLE_NOTARY_USER }}
-          apple-notary-password: ${{ secrets.APPLE_NOTARY_PASSWORD }}
-          apple-team-id: ZA685R3CWP
-          apple-product-id: org.anvilproject.drs_downloader.pkg
-          options: --options=runtime
+          # Setup
+          SIGNFILE="$(pwd)/dist/drs-downloader-${{ runner.os }}/drs-downloader-${{ runner.os }}"
+          
+          # Throw error if file does not exist
+          if [ ! -f "$SIGNFILE" ]; then
+            echo "$SIGNFILE does not exist!"
+            exit 5
+          fi
+          
+          # Export certs
+          echo "$APPLE_CERT_DATA" | base64 --decode > /tmp/certs.p12
+          
+          # Create keychain
+          security create-keychain -p actions macos-build.keychain
+          security default-keychain -s macos-build.keychain
+          security unlock-keychain -p actions macos-build.keychain
+          security set-keychain-settings -t 3600 -u macos-build.keychain
+          
+          # Import certs to keychain
+          security import /tmp/certs.p12 -k ~/Library/Keychains/macos-build.keychain -P "$APPLE_CERT_PASSWORD" -T /usr/bin/codesign -T /usr/bin/productsign
+          
+          # Key signing
+          security set-key-partition-list -S apple-tool:,apple: -s -k actions macos-build.keychain
+          
+          # Verify keychain things
+          security find-identity -v macos-build.keychain | grep "$APPLE_TEAM_ID" | grep "Developer ID Application"
+          security find-identity -v macos-build.keychain | grep "$APPLE_TEAM_ID" | grep "Developer ID Installer"
+          
+          # Force the codesignature
+          codesign --force $OPTIONS -s "$APPLE_TEAM_ID" "$SIGNFILE"
+          
+          # Verify the code signature
+          codesign -v "$SIGNFILE" --verbose
+
+          productbuild --identifier "org.anvilproject.drs_downloader.pkg" --sign "$APPLE_TEAM_ID" --timestamp --root ./dist/drs_downloader /Applications installer.pkg
+          productbuild --sign "$APPLE_TEAM_ID" --resources ./resources --distribution ./distribution.xml drs_downloader.pkg
+
+          xcrun notarytool store-credentials "notarytool-profile" --apple-id "$APPLE_NOTARY_USER" --team-id "$APPLE_TEAM_ID" --password "$APPLE_NOTARY_PASSWORD"
+          xcrun notarytool submit drs_downloader.pkg --keychain-profile "notarytool-profile" --wait
+          xcrun stapler staple drs_downloader.pkg
 
       - name: Setup tmate session
         uses: mxschmitt/action-tmate@v3