enable signing on macOS (chaiNNer-org#2136)

* enable signing on macOS fixes chaiNNer-org#761 * added missing packages * add certificate to keychain * don't sign on publish --dry-run * don't run macOS certificate in release-test --------- Co-authored-by: Joey Ballentine <34788790+joeyballentine@users.noreply.github.com>
Kim2091 · Aug 28, 2023 · c1abf28 · c1abf28
1 parent 74578fc
commit c1abf28
Show file tree

Hide file tree

Showing 5 changed files with 102 additions and 15 deletions.
diff --git a/.github/workflows/release-test.yml b/.github/workflows/release-test.yml
@@ -1,4 +1,4 @@
-name: Release
+name: Release Test
 
 on:
     pull_request:

diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml
@@ -33,8 +33,26 @@ jobs:
                   node-version: 16
                   cache: 'npm'
             - run: npm ci
+            - name: macOS certificate
+              if: matrix.os == 'macos-latest'
+              env:
+                  APPLE_CERTIFICATE: ${{ secrets.APPLE_CERTIFICATE }}
+                  APPLE_CERTIFICATE_PASSWORD: ${{ secrets.APPLE_CERTIFICATE_PASSWORD }}
+              run: |
+                  KEY_CHAIN=build.keychain
+                  CERTIFICATE_P12=certificate.p12
+                  echo $APPLE_CERTIFICATE | base64 --decode > $CERTIFICATE_P12
+                  security create-keychain -p actions $KEY_CHAIN
+                  security default-keychain -s $KEY_CHAIN
+                  security unlock-keychain -p actions $KEY_CHAIN
+                  security import $CERTIFICATE_P12 -k $KEY_CHAIN -P $APPLE_CERTIFICATE_PASSWORD -T /usr/bin/codesign;
+                  security set-key-partition-list -S apple-tool:,apple: -s -k actions $KEY_CHAIN
+                  rm -fr *.p12
             - name: publish
               env:
                   GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+                  APPLE_ID: ${{ secrets.APPLE_ID }}
+                  APPLE_PASSWORD: ${{ secrets.APPLE_PASSWORD }}
+                  APPLE_TEAM_ID: ${{ secrets.APPLE_TEAM_ID }}
               shell: bash
               run: npm run publish
diff --git a/forge.config.js b/forge.config.js
@@ -35,6 +35,17 @@ const config = {
         appBundleId: 'app.chainner',
         appCategoryType: 'public.app-category.graphics-design',
         extendInfo: './src/public/Info.plist',
+        ...(process.argv.includes('--dry-run')
+            ? {}
+            : {
+                  osxSign: {},
+                  osxNotarize: {
+                      tool: 'notarytool',
+                      appleId: process.env.APPLE_ID,
+                      appleIdPassword: process.env.APPLE_PASSWORD,
+                      teamId: process.env.APPLE_TEAM_ID,
+                  },
+              }),
     },
     publishers: [
         {

diff --git a/package-lock.json b/package-lock.json
diff --git a/package.json b/package.json
@@ -47,6 +47,8 @@
     "@electron-forge/maker-zip": "^6.2.1",
     "@electron-forge/plugin-webpack": "^6.2.1",
     "@electron-forge/publisher-github": "^6.2.1",
+    "@electron/notarize": "^2.1.0",
+    "@electron/osx-sign": "^1.0.5",
     "@pmmmwh/react-refresh-webpack-plugin": "^0.5.7",
     "@types/bezier-js": "^4.1.0",
     "@types/d3": "^7.4.0",