From fdf00e0bcc1a6804119e86998ad8043381f9c8d3 Mon Sep 17 00:00:00 2001
From: Tom Lokhorst
Date: Sun, 16 Apr 2023 15:16:14 +0200
Subject: [PATCH] Update notarization to use notarytool, instead of altool
---
 .github/workflows/release.yml | 37 +++++++++++++-----------
 notarize.sh | 54 -----------------------------------
 2 files changed, 21 insertions(+), 70 deletions(-)
 delete mode 100644 notarize.sh
diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml
index 99c2e6f0..e139e9ab 100644
--- a/.github/workflows/release.yml
+++ b/.github/workflows/release.yml
@@ -33,7 +33,7 @@ jobs:
 asset_name: rswift-${{ github.event.release.tag_name }}-source.tar.gz
 asset_content_type: application/tar+gzip
- - name: Build fat binary
+ - name: Build universal binary
 run: |
 swift build -c release --arch x86_64 --arch arm64
@@ -43,11 +43,13 @@ jobs:
 - name: Import Signing Certificates
 uses: apple-actions/import-codesign-certs@v1
 with:
- p12-file-base64: ${{ secrets.APPLE_CERTS }}
- p12-password: ${{ secrets.APPLE_CERTS_PASSWORD }}
+ p12-file-base64: ${{ secrets.APPLE_CERTIFICATES }}
+ p12-password: ${{ secrets.APPLE_CERTIFICATES_PASSWORD }}
 - name: Code Sign
 run: |
- codesign --force --options runtime --sign 'Developer ID Application: Mathijs Kadijk (5Z49PA849J)' .build/apple/Products/Release/rswift
+ codesign --force --options runtime --sign "$IDENTITY" .build/apple/Products/Release/rswift
+ env:
+ IDENTITY: 'Developer ID Application: Nonstrict B.V. (WT5N9FK54M)'
 - name: Store build artifact
 uses: actions/upload-artifact@v3
 with:
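Review bot: `apple-actions/import-codesign-certs@v1` in the Import Signing Certificates step is referenced by a movable tag, and that step is handed the Developer ID `.p12` and its password through the renamed `APPLE_CERTIFICATES` secrets. The `uses:` line is unchanged context in this hunk, but since the signing inputs are being touched anyway I would pin it to a full commit SHA, e.g. `uses: apple-actions/import-codesign-certs@<full-commit-sha> # v1`, so that a retagged release cannot change which code receives the certificate. The same applies, with lower stakes, to `actions/upload-artifact@v3` at the end of the hunk. The step list continues outside the hunk.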
@@ -60,12 +62,12 @@ jobs:
 FILENAME: ${{ runner.temp }}/rswift-${{ github.event.release.tag_name }}.zip
 - name: Notarize ZIP
 run: |
- sh notarize.sh
+ xcrun notarytool submit $FILENAME --apple-id $APPLE_ID --password $APP_PASSWORD --team-id $TEAM_ID --wait
 env:
- BUNDLE_ID: nl.mathijskadijk.rswift
- DEV_ACCOUNT: ${{ secrets.APPLE_ID_EMAIL }}
- PASSWORD: ${{ secrets.APPLE_ID_PASSWORD }}
- DEV_TEAM: 5Z49PA849J
+ BUNDLE_ID: com.nonstrict.rswift
+ APPLE_ID: ${{ secrets.APPLE_IDENTIFIER }}
+ APP_PASSWORD: ${{ secrets.APPLE_IDENTIFIER_PASSWORD }}
+ TEAM_ID: WT5N9FK54M
 FILENAME: ${{ runner.temp }}/rswift-${{ github.event.release.tag_name }}.zip
 - name: Attach ZIP to release
 uses: actions/upload-release-asset@v1
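Review bot: The Notarize ZIP step no longer has an explicit check that notarization succeeded: the deleted `notarize.sh` exited 1 unless the status was `success`, while the new line relies solely on the exit code of `xcrun notarytool submit ... --wait`. As far as I know, notarytool can exit 0 when a submission completes with status `Invalid`, which is worth confirming. Unlike the PKG step there is no `stapler staple` afterwards to catch it, so a rejected ZIP would still be attached to the release. I would add `--output-format json`, capture the output, and fail the step unless the reported status is `Accepted`. `BUNDLE_ID` in this step's `env:` is no longer read by the command and can be dropped.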
@@ -89,21 +91,23 @@ jobs:
 run: |
 mkdir -p $PKG_ROOT/$BINARY_ROOT
 cp .build/apple/Products/Release/rswift $PKG_ROOT/$BINARY_ROOT
- pkgbuild --root $PKG_ROOT --identifier "nl.mathijskadijk.rswift" --version $TAG_NAME --install-location "/" --sign "Developer ID Installer: Mathijs Kadijk (5Z49PA849J)" $FILENAME
+ pkgbuild --root $PKG_ROOT --identifier $BUNDLE_ID --version $TAG_NAME --install-location "/" --sign "$IDENTITY" $FILENAME
 env:
 TAG_NAME: ${{ github.event.release.tag_name }}
 FILENAME: ${{ runner.temp }}/rswift-${{ github.event.release.tag_name }}.pkg
- BUNDLE_ID: nl.mathijskadijk.rswift
+ BUNDLE_ID: com.nonstrict.rswift
+ IDENTITY: 'Developer ID Installer: Nonstrict B.V. (WT5N9FK54M)'
 PKG_ROOT: ${{ runner.temp }}/pkgroot
 BINARY_ROOT: /usr/local/bin
 - name: Notarize PKG
 run: |
- sh notarize.sh && xcrun stapler staple "$FILENAME"
+ xcrun notarytool submit $FILENAME --apple-id $APPLE_ID --password $APP_PASSWORD --team-id $TEAM_ID --wait
+ xcrun stapler staple $FILENAME
 env:
- BUNDLE_ID: nl.mathijskadijk.rswift
- DEV_ACCOUNT: ${{ secrets.APPLE_ID_EMAIL }}
- PASSWORD: ${{ secrets.APPLE_ID_PASSWORD }}
- DEV_TEAM: 5Z49PA849J
+ BUNDLE_ID: com.nonstrict.rswift
+ APPLE_ID: ${{ secrets.APPLE_IDENTIFIER }}
+ APP_PASSWORD: ${{ secrets.APPLE_IDENTIFIER_PASSWORD }}
+ TEAM_ID: WT5N9FK54M
 FILENAME: ${{ runner.temp }}/rswift-${{ github.event.release.tag_name }}.pkg
 - name: Attach PKG to release
 uses: actions/upload-release-asset@v1
@@ -117,3 +121,4 @@ jobs:
 - name: Publish to Homebrew
 run: brew bump-formula-pr --tag $TAG_NAME --revision $REVISION rswift || exit 0
+
diff --git a/notarize.sh b/notarize.sh
deleted file mode 100644
index 5ad1ecec..00000000
--- a/notarize.sh
+++ /dev/null
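Review bot: The shell expansions in the new `run:` lines are unquoted, and the Notarize PKG step drops the quotes the removed line had in `xcrun stapler staple "$FILENAME"`. `$TAG_NAME` and `$FILENAME` derive from the release tag and `$APP_PASSWORD` is a secret, so word splitting and globbing should not be left to chance: quote every expansion, e.g. `xcrun notarytool submit "$FILENAME" --apple-id "$APPLE_ID" --password "$APP_PASSWORD" --team-id "$TEAM_ID" --wait` and `xcrun stapler staple "$FILENAME"`, and likewise `"$PKG_ROOT"`, `"$BUNDLE_ID"`, `"$TAG_NAME"` and `"$FILENAME"` on the `pkgbuild` line. The Notarize ZIP step in the previous hunk has the same unquoted `notarytool` line. Passing the app-specific password with `--password` also places it in the process arguments on the runner; authenticating with an App Store Connect API key (`--key`, `--key-id`, `--issuer`) would keep the credential out of argv. `BUNDLE_ID` in the Notarize PKG `env:` is no longer read by either command.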
@@ -1,54 +0,0 @@
-
-requeststatus() { # $1: requestUUID
- requestUUID=${1?:"need a request UUID"}
- req_status=$(xcrun altool --notarization-info "$requestUUID" \
- --username "$DEV_ACCOUNT" \
- --password "$PASSWORD" 2>&1 \
- | awk -F ': ' '/Status:/ { print $2; }' )
- echo "$req_status"
-}
-
-
-notarizefile() { # $1: path to file to notarize, $2: identifier
- filepath=${1:?"need a filepath"}
- identifier=${2:?"need an identifier"}
-
- # upload file
- echo "## uploading $filepath for notarization"
- requestUUID=$(xcrun altool --notarize-app \
- --primary-bundle-id "$BUNDLE_ID" \
- --username "$DEV_ACCOUNT" \
- --password "$PASSWORD" \
- --asc-provider "$DEV_TEAM" \
- --file "$FILENAME" \
- | awk '/RequestUUID/ { print $NF; }')
-
- echo "Notarization RequestUUID: $requestUUID"
-
- if [[ $requestUUID == "" ]]; then
- echo "could not upload for notarization"
- exit 1
- fi
-
- # wait for status to be not "in progress" any more
- request_status="in progress"
- while [[ "$request_status" == "in progress" ]]; do
- echo -n "waiting... "
- sleep 10
- request_status=$(requeststatus "$requestUUID")
- echo "$request_status"
- done
-
- # print status information
- xcrun altool --notarization-info "$requestUUID" \
- --username "$DEV_ACCOUNT" \
- --password "$PASSWORD"
- echo
-
- if [[ $request_status != "success" ]]; then
- echo "## could not notarize $filepath"
- exit 1
- fi
-}
-
-notarizefile "$FILENAME" "$BUNDLE_ID"