Fix Sparkle 2 build error on older Xcode / fix sign/notarize scripts #1336
Conversation
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sparkle 2: Seems like older Xcode versions (before 12.5) have problems signing frameworks that only have a Versions/B but not a Versions/A folder. Sparkle 2 moved to only having Versions/B which is causing code sign to fail on build step. Just fix this issue by disabling Sign on Copy for Sparkle.framework. We don't really need it because it already comes with an ad-hoc signature anyway, and for publish we have a custom signing script (sign-developer-id) to do manual signing. Also, fix CI to use Sparkle 2 again for old Xcode (11.7) builds to test this working. Previously we made it use Sparkle 1 because we didn't work around this issue, which was kind of a hack. For Sparkle 2, also add a `cleanup-after-build` script to remove the XPC Services folder in the framework. Sparkle dev added this to the bundle for sandboxed apps but non-sandbox apps don't really need it and it's recommended by Sparkle to remove them, so we unfortunately need to manually do it as a post-build step. Fix macvim-dev#1335 Signing / notarization scripts: Make sure to sign Sparkle 2 binaries in `sign-developer-id`. Also, seems like the "--deep" flag in codesign is now deprecated as of macOS 13, so just stop using it and manually sign all the relevant binaries explicitly. For notarization script, the current behavior doesn't correctly detect failure as `xcrun notarytool submit` always exits with 0 even if the submission failed. Add logic to manually query whether the submission succeeded. If failed, print out the logs for easier diagnosis, and exits with -1 so it will block progress.
7 tasks
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
Sparkle 2:
Seems like older Xcode versions (before 12.5) have problems signing frameworks that only have a Versions/B but not a Versions/A folder. Sparkle 2 moved to only having Versions/B which is causing code sign to fail on build step. Just fix this issue by disabling Sign on Copy for Sparkle.framework. We don't really need it because it already comes with an ad-hoc signature anyway, and for publish we have a custom signing script (sign-developer-id) to do manual signing.
Also, fix CI to use Sparkle 2 again for old Xcode (11.7) builds to test this working. Previously we made it use Sparkle 1 because we didn't work around this issue, which was kind of a hack.
For Sparkle 2, also add a
cleanup-after-buildscript to remove the XPC Services folder in the framework. Sparkle dev added this to the bundle for sandboxed apps but non-sandbox apps don't really need it and it's recommended by Sparkle to remove them, so we unfortunately need to manually do it as a post-build step.Fix #1335
Signing / notarization scripts:
Make sure to sign Sparkle 2 binaries in
sign-developer-id. Also, seems like the "--deep" flag in codesign is now deprecated as of macOS 13, so just stop using it and manually sign all the relevant binaries explicitly.For notarization script, the current behavior doesn't correctly detect failure as
xcrun notarytool submitalways exits with 0 even if the submission failed. Add logic to manually query whether the submission succeeded. If failed, print out the logs for easier diagnosis, and exits with -1 so it will block progress.