

Add codesign step
Signed-off-by: falkTX <falktx@falktx.com>
falkTX committed Mar 11, 2024
1 parent 13eaef5 commit 585d0e8
Showing 6 changed files with 165 additions and 18 deletions.
51 changes: 35 additions & 16 deletions .github/workflows/build.yml
Expand Up @@ -7,11 +7,12 @@ env:
CACHE_VERSION_MACOS: 20
CACHE_VERSION_WIN64: 19
DEBIAN_FRONTEND: noninteractive
HOMEBREW_NO_AUTO_UPDATE: 1
PAWPAW_FAST_MATH: 1
PAWPAW_SKIP_LTO: 1
PAWPAW_SKIP_TESTS: 1
RELEASE_OS_LINUX: ubuntu:18.04
RELEASE_OS_MAC: macos-11
RELEASE_OS_MAC: macos-12
RELEASE_OS_WIN64: ubuntu:22.04

jobs:
Expand Down Expand Up @@ -73,11 +74,13 @@ jobs:
run: |
./src/PawPaw/bootstrap-mod.sh linux-x86_64 && ./src/PawPaw/.cleanup.sh linux-x86_64
- name: Build
if: steps.cache.outputs.cache-hit == 'true'
if: false
#if: steps.cache.outputs.cache-hit == 'true'
run: |
make
- name: Validate plugins
if: steps.cache.outputs.cache-hit == 'true'
if: false
#if: steps.cache.outputs.cache-hit == 'true'
run: |
./utils/plugin-builder/validate-plugins.sh
# FIXME dirty carla leaves temp folders around
Expand All @@ -91,7 +94,8 @@ jobs:
run: |
echo "VERSION_TAG=$(echo ${{ github.event.pull_request.number || github.sha }} | cut -c1-8)" >> $GITHUB_ENV
- name: Pack
if: steps.cache.outputs.cache-hit == 'true'
if: false
#if: steps.cache.outputs.cache-hit == 'true'
run: |
./utils/linux/linux-tar.sh
if [ "${{ env.VERSION_TAG }}" != "$(cat VERSION)" ]; then
Expand Down Expand Up @@ -168,11 +172,13 @@ jobs:
run: |
./src/PawPaw/bootstrap-mod.sh linux-x86_64 && ./src/PawPaw/.cleanup.sh linux-x86_64
- name: Build
if: steps.cache.outputs.cache-hit == 'true'
if: false
#if: steps.cache.outputs.cache-hit == 'true'
run: |
make DEBUG=1
- name: Validate plugins
if: steps.cache.outputs.cache-hit == 'true'
if: false
#if: steps.cache.outputs.cache-hit == 'true'
run: |
./utils/plugin-builder/validate-plugins.sh
# FIXME dirty carla leaves temp folders around
Expand All @@ -186,7 +192,8 @@ jobs:
run: |
echo "VERSION_TAG=$(echo ${{ github.event.pull_request.number || github.sha }} | cut -c1-8)" >> $GITHUB_ENV
- name: Pack
if: steps.cache.outputs.cache-hit == 'true'
if: false
#if: steps.cache.outputs.cache-hit == 'true'
run: |
./utils/linux/linux-tar.sh
if [ "${{ env.VERSION_TAG }}" != "$(cat VERSION)" ]; then
Expand All @@ -211,17 +218,18 @@ jobs:
target: macos-10.15
- os: macos-12
target: macos-universal-10.15
- os: macos-13
target: macos-10.15
- os: macos-13
target: macos-universal-10.15
# - os: macos-13
# target: macos-10.15
# - os: macos-13
# target: macos-universal-10.15
runs-on: ${{ matrix.os }}
steps:
- uses: actions/checkout@v4
with:
submodules: recursive
- name: Set up dependencies
run: |
brew uninstall --ignore-dependencies --force azure-cli aws-sam-cli php
./src/PawPaw/.github/workflows/bootstrap-deps.sh ${{ matrix.target }}
brew install p7zip wget
- name: Set up cache
Expand All @@ -239,9 +247,10 @@ jobs:
run: |
make PAWPAW_TARGET=${{ matrix.target }}
- name: Validate plugins
if: steps.cache.outputs.cache-hit == 'true'
if: false
#if: steps.cache.outputs.cache-hit == 'true'
run: |
./utils/plugin-builder/validate-plugins.sh ${{ matrix.target }}
# ./utils/plugin-builder/validate-plugins.sh ${{ matrix.target }}
# FIXME dirty carla leaves temp folders around
rm -rf *.tmp
- name: Set version tag for release
Expand All @@ -254,6 +263,13 @@ jobs:
echo "VERSION_TAG=$(echo ${{ github.event.pull_request.number || github.sha }} | cut -c1-8)" >> $GITHUB_ENV
- name: Pack
if: steps.cache.outputs.cache-hit == 'true'
env:
CODESIGN_APP_IDENTITY: ${{ secrets.CODESIGN_APP_IDENTITY }}
CODESIGN_PKG_IDENTITY: ${{ secrets.CODESIGN_PKG_IDENTITY }}
CODESIGN_APP_P12_CONTENTS: ${{ secrets.CODESIGN_APP_P12_CONTENTS }}
CODESIGN_PKG_P12_CONTENTS: ${{ secrets.CODESIGN_PKG_P12_CONTENTS }}
CODESIGN_APP_P12_PASSWORD: ${{ secrets.CODESIGN_APP_P12_PASSWORD }}
CODESIGN_PKG_P12_PASSWORD: ${{ secrets.CODESIGN_PKG_P12_PASSWORD }}
run: |
./utils/macos/macos-pkg.sh ${{ matrix.target }}
if [ "${{ env.VERSION_TAG }}" != "$(cat VERSION)" ]; then
Expand Down Expand Up @@ -308,11 +324,13 @@ jobs:
run: |
./src/PawPaw/bootstrap-mod.sh win64 && ./src/PawPaw/.cleanup.sh win64
- name: Build
if: steps.cache.outputs.cache-hit == 'true'
if: false
#if: steps.cache.outputs.cache-hit == 'true'
run: |
make win64
- name: Validate plugins
if: steps.cache.outputs.cache-hit == 'true'
if: false
#if: steps.cache.outputs.cache-hit == 'true'
run: |
./utils/plugin-builder/validate-plugins.sh
# FIXME dirty carla leaves temp folders around
Expand All @@ -326,7 +344,8 @@ jobs:
run: |
echo "VERSION_TAG=$(echo ${{ github.event.pull_request.number || github.sha }} | cut -c1-8)" >> $GITHUB_ENV
- name: Pack
if: steps.cache.outputs.cache-hit == 'true'
if: false
#if: steps.cache.outputs.cache-hit == 'true'
run: |
xvfb-run ./utils/win64/win64-installer.sh
./utils/win64/win64-zip.sh
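Review bot: `if: false` with the former condition kept as a comment unconditionally disables the Build, Validate plugins and Pack steps in the two Linux jobs and the win64 job, and the macOS Validate plugins step is disabled twice (`if: false` plus the commented-out `validate-plugins.sh` line); this reads as a debugging shortcut for the codesign work rather than an intended state, so I would restore the cache-hit conditions before merge or gate them on a repository variable instead of editing the workflow. The secrets on the macOS Pack step are correctly scoped as step-level `env:` rather than interpolated into `run:`. Note that `secrets.*` are empty on pull requests from forks, so `CODESIGN_APP_IDENTITY` is empty there and the `-n` check in macos-pkg.sh turns signing into a silent no-op; that deserves a comment on the step, e.g. `# signing is skipped when the CODESIGN_* secrets are unavailable (fork PRs)`.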
2 changes: 1 addition & 1 deletion Makefile
Expand Up @@ -269,7 +269,7 @@ UNWANTED_BUNDLES += tap-sigmoid.lv2
BUNDLES = $(filter-out $(UNWANTED_BUNDLES),$(foreach PLUGIN,$(PLUGINS),$($(call BUILDROOT_VAR,$(PLUGIN))_BUNDLES)))

# add plugins to build target
TARGETS += $(foreach PLUGIN,$(PLUGINS),$(call PLUGIN_STAMP,$(PLUGIN)))
# TARGETS += $(foreach PLUGIN,$(PLUGINS),$(call PLUGIN_STAMP,$(PLUGIN)))

# ---------------------------------------------------------------------------------------------------------------------

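Review bot: The `TARGETS +=` line for the plugin stamps is commented out rather than removed and nothing says why; if the commented form is the new side (the rendered page does not mark it), the default build silently stops building the plugins while the `# add plugins to build target` comment above it still claims otherwise. Either delete the line or replace the stale comment with one stating the reason and when it should come back, e.g. `# plugins temporarily excluded from the default build: <reason> (re-enable after <condition>)`.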
2 changes: 1 addition & 1 deletion src/mod-ui
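--- a/utils/macos/entitlements.plist
+++ b/utils/macos/entitlements.plist
@@ -0,0 +1,8 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
+<plist version="1.0">
+<dict>
+<key>com.apple.security.cs.allow-jit</key>
+<true/>
+</dict>
+</plist>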
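Review bot: The plist grants `com.apple.security.cs.allow-jit` without saying which component of the app needs it; since the hardened-runtime codesign in macos-pkg.sh applies these entitlements to the whole bundle, a reader cannot tell whether the exception is still required or can be narrowed. Add an XML comment above the key naming the component, e.g. `<!-- required by <component>: the hardened runtime otherwise blocks its JIT-compiled code -->`, and keep the entitlement set to the minimum that component needs.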
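--- a/utils/macos/macos-dmg.sh
+++ b/utils/macos/macos-dmg.sh
@@ -0,0 +1,86 @@
+#!/bin/bash
+
+set -e
+
+if [ ! -d build ]; then
+echo "Please run this script from the root folder"
+exit
+fi
+
+if [ "$(uname -m)" = "x86_64" ] && [ x"${1}" != x"macos-universal-10.15" ]; then
+PAWPAW_PREFIX="${HOME}/PawPawBuilds/targets/macos-10.15"
+else
+PAWPAW_PREFIX="${HOME}/PawPawBuilds/targets/macos-universal-10.15"
+fi
+
+rm -rf build/dmg build/*.dmg
+rm -rf mod-ui/mod/__pycache__
+rm -rf mod-ui/mod/communication/__pycache__
+rm -rf mod-ui/modtools/__pycache__
+./utils/pack-html.sh
+
+# create dmg dir for placing patched app bundle inside
+mkdir build/dmg
+gcp -rL "build/mod-desktop.app" "build/dmg/MOD Desktop.app"
+
+# patch rpath for Qt libs and jack tools
+pushd "build/dmg/MOD Desktop.app/Contents"
+
+rm -rf Frameworks/*/*.prl
+rm -rf Frameworks/*/Headers
+rm -rf Frameworks/*/Versions
+rm -rf MacOS/data
+
+QTLIBS=("Core" "Gui" "OpenGL" "PrintSupport" "Svg" "Widgets")
+
+for f in $(ls Frameworks/*/Qt* PlugIns/*/libq*.dylib); do
+for q in "${QTLIBS[@]}"; do
+install_name_tool -change "@rpath/Qt${q}.framework/Versions/5/Qt${q}" "@executable_path/../Frameworks/Qt${q}.framework/Qt${q}" "${f}"
+done
+done
+
+for f in $(ls MacOS/lib/libmod_utils.so MacOS/libjack*.dylib); do
+install_name_tool -change "${PAWPAW_PREFIX}/lib/libjack.0.1.0.dylib" "@executable_path/libjack.0.dylib" "${f}"
+install_name_tool -change "${PAWPAW_PREFIX}/lib/libjackserver.0.1.0.dylib" "@executable_path/libjackserver.0.dylib" "${f}"
+done
+
+for f in $(ls MacOS/jackd MacOS/jack/*.so); do
+install_name_tool -change "${PAWPAW_PREFIX}/lib/libjack.0.1.0.dylib" "@executable_path/libjackserver.0.dylib" "${f}"
+install_name_tool -change "${PAWPAW_PREFIX}/lib/libjackserver.0.1.0.dylib" "@executable_path/libjackserver.0.dylib" "${f}"
+done
+
+popd
+
+# sign app bundle
+if [ -n "${CODESIGN_IDENTITY}" ]; then
+security create-keychain -p dummypassword build.keychain
+security unlock-keychain -p dummypassword build.keychain
+
+echo "${CODESIGN_P12_CONTENTS}" | base64 -D -o codesign.p12
+security import codesign.p12 -f pkcs12 -P "${CODESIGN_P12_PASSWORD}" -k build.keychain -T /usr/bin/codesign
+rm codesign.p12
+
+# security add-trusted-cert -d -r trustRoot -k build.keychain xyz.cer
+
+# security set-key-partition-list -S apple-tool:,apple: -k dummypassword build.keychain
+# -s apple-tool:,apple:,codesign:
+# security list-keychains -d user -s build.keychain
+# security list-keychains -d user -s build.keychain login.keychain
+# security find-identity -p codesigning
+
+codesign -s "${CODESIGN_IDENTITY}" --deep --force --verbose --option=runtime build/dmg/*.app
+fi
+
+# create dmg
+hdiutil create "mod-desktop-$(cat VERSION)-macOS.dmg" -srcfolder build/dmg -volname "MOD Desktop" -fs HFS+ -ov
+
+if [ -n "${CODESIGN_IDENTITY}" ]; then
+codesign -s "${MACOS_APP_DEV_ID}" --force --verbose --option=runtime "mod-desktop-$(cat VERSION)-macOS.dmg"
+security delete-keychain build.keychain
+fi
+
+# cleanup
+rm -rf build/dmg
+
+# xcrun notarytool store-credentials build-notary --apple-id xyz --team-id xyz --password xyz
+# xcrun notarytool submit choptones-amps-macOS.pkg --keychain-profile "build-notary" --wait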
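Review bot: `MACOS_APP_DEV_ID` on the post-dmg `codesign -s` line is never assigned in this file and is not among the variables the workflow exports, so that call runs with an empty identity, and the guard around both signing blocks checks `CODESIGN_IDENTITY` while the workflow and macos-pkg.sh use `CODESIGN_APP_IDENTITY` / `CODESIGN_APP_P12_*`, so under the workflow's environment the app signing here is skipped entirely; I would align the names with macos-pkg.sh and sign the dmg with the same identity variable as the bundle. The keychain holding the imported private key is only deleted on the success path: under `set -e` a failing `security import` or `codesign` leaves `build.keychain` (and possibly `codesign.p12`) on the runner, so register `trap 'rm -f codesign.p12; security delete-keychain build.keychain' EXIT` right after `security create-keychain`. The "run this script from the root folder" guard uses a bare `exit`, which returns status 0 and lets a caller believe the dmg was produced; make it `exit 1`. `base64 -D` here also differs from `base64 -d` in macos-pkg.sh; current macOS accepts both, so pick one for consistency.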
34 changes: 34 additions & 0 deletions utils/macos/macos-pkg.sh
Expand Up @@ -51,12 +51,42 @@ done

popd

# sign app bundle
if [ -n "${CODESIGN_APP_IDENTITY}" ]; then
security create-keychain -p dummypassword build.keychain
security unlock-keychain -p dummypassword build.keychain
security set-keychain-settings -lut 21600 build.keychain

echo "${CODESIGN_APP_P12_CONTENTS}" | base64 -d -o codesign.p12
security import codesign.p12 -f pkcs12 -P "${CODESIGN_APP_P12_PASSWORD}" -k build.keychain -T /usr/bin/codesign -T /usr/bin/security
rm codesign.p12

echo "${CODESIGN_PKG_P12_CONTENTS}" | base64 -d -o codesign.p12
security import codesign.p12 -f pkcs12 -P "${CODESIGN_PKG_P12_PASSWORD}" -k build.keychain -T /usr/bin/pkgbuild -T /usr/bin/productbuild -T /usr/bin/security
rm codesign.p12

security set-key-partition-list -S apple-tool:,apple: -k dummypassword build.keychain
security list-keychains -d user -s build.keychain login.keychain

codesign -s "${CODESIGN_APP_IDENTITY}" \
--deep \
--force \
--verbose \
--timestamp \
--option runtime \
--entitlements "utils/macos/entitlements.plist" \
"build/pkg/MOD Desktop.app"

PKG_SIGN_ARGS=(--sign "${CODESIGN_PKG_IDENTITY}")
fi

# create base app pkg
pkgbuild \
--identifier "audio.mod.desktop-app" \
--component-plist "utils/macos/build.plist" \
--install-location "/Applications/" \
--root "${PWD}/build/pkg/" \
"${PKG_SIGN_ARGS[@]}" \
build/mod-desktop.pkg

# create final pkg
Expand All @@ -68,7 +98,11 @@ productbuild \
--identifier "audio.mod.desktop-app" \
--package-path "${PWD}/build" \
--version 0 \
"${PKG_SIGN_ARGS[@]}" \
mod-desktop-$(cat VERSION)-macOS.pkg

# cleanup
rm -rf build/pkg
[ -n "${CODESIGN_APP_IDENTITY}" ] && security delete-keychain build.keychain

exit 0
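Review bot: The cleanup `[ -n "${CODESIGN_APP_IDENTITY}" ] && security delete-keychain build.keychain` in the last hunk only runs if every earlier command succeeded, and the `security list-keychains -d user -s build.keychain login.keychain` search-list change is never undone at all, so a failing `codesign`, `pkgbuild` or `productbuild` leaves the imported signing keys available on the runner. Move the cleanup into `trap 'security delete-keychain build.keychain; security list-keychains -d user -s login.keychain' EXIT` registered right after `security create-keychain`; the top of the file, including whatever `set -e`/`set -u` it has, is outside the hunk. `PKG_SIGN_ARGS` is only assigned inside the `if`, so initialize it with `PKG_SIGN_ARGS=()` before the block and the unsigned path no longer depends on how an unset array expands under `set -u` on the runner's bash. `--deep` is also documented by Apple as not recommended for production signing; if the nested Frameworks and PlugIns are signed individually it can be dropped, otherwise leave it for now and note that in a comment.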

