From f63bb4e1cb79ea4952e94d7779b2dbf1c9897dfd Mon Sep 17 00:00:00 2001
From: falkTX
Date: Mon, 11 Mar 2024 09:03:31 +0100
Subject: [PATCH] Add codesign step

Signed-off-by: falkTX
---
 .github/workflows/build.yml | 49 +++++++++++++------
 Makefile | 2 +-
 src/mod-ui | 2 +-
 utils/macos/entitlements.plist | 8 ++++
 utils/macos/macos-dmg.sh | 86 ++++++++++++++++++++++++++++++++++++
 utils/macos/macos-pkg.sh | 34 ++++++++++++++++++++++++++++++++++
 6 files changed, 164 insertions(+), 17 deletions(-)
 create mode 100644 utils/macos/entitlements.plist
 create mode 100755 utils/macos/macos-dmg.sh

diff --git a/.github/workflows/build.yml b/.github/workflows/build.yml
index 402db29..16e2ebb 100644
--- a/.github/workflows/build.yml
+++ b/.github/workflows/build.yml
@@ -7,6 +7,7 @@ env:
 CACHE_VERSION_MACOS: 20
 CACHE_VERSION_WIN64: 19
 DEBIAN_FRONTEND: noninteractive
+ HOMEBREW_NO_AUTO_UPDATE: 1
 PAWPAW_FAST_MATH: 1
 PAWPAW_SKIP_LTO: 1
 PAWPAW_SKIP_TESTS: 1
@@ -73,11 +74,13 @@ jobs:
 run: |
 ./src/PawPaw/bootstrap-mod.sh linux-x86_64 && ./src/PawPaw/.cleanup.sh linux-x86_64
 - name: Build
- if: steps.cache.outputs.cache-hit == 'true'
+ if: false
+ #if: steps.cache.outputs.cache-hit == 'true'
 run: |
 make
 - name: Validate plugins
- if: steps.cache.outputs.cache-hit == 'true'
+ if: false
+ #if: steps.cache.outputs.cache-hit == 'true'
 run: |
 ./utils/plugin-builder/validate-plugins.sh
 # FIXME dirty carla leaves temp folders around
@@ -91,7 +94,8 @@ jobs:
 run: |
 echo "VERSION_TAG=$(echo ${{ github.event.pull_request.number || github.sha }} | cut -c1-8)" >> $GITHUB_ENV
 - name: Pack
- if: steps.cache.outputs.cache-hit == 'true'
+ if: false
+ #if: steps.cache.outputs.cache-hit == 'true'
 run: |
 ./utils/linux/linux-tar.sh
 if [ "${{ env.VERSION_TAG }}" != "$(cat VERSION)" ]; then
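Review bot: `if: false` on the Build step (and on the Validate plugins and Pack steps below it) disables the linux job's real work outright, and the same hard-coded switch is repeated in the hunks at -91, -168, -186, -239 (where the validate command itself is also commented out), -308 and -326, while the Makefile hunk comments out `TARGETS += $(foreach PLUGIN,$(PLUGINS),$(call PLUGIN_STAMP,$(PLUGIN)))` so no plugin is built even where Build still runs; none of that is mentioned in the subject "Add codesign step". If this is scaffolding to iterate on the macOS signing step, say so in the commit message and gate it on one switch instead of editing every step, e.g. a workflow-level `env: SKIP_NON_MACOS: 1` (constructed name) checked as `if: env.SKIP_NON_MACOS != '1' && steps.cache.outputs.cache-hit == 'true'`, so the original conditions are not left behind as `#if:` comments. As written, the Linux and Windows artifacts silently stop being produced on every run of this workflow.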
@@ -168,11 +172,13 @@ jobs:
 run: |
 ./src/PawPaw/bootstrap-mod.sh linux-x86_64 && ./src/PawPaw/.cleanup.sh linux-x86_64
 - name: Build
- if: steps.cache.outputs.cache-hit == 'true'
+ if: false
+ #if: steps.cache.outputs.cache-hit == 'true'
 run: |
 make DEBUG=1
 - name: Validate plugins
- if: steps.cache.outputs.cache-hit == 'true'
+ if: false
+ #if: steps.cache.outputs.cache-hit == 'true'
 run: |
 ./utils/plugin-builder/validate-plugins.sh
 # FIXME dirty carla leaves temp folders around
@@ -186,7 +192,8 @@ jobs:
 run: |
 echo "VERSION_TAG=$(echo ${{ github.event.pull_request.number || github.sha }} | cut -c1-8)" >> $GITHUB_ENV
 - name: Pack
- if: steps.cache.outputs.cache-hit == 'true'
+ if: false
+ #if: steps.cache.outputs.cache-hit == 'true'
 run: |
 ./utils/linux/linux-tar.sh
 if [ "${{ env.VERSION_TAG }}" != "$(cat VERSION)" ]; then
@@ -211,10 +218,10 @@ jobs:
 target: macos-10.15
 - os: macos-12
 target: macos-universal-10.15
- - os: macos-13
- target: macos-10.15
- - os: macos-13
- target: macos-universal-10.15
+ # - os: macos-13
+ # target: macos-10.15
+ # - os: macos-13
+ # target: macos-universal-10.15
 runs-on: ${{ matrix.os }}
 steps:
 - uses: actions/checkout@v4
@@ -222,6 +229,7 @@ jobs:
 submodules: recursive
 - name: Set up dependencies
 run: |
+ brew uninstall azure-cli aws-sam-cli php
 ./src/PawPaw/.github/workflows/bootstrap-deps.sh ${{ matrix.target }}
 brew install p7zip wget
 - name: Set up cache
@@ -239,9 +247,10 @@ jobs:
 run: |
 make PAWPAW_TARGET=${{ matrix.target }}
 - name: Validate plugins
- if: steps.cache.outputs.cache-hit == 'true'
+ if: false
+ #if: steps.cache.outputs.cache-hit == 'true'
 run: |
- ./utils/plugin-builder/validate-plugins.sh ${{ matrix.target }}
+ # ./utils/plugin-builder/validate-plugins.sh ${{ matrix.target }}
 # FIXME dirty carla leaves temp folders around
 rm -rf *.tmp
 - name: Set version tag for release
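Review bot: `brew uninstall azure-cli aws-sam-cli php` in the Set up dependencies step (hunk -222) has no comment saying why those three formulae are removed from the runner image — to free disk space or to avoid a clash with what bootstrap-deps.sh installs, I cannot tell from the hunk — and as far as I know `brew uninstall` exits non-zero when one of the named formulae is not installed, so the step aborts on any image that stops shipping one of them, since the default `run` shell on the hosted runners is `bash -e`. Suggest a comment above it stating the reason and `brew uninstall azure-cli aws-sam-cli php || true` so a missing formula does not block the build before it has started.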
@@ -254,6 +263,13 @@ jobs:
 echo "VERSION_TAG=$(echo ${{ github.event.pull_request.number || github.sha }} | cut -c1-8)" >> $GITHUB_ENV
 - name: Pack
 if: steps.cache.outputs.cache-hit == 'true'
+ env:
+ CODESIGN_APP_IDENTITY: ${{ secrets.CODESIGN_APP_IDENTITY }}
+ CODESIGN_PKG_IDENTITY: ${{ secrets.CODESIGN_PKG_IDENTITY }}
+ CODESIGN_APP_P12_CONTENTS: ${{ secrets.CODESIGN_APP_P12_CONTENTS }}
+ CODESIGN_PKG_P12_CONTENTS: ${{ secrets.CODESIGN_PKG_P12_CONTENTS }}
+ CODESIGN_APP_P12_PASSWORD: ${{ secrets.CODESIGN_APP_P12_PASSWORD }}
+ CODESIGN_PKG_P12_PASSWORD: ${{ secrets.CODESIGN_PKG_P12_PASSWORD }}
 run: |
 ./utils/macos/macos-pkg.sh ${{ matrix.target }}
 if [ "${{ env.VERSION_TAG }}" != "$(cat VERSION)" ]; then
@@ -308,11 +324,13 @@ jobs:
 run: |
 ./src/PawPaw/bootstrap-mod.sh win64 && ./src/PawPaw/.cleanup.sh win64
 - name: Build
- if: steps.cache.outputs.cache-hit == 'true'
+ if: false
+ #if: steps.cache.outputs.cache-hit == 'true'
 run: |
 make win64
 - name: Validate plugins
- if: steps.cache.outputs.cache-hit == 'true'
+ if: false
+ #if: steps.cache.outputs.cache-hit == 'true'
 run: |
 ./utils/plugin-builder/validate-plugins.sh
 # FIXME dirty carla leaves temp folders around
@@ -326,7 +344,8 @@ jobs:
 run: |
 echo "VERSION_TAG=$(echo ${{ github.event.pull_request.number || github.sha }} | cut -c1-8)" >> $GITHUB_ENV
 - name: Pack
- if: steps.cache.outputs.cache-hit == 'true'
+ if: false
+ #if: steps.cache.outputs.cache-hit == 'true'
 run: |
 xvfb-run ./utils/win64/win64-installer.sh
 ./utils/win64/win64-zip.sh
diff --git a/Makefile b/Makefile
index 296932e..bec5dfa 100644
--- a/Makefile
+++ b/Makefile
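Review bot: The six `secrets.CODESIGN_*` values are exported to the whole Pack step, but the step's `if:` still only checks the cache hit, so on a run where the secrets resolve to empty strings (a pull request from a fork, or a repository without them configured) `macos-pkg.sh` skips its `-n "${CODESIGN_APP_IDENTITY}"` signing block and writes an unsigned `mod-desktop-<version>-macOS.pkg` under the same name, with nothing in the job output recording that. Suggest the script or a following step state the outcome explicitly, e.g. `if [ -n "${CODESIGN_APP_IDENTITY}" ]; then echo "codesign: enabled"; else echo "codesign: disabled"; fi`, and, when signing was expected, verify the result with `pkgutil --check-signature mod-desktop-$(cat VERSION)-macOS.pkg` so a missing or rotated secret fails the step instead of producing an unsigned release. The enclosing step continues past the end of the hunk.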
@@ -269,7 +269,7 @@ UNWANTED_BUNDLES += tap-sigmoid.lv2
 BUNDLES = $(filter-out $(UNWANTED_BUNDLES),$(foreach PLUGIN,$(PLUGINS),$($(call BUILDROOT_VAR,$(PLUGIN))_BUNDLES)))
 # add plugins to build target
-TARGETS += $(foreach PLUGIN,$(PLUGINS),$(call PLUGIN_STAMP,$(PLUGIN)))
+# TARGETS += $(foreach PLUGIN,$(PLUGINS),$(call PLUGIN_STAMP,$(PLUGIN)))
 # ---------------------------------------------------------------------------------------------------------------------
diff --git a/src/mod-ui b/src/mod-ui
index 6615183..0595788 160000
--- a/src/mod-ui
+++ b/src/mod-ui
@@ -1 +1 @@
-Subproject commit 661518336c1222638d5ca4dbc79fb02dd40d1eef
+Subproject commit 0595788f54ade32e58b897d4292d865fd805b972
diff --git a/utils/macos/entitlements.plist b/utils/macos/entitlements.plist
new file mode 100644
index 0000000..4efe1ce
--- /dev/null
+++ b/utils/macos/entitlements.plist
@@ -0,0 +1,8 @@
+ + + + com.apple.security.cs.allow-jit + + +
diff --git a/utils/macos/macos-dmg.sh b/utils/macos/macos-dmg.sh
new file mode 100755
index 0000000..3502aa3
--- /dev/null
+++ b/utils/macos/macos-dmg.sh
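Review bot: The new entitlements.plist grants `com.apple.security.cs.allow-jit`, which weakens the hardened runtime that macos-pkg.sh turns on with `--option runtime` by letting the process map writable-and-executable (MAP_JIT) pages, and nothing in the commit records which bundled component needs it. Add a comment inside the plist naming that component, e.g. `<!-- needed by <component - TODO confirm> to run JIT-compiled code; drop if the app works without it -->`, and confirm the entitlement set is the minimum the app actually requires. This rendering has stripped the XML tags from the hunk, so the `<dict>`/`<true/>` structure around the key cannot be checked from here.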
@@ -0,0 +1,86 @@
+#!/bin/bash
+
+set -e
+
+if [ ! -d build ]; then
+ echo "Please run this script from the root folder"
+ exit
+fi
+
+if [ "$(uname -m)" = "x86_64" ] && [ x"${1}" != x"macos-universal-10.15" ]; then
+ PAWPAW_PREFIX="${HOME}/PawPawBuilds/targets/macos-10.15"
+else
+ PAWPAW_PREFIX="${HOME}/PawPawBuilds/targets/macos-universal-10.15"
+fi
+
+rm -rf build/dmg build/*.dmg
+rm -rf mod-ui/mod/__pycache__
+rm -rf mod-ui/mod/communication/__pycache__
+rm -rf mod-ui/modtools/__pycache__
+./utils/pack-html.sh
+
+# create dmg dir for placing patched app bundle inside
+mkdir build/dmg
+gcp -rL "build/mod-desktop.app" "build/dmg/MOD Desktop.app"
+
+# patch rpath for Qt libs and jack tools
+pushd "build/dmg/MOD Desktop.app/Contents"
+
+rm -rf Frameworks/*/*.prl
+rm -rf Frameworks/*/Headers
+rm -rf Frameworks/*/Versions
+rm -rf MacOS/data
+
+QTLIBS=("Core" "Gui" "OpenGL" "PrintSupport" "Svg" "Widgets")
+
+for f in $(ls Frameworks/*/Qt* PlugIns/*/libq*.dylib); do
+ for q in "${QTLIBS[@]}"; do
+ install_name_tool -change "@rpath/Qt${q}.framework/Versions/5/Qt${q}" "@executable_path/../Frameworks/Qt${q}.framework/Qt${q}" "${f}"
+ done
+done
+
+for f in $(ls MacOS/lib/libmod_utils.so MacOS/libjack*.dylib); do
+ install_name_tool -change "${PAWPAW_PREFIX}/lib/libjack.0.1.0.dylib" "@executable_path/libjack.0.dylib" "${f}"
+ install_name_tool -change "${PAWPAW_PREFIX}/lib/libjackserver.0.1.0.dylib" "@executable_path/libjackserver.0.dylib" "${f}"
+done
+
+for f in $(ls MacOS/jackd MacOS/jack/*.so); do
+ install_name_tool -change "${PAWPAW_PREFIX}/lib/libjack.0.1.0.dylib" "@executable_path/libjackserver.0.dylib" "${f}"
+ install_name_tool -change "${PAWPAW_PREFIX}/lib/libjackserver.0.1.0.dylib" "@executable_path/libjackserver.0.dylib" "${f}"
+done
+
+popd
+
+# sign app bundle
+if [ -n "${CODESIGN_IDENTITY}" ]; then
+ security create-keychain -p dummypassword build.keychain
+ security unlock-keychain -p dummypassword build.keychain
+
+ echo "${CODESIGN_P12_CONTENTS}" | base64 -D -o codesign.p12
+ security import codesign.p12 -f pkcs12 -P "${CODESIGN_P12_PASSWORD}" -k build.keychain -T /usr/bin/codesign
+ rm codesign.p12
+
+ # security add-trusted-cert -d -r trustRoot -k build.keychain xyz.cer
+
+ # security set-key-partition-list -S apple-tool:,apple: -k dummypassword build.keychain
+ # -s apple-tool:,apple:,codesign:
+ # security list-keychains -d user -s build.keychain
+ # security list-keychains -d user -s build.keychain login.keychain
+ # security find-identity -p codesigning
+
+ codesign -s "${CODESIGN_IDENTITY}" --deep --force --verbose --option=runtime build/dmg/*.app
+fi
+
+# create dmg
+hdiutil create "mod-desktop-$(cat VERSION)-macOS.dmg" -srcfolder build/dmg -volname "MOD Desktop" -fs HFS+ -ov
+
+if [ -n "${CODESIGN_IDENTITY}" ]; then
+ codesign -s "${MACOS_APP_DEV_ID}" --force --verbose --option=runtime "mod-desktop-$(cat VERSION)-macOS.dmg"
+ security delete-keychain build.keychain
+fi
+
+# cleanup
+rm -rf build/dmg
+
+# xcrun notarytool store-credentials build-notary --apple-id xyz --team-id xyz --password xyz
+# xcrun notarytool submit choptones-amps-macOS.pkg --keychain-profile "build-notary" --wait
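Review bot: The dmg is signed with `"${MACOS_APP_DEV_ID}"`, a variable this script never sets or checks, while the guard around it tests `CODESIGN_IDENTITY`; with only `CODESIGN_IDENTITY` set this becomes `codesign -s ""` and fails after the app bundle has already been signed, and neither name matches the `CODESIGN_APP_*`/`CODESIGN_PKG_*` variables the workflow exports in this same commit, so the line should read `codesign -s "${CODESIGN_IDENTITY}" --force --verbose --option=runtime "mod-desktop-$(cat VERSION)-macOS.dmg"` and the script should adopt the macos-pkg.sh variable names. The decoded `codesign.p12` and the `build.keychain` holding the imported private key are only removed on the success path; under `set -e` a failing `security import` or `codesign` leaves both behind, so install `trap 'rm -f codesign.p12; security delete-keychain build.keychain 2>/dev/null || true' EXIT` right after `security create-keychain` and drop the manual `rm` and `delete-keychain`. The "Please run this script from the root folder" branch exits with status 0, so a caller cannot tell the script did nothing; make it `exit 1`. The commented-out `security set-key-partition-list -S apple-tool:,apple: ...` line is the step macos-pkg.sh runs so codesign can use the key non-interactively; if it is needed there it is presumably needed here too.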
@@ -51,12 +51,42 @@ done popd
+# sign app bundle
+if [ -n "${CODESIGN_APP_IDENTITY}" ]; then
+ security create-keychain -p dummypassword build.keychain
+ security unlock-keychain -p dummypassword build.keychain
+ security set-keychain-settings -lut 21600 build.keychain
+
+ echo "${CODESIGN_APP_P12_CONTENTS}" | base64 -d -o codesign.p12
+ security import codesign.p12 -f pkcs12 -P "${CODESIGN_APP_P12_PASSWORD}" -k build.keychain -T /usr/bin/codesign -T /usr/bin/security
+ rm codesign.p12
+
+ echo "${CODESIGN_PKG_P12_CONTENTS}" | base64 -d -o codesign.p12
+ security import codesign.p12 -f pkcs12 -P "${CODESIGN_PKG_P12_PASSWORD}" -k build.keychain -T /usr/bin/pkgbuild -T /usr/bin/productbuild -T /usr/bin/security
+ rm codesign.p12
+
+ security set-key-partition-list -S apple-tool:,apple: -k dummypassword build.keychain
+ security list-keychains -d user -s build.keychain login.keychain
+
+ codesign -s "${CODESIGN_APP_IDENTITY}" \
+ --deep \
+ --force \
+ --verbose \
+ --timestamp \
+ --option runtime \
+ --entitlements "utils/macos/entitlements.plist" \
+ "build/pkg/MOD Desktop.app"
+
+ PKG_SIGN_ARGS=(--sign "${CODESIGN_PKG_IDENTITY}")
+fi
+
+# create base app pkg
 pkgbuild \
 --identifier "audio.mod.desktop-app" \
 --component-plist "utils/macos/build.plist" \
 --install-location "/Applications/" \
 --root "${PWD}/build/pkg/" \
+ "${PKG_SIGN_ARGS[@]}" \
 build/mod-desktop.pkg
 # create final pkg
@@ -68,7 +98,11 @@ productbuild \
 --identifier "audio.mod.desktop-app" \
 --package-path "${PWD}/build" \
 --version 0 \
+ "${PKG_SIGN_ARGS[@]}" \
 mod-desktop-$(cat VERSION)-macOS.pkg
 # cleanup
 rm -rf build/pkg
+[ -n "${CODESIGN_APP_IDENTITY}" ] && security delete-keychain build.keychain
+
+exit 0
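Review bot: The decoded `codesign.p12` and `build.keychain`, which ends up holding both imported private keys, are only cleaned up on the success path (the `rm` after each import here and the `[ -n "${CODESIGN_APP_IDENTITY}" ] && security delete-keychain build.keychain` at the end of the file in the second hunk); if `security import`, `codesign`, `pkgbuild` or `productbuild` fails, the PKCS#12 file stays in the working tree and the keychain stays first in the user search list that `security list-keychains -d user -s build.keychain login.keychain` has just overwritten, which on a developer machine also drops every other keychain from that list permanently. Inside the `if`, right after `security create-keychain`, add `trap 'rm -f codesign.p12; security delete-keychain build.keychain 2>/dev/null || true; security list-keychains -d user -s login.keychain' EXIT` (or restore a list captured before the change), after which the trailing `[ -n ... ] &&` line and the `exit 0` it made necessary can go. If the script's preamble, which is outside this hunk, runs with `set -u`, `"${PKG_SIGN_ARGS[@]}"` on the unset array aborts under macOS's bash 3.2; `${PKG_SIGN_ARGS[@]+"${PKG_SIGN_ARGS[@]}"}` is the portable spelling. The two scripts also disagree on the base64 decode flag (`-d` here, `-D` in macos-dmg.sh); pick the one supported on the oldest runner in the matrix and use it in both.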