sign macos appbundle on build

.github/workflows/BuildMeshLab.yml

@@ -21,7 +21,13 @@ jobs:
         submodules: recursive
     - name: Setup MSVC
       uses: ilammy/msvc-dev-cmd@v1
-    - name: Set Certificate Windows
+    - name: Set CodeSign Certificate macOS
+      if: runner.os == 'macOS'
+      uses: apple-actions/import-codesign-certs@v1
+      with:
+        p12-file-base64: ${{ secrets.MACOS_CERTIFICATE }}
+        p12-password: ${{ secrets.MACOS_CERTIFICATE_PSSW }}
+    - name: Set CodeSign Certificate Windows
       if: runner.os == 'Windows'
       run: |
         New-Item -ItemType directory -Path certificate
@@ -62,7 +68,7 @@ jobs:
     - name: Deploy
       shell: bash
       run: |
-        bash scripts/${{ runner.os }}/2_deploy.sh --cert_pssw='${{ secrets.WIN_CERTIFICATE_PSSW }}'
+        bash scripts/${{ runner.os }}/2_deploy.sh --cert_pssw='${{ secrets.WIN_CERTIFICATE_PSSW }}' --cert_id=${{ secrets.MACOS_CERT_ID }}
     - name: Upload MeshLab Portable
       uses: actions/upload-artifact@v3
       with:

.github/workflows/CreateRelease.yml

@@ -40,8 +40,21 @@ jobs:
     - uses: actions/checkout@v3
       with:
         submodules: recursive
+        ref: main
     - name: Setup MSVC
       uses: ilammy/msvc-dev-cmd@v1
+    - name: Set CodeSign Certificate macOS
+      if: runner.os == 'macOS'
+      uses: apple-actions/import-codesign-certs@v1
+      with:
+        p12-file-base64: ${{ secrets.MACOS_CERTIFICATE }}
+        p12-password: ${{ secrets.MACOS_CERTIFICATE_PSSW }}
+    - name: Set CodeSign Certificate Windows
+      if: runner.os == 'Windows'
+      run: |
+        New-Item -ItemType directory -Path certificate
+        Set-Content -Path certificate\certificate.txt -Value '${{ secrets.WIN_CERTIFICATE }}'
+        certutil -decode certificate\certificate.txt certificate\certificate.pfx
     - name: Install Qt
       uses: jurplel/install-qt-action@v3
       with:
@@ -74,50 +87,30 @@ jobs:
       shell: bash
       run: |
         bash scripts/${{ runner.os }}/1_build.sh --${{ matrix.precision }} --ccache
-    - name: Set Certificate Windows
-      if: runner.os == 'Windows'
-      run: |
-        New-Item -ItemType directory -Path certificate
-        Set-Content -Path certificate\certificate.txt -Value '${{ secrets.WIN_CERTIFICATE }}'
-        certutil -decode certificate\certificate.txt certificate\certificate.pfx
-    - name: Sign Portable content Windows
-      if: runner.os == 'Windows'
-      run: |
-        .\scripts\Windows\internal\sign_dlls.ps1 -pssw '${{ secrets.WIN_CERTIFICATE_PSSW }}' -path 'install\'
     - name: Deploy
       shell: bash
       run: |
-        bash scripts/${{ runner.os }}/2_deploy.sh
-    - name: Import macOS Cert and Key
-      if: runner.os == 'macOS'
-      uses: apple-actions/import-codesign-certs@v1
-      with:
-        p12-file-base64: ${{ secrets.MACOS_CERTIFICATE }}
-        p12-password: ${{ secrets.MACOS_CERTIFICATE_PSSW }}
-    - name: Sign macOS
+        bash scripts/${{ runner.os }}/2_deploy.sh --cert_pssw='${{ secrets.WIN_CERTIFICATE_PSSW }}' --cert_id=${{ secrets.MACOS_CERT_ID }}
+    - name: Get AppBundle Name
       if: runner.os == 'macOS'
+      id: abn
+      shell: bash
       run: |
-        codesign --options "runtime" --timestamp --force --deep --sign ${{ secrets.MACOS_CERT_ID }} install/meshlab.app
+        cd install
+        NAME=$(ls -d MeshLab*)
+        echo "app_bundle_name=$NAME" >> $GITHUB_OUTPUT
     - name: Notarize macOS
       if: runner.os == 'macOS'
       uses: devbotsxyz/xcode-notarize@v1
       with:
-        product-path: "install/meshlab.app"
+        product-path: "install/${{steps.abn.outputs.app_bundle_name}}"
         appstore-connect-username: ${{ secrets.MACOS_NOTARIZATION_USER }}
         appstore-connect-password: ${{ secrets.MACOS_NOTARIZATION_PSSW }}
     - name: Staple Release macOS
       if: runner.os == 'macOS'
       uses: devbotsxyz/xcode-staple@v1
       with:
-        product-path: "install/meshlab.app"
-    - name: Packaging
-      shell: bash
-      run: |
-        bash scripts/${{ runner.os }}/3_pack.sh
-    - name: Sign Installer Windows
-      if: runner.os == 'Windows'
-      run: |
-        .\scripts\Windows\internal\sign_dlls.ps1 -pssw '${{ secrets.WIN_CERTIFICATE_PSSW }}' -path 'packages\'
+        product-path: "install/${{steps.abn.outputs.app_bundle_name}}"
     - name: Upload MeshLab Portable
       uses: actions/upload-artifact@v3
       with:

scripts/Windows/2_deploy.sh

@@ -52,4 +52,10 @@ fi
 
 bash $SCRIPTS_PATH/internal/2c_installer.sh -i=$INSTALL_PATH -p=$PACKAGES_PATH
 
-echo "======= Installer Created ======="
+echo "======= Installer Created ======="
+
+if [ "$SIGN" = true ] ; then
+    bash $SCRIPTS_PATH/internal/2b_sign_dlls.sh -i=$PACKAGES_PATH  $CERT_FILE_OPTION -cp=$CERT_PSSW
+
+    echo "======= Installer Signed ======="
+fi

scripts/Windows/internal/2b_sign_dlls.sh

@@ -29,14 +29,14 @@ done
 
 cd $INSTALL_PATH
 
-CERT_REL=$(realpath --relative-to=$INSTALL_PATH $CERT_FILE)
-CERT_WIN=$(echo "$CERT_REL" | sed 's/^\///' | sed 's/\//\\/g')
-echo "=== Cert win path: $CERT_WIN" 
 
+CERT_REL=$(realpath --relative-to=$INSTALL_PATH $CERT_FILE) # get relative path of the cert file
+CERT_WIN=$(echo "$CERT_REL" | sed 's/^\///' | sed 's/\//\\/g') # get windows relative path (with backslashes) of the cert
+
+# will sign all dll and exe files inside INSTALL_PATH, recursively
 for file in $(find $INSTALL_PATH -name '*.dll' -or -name '*.exe');
 do
-    FILE_REL=$(realpath --relative-to=$INSTALL_PATH $file)
-    FILE_WIN=$(echo "$FILE_REL" | sed 's/^\///' | sed 's/\//\\/g')
-    echo "=== File win path: $FILE_WIN" 
+    FILE_REL=$(realpath --relative-to=$INSTALL_PATH $file) # relative path
+    FILE_WIN=$(echo "$FILE_REL" | sed 's/^\///' | sed 's/\//\\/g')  # win relative path
     signtool.exe sign //fd SHA256 //f $CERT_WIN //p $CERT_PSSW //t http://timestamp.comodoca.com/authenticode $FILE_WIN
 done

scripts/Windows/internal/sign_dlls.ps1

@@ -1,12 +0,0 @@
-param($pssw, $path, $cert_path="")
-
-if ([string]::IsNullOrEmpty($cert_path)) {
-    $cert_path = Join-Path $PSScriptRoot ..\..\..\certificate\certificate.pfx
-}
-
-$files = Get-ChildItem $path -include ('*.exe', '*.dll') -Recurse
-
-for ($i=0; $i -lt $files.Count; $i++) {
-    $file = $files[$i].FullName
-    signtool.exe sign /fd SHA256 /f $cert_path /p $pssw /t http://timestamp.comodoca.com/authenticode $file
-}

scripts/macOS/2_deploy.sh

@@ -5,6 +5,8 @@ SCRIPTS_PATH="$(dirname "$(realpath "$0")")"
 INSTALL_PATH=$SCRIPTS_PATH/../../install
 QT_DIR_OPTION=""
 PACKAGES_PATH=$SCRIPTS_PATH/../../packages
+SIGN=false
+CERT_ID=""
 
 #checking for parameters
 for i in "$@"
@@ -22,6 +24,11 @@ case $i in
         PACKAGES_PATH="${i#*=}"
         shift # past argument=value
         ;;
+    -ci=*|--cert_id=*)
+        SIGN=true
+        CERT_ID="${i#*=}"
+        shift # past argument=value
+        ;;
     *)
         # unknown option
         ;;
@@ -32,6 +39,12 @@ bash $SCRIPTS_PATH/internal/2a_appbundle.sh -i=$INSTALL_PATH $QT_DIR_OPTION
 
 echo "======= AppBundle Created ======="
 
-bash $SCRIPTS_PATH/internal/2b_dmg.sh -i=$INSTALL_PATH -p=$PACKAGES_PATH
+if [ "$SIGN" = true ] ; then
+    bash $SCRIPTS_PATH/internal/2b_sign_appbundle.sh -i=$INSTALL_PATH -ci=$CERT_ID
+
+    echo "======= AppBundle Signed ======="
+fi
+
+bash $SCRIPTS_PATH/internal/2c_dmg.sh -i=$INSTALL_PATH -p=$PACKAGES_PATH
 
 echo "======= DMG Created ======="

scripts/macOS/internal/2b_sign_appbundle.sh

@@ -0,0 +1,26 @@
+#!/bin/bash
+
+SCRIPTS_PATH="$(dirname "$(realpath "$0")")"/..
+
+INSTALL_PATH=$SCRIPTS_PATH/../../install
+CERT_ID=""
+
+#checking for parameters
+for i in "$@"
+do
+case $i in
+    -i=*|--install_path=*)
+        INSTALL_PATH="${i#*=}"
+        shift # past argument=value
+        ;;
+    -ci=*|--cert_id=*)
+        CERT_ID="${i#*=}"
+        shift # past argument=value
+        ;;
+    *)
+        # unknown option
+        ;;
+esac
+done
+
+codesign --options "runtime" --timestamp --force --deep --sign $CERT_ID $INSTALL_PATH/meshlab.app