From 7dbf76c72a9886df9bea9abd79a97370b6b1f55a Mon Sep 17 00:00:00 2001
From: alemuntoni
Date: Thu, 1 Dec 2022 13:01:12 +0100
Subject: [PATCH] sign macos appbundle on build

---
.github/workflows/BuildMeshLab.yml | 10 +++-
.github/workflows/CreateRelease.yml | 51 ++++++++-----------
scripts/Windows/2_deploy.sh | 8 ++-
scripts/Windows/internal/2b_sign_dlls.sh | 12 ++---
scripts/Windows/internal/sign_dlls.ps1 | 12 -----
scripts/macOS/2_deploy.sh | 15 +++++-
scripts/macOS/internal/2b_sign_appbundle.sh | 26 ++++++++++
.../macOS/internal/{2b_dmg.sh => 2c_dmg.sh} | 0
8 files changed, 83 insertions(+), 51 deletions(-)
delete mode 100644 scripts/Windows/internal/sign_dlls.ps1
create mode 100644 scripts/macOS/internal/2b_sign_appbundle.sh
rename scripts/macOS/internal/{2b_dmg.sh => 2c_dmg.sh} (100%)

diff --git a/.github/workflows/BuildMeshLab.yml b/.github/workflows/BuildMeshLab.yml
index 2e760a0a8..33616474e 100644
--- a/.github/workflows/BuildMeshLab.yml
+++ b/.github/workflows/BuildMeshLab.yml
@@ -21,7 +21,13 @@ jobs:
submodules: recursive
- name: Setup MSVC
uses: ilammy/msvc-dev-cmd@v1
- name: Set Certificate Windows
+ - name: Set CodeSign Certificate macOS
+ if: runner.os == 'macOS'
+ uses: apple-actions/import-codesign-certs@v1
+ with:
+ p12-file-base64: ${{ secrets.MACOS_CERTIFICATE }}
+ p12-password: ${{ secrets.MACOS_CERTIFICATE_PSSW }}
+ - name: Set CodeSign Certificate Windows
if: runner.os == 'Windows'
run: |
New-Item -ItemType directory -Path certificate
@@ -62,7 +68,7 @@ jobs:
- name: Deploy
shell: bash
run: |
- bash scripts/${{ runner.os }}/2_deploy.sh --cert_pssw='${{ secrets.WIN_CERTIFICATE_PSSW }}'
+ bash scripts/${{ runner.os }}/2_deploy.sh --cert_pssw='${{ secrets.WIN_CERTIFICATE_PSSW }}' --cert_id=${{ secrets.MACOS_CERT_ID }}
- name: Upload MeshLab Portable
uses: actions/upload-artifact@v3
with:
diff --git a/.github/workflows/CreateRelease.yml b/.github/workflows/CreateRelease.yml
index 9c08a0750..1b21d680c 100644
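Review bot: The new `--cert_id=${{ secrets.MACOS_CERT_ID }}` argument in the Deploy step is expanded unquoted into the bash command line, unlike the neighbouring `--cert_pssw='…'`, so whitespace or shell metacharacters in the identity string would be word-split or interpreted, and in runs where the secret is not available (presumably pull requests from forks, if this workflow runs on them) it degrades to a bare `--cert_id=`, which the macOS 2_deploy.sh in this same patch still treats as a request to sign. Quote it as `--cert_id='${{ secrets.MACOS_CERT_ID }}'` and make the macOS script skip signing for an empty identity instead of invoking codesign with `--sign ''`. In the first hunk, `apple-actions/import-codesign-certs@v1` receives the signing certificate and its password by a floating major tag; pinning that action to a full commit SHA narrows the supply-chain exposure of the signing key. The enclosing job definition begins outside both hunks.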
--- a/.github/workflows/CreateRelease.yml
+++ b/.github/workflows/CreateRelease.yml
@@ -40,8 +40,21 @@ jobs:
- uses: actions/checkout@v3
with:
submodules: recursive
+ ref: main
- name: Setup MSVC
uses: ilammy/msvc-dev-cmd@v1
+ - name: Set CodeSign Certificate macOS
+ if: runner.os == 'macOS'
+ uses: apple-actions/import-codesign-certs@v1
+ with:
+ p12-file-base64: ${{ secrets.MACOS_CERTIFICATE }}
+ p12-password: ${{ secrets.MACOS_CERTIFICATE_PSSW }}
+ - name: Set CodeSign Certificate Windows
+ if: runner.os == 'Windows'
+ run: |
+ New-Item -ItemType directory -Path certificate
+ Set-Content -Path certificate\certificate.txt -Value '${{ secrets.WIN_CERTIFICATE }}'
+ certutil -decode certificate\certificate.txt certificate\certificate.pfx
- name: Install Qt
uses: jurplel/install-qt-action@v3
with:
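Review bot: `ref: main` on the checkout step pins the release build to the tip of `main` at run time rather than to the commit or tag that triggered the workflow, so a release artifact can contain commits that landed after the trigger and cannot later be reproduced from the tag; the trigger is outside this hunk, so if the workflow is dispatched manually this may be intended, but if it is tag-driven `ref: main` should be dropped. The Windows certificate step decodes the PFX into `certificate\certificate.pfx` and nothing in this hunk removes it afterwards, which matters on self-hosted runners where the workspace outlives the job; a final step such as `Remove-Item -Recurse -Force certificate` (with `if: always()`) keeps the signing key from lingering. The enclosing job definition begins outside the hunk.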
@@ -74,50 +87,30 @@ jobs:
shell: bash
run: |
bash scripts/${{ runner.os }}/1_build.sh --${{ matrix.precision }} --ccache
- - name: Set Certificate Windows
- if: runner.os == 'Windows'
- run: |
- New-Item -ItemType directory -Path certificate
- Set-Content -Path certificate\certificate.txt -Value '${{ secrets.WIN_CERTIFICATE }}'
- certutil -decode certificate\certificate.txt certificate\certificate.pfx
- - name: Sign Portable content Windows
- if: runner.os == 'Windows'
- run: |
- .\scripts\Windows\internal\sign_dlls.ps1 -pssw '${{ secrets.WIN_CERTIFICATE_PSSW }}' -path 'install\'
- name: Deploy
shell: bash
run: |
- bash scripts/${{ runner.os }}/2_deploy.sh
- - name: Import macOS Cert and Key
- if: runner.os == 'macOS'
- uses: apple-actions/import-codesign-certs@v1
- with:
- p12-file-base64: ${{ secrets.MACOS_CERTIFICATE }}
- p12-password: ${{ secrets.MACOS_CERTIFICATE_PSSW }}
- - name: Sign macOS
+ bash scripts/${{ runner.os }}/2_deploy.sh --cert_pssw='${{ secrets.WIN_CERTIFICATE_PSSW }}' --cert_id=${{ secrets.MACOS_CERT_ID }}
+ - name: Get AppBundle Name
if: runner.os == 'macOS'
+ id: abn
+ shell: bash
run: |
- codesign --options "runtime" --timestamp --force --deep --sign ${{ secrets.MACOS_CERT_ID }} install/meshlab.app
+ cd install
+ NAME=$(ls -d MeshLab*)
+ echo "app_bundle_name=$NAME" >> $GITHUB_OUTPUT
- name: Notarize macOS
if: runner.os == 'macOS'
uses: devbotsxyz/xcode-notarize@v1
with:
- product-path: "install/meshlab.app"
+ product-path: "install/${{steps.abn.outputs.app_bundle_name}}"
appstore-connect-username: ${{ secrets.MACOS_NOTARIZATION_USER }}
appstore-connect-password: ${{ secrets.MACOS_NOTARIZATION_PSSW }}
- name: Staple Release macOS
if: runner.os == 'macOS'
uses: devbotsxyz/xcode-staple@v1
with:
- product-path: "install/meshlab.app"
- - name: Packaging
- shell: bash
- run: |
- bash scripts/${{ runner.os }}/3_pack.sh
- - name: Sign Installer Windows
- if: runner.os == 'Windows'
- run: |
- .\scripts\Windows\internal\sign_dlls.ps1 -pssw '${{ secrets.WIN_CERTIFICATE_PSSW }}' -path 'packages\'
+ product-path: "install/${{steps.abn.outputs.app_bundle_name}}"
- name: Upload MeshLab Portable
uses: actions/upload-artifact@v3
with:
diff --git a/scripts/Windows/2_deploy.sh b/scripts/Windows/2_deploy.sh
index 8e8b4ff9e..5a2cffb3c 100644
--- a/scripts/Windows/2_deploy.sh
+++ b/scripts/Windows/2_deploy.sh
@@ -52,4 +52,10 @@ fi
bash $SCRIPTS_PATH/internal/2c_installer.sh -i=$INSTALL_PATH -p=$PACKAGES_PATH
-echo "======= Installer Created ======="
\ No newline at end of file
+echo "======= Installer Created ======="
+
+if [ "$SIGN" = true ] ; then
+ bash $SCRIPTS_PATH/internal/2b_sign_dlls.sh -i=$PACKAGES_PATH $CERT_FILE_OPTION -cp=$CERT_PSSW
+
+ echo "======= Installer Signed ======="
+fi
\ No newline at end of file
diff --git a/scripts/Windows/internal/2b_sign_dlls.sh b/scripts/Windows/internal/2b_sign_dlls.sh
index 9690b9e95..6f570d694 100644
--- a/scripts/Windows/internal/2b_sign_dlls.sh
+++ b/scripts/Windows/internal/2b_sign_dlls.sh
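Review bot: `NAME=$(ls -d MeshLab*)` in the new Get AppBundle Name step assumes exactly one match: with no match `ls` fails and `NAME` is empty (the step does not fail, since no `set -e` is visible), and with several matches `NAME` is multi-line, so the `product-path` handed to notarization and stapling becomes `install/` or a broken path and the release proceeds on the wrong object. Make the match explicit, e.g. `shopt -s nullglob; apps=(MeshLab*)` followed by `[ "${#apps[@]}" -eq 1 ] || { echo "expected one app bundle, got ${#apps[@]}" >&2; exit 1; }` and `echo "app_bundle_name=${apps[0]}" >> "$GITHUB_OUTPUT"`. Note that the codesign step removed here targeted `install/meshlab.app` while the lookup now expects `MeshLab*`; the script that replaces it still hard-codes `meshlab.app`, so confirm the two agree on the bundle name. The enclosing job definition starts and ends outside this hunk.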
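Review bot: The new signing block in scripts/Windows/2_deploy.sh prints `======= Installer Signed =======` regardless of how `2b_sign_dlls.sh` exited, so a wrong password, expired certificate or unreachable timestamp server leaves an unsigned installer in `$PACKAGES_PATH` that the workflow then uploads as if it were signed; no `set -e` is visible and the script's start is outside the hunk. Tie the banner to the exit status: `bash $SCRIPTS_PATH/internal/2b_sign_dlls.sh -i=$PACKAGES_PATH $CERT_FILE_OPTION -cp=$CERT_PSSW || exit 1`. `$SIGN`, `$CERT_FILE_OPTION` and `$CERT_PSSW` are set outside the hunk; if `$CERT_PSSW` can be empty it is passed as a bare `-cp=`, which is worth rejecting before signtool is called with it.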
@@ -29,14 +29,14 @@ done
cd $INSTALL_PATH
-CERT_REL=$(realpath --relative-to=$INSTALL_PATH $CERT_FILE)
-CERT_WIN=$(echo "$CERT_REL" | sed 's/^\///' | sed 's/\//\\/g')
-echo "=== Cert win path: $CERT_WIN"
+CERT_REL=$(realpath --relative-to=$INSTALL_PATH $CERT_FILE) # get relative path of the cert file
+CERT_WIN=$(echo "$CERT_REL" | sed 's/^\///' | sed 's/\//\\/g') # get windows relative path (with backslashes) of the cert
+
+# will sign all dll and exe files inside INSTALL_PATH, recursively
for file in $(find $INSTALL_PATH -name '*.dll' -or -name '*.exe'); do
- FILE_REL=$(realpath --relative-to=$INSTALL_PATH $file)
- FILE_WIN=$(echo "$FILE_REL" | sed 's/^\///' | sed 's/\//\\/g')
- echo "=== File win path: $FILE_WIN"
+ FILE_REL=$(realpath --relative-to=$INSTALL_PATH $file) # relative path
+ FILE_WIN=$(echo "$FILE_REL" | sed 's/^\///' | sed 's/\//\\/g') # win relative path
signtool.exe sign //fd SHA256 //f $CERT_WIN //p $CERT_PSSW //t http://timestamp.comodoca.com/authenticode $FILE_WIN
done
\ No newline at end of file
diff --git a/scripts/Windows/internal/sign_dlls.ps1 b/scripts/Windows/internal/sign_dlls.ps1
deleted file mode 100644
index 777705ee1..000000000
--- a/scripts/Windows/internal/sign_dlls.ps1
+++ /dev/null
@@ -1,12 +0,0 @@
-param($pssw, $path, $cert_path="")
-
-if ([string]::IsNullOrEmpty($cert_path)) {
- $cert_path = Join-Path $PSScriptRoot ..\..\..\certificate\certificate.pfx
-}
-
-$files = Get-ChildItem $path -include ('*.exe', '*.dll') -Recurse
-
-for ($i=0; $i -lt $files.Count; $i++) {
- $file = $files[$i].FullName
- signtool.exe sign /fd SHA256 /f $cert_path /p $pssw /t http://timestamp.comodoca.com/authenticode $file
-}
diff --git a/scripts/macOS/2_deploy.sh b/scripts/macOS/2_deploy.sh
index 25d0f4a8d..cd3ad26b8 100755
--- a/scripts/macOS/2_deploy.sh
+++ b/scripts/macOS/2_deploy.sh
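Review bot: The rewritten loop body still ignores signtool's exit status: when `signtool.exe sign` fails on one file the loop moves on, the script exits 0, and the caller reports the tree as signed; append `|| exit 1` to the `signtool.exe sign …` line (or put `set -e` at the top of the script, which is outside this hunk). The timestamp is requested with `//t http://timestamp.comodoca.com/authenticode`, the legacy Authenticode timestamp protocol; `//tr <RFC 3161 URL> //td SHA256` produces a SHA-256 RFC 3161 countersignature consistent with the `//fd SHA256` digest already used, assuming the CA's RFC 3161 endpoint is available. The comments added here mostly restate the command (`# relative path` on a `realpath --relative-to` call); the one a reader needs is the reason the backslash form is required at all, which the hunk does not give.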
@@ -5,6 +5,8 @@ SCRIPTS_PATH="$(dirname "$(realpath "$0")")"
INSTALL_PATH=$SCRIPTS_PATH/../../install
QT_DIR_OPTION=""
PACKAGES_PATH=$SCRIPTS_PATH/../../packages
+SIGN=false
+CERT_ID=""
#checking for parameters
for i in "$@"
@@ -22,6 +24,11 @@ case $i in
PACKAGES_PATH="${i#*=}"
shift # past argument=value
;;
+ -ci=*|--cert_id=*)
+ SIGN=true
+ CERT_ID="${i#*=}"
+ shift # past argument=value
+ ;;
*)
# unknown option
;;
@@ -32,6 +39,12 @@ bash $SCRIPTS_PATH/internal/2a_appbundle.sh -i=$INSTALL_PATH $QT_DIR_OPTION
echo "======= AppBundle Created ======="
-bash $SCRIPTS_PATH/internal/2b_dmg.sh -i=$INSTALL_PATH -p=$PACKAGES_PATH
+if [ "$SIGN" = true ] ; then
+ bash $SCRIPTS_PATH/internal/2b_sign_appbundle.sh -i=$INSTALL_PATH -ci=$CERT_ID
+
+ echo "======= AppBundle Signed ======="
+fi
+
+bash $SCRIPTS_PATH/internal/2c_dmg.sh -i=$INSTALL_PATH -p=$PACKAGES_PATH
echo "======= DMG Created ======="
\ No newline at end of file
diff --git a/scripts/macOS/internal/2b_sign_appbundle.sh b/scripts/macOS/internal/2b_sign_appbundle.sh
new file mode 100644
index 000000000..9837efb8a
--- /dev/null
+++ b/scripts/macOS/internal/2b_sign_appbundle.sh
@@ -0,0 +1,26 @@
+#!/bin/bash
+
+SCRIPTS_PATH="$(dirname "$(realpath "$0")")"/..
+
+INSTALL_PATH=$SCRIPTS_PATH/../../install
+CERT_ID=""
+
+#checking for parameters
+for i in "$@"
+do
+case $i in
+ -i=*|--install_path=*)
+ INSTALL_PATH="${i#*=}"
+ shift # past argument=value
+ ;;
+ -ci=*|--cert_id=*)
+ CERT_ID="${i#*=}"
+ shift # past argument=value
+ ;;
+ *)
+ # unknown option
+ ;;
+esac
+done
+
+codesign --options "runtime" --timestamp --force --deep --sign $CERT_ID $INSTALL_PATH/meshlab.app
\ No newline at end of file
diff --git a/scripts/macOS/internal/2b_dmg.sh b/scripts/macOS/internal/2c_dmg.sh
similarity index 100%
rename from scripts/macOS/internal/2b_dmg.sh
rename to scripts/macOS/internal/2c_dmg.sh
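Review bot: The new `-ci=*|--cert_id=*` case in scripts/macOS/2_deploy.sh sets `SIGN=true` before looking at the value, so a bare `--cert_id=` with an empty identity (which is what the workflow passes whenever `secrets.MACOS_CERT_ID` is not available to the run) switches signing on and `2b_sign_appbundle.sh` is invoked with an empty `--sign` argument. Set the flag only for a non-empty identity: `CERT_ID="${i#*=}"` followed by `[ -n "$CERT_ID" ] && SIGN=true`. In the last hunk the DMG is built and `AppBundle Signed` printed regardless of the sign script's exit status; `bash $SCRIPTS_PATH/internal/2b_sign_appbundle.sh -i=$INSTALL_PATH -ci="$CERT_ID" || exit 1` keeps an unsigned bundle from being packaged, since no `set -e` is visible in the script.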
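Review bot: The new 2b_sign_appbundle.sh neither stops on error nor verifies the result, so a failed `codesign` (identity not in the keychain, a nested binary that rejects the hardened runtime) hands a non-zero status to a caller that does not check it and the bundle reaches the DMG unsigned; a `set -e` at the top plus a `codesign --verify --deep --strict` after signing would make the failure visible. The target is hard-coded to `$INSTALL_PATH/meshlab.app` while the release workflow in this same patch locates the bundle as `install/MeshLab*` for notarization — if the bundle 2a_appbundle.sh produces is not literally `meshlab.app` this script signs nothing; confirm the name the two agree on. `$CERT_ID` and `$INSTALL_PATH` are expanded unquoted, and `--deep` (carried over from the removed workflow step, so not new here) signs nested code with the parent's options, which Apple advises against for shipping builds; worth a `# NOTE` comment if it is kept deliberately.
```shell
set -euo pipefail
# … unchanged: option parsing …
[ -n "$CERT_ID" ] || { echo "cert_id is required" >&2; exit 1; }
APP="$INSTALL_PATH/meshlab.app"
codesign --options "runtime" --timestamp --force --deep --sign "$CERT_ID" "$APP"
codesign --verify --deep --strict --verbose=2 "$APP"
```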