add signing

MarshalX · MarshalX · commit b9cd9ba3539e · 2023-12-18T15:32:25.000+01:00
diff --git a/.github/workflows/nutika_test.yml b/.github/workflows/nutika_test.yml
@@ -35,15 +35,7 @@ jobs:
       - name: Install dependencies
         run: pip install cycode nuitka
 
-      - name: Build executable
-        run: python -m nuitka --onefile --include-data-files=cycode/cli/config.yaml=cycode/cli/config.yaml --include-data-files=cycode/cyclient/config.yaml=cycode/cyclient/config.yaml --output-dir=dist cycode/cli/main.py
-
-      - name: Test executable
-        run: |
-          cp dist/main.bin dist/cycode
-          time ./dist/cycode version
-
-      - name: Sign macOS executable
+      - name: Import macOS cert
         if: runner.os == 'macOS'
         env:
           APPLE_CERT: ${{ secrets.APPLE_CERT }}
@@ -65,8 +57,40 @@ jobs:
           security import $CERTIFICATE_PATH -P "$APPLE_CERT_PWD" -A -t cert -f pkcs12 -k $KEYCHAIN_PATH
           security list-keychain -d user -s $KEYCHAIN_PATH
 
-          # sign executable
-          codesign --deep --force --options=runtime --entitlements entitlements.plist --sign "$APPLE_CERT_NAME" --timestamp dist/cycode
+      - name: Build executable
+        env:
+          APPLE_CERT_NAME: ${{ secrets.APPLE_CERT_NAME }}
+        run: python -m nuitka --onefile --include-data-files=cycode/cli/config.yaml=cycode/cli/config.yaml --include-data-files=cycode/cyclient/config.yaml=cycode/cyclient/config.yaml --output-dir=out cycode/cli/main.py --macos-sign-identity "$APPLE_CERT_NAME"
+
+      - name: Test executable
+        run: |
+          cp out/main.bin dist/cycode
+          time ./dist/cycode version
+
+#      - name: Sign macOS executable
+#        if: runner.os == 'macOS'
+#        env:
+#          APPLE_CERT: ${{ secrets.APPLE_CERT }}
+#          APPLE_CERT_PWD: ${{ secrets.APPLE_CERT_PWD }}
+#          APPLE_CERT_NAME: ${{ secrets.APPLE_CERT_NAME }}
+#          APPLE_KEYCHAIN_PASSWORD: ${{ secrets.APPLE_KEYCHAIN_PASSWORD }}
+#        run: |
+#          # import certificate
+#          CERTIFICATE_PATH=$RUNNER_TEMP/build_certificate.p12
+#          echo -n "$APPLE_CERT" | base64 --decode -o $CERTIFICATE_PATH
+#
+#          # create temporary keychain
+#          KEYCHAIN_PATH=$RUNNER_TEMP/app-signing.keychain-db
+#          security create-keychain -p "$APPLE_KEYCHAIN_PASSWORD" $KEYCHAIN_PATH
+#          security set-keychain-settings -lut 21600 $KEYCHAIN_PATH
+#          security unlock-keychain -p "$APPLE_KEYCHAIN_PASSWORD" $KEYCHAIN_PATH
+#
+#          # import certificate to keychain
+#          security import $CERTIFICATE_PATH -P "$APPLE_CERT_PWD" -A -t cert -f pkcs12 -k $KEYCHAIN_PATH
+#          security list-keychain -d user -s $KEYCHAIN_PATH
+#
+#          # sign executable
+#          codesign --deep --force --options=runtime --entitlements entitlements.plist --sign "$APPLE_CERT_NAME" --timestamp dist/cycode
 
       - name: Notarize macOS executable
         if: runner.os == 'macOS'
