ci: add cirrus for macos m1 builds

kyokan · Feb 14, 2023 · 8bb083b · 8bb083b
1 parent 2c4c376
commit 8bb083b
Show file tree

Hide file tree

Showing 4 changed files with 130 additions and 1 deletion.
diff --git a/.cirrus.yml b/.cirrus.yml
@@ -0,0 +1,60 @@
+macos_instance:
+  image: ghcr.io/cirruslabs/macos-ventura-xcode:latest
+
+build_task:
+  # Load public key to env
+  environment:
+    SIGNING_PUBLIC_KEY: ENCRYPTED[9ecd1dce11858b0bdbaf664e08c89de152aa57a32cf46bd56a28c3ed38127464ca4f17f1fbca1e00894f442949ba6205]
+    APPSTORECONNECT_KEY: ENCRYPTED[7ff7b3572ccb3bbe0e4ca4c1b3219731b5a6eaa9296ad3446ef67557e843725d3f64955983620c135542e6d7cd1620a5]
+
+  # Save public key from env to file
+  signing_public_key_file:
+    path: /tmp/signing_public_key.pem
+    variable_name: SIGNING_PUBLIC_KEY
+
+  # Save appstoreconnect key from env to file
+  appstoreconnect_key_file:
+    path: /tmp/appstoreconnect_key.json
+    variable_name: APPSTORECONNECT_KEY
+
+  # Install nodejs
+  nodejs_script:
+    # - brew update
+    - brew install node
+
+  # # Cache
+  # node_modules_cache:
+  #   folder: node_modules
+  #   reupload_on_changes: false # since there is a fingerprint script
+  #   fingerprint_script:
+  #     - echo $CIRRUS_OS
+  #     - node --version
+  #     - cat package.json package-lock.json
+
+  # Install deps
+  install_deps_script:
+    - npm install dmg-license --no-save
+    - npm rebuild
+
+  # Build and Test
+  test_script:
+    - npm run test
+
+  # Package app
+  package_script:
+    - npm run package-mac
+    - unzip release/Bob-2.0.0-arm64-mac.zip -d release/
+
+  # # Install rcodesign
+  # install_rcodesign_script:
+  #   - curl -sL https://github.com/indygreg/apple-platform-rs/releases/download/apple-codesign%2F0.22.0/apple-codesign-0.22.0-aarch64-apple-darwin.tar.gz | tar xzvf -
+
+  # # Sign and notarize zip
+  # sign_and_notarize_script:
+  #   - chmod +x scripts/macos-ci-sign.sh
+  #   - ./scripts/macos-ci-sign.sh `pwd`/apple-codesign-0.22.0-aarch64-apple-darwin/rcodesign
+  #   - zip -r release/Bob-macos-arm64-signed.zip --symlinks release/Bob.app
+
+  # Upload artifacts
+  binaries_artifacts:
+    path: "release/*"
diff --git a/package.json b/package.json
@@ -48,7 +48,8 @@
     ],
     "mac": {
       "target": [
-        "dmg"
+        "dmg",
+        "zip"
       ],
       "icon": "resources/icon.icns"
     },

diff --git a/resources/entitlements.plist b/resources/entitlements.plist
@@ -0,0 +1,10 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "https://www.apple.com/DTDs/PropertyList-1.0.dtd">
+<plist version="1.0">
+  <dict>
+    <key>com.apple.security.cs.allow-jit</key><true/>
+    <key>com.apple.security.cs.allow-unsigned-executable-memory</key><true/>
+    <key>com.apple.security.cs.disable-library-validation</key><true/>
+    <key>com.apple.security.cs.disable-executable-page-protection</key><true/>
+  </dict>
+</plist>
diff --git a/scripts/macos-ci-sign.sh b/scripts/macos-ci-sign.sh
@@ -0,0 +1,58 @@
+set -e
+
+if command -v rcodesign &> /dev/null; then
+    # If rcodesign is in PATH, call it directly
+    program="rcodesign"
+else
+    # If not, check if a path was provided as first argument
+    if [[ -n "$1" && "$1" == *rcodesign ]]; then
+        # If a path was provided, call rcodesign with that path
+        program="$1"
+    else
+        # If no path was provided, print an error message
+        echo "Error: rcodesign not found in PATH and no path provided as argument" >&2
+        echo "Usage: ./macos-ci-sign.sh [</path/to/rcodesign>]" >&2
+        exit 1
+    fi
+fi
+
+entitlements="`pwd`/resources/entitlements.plist"
+release_dir="`pwd`/release/Bob.app"
+
+echo "using rcodesign: $program"
+echo "using entitlements: $entitlements"
+echo "using release_dir: $release_dir"
+
+# Sign
+echo "[*] Signing..."
+
+additional_files=(
+    "Contents/Resources/app.asar.unpacked/node_modules/leveldown/build/Release/leveldown.node"
+    "Contents/Resources/app.asar.unpacked/node_modules/leveldown/build/node_gyp_bins/python3"
+    "Contents/Resources/app.asar.unpacked/node_modules/leveldown/prebuilds/darwin-x64/node.napi.node"
+    "Contents/Resources/app.asar.unpacked/node_modules/mrmr/build/Release/mrmr.node"
+    "Contents/Resources/app.asar.unpacked/node_modules/mrmr/build/node_gyp_bins/python3"
+    "Contents/Resources/app.asar.unpacked/node_modules/node-hid/build/Release/HID.node"
+    "Contents/Resources/app.asar.unpacked/node_modules/node-hid/build/node_gyp_bins/python3"
+    "Contents/Resources/app.asar.unpacked/node_modules/bdb/build/Release/leveldown.node"
+    "Contents/Resources/app.asar.unpacked/node_modules/bdb/build/node_gyp_bins/python3"
+    "Contents/Resources/app.asar.unpacked/node_modules/bcrypto/build/Release/bcrypto.node"
+    "Contents/Resources/app.asar.unpacked/node_modules/bcrypto/build/node_gyp_bins/python3"
+    "Contents/Frameworks/Squirrel.framework/Versions/A/Resources/ShipIt"
+    "Contents/Frameworks/Electron\ Framework.framework/Versions/A/Libraries/libffmpeg.dylib"
+)
+
+# Sign each file individally, rcodesign does not pick them up (bug)
+echo "[*] Signing ${#additional_files[@]} additional files first..."
+for s in "${additional_files[@]}"; do
+    $program sign --remote-signer --remote-public-key-pem-file /tmp/signing_public_key.pem --code-signature-flags runtime --entitlements-xml-path $entitlements $release_dir/$s
+done
+
+echo "[*] Signing final bundle..."
+$program sign --remote-signer --remote-public-key-pem-file /tmp/signing_public_key.pem --code-signature-flags runtime --entitlements-xml-path $entitlements $release_dir
+
+# Notarize
+echo "[*] Notarizing..."
+$program notary-submit --api-key-path /tmp/appstoreconnect_key.json --staple $release_dir
+
+echo "[*] Done."