From c2ccea2de3419838e46210780c3966f9841a6542 Mon Sep 17 00:00:00 2001 From: Robin Sommer Date: Fri, 9 Feb 2024 21:30:07 +0100 Subject: [PATCH] Notarize distribution. --- .github/workflows/main.yml | 15 +++++++++++---- Makefile | 27 ++++++++++++++++++--------- qlview.xcodeproj/project.pbxproj | 14 ++++++++++---- 3 files changed, 39 insertions(+), 17 deletions(-) diff --git a/.github/workflows/main.yml b/.github/workflows/main.yml index 24b39d3..9a0b41b 100644 --- a/.github/workflows/main.yml +++ b/.github/workflows/main.yml @@ -30,6 +30,7 @@ jobs: CERTIFICATE_PATH=$RUNNER_TEMP/build_certificate.p12 PP_PATH=$RUNNER_TEMP/build_pp.mobileprovision KEYCHAIN_PATH=$RUNNER_TEMP/app-signing.keychain-db + APP_STORE_KEY_PATH=$RUNNER_TEMP/key.p8 # import certificate profile from secrets echo -n "$BUILD_CERTIFICATE_BASE64" | base64 --decode -o $CERTIFICATE_PATH @@ -43,13 +44,18 @@ jobs: security import $CERTIFICATE_PATH -P "$P12_PASSWORD" -A -t cert -f pkcs12 -k $KEYCHAIN_PATH security list-keychain -d user -s $KEYCHAIN_PATH + # import app store connect API key + echo -n "${APP_STORE_KEY_P8}" >${APP_STORE_KEY_PATH} + xcrun notarytool store-credentials -k "${APP_STORE_KEY_PATH}" -d "${APP_STORE_KEY_ID}" -i "${APP_STORE_ISSUER_ID}" --keychain "${KEYCHAIN_PATH}" --no-validate "App Store Connect - Notarization API Key" + rm "${APP_STORE_KEY_PATH}" + + # must come last + security set-key-partition-list -S apple-tool:,apple: -s -k "${MACOS_KEYCHAIN_PASSWORD}" "${RUNNER_TEMP}/keychain-db" + - name: Build code run: make release - - name: Run check - run: make check - - - name: Build ZIP + - name: Build and notarize distribution run: | make dist (cd build && echo "DIST=$(echo *.zip)" >>$GITHUB_ENV) @@ -63,6 +69,7 @@ jobs: if: ${{ always() }} run: | security delete-keychain $RUNNER_TEMP/app-signing.keychain-db + rm -f $RUNNER_TEMP/key.p8 publish_release: permissions: diff --git a/Makefile b/Makefile index d658135..150f3fc 100644 --- a/Makefile +++ b/Makefile 
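Review bot: The added `security set-key-partition-list` line in the key-import hunk of `.github/workflows/main.yml` targets `"${RUNNER_TEMP}/keychain-db"`, but the keychain this script defines and imports into is `$KEYCHAIN_PATH` (`$RUNNER_TEMP/app-signing.keychain-db`), so the partition list is presumably applied to a file that does not exist. Pass `"${KEYCHAIN_PATH}"` as the last argument, and confirm that `${MACOS_KEYCHAIN_PASSWORD}` is set for this step and is the password the keychain was created with; it is not defined in the visible lines. The `.p8` private key is also written with the default umask and removed only if `notarytool` succeeds. Wrapping the write as `(umask 077; echo -n "${APP_STORE_KEY_P8}" >"${APP_STORE_KEY_PATH}")` narrows that window. The step's script begins outside the hunk.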
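Review bot: In the cleanup hunk the new `rm -f $RUNNER_TEMP/key.p8` runs after `security delete-keychain`, so if that command fails and the step uses the runner's default fail-fast shell, the App Store Connect private key stays on disk. A failure is plausible when an earlier step aborted before the keychain was created. Put the removal first and make the keychain deletion non-fatal: `rm -f "$RUNNER_TEMP/key.p8"` followed by `security delete-keychain "$RUNNER_TEMP/app-signing.keychain-db" || true`. Quoting both paths also avoids word splitting if `RUNNER_TEMP` ever contains whitespace.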
@@ -1,21 +1,30 @@ VERSION=$(shell cat VERSION) +NOTARIZATION_PROFILE="App Store Connect - Notarization API Key" all: adhoc adhoc: - @xcodebuild -quiet -target qlview-adhoc -configuration Release + xcodebuild -quiet -target qlview-adhoc -configuration Release release: - @xcodebuild -quiet -target qlview-signed -configuration Release - -check: release + xcodebuild -quiet -target qlview-signed -configuration Release codesign --verify --verbose build/Release/qlview - spctl --assess --verbose build/Release/qlview -dist: release - @rm -rf build/dist - @mkdir -p build/dist +check: + +zip: + rm -rf build/dist + mkdir -p build/dist cp -R build/Release/qlview build/dist cd build/dist && zip -r ../qlview-$(VERSION).zip * - @ls build/*.zip + ls build/*.zip | sed 's/^/> /' + +notarize: + xcrun notarytool submit --keychain-profile $(NOTARIZATION_PROFILE) --wait --timeout 10m build/qlview-$(VERSION).zip + spctl --assess --verbose build/qlview-$(VERSION).zip + +dist: zip notarize + +clean: + rm -rf build diff --git a/qlview.xcodeproj/project.pbxproj b/qlview.xcodeproj/project.pbxproj index c7598b1..bf6587d 100644 --- a/qlview.xcodeproj/project.pbxproj +++ b/qlview.xcodeproj/project.pbxproj @@ -203,13 +203,16 @@ isa = XCBuildConfiguration; buildSettings = { CLANG_ENABLE_MODULES = YES; + "CODE_SIGN_IDENTITY[sdk=macosx*]" = "Developer ID Application"; CODE_SIGN_INJECT_BASE_ENTITLEMENTS = NO; - CODE_SIGN_STYLE = Automatic; - DEVELOPMENT_TEAM = 4UJK727T59; + CODE_SIGN_STYLE = Manual; + DEVELOPMENT_TEAM = ""; + "DEVELOPMENT_TEAM[sdk=macosx*]" = 4UJK727T59; ENABLE_HARDENED_RUNTIME = YES; OTHER_CODE_SIGN_FLAGS = "--timestamp"; "PRODUCT_BUNDLE_IDENTIFIER[sdk=macosx*]" = org.rsmmr.qlview; PRODUCT_NAME = qlview; + PROVISIONING_PROFILE_SPECIFIER = ""; SWIFT_OPTIMIZATION_LEVEL = "-Onone"; SWIFT_VERSION = 5.0; }; 
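Review bot: The new `notarize` target has no prerequisite on the archive, and `zip` has none on `release` now that the old `dist: release` edge is gone. As a result `make notarize` or `make -j dist` can submit a stale or missing `build/qlview-$(VERSION).zip`, and `make dist` packages whatever binary is already in `build/Release`, including an ad-hoc one from `make all`. Declare the order explicitly with `zip: release` and `notarize: zip`, and add `.PHONY: all adhoc release check zip notarize dist clean`. `check:` is left as an empty rule, so `make check` now succeeds without verifying anything; either remove it or keep a verification command there. It is also worth confirming that `spctl --assess` gives a meaningful verdict for a zip archive, since it is now the only check after notarization.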
@@ -219,13 +222,16 @@ isa = XCBuildConfiguration; buildSettings = { CLANG_ENABLE_MODULES = YES; + "CODE_SIGN_IDENTITY[sdk=macosx*]" = "Developer ID Application"; CODE_SIGN_INJECT_BASE_ENTITLEMENTS = NO; - CODE_SIGN_STYLE = Automatic; - DEVELOPMENT_TEAM = 4UJK727T59; + CODE_SIGN_STYLE = Manual; + DEVELOPMENT_TEAM = ""; + "DEVELOPMENT_TEAM[sdk=macosx*]" = 4UJK727T59; ENABLE_HARDENED_RUNTIME = YES; OTHER_CODE_SIGN_FLAGS = "--timestamp"; "PRODUCT_BUNDLE_IDENTIFIER[sdk=macosx*]" = org.rsmmr.qlview; PRODUCT_NAME = qlview; + PROVISIONING_PROFILE_SPECIFIER = ""; SWIFT_VERSION = 5.0; }; name = Release;