feat: notarize macos

2024-06-01 18:04:18 +02:00 · 2024-06-01 18:04:18 +02:00 · e2169a6075
commit e2169a6075
parent 1f38a0645f
3 changed files with 38 additions and 21 deletions
--- a/.github/workflows/insider-macos.yml
+++ b/.github/workflows/insider-macos.yml
@ -84,9 +84,10 @@ jobs:

      - name: Prepare assets
        env:
-          CERTIFICATE_OSX_P12: ${{ secrets.CERTIFICATE_OSX_P12 }}
-          CERTIFICATE_OSX_PASSWORD: ${{ secrets.CERTIFICATE_OSX_PASSWORD }}
-          CERTIFICATE_OSX_ID: ${{ secrets.CERTIFICATE_OSX_ID }}
+          CERTIFICATE_OSX_APP_PASSWORD: ${{ secrets.CERTIFICATE_OSX_NEW_APP_PASSWORD }}
+          CERTIFICATE_OSX_ID: ${{ secrets.CERTIFICATE_OSX_NEW_ID }}
+          CERTIFICATE_OSX_P12_FILE: ${{ secrets.CERTIFICATE_OSX_NEW_P12_FILE }}
+          CERTIFICATE_OSX_P12_PASSWORD: ${{ secrets.CERTIFICATE_OSX_NEW_P12_PASSWORD }}
        run: ./prepare_assets.sh
        if: env.SHOULD_BUILD == 'yes' && (env.SHOULD_DEPLOY == 'yes' || github.event.inputs.generate_assets == 'true')

--- a/.github/workflows/stable-macos.yml
+++ b/.github/workflows/stable-macos.yml
@ -83,9 +83,10 @@ jobs:

      - name: Prepare assets
        env:
-          CERTIFICATE_OSX_P12: ${{ secrets.CERTIFICATE_OSX_P12 }}
-          CERTIFICATE_OSX_PASSWORD: ${{ secrets.CERTIFICATE_OSX_PASSWORD }}
-          CERTIFICATE_OSX_ID: ${{ secrets.CERTIFICATE_OSX_ID }}
+          CERTIFICATE_OSX_APP_PASSWORD: ${{ secrets.CERTIFICATE_OSX_NEW_APP_PASSWORD }}
+          CERTIFICATE_OSX_ID: ${{ secrets.CERTIFICATE_OSX_NEW_ID }}
+          CERTIFICATE_OSX_P12_FILE: ${{ secrets.CERTIFICATE_OSX_NEW_P12_FILE }}
+          CERTIFICATE_OSX_P12_PASSWORD: ${{ secrets.CERTIFICATE_OSX_NEW_P12_PASSWORD }}
        run: ./prepare_assets.sh
        if: env.SHOULD_BUILD == 'yes' && (env.SHOULD_DEPLOY == 'yes' || github.event.inputs.generate_assets == 'true')

--- a/prepare_assets.sh
+++ b/prepare_assets.sh
@ -19,32 +19,47 @@ mkdir -p assets

 if [[ "${OS_NAME}" == "osx" ]]; then
  if [[ "${CI_BUILD}" != "no" ]]; then
-    cd "VSCode-darwin-${VSCODE_ARCH}"
-
    CERTIFICATE_P12="${APP_NAME}.p12"
-    KEYCHAIN="${RUNNER_TEMP}/build.keychain"
+    KEYCHAIN="${RUNNER_TEMP}/buildagent.keychain"

-    echo "${CERTIFICATE_OSX_P12}" | base64 --decode > "${CERTIFICATE_P12}"
+    echo "AGENT_TEMPDIRECTORY: ${AGENT_TEMPDIRECTORY}"
+    echo "RUNNER_TEMP: ${RUNNER_TEMP}"
+
+    echo "${CERTIFICATE_OSX_P12_FILE}" | base64 --decode > "${CERTIFICATE_P12}"

    echo "+ create temporary keychain"
-    security create-keychain -p mysecretpassword "${KEYCHAIN}"
+    security create-keychain -p pwd "${KEYCHAIN}"
    security set-keychain-settings -lut 21600 "${KEYCHAIN}"
-    security unlock-keychain -p mysecretpassword "${KEYCHAIN}"
-    security list-keychains -s "$(security list-keychains | xargs)" "${KEYCHAIN}"
-    security list-keychains -d user
+    security unlock-keychain -p pwd "${KEYCHAIN}"
    security show-keychain-info "${KEYCHAIN}"

    echo "+ import certificate to keychain"
-    security import "${CERTIFICATE_P12}" -k "${KEYCHAIN}" -P "${CERTIFICATE_OSX_PASSWORD}" -T /usr/bin/codesign
-    security set-key-partition-list -S apple-tool:,apple:,codesign: -s -k mysecretpassword "${KEYCHAIN}" > /dev/null
+    security import "${CERTIFICATE_P12}" -k "${KEYCHAIN}" -P "${CERTIFICATE_OSX_P12_PASSWORD}" -T /usr/bin/codesign
+
+    CODESIGN_IDENTITY="$( security find-identity -v -p codesigning "${KEYCHAIN}" | grep -oEi "([0-9A-F]{40})" | head -n 1 )"
+    echo "CODESIGN_IDENTITY: ${CODESIGN_IDENTITY}"
+    export CODESIGN_IDENTITY
+
+    security set-key-partition-list -S apple-tool:,apple:,codesign: -s -k pwd "${KEYCHAIN}" > /dev/null
    security find-identity "${KEYCHAIN}"

    echo "+ signing"
-    if [[ "${VSCODE_QUALITY}" == "insider" ]]; then
-      codesign --deep --force --verbose --sign "${CERTIFICATE_OSX_ID}" "${APP_NAME} - Insiders.app"
-    else
-      codesign --deep --force --verbose --sign "${CERTIFICATE_OSX_ID}" "${APP_NAME}.app"
-    fi
+    DEBUG="electron-osx-sign*" node vscode/build/darwin/sign.js "$( pwd )"
+
+    echo "+ notarize"
+
+    cd "VSCode-darwin-${VSCODE_ARCH}"
+    ZIP_FILE="./${APP_NAME}-darwin-${VSCODE_ARCH}-${RELEASE_VERSION}.zip"
+
+    zip -r -X -y "${ZIP_FILE}" ./*.app
+
+    xcrun notarytool store-credentials "notarytool-profile" --apple-id "${CERTIFICATE_OSX_ID}" --password "${CERTIFICATE_OSX_APP_PASSWORD}"
+    xcrun notarytool submit "${ZIP_FILE}" ---keychain-profile "notarytool-profile"  --wait
+
+    echo "+ attach staple"
+    xcrun stapler staple ./*.app
+
+    rm "${ZIP_FILE}"

    cd ..
  fi