Merge pull request #220 from LLK/fastlane

Use Fastlane Match to help with signed builds
This commit is contained in:
Christopher Willis-Ford 2022-02-17 08:31:21 -08:00 committed by GitHub
commit 032619ce60
No known key found for this signature in database
GPG key ID: 4AEE18F83AFDEB23
8 changed files with 135 additions and 38 deletions

View file

@ -29,10 +29,9 @@ aliases:
jobs: jobs:
build_for_macos: build_for_macos:
macos: macos:
# CircleCI's Xcode 11.1.0 image is the last of their images to be based on macOS 10.14 # CircleCI's Xcode 12.4.0 image is the last of their images to be based on macOS 10.15
# I've had trouble building for earlier versions of macOS on Catalina but it's unclear whether that was due to # CircleCI no longer supports Xcode 11+ on macOS 10.14
# Catalina or the version of Xcode. We should investigate this further. xcode: 12.4.0
xcode: 11.1.0
steps: steps:
- checkout - checkout
- npm_install: - npm_install:
@ -44,37 +43,12 @@ jobs:
condition: condition:
*should_sign *should_sign
steps: steps:
- add_ssh_keys
- run: - run:
name: Import CI context name: Import CI context
command: | command: |
set -e set -e
function decodeToFile () { fastlane circleci
if [ -z "$1" ]; then
echo "Missing or invalid filename"
return 1
fi
if [ -z "$2" ]; then
echo "Missing environment variable contents for file: $1"
return 2
fi
echo "$2" | base64 --decode > "$1"
}
decodeToFile embedded.provisionprofile "${MAC_PROVISION_PROFILE}"
decodeToFile mas-dev.provisionprofile "${MAC_DEV_PROVISION_PROFILE}"
decodeToFile macos-certs-scratch-foundation.p12.gz "${CSC_MACOS_GZ}"
decodeToFile apple-dev-cert.p12 "${MAC_DEV_CERT}"
gunzip macos-certs-scratch-foundation.p12.gz
security -v create-keychain -p circleci circleci.keychain
security -v default-keychain -s circleci.keychain
security -v import macos-certs-scratch-foundation.p12 -k circleci.keychain -P "${CSC_MACOS_PASSWORD}" -T /usr/bin/codesign -T /usr/bin/productbuild
security -v import apple-dev-cert.p12 -k circleci.keychain -P "${MAC_DEV_CERT_PASSWORD}" -T /usr/bin/codesign -T /usr/bin/productbuild
security -v unlock-keychain -p circleci circleci.keychain
# "set-key-partition-list" prints extensive not-so-useful output and adding "-q" (even multiple times) doesn't suppress it.
# The "grep -v" at the end of this line suppresses all of that so any errors or warnings might be more visible.
security -v set-key-partition-list -S apple-tool:,apple:,codesign: -s -k circleci circleci.keychain | grep -v '^ 0x'
security -v set-keychain-settings -lut 600 circleci.keychain
security -v find-identity circleci.keychain
rm macos-certs-scratch-foundation.p12 apple-dev-cert.p12
- restore_cache: - restore_cache:
# Caching Homebrew's files (see the save_cache step below) means that Homebrew doesn't have to update as # Caching Homebrew's files (see the save_cache step below) means that Homebrew doesn't have to update as
# much. The Homebrew update can take several minutes without this, but with the cache it tends to take less # much. The Homebrew update can take several minutes without this, but with the cache it tends to take less
@ -90,9 +64,6 @@ jobs:
git -C ~/app-builder checkout b85740334fec875f5dd8dcd22eb1f729599109db git -C ~/app-builder checkout b85740334fec875f5dd8dcd22eb1f729599109db
make --directory=~/app-builder build make --directory=~/app-builder build
ln -sfv ~/app-builder/dist/app-builder_darwin_amd64/app-builder ./node_modules/app-builder-bin/mac/ ln -sfv ~/app-builder/dist/app-builder_darwin_amd64/app-builder ./node_modules/app-builder-bin/mac/
- run:
name: Upgrade to Node 14
command: brew install node@14
- save_cache: - save_cache:
name: Save Homebrew cache name: Save Homebrew cache
paths: paths:

7
.gitignore vendored
View file

@ -25,3 +25,10 @@ npm-*
# generated translation files # generated translation files
/translations /translations
/locale /locale
# Fastlane
**/fastlane/Matchfile
**/fastlane/report.xml
**/fastlane/Preview.html
**/fastlane/screenshots
**/fastlane/test_output

View file

@ -15,7 +15,7 @@ mac:
gatekeeperAssess: true gatekeeperAssess: true
hardenedRuntime: true hardenedRuntime: true
icon: buildResources/ScratchDesktop.icns icon: buildResources/ScratchDesktop.icns
provisioningProfile: embedded.provisionprofile provisioningProfile: build/AppStore_edu.mit.scratch.scratch-desktop.provisionprofile
artifactName: "Scratch ${version}.${ext}" artifactName: "Scratch ${version}.${ext}"
target: target:
- dmg - dmg
@ -30,7 +30,7 @@ mas:
icon: buildResources/ScratchDesktop.icns icon: buildResources/ScratchDesktop.icns
masDev: masDev:
type: development type: development
provisioningProfile: mas-dev.provisionprofile provisioningProfile: build/Development_edu.mit.scratch.scratch-desktop.provisionprofile
win: win:
icon: buildResources/ScratchDesktop.ico icon: buildResources/ScratchDesktop.ico
target: target:

3
fastlane/Appfile Normal file
View file

@ -0,0 +1,3 @@
app_identifier "edu.mit.scratch.scratch-desktop" # The bundle identifier of your app
apple_id "bot-apple@scratch.mit.edu" # Your Apple email address
team_id "W7AR3WMP87"

36
fastlane/Fastfile Normal file
View file

@ -0,0 +1,36 @@
# This file contains the fastlane.tools configuration
# You can find the documentation at https://docs.fastlane.tools
#
# For a list of all available actions, check out
#
# https://docs.fastlane.tools/actions
#
# For a list of all available plugins, check out
#
# https://docs.fastlane.tools/plugins/available-plugins
#
# Uncomment the line if you want fastlane to automatically update itself
# update_fastlane
default_platform(:mac)
platform :mac do
desc "Use Fastlane Match to install development certificates"
lane :match_dev do
match(type: "development", platform: "macos", output_path: "build", readonly: is_ci)
end
desc "Use Fastlane Match to install distribution certificates"
lane :match_dist do
match(type: "appstore", platform: "macos", output_path: "build", readonly: is_ci, additional_cert_types: "mac_installer_distribution")
match(type: "developer_id", platform: "macos", output_path: "build", readonly: is_ci, additional_cert_types: "developer_id_installer")
end
desc "Prepare for a CircleCI signed build"
lane :circleci do
setup_circle_ci
match_dev
match_dist
end
end

31
fastlane/README-match.md Normal file
View file

@ -0,0 +1,31 @@
# Fastlane Match setup
## You might not need to do this!
If you don't plan to build this application, you don't need Fastlane Match.
If you don't plan to build this application for macOS, you don't need Fastlane Match.
If you plan to only run your builds locally for your own debug purposes, you don't need Fastlane Match.
If you don't have access to a Fastlane Match storage repository or bucket, you don't need Fastlane Match.
## Initial Configuration
The `Matchfile` containing settings for Fastlane Match includes private information about our storage, so it's set to be ignored by `git`.
This means that you'll need to initialize Fastlane Match yourself when you clone this repository in a new place.
To initialize Fastlane Match:
1. Enter this repository's base directory (not the `fastlane` subdirectory)
2. Run `fastlane match init` and answer the questions
...yep, that's it.
## Obtaining & Updating Certs
1. If you plan to make and internally share development builds for testing purposes, run:
* `fastlane match_dev`
2. If you plan to make builds for release, run:
* `fastlane match_dist`

48
fastlane/README.md Normal file
View file

@ -0,0 +1,48 @@
fastlane documentation
----
# Installation
Make sure you have the latest version of the Xcode command line tools installed:
```sh
xcode-select --install
```
For _fastlane_ installation instructions, see [Installing _fastlane_](https://docs.fastlane.tools/#installing-fastlane)
# Available Actions
## Mac
### mac match_dev
```sh
[bundle exec] fastlane mac match_dev
```
Use Fastlane Match to install development certificates
### mac match_dist
```sh
[bundle exec] fastlane mac match_dist
```
Use Fastlane Match to install distribution certificates
### mac circleci
```sh
[bundle exec] fastlane mac circleci
```
Prepare for a CircleCI signed build
----
This README.md is auto-generated and will be re-generated every time [_fastlane_](https://fastlane.tools) is run.
More information about _fastlane_ can be found on [fastlane.tools](https://fastlane.tools).
The documentation of _fastlane_ can be found on [docs.fastlane.tools](https://docs.fastlane.tools).

View file

@ -9,6 +9,8 @@
const {spawnSync} = require('child_process'); const {spawnSync} = require('child_process');
const fs = require('fs'); const fs = require('fs');
const masDevProfile = 'build/Development_edu.mit.scratch.scratch-desktop.provisionprofile';
/** /**
* Strip any code signing configuration (CSC) from a set of environment variables. * Strip any code signing configuration (CSC) from a set of environment variables.
* @param {object} environment - a collection of environment variables which might include code signing configuration. * @param {object} environment - a collection of environment variables which might include code signing configuration.
@ -58,7 +60,7 @@ const runBuilder = function (wrapperConfig, target) {
if (target.platform === 'darwin') { if (target.platform === 'darwin') {
allArgs.push(`--c.mac.type=${wrapperConfig.mode === 'dist' ? 'distribution' : 'development'}`); allArgs.push(`--c.mac.type=${wrapperConfig.mode === 'dist' ? 'distribution' : 'development'}`);
if (target.name === 'mas-dev') { if (target.name === 'mas-dev') {
allArgs.push('--c.mac.provisioningProfile=mas-dev.provisionprofile'); allArgs.push(`--c.mac.provisioningProfile=${masDevProfile}`);
} }
if (wrapperConfig.doSign) { if (wrapperConfig.doSign) {
// really this is "notarize only if we also sign" // really this is "notarize only if we also sign"
@ -95,7 +97,6 @@ const runBuilder = function (wrapperConfig, target) {
* same time but doing so limits has unwanted side effects on both macOS and Windows (see function body). * same time but doing so limits has unwanted side effects on both macOS and Windows (see function body).
*/ */
const calculateTargets = function (wrapperConfig) { const calculateTargets = function (wrapperConfig) {
const masDevProfile = 'mas-dev.provisionprofile';
const availableTargets = { const availableTargets = {
macAppStore: { macAppStore: {
name: 'mas', name: 'mas',