chore: Install Apple dev certificate for signing macOS distributables.

We don't have one, but if we did, this would do it.
TokTok · Dec 27, 2024 · ce0ab78 · ce0ab78
1 parent afe24fb
commit ce0ab78
Show file tree

Hide file tree

Showing 6 changed files with 66 additions and 19 deletions.
diff --git a/.github/scripts/install_apple_cert b/.github/scripts/install_apple_cert
@@ -0,0 +1,33 @@
+#!/bin/sh
+
+# https://docs.github.com/en/actions/use-cases-and-examples/deploying/installing-an-apple-certificate-on-macos-runners-for-xcode-development
+
+set -euo pipefail
+
+# Needs:
+#   BUILD_CERTIFICATE_BASE64: base64-encoded dev cert
+#   P12_PASSWORD:             password used to encrypt the dev cert
+#   KEYCHAIN_PASSWORD:        some random password
+
+# create variables
+CERTIFICATE_PATH="$RUNNER_TEMP/build_certificate.p12"
+KEYCHAIN_PATH="$RUNNER_TEMP/app-signing.keychain-db"
+
+# if certificate is empty, do nothing
+if [ -z "$BUILD_CERTIFICATE_BASE64" ]; then
+  echo "No certificate provided, skipping..." >/dev/stderr
+  exit 0
+fi
+
+# import certificate and provisioning profile from secrets
+echo -n "$BUILD_CERTIFICATE_BASE64" | base64 --decode -o "$CERTIFICATE_PATH"
+
+# create temporary keychain
+security create-keychain -p "$KEYCHAIN_PASSWORD" "$KEYCHAIN_PATH"
+security set-keychain-settings -lut 21600 "$KEYCHAIN_PATH"
+security unlock-keychain -p "$KEYCHAIN_PASSWORD" "$KEYCHAIN_PATH"
+
+# import certificate to keychain
+security import "$CERTIFICATE_PATH" -P "$P12_PASSWORD" -A -t cert -f pkcs12 -k "$KEYCHAIN_PATH"
+security set-key-partition-list -S apple-tool:,apple: -k "$KEYCHAIN_PASSWORD" "$KEYCHAIN_PATH"
+security list-keychain -d user -s "$KEYCHAIN_PATH"
diff --git a/.github/workflows/build-test-deploy.yaml b/.github/workflows/build-test-deploy.yaml
@@ -49,7 +49,7 @@ jobs:
       - name: Install docker-compose
         run: sudo apt-get install -y docker-compose
       - name: Run build
-        run: docker-compose run --rm fedora ./.ci-scripts/build-qtox-linux.sh --build-type Release --full --tidy
+        run: docker-compose run --rm fedora .ci-scripts/build-qtox-linux.sh --build-type Release --full --tidy
 
   translation-check:
     name: Check for translatable strings
@@ -86,7 +86,7 @@ jobs:
       - name: Install docker-compose
         run: sudo apt-get install -y docker-compose
       - name: Run build
-        run: docker-compose run --rm alpine ./.ci-scripts/build-qtox-linux.sh --build-type ${{ matrix.build_type }} --${{ matrix.features }}
+        run: docker-compose run --rm alpine .ci-scripts/build-qtox-linux.sh --build-type ${{ matrix.build_type }} --${{ matrix.features }}
 
   build-alpine-static:
     name: Alpine (static)
@@ -105,7 +105,7 @@ jobs:
       - name: Install docker-compose
         run: sudo apt-get install -y docker-compose
       - name: Run build
-        run: docker-compose run --rm alpine-static ./.ci-scripts/build-qtox-linux-static.sh --build-type ${{ matrix.build_type }}
+        run: docker-compose run --rm alpine-static .ci-scripts/build-qtox-linux-static.sh --build-type ${{ matrix.build_type }}
 
   build-debian:
     name: Debian
@@ -125,7 +125,7 @@ jobs:
       - name: Install docker-compose
         run: sudo apt-get install -y docker-compose
       - name: Run build
-        run: docker-compose run --rm debian ./.ci-scripts/build-qtox-linux.sh --build-type ${{ matrix.build_type }} --${{ matrix.features }}
+        run: docker-compose run --rm debian .ci-scripts/build-qtox-linux.sh --build-type ${{ matrix.build_type }} --${{ matrix.features }}
 
   build-fedora:
     name: Fedora with ASAN
@@ -145,7 +145,7 @@ jobs:
       - name: Install docker-compose
         run: sudo apt-get install -y docker-compose
       - name: Run build
-        run: docker-compose run --rm fedora ./.ci-scripts/build-qtox-linux.sh --build-type ${{ matrix.build_type }} --${{ matrix.features }} --sanitize
+        run: docker-compose run --rm fedora .ci-scripts/build-qtox-linux.sh --build-type ${{ matrix.build_type }} --${{ matrix.features }} --sanitize
 
   build-ubuntu:
     name: Ubuntu LTS
@@ -165,12 +165,12 @@ jobs:
       - name: Install docker-compose
         run: sudo apt-get install -y docker-compose
       - name: Run build
-        run: docker-compose run --rm ubuntu_lts ./.ci-scripts/build-qtox-linux.sh --build-type ${{ matrix.build_type }} --${{ matrix.features }}
+        run: docker-compose run --rm ubuntu_lts .ci-scripts/build-qtox-linux.sh --build-type ${{ matrix.build_type }} --${{ matrix.features }}
       - name: Code coverage
         run: |
           # https://github.com/actions/runner/issues/491
           if [ "${{ matrix.build_type }}" == "Release" ] && [ "${{ matrix.features }}" == "full" ]; then
-            docker-compose run --rm ubuntu_lts ./.ci-scripts/lcov.sh
+            docker-compose run --rm ubuntu_lts .ci-scripts/lcov.sh
             # Upload report to codecov.io
             bash <(curl -s https://codecov.io/bash) -f coverage.info || echo "Codecov did not collect coverage reports"
           fi
@@ -367,12 +367,19 @@ jobs:
         run: ccache --set-config=max_size=200M --set-config=cache_dir="$PWD/.cache/ccache" && ccache --show-config
       - name: Build dependencies (only Qt)
         if: steps.cache-qt.outputs.cache-hit != 'true'
-        run: ./.ci-scripts/build-macos-qt.sh ${{ matrix.arch }}
+        run: .ci-scripts/build-macos-qt.sh ${{ matrix.arch }}
       - name: Build dependencies (except Qt)
         if: steps.cache-deps.outputs.cache-hit != 'true'
-        run: ./.ci-scripts/build-macos-deps.sh ${{ matrix.arch }}
+        run: .ci-scripts/build-macos-deps.sh ${{ matrix.arch }}
+      - name: Install the Apple certificate
+#       if: github.event_name == 'push'
+        env:
+          BUILD_CERTIFICATE_BASE64: ${{ secrets.APPLE_BUILD_CERTIFICATE_BASE64 }}
+          P12_PASSWORD: ${{ secrets.APPLE_P12_PASSWORD }}
+          KEYCHAIN_PASSWORD: ${{ secrets.APPLE_KEYCHAIN_PASSWORD }}
+        run: .github/scripts/install_apple_cert >/dev/null
       - name: Build qTox
-        run: ./.ci-scripts/build-qtox-macos.sh dist ${{ matrix.arch }}
+        run: .ci-scripts/build-qtox-macos.sh dist ${{ matrix.arch }}
       - name: Upload dmg
         uses: actions/upload-artifact@v4
         with:
@@ -455,7 +462,7 @@ jobs:
       - name: Install toxcore
         run: .ci-scripts/dockerfiles/qtox/build_toxcore_linux.sh sudo
       - name: Build qTox
-        run: ./.ci-scripts/build-qtox-macos.sh user ${{ matrix.arch }}
+        run: .ci-scripts/build-qtox-macos.sh user ${{ matrix.arch }}
 
   build-windows:
     name: Windows
@@ -554,9 +561,9 @@ jobs:
         with:
           fetch-depth: 0
       - name: Run
-        run: ./.ci-scripts/build-docs.sh
+        run: .ci-scripts/build-docs.sh
       - name: Deploy
         if: github.ref == 'refs/heads/master' && github.repository_owner == 'qTox'
         env:
           access_key: ${{ secrets.DOXYGEN_DEPLOY_KEY }}
-        run: ./.ci-scripts/deploy-docs.sh
+        run: .ci-scripts/deploy-docs.sh
diff --git a/cmake/Installation.cmake b/cmake/Installation.cmake
@@ -10,7 +10,7 @@
 
 if(APPLE)
   set_target_properties(${PROJECT_NAME} PROPERTIES
-    MACOSX_BUNDLE_INFO_PLIST "${CMAKE_SOURCE_DIR}/macos/info.plist")
+    MACOSX_BUNDLE_INFO_PLIST "${CMAKE_SOURCE_DIR}/macos/Info.plist")
 
   set(BUNDLE_PATH "${CMAKE_BINARY_DIR}/${PROJECT_NAME}.app")
 

diff --git a/macos/info.plist → macos/Info.plist b/macos/info.plist → macos/Info.plist
diff --git a/macos/createdmg b/macos/createdmg
@@ -4,7 +4,7 @@
 # Copyright © 2017-2019 by The qTox Project Contributors
 # Copyright © 2024 The TokTok team
 
-set -eu -o pipefail
+set -eux -o pipefail
 
 QTOX_DIR="$1"
 
@@ -20,6 +20,13 @@ fi
 
 rm -f "$BUILD_DIR/qTox.dmg"
 
+if security find-identity | grep -q Development; then
+  codesign -s "Development" "$BUNDLE_PATH"
+  codesign -v "$BUNDLE_PATH"
+else
+  echo "No Development identity found, skipping code signing"
+fi
+
 create-dmg \
   --filesystem APFS \
   --no-internet-enable \

diff --git a/macos/update-plist-version.sh b/macos/update-plist-version.sh
@@ -15,12 +15,12 @@
 #    You should have received a copy of the GNU General Public License
 #    along with this program.  If not, see <http://www.gnu.org/licenses/>.
 
-# script to change qTox version in `info.plist` file to the supplied one
+# script to change qTox version in `Info.plist` file to the supplied one
 #
 # NOTE: it checkouts the files before appending a version to them!
 #
 # requires:
-#  * correctly formatted `info.plist file in working dir
+#  * correctly formatted `Info.plist file in working dir
 #  * GNU sed
 
 # usage:
@@ -31,7 +31,7 @@
 
 set -eu -o pipefail
 
-# update version in `info.plist` file to supplied one after the right lines
+# update version in `Info.plist` file to supplied one after the right lines
 update_version() {
   local vars=(
     '	<key>CFBundleShortVersionString</key>'
@@ -40,7 +40,7 @@ update_version() {
 
   for v in "${vars[@]}"; do
     sed -i -r "\\R$v\$R,+1 s,(<string>)[0-9\\.]+(</string>)$,\\1$@\\2," \
-      "./info.plist"
+      "./Info.plist"
   done
 }