WIP: add codesigning

slint-ui · Jan 4, 2024 · 6f597c9 · 6f597c9
1 parent 8193d4d
commit 6f597c9
Show file tree

Hide file tree

Showing 2 changed files with 50 additions and 0 deletions.
diff --git a/.github/actions/codesign/action.yaml b/.github/actions/codesign/action.yaml
@@ -0,0 +1,43 @@
+# Copyright © SixtyFPS GmbH <info@slint.dev>
+# SPDX-License-Identifier: GPL-3.0-only OR LicenseRef-Slint-Royalty-free-1.1 OR LicenseRef-Slint-commercial
+
+---
+name: Apple Codesign Binary
+description: Sign the given binary with the developer certificate
+
+inputs:
+  binary:
+    description: 'Path to binary'
+    required: true
+    default: ""
+  certificate:
+    description: "certificate secret"
+    required: true
+  certificate_password:
+    description: "certificate password"
+    required: true
+  keychain_password:
+    description: "keychain password to use"
+    required: true
+  developer_id:
+    description: "developer id to use"
+    required: true
+
+runs:
+  using: composite
+  steps:
+    - name: Codesign binary
+      shell: bash    
+      env:
+          CERT: ${{ inputs.certificate }}
+          CERT_PW: ${{ inputs.certificate_password }}
+          KEYCHAIN_PW: ${{ inputs.keychain_password }}
+          DEV_ID: ${{ inputs.developer_id }}
+      run: |
+        echo -n "$CERT" | base64 —-decode -o certificate.p12
+        security create-keychain -p $KEYCHAIN_PW build.keychain
+        security default-keychain -s build.keychain
+        security unlock-keychain -p $KEYCHAIN_PW build.keychain
+        security import certificate.p12 -k build.keychain -P $CERT_PW -T /usr/bin/codesign
+        security set-key-partition-list -S apple-tool:,apple:,codesign: -s -k $KEYCHAIN_PW build.keychain
+        /usr/bin/codesign --force -s $DEV_ID ${{ inputs.binary }} -v  
diff --git a/.github/workflows/slint_tool_binary.yaml b/.github/workflows/slint_tool_binary.yaml
@@ -126,6 +126,13 @@ jobs:
             cd ..
             cd tools/${{ github.event.inputs.program || inputs.program }}
             ../../scripts/prepare_binary_package.sh ../../slint-${{ github.event.inputs.program || inputs.program }}
+      - uses: ./.github/actions/codesign
+        with:
+          binary: slint-${{ github.event.inputs.program || inputs.program }}/slint-${{ github.event.inputs.program || inputs.program }}
+          certificate: ${{ secrets.APPLE_CERTIFICATE_P12 }}
+          certificate_password: ${{ secrets.APPLE_CERTIFICATE_P12_PASSWORD }}
+          keychain_password: ${{ secrets.APPLE_KEYCHAIN_PASSWORD }}
+          developer_id: ${{ secrets.APPLE_DEV_ID }}          
       - name: Tar artifacts to preserve permissions
         run: tar czvf slint-${{ github.event.inputs.program || inputs.program }}-macos.tar.gz slint-${{ github.event.inputs.program || inputs.program }}
       - name: Upload artifact