From 56d152c8b008f4c0cc129ff575ccac2f56ad465c Mon Sep 17 00:00:00 2001
From: Caelan Sayler
Date: Sat, 14 May 2022 12:31:04 +0100
Subject: [PATCH] Add apple code-signing to build

---
 .github/workflows/build.yml | 38 ++++++++++++++++++++++++++++++++-----
 Squirrel.entitlements | 16 ++++++++++++++++
 Squirrel.sln | 1 +
 3 files changed, 50 insertions(+), 5 deletions(-)
 create mode 100644 Squirrel.entitlements

diff --git a/.github/workflows/build.yml b/.github/workflows/build.yml
index e2a00278..65e1fc00 100644
--- a/.github/workflows/build.yml
+++ b/.github/workflows/build.yml
@@ -59,15 +59,43 @@ jobs:
           dotnet-version: ${{ env.DOTNET_VERSION }}
       - name: Build SquirrelMac
         run: |
-          dotnet publish -v minimal --self-contained -c Release -r osx.10.12-x64 ./src/Squirrel.CommandLine.OSX/Squirrel.CommandLine.OSX.csproj -o ./bundle
-          ls -la ./bundle
+          dotnet publish -v minimal --self-contained -c Release -r osx.10.12-x64 ./src/Squirrel.CommandLine.OSX/Squirrel.CommandLine.OSX.csproj -o ./publish
+          ls -la ./publish
       - name: Build UpdateMac
         run: |
-          dotnet publish -v minimal --self-contained -c Release -r osx.10.12-x64 ./src/Update.OSX/Update.OSX.csproj -o ./bundle
-          ls -la ./bundle
+          dotnet publish -v minimal --self-contained -c Release -r osx.10.12-x64 ./src/Update.OSX/Update.OSX.csproj -o ./publish
+          ls -la ./publish
+      # https://docs.github.com/en/actions/deployment/deploying-xcode-applications/installing-an-apple-certificate-on-macos-runners-for-xcode-development
+      - name: Install Apple Certificate
+        env:
+          BUILD_CERTIFICATE_BASE64: ${{ secrets.APPLE_BUILD_CERTIFICATE_BASE64 }}
+          P12_PASSWORD: ${{ secrets.APPLE_BUILD_CERTIFICATE_PASSWORD }}
+          KEYCHAIN_PASSWORD: ${{ secrets.KEYCHAIN_PASSWORD }}
+        run: |
+          # write certificate to file
+          CERTIFICATE_PATH=$RUNNER_TEMP/build_certificate.p12
+          echo -n "$BUILD_CERTIFICATE_BASE64" | base64 --decode --output $CERTIFICATE_PATH
+
+          # create temporary keychain
+          KEYCHAIN_PATH=$RUNNER_TEMP/app-signing.keychain-db
+          security create-keychain -p "$KEYCHAIN_PASSWORD" $KEYCHAIN_PATH
+          security set-keychain-settings -lut 21600 $KEYCHAIN_PATH
+          security unlock-keychain -p "$KEYCHAIN_PASSWORD" $KEYCHAIN_PATH
+
+          # import certificate to keychain
+          security import $CERTIFICATE_PATH -P "$P12_PASSWORD" -A -t cert -f pkcs12 -k $KEYCHAIN_PATH
+          security list-keychain -d user -s $KEYCHAIN_PATH
+      - name: CodeSign Binaries
+        run: |
+          codesign --force --timestamp --options=runtime --keychain $KEYCHAIN_PATH --entitlements Squirrel.entitlements --sign "Developer ID: Caelan Sayler" ./publish/SquirrelMac
+          codesign --force --timestamp --options=runtime --keychain $KEYCHAIN_PATH --entitlements Squirrel.entitlements --sign "Developer ID: Caelan Sayler" ./publish/UpdateMac
+      - name: Clean up KeyChain
+        if: ${{ always() }}
+        run: |
+          security delete-keychain $RUNNER_TEMP/app-signing.keychain-db
       - name: Upload MacOS Artifacts
         uses: actions/upload-artifact@v3
         with:
           name: osx-tools
-          path: ./bundle/*
+          path: ./publish/*
\ No newline at end of file
diff --git a/Squirrel.entitlements b/Squirrel.entitlements
new file mode 100644
index 00000000..73700f05
--- /dev/null
+++ b/Squirrel.entitlements
@@ -0,0 +1,16 @@
+
+
+
+
+	com.apple.security.cs.allow-jit
+
+	com.apple.security.automation.apple-events
+
+	com.apple.security.cs.allow-unsigned-executable-memory
+
+	com.apple.security.cs.allow-dyld-environment-variables
+
+	com.apple.security.cs.disable-library-validation
+
+
+
diff --git a/Squirrel.sln b/Squirrel.sln
index 98535ed2..0be17c64 100644
--- a/Squirrel.sln
+++ b/Squirrel.sln
@@ -19,6 +19,7 @@ Project("{2150E333-8FDC-42A3-9474-1A3956D46DE8}") = "SolutionLevel", "SolutionLe
 		.github\workflows\build.yml = .github\workflows\build.yml
 		build.ps1 = build.ps1
 		pack.ps1 = pack.ps1
+		Squirrel.entitlements = Squirrel.entitlements
 	EndProjectSection
 EndProject
 Project("{9A19103F-16F7-4668-BE54-9A1E7A4F7556}") = "Squirrel.CommandLine.Windows", "src\Squirrel.CommandLine.Windows\Squirrel.CommandLine.Windows.csproj", "{19E8EBF5-0277-422F-BF49-C66D9DBA5AA4}"
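Review bot: `--keychain $KEYCHAIN_PATH` in the CodeSign Binaries step expands to an empty string, because `KEYCHAIN_PATH` is a plain shell variable assigned inside the previous step's `run:` block and every step runs in a fresh shell; the Clean up KeyChain step already spells the path out literally, which suggests this was noticed there but not in the signing step. Export it from the install step with `echo "KEYCHAIN_PATH=$KEYCHAIN_PATH" >> "$GITHUB_ENV"` (or use the literal `$RUNNER_TEMP/app-signing.keychain-db` in both later steps), so that codesign is pointed at the keychain that actually holds the Developer ID key. The cleanup step deletes the keychain but leaves the decoded `$RUNNER_TEMP/build_certificate.p12` on disk; adding `rm -f "$RUNNER_TEMP/build_certificate.p12"` there keeps the private-key file from outliving the signing step. If the certificate's common name follows Apple's usual `Developer ID Application: <name> (<team id>)` pattern, the `--sign "Developer ID: Caelan Sayler"` string may not match it — worth confirming on the first run, and moving the identity into a repository variable would avoid hard-coding a person's name in the workflow.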
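Review bot: The new entitlements file grants five hardened-runtime exceptions (`allow-jit`, `allow-unsigned-executable-memory`, `allow-dyld-environment-variables`, `disable-library-validation`, `automation.apple-events`) with no comment saying which binary needs which, and the build.yml hunk applies the same file to both SquirrelMac and UpdateMac. `allow-jit` and `allow-unsigned-executable-memory` are plausible for a self-contained .NET runtime, but `disable-library-validation` and `allow-dyld-environment-variables` switch off exactly the library-origin checks the hardened runtime exists to enforce, and nothing in this commit shows either binary loading third-party libraries or depending on `DYLD_*` variables. Suggest an XML comment above each `<key>` stating why it is required, e.g. `<!-- required: CoreCLR JIT writes executable pages -->`, and dropping any entitlement for which no reason can be written down; if only one of the two binaries needs a given exception, a second entitlements file for the other keeps its runtime tighter.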