diff options
author | Owen Rudge <owen@owenrudge.net> | 2021-01-12 21:47:08 +0000 |
---|---|---|
committer | Owen Rudge <owen@owenrudge.net> | 2021-01-13 13:45:52 +0000 |
commit | 60851ef1a69a22b5efc43223363d3a4f62b1167e (patch) | |
tree | 68d918c9fc3b4969ab061b5b1eec2370e46edd76 | |
parent | c6fd6cfd1580f0f743ddb91a0d161758e3f8c7ac (diff) | |
download | openttd-60851ef1a69a22b5efc43223363d3a4f62b1167e.tar.xz |
Feature: Sign macOS builds
-rw-r--r-- | .github/workflows/release.yml | 30 | ||||
-rw-r--r-- | os/macosx/Info.plist.in | 2 | ||||
-rwxr-xr-x | os/macosx/notarize.sh | 58 |
3 files changed, 86 insertions, 4 deletions
diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml index efd58bfbd..d1eb1b525 100644 --- a/.github/workflows/release.yml +++ b/.github/workflows/release.yml @@ -420,6 +420,16 @@ jobs: - name: Install GCC problem matcher uses: ammaraskar/gcc-problem-matcher@master + - name: Import code signing certificates + uses: Apple-Actions/import-codesign-certs@v1 + with: + # The certificates in a PKCS12 file encoded as a base64 string + p12-file-base64: ${{ secrets.APPLE_DEVELOPER_CERTIFICATE_P12_BASE64 }} + # The password used to import the PKCS12 file. + p12-password: ${{ secrets.APPLE_DEVELOPER_CERTIFICATE_PASSWORD }} + # If this is run on a fork, there may not be a certificate set up - continue in this case + continue-on-error: true + - name: Build run: | mkdir build @@ -432,6 +442,8 @@ jobs: -DCMAKE_TOOLCHAIN_FILE=/tmp/vcpkg/scripts/buildsystems/vcpkg.cmake \ -DHOST_BINARY_DIR=${GITHUB_WORKSPACE}/build-host \ -DCMAKE_BUILD_TYPE=RelWithDebInfo \ + -DCPACK_BUNDLE_APPLE_CERT_APP=${{ secrets.APPLE_DEVELOPER_CERTIFICATE_ID }} \ + "-DCPACK_BUNDLE_APPLE_CODESIGN_PARAMETER=--deep -f --options runtime" \ # EOF echo "::endgroup::" @@ -440,9 +452,21 @@ jobs: make -j$(sysctl -n hw.logicalcpu) package echo "::endgroup::" - # Remove the sha256 files CPack generates; we will do this ourself at - # the end of this workflow. - rm -f bundles/*.sha256 + - name: Install gon + env: + HOMEBREW_NO_AUTO_UPDATE: 1 + HOMEBREW_NO_INSTALL_CLEANUP: 1 + run: | + brew tap mitchellh/gon + brew install mitchellh/gon/gon + + - name: Notarize + env: + AC_USERNAME: ${{ secrets.APPLE_DEVELOPER_APP_USERNAME }} + AC_PASSWORD: ${{ secrets.APPLE_DEVELOPER_APP_PASSWORD }} + run: | + cd build + ../os/macosx/notarize.sh - name: Store bundles uses: actions/upload-artifact@v2 diff --git a/os/macosx/Info.plist.in b/os/macosx/Info.plist.in index b3285589d..04d6ea6d3 100644 --- a/os/macosx/Info.plist.in +++ b/os/macosx/Info.plist.in @@ -8,7 +8,7 @@ <key>CFBundleDisplayName</key> <string>${CPACK_BUNDLE_NAME}</string> <key>CFBundleExecutable</key> - <string>${CPACK_BUNDLE_NAME}</string> + <string>openttd</string> <key>CFBundleGetInfoString</key> <string>#CPACK_PACKAGE_VERSION#, Copyright 2004-${CURRENT_YEAR} The OpenTTD team</string> <key>CFBundleIconFile</key> diff --git a/os/macosx/notarize.sh b/os/macosx/notarize.sh new file mode 100755 index 000000000..3434c3125 --- /dev/null +++ b/os/macosx/notarize.sh @@ -0,0 +1,58 @@ +#!/bin/bash +set -e + +# This script attempts to notarize the OpenTTD DMG generated by CPack. +# If you are building an unofficial branch of OpenTTD, please change the bundle +# ID in Info.plist and below. +# +# This uses `gon' to perform notarization: +# +# https://github.com/mitchellh/gon +# +# Follow the setup instructions on the gon site to install. +# +# Before executing this script, you must first configure CMake with at least the following +# parameters: +# +# -DCPACK_BUNDLE_APPLE_CERT_APP={certificate ID} +# "-DCPACK_BUNDLE_APPLE_CODESIGN_PARAMETER=--deep -f --options runtime" +# +# then run "make package" or "cpack". +# +# This will sign the application with your signing certificate, and will enable +# the hardened runtime. +# +# You also need to set your Apple Developer username and password (app-specific password +# is recommended) in the AC_USERNAME and AC_PASSWORD environment variables. +# +# Then, ensuring you're in your build directory and that the "bundles" directory +# exists with a .dmg in it (clear out any old DMGs first), run: +# +# ../os/macosx/notarize.sh + +if [ -z "${AC_USERNAME}" ]; then + echo AC_USERNAME not set, skipping notarization. + exit 0 +fi; + +dmg_filename=(bundles/*.dmg) + +if [ "${dmg_filename}" = "bundles/*.dmg" ]; then + echo "No .dmg found in the bundles directory, skipping notarization. Please read this" + echo "script's source for execution instructions." + exit 1 +fi; + +cat <<EOF > notarize.json +{ + "notarize": [ + { + "path": "${dmg_filename[0]}", + "bundle_id": "org.openttd.openttd", + "staple": true + } + ] +} +EOF + +gon notarize.json |