authorOwen Rudge <owen@owenrudge.net>2021-01-12 21:47:08 +0000
committerOwen Rudge <owen@owenrudge.net>2021-01-13 13:45:52 +0000
commit60851ef1a69a22b5efc43223363d3a4f62b1167e (patch)
tree68d918c9fc3b4969ab061b5b1eec2370e46edd76
parentc6fd6cfd1580f0f743ddb91a0d161758e3f8c7ac (diff)
Feature: Sign macOS builds
-rw-r--r--.github/workflows/release.yml30
-rw-r--r--os/macosx/Info.plist.in2
-rwxr-xr-xos/macosx/notarize.sh58
3 files changed, 86 insertions, 4 deletions
diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml
index efd58bfbd..d1eb1b525 100644
--- a/.github/workflows/release.yml
+++ b/.github/workflows/release.yml
@@ -420,6 +420,16 @@ jobs:
- name: Install GCC problem matcher
uses: ammaraskar/gcc-problem-matcher@master
+ - name: Import code signing certificates
+ uses: Apple-Actions/import-codesign-certs@v1
+ with:
+ # The certificates in a PKCS12 file encoded as a base64 string
+ p12-file-base64: ${{ secrets.APPLE_DEVELOPER_CERTIFICATE_P12_BASE64 }}
+ # The password used to import the PKCS12 file.
+ p12-password: ${{ secrets.APPLE_DEVELOPER_CERTIFICATE_PASSWORD }}
+ # If this is run on a fork, there may not be a certificate set up - continue in this case
+ continue-on-error: true
+
- name: Build
run: |
mkdir build
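Review bot: `continue-on-error: true` on the new certificate-import step also masks a genuine failure on the main repository — a wrong `p12-password` or an expired certificate lets the job carry on, and the later `-DCPACK_BUNDLE_APPLE_CERT_APP` configure then produces an unsigned or mis-signed build without anything turning red. Give the step an `id:` (for example `id: import-certs`) and have the signing-dependent steps check `steps.import-certs.outcome == 'success'`, or tolerate the failure only on forks with `continue-on-error: ${{ github.event.repository.fork }}`, which matches the intent stated in the comment on the line above it. The Build step that begins at the end of this hunk continues outside it.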
@@ -432,6 +442,8 @@ jobs:
-DCMAKE_TOOLCHAIN_FILE=/tmp/vcpkg/scripts/buildsystems/vcpkg.cmake \
-DHOST_BINARY_DIR=${GITHUB_WORKSPACE}/build-host \
-DCMAKE_BUILD_TYPE=RelWithDebInfo \
+ -DCPACK_BUNDLE_APPLE_CERT_APP=${{ secrets.APPLE_DEVELOPER_CERTIFICATE_ID }} \
+ "-DCPACK_BUNDLE_APPLE_CODESIGN_PARAMETER=--deep -f --options runtime" \
# EOF
echo "::endgroup::"
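Review bot: The new `-DCPACK_BUNDLE_APPLE_CERT_APP=${{ secrets.APPLE_DEVELOPER_CERTIFICATE_ID }}` line is expanded into the shell unquoted, unlike the `-DCPACK_BUNDLE_APPLE_CODESIGN_PARAMETER` line directly below it; a codesign identity is commonly the certificate's full common name, which contains spaces and parentheses, so the argument would be word-split and the configure call would fail with an unhelpful error. Quote it the same way as its neighbour: `"-DCPACK_BUNDLE_APPLE_CERT_APP=${{ secrets.APPLE_DEVELOPER_CERTIFICATE_ID }}" \`. The `run:` script these lines belong to starts and ends outside the hunk.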
@@ -440,9 +452,21 @@ jobs:
make -j$(sysctl -n hw.logicalcpu) package
echo "::endgroup::"
- # Remove the sha256 files CPack generates; we will do this ourself at
- # the end of this workflow.
- rm -f bundles/*.sha256
+ - name: Install gon
+ env:
+ HOMEBREW_NO_AUTO_UPDATE: 1
+ HOMEBREW_NO_INSTALL_CLEANUP: 1
+ run: |
+ brew tap mitchellh/gon
+ brew install mitchellh/gon/gon
+
+ - name: Notarize
+ env:
+ AC_USERNAME: ${{ secrets.APPLE_DEVELOPER_APP_USERNAME }}
+ AC_PASSWORD: ${{ secrets.APPLE_DEVELOPER_APP_PASSWORD }}
+ run: |
+ cd build
+ ../os/macosx/notarize.sh
- name: Store bundles
uses: actions/upload-artifact@v2
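Review bot: The `Install gon` step pulls the notarization tool from an unpinned Homebrew tap (`brew tap mitchellh/gon` / `brew install mitchellh/gon/gon`), so whatever the tap serves at run time is the binary that then receives `AC_USERNAME` and `AC_PASSWORD` in the Notarize step; a compromised or merely updated tap changes what handles the Apple credentials with no change to this repository. Pin the tool instead: fetch a fixed release archive and verify it before installing, e.g. `curl -sSfL -o gon.zip "<GON_RELEASE_URL>"` followed by `echo "<GON_SHA256>  gon.zip" | shasum -a 256 -c -`, with both values recorded in the workflow. Separately, dropping `rm -f bundles/*.sha256` means any checksum CPack writes next to the DMG is now uploaded as-is, while stapling in notarize.sh rewrites the DMG after that checksum was computed; if CPack still emits those files they will be stale, so the removal deserves either a comment explaining why it is safe or a recomputation after the Notarize step.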
diff --git a/os/macosx/Info.plist.in b/os/macosx/Info.plist.in
index b3285589d..04d6ea6d3 100644
--- a/os/macosx/Info.plist.in
+++ b/os/macosx/Info.plist.in
@@ -8,7 +8,7 @@
<key>CFBundleDisplayName</key>
<string>${CPACK_BUNDLE_NAME}</string>
<key>CFBundleExecutable</key>
- <string>${CPACK_BUNDLE_NAME}</string>
+ <string>openttd</string>
<key>CFBundleGetInfoString</key>
<string>#CPACK_PACKAGE_VERSION#, Copyright 2004-${CURRENT_YEAR} The OpenTTD team</string>
<key>CFBundleIconFile</key>
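Review bot: `CFBundleExecutable` is now the literal `openttd` while `CFBundleDisplayName` two lines above still takes `${CPACK_BUNDLE_NAME}`, and nothing in the file records why the two deliberately differ; a later change of the binary name on the CMake side would silently produce a bundle whose plist points at a non-existent executable, which shows up only as a signing or launch failure. Add an XML comment above the key, `<!-- Must match the binary CPack installs into Contents/MacOS; this is the executable name, not the bundle name -->`, or, since this is a configured `.in` file, derive the value from the CMake target name instead of hard-coding it.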
diff --git a/os/macosx/notarize.sh b/os/macosx/notarize.sh
new file mode 100755
index 000000000..3434c3125
--- /dev/null
+++ b/os/macosx/notarize.sh
@@ -0,0 +1,58 @@
+#!/bin/bash
+set -e
+
+# This script attempts to notarize the OpenTTD DMG generated by CPack.
+# If you are building an unofficial branch of OpenTTD, please change the bundle
+# ID in Info.plist and below.
+#
+# This uses `gon' to perform notarization:
+#
+# https://github.com/mitchellh/gon
+#
+# Follow the setup instructions on the gon site to install.
+#
+# Before executing this script, you must first configure CMake with at least the following
+# parameters:
+#
+# -DCPACK_BUNDLE_APPLE_CERT_APP={certificate ID}
+# "-DCPACK_BUNDLE_APPLE_CODESIGN_PARAMETER=--deep -f --options runtime"
+#
+# then run "make package" or "cpack".
+#
+# This will sign the application with your signing certificate, and will enable
+# the hardened runtime.
+#
+# You also need to set your Apple Developer username and password (app-specific password
+# is recommended) in the AC_USERNAME and AC_PASSWORD environment variables.
+#
+# Then, ensuring you're in your build directory and that the "bundles" directory
+# exists with a .dmg in it (clear out any old DMGs first), run:
+#
+# ../os/macosx/notarize.sh
+
+if [ -z "${AC_USERNAME}" ]; then
+ echo AC_USERNAME not set, skipping notarization.
+ exit 0
+fi;
+
+dmg_filename=(bundles/*.dmg)
+
+if [ "${dmg_filename}" = "bundles/*.dmg" ]; then
+ echo "No .dmg found in the bundles directory, skipping notarization. Please read this"
+ echo "script's source for execution instructions."
+ exit 1
+fi;
+
+cat <<EOF > notarize.json
+{
+ "notarize": [
+ {
+ "path": "${dmg_filename[0]}",
+ "bundle_id": "org.openttd.openttd",
+ "staple": true
+ }
+ ]
+}
+EOF
+
+gon notarize.json
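Review bot: `dmg_filename=(bundles/*.dmg)` followed by a comparison against the literal glob string only detects the zero-match case; with two or more DMGs in `bundles/` (the header comment asks the user to clear old ones out, but nothing enforces it) the script silently notarizes and staples only `${dmg_filename[0]}` and the rest ship unstapled. Count the matches with `nullglob` enabled and refuse anything other than exactly one, which also removes the reliance on the unexpanded-glob string. The path is additionally interpolated into `notarize.json` without escaping, so a DMG name containing `"` or `\` would yield invalid JSON; insisting on a single file makes that less likely, but a comment stating the assumption above the heredoc would help.
```shell
shopt -s nullglob
dmg_filename=(bundles/*.dmg)
shopt -u nullglob

if [ "${#dmg_filename[@]}" -ne 1 ]; then
  echo "Expected exactly one .dmg in the bundles directory, found ${#dmg_filename[@]}; skipping notarization."
  echo "Please read this script's source for execution instructions."
  exit 1
fi

# … unchanged: notarize.json heredoc and gon invocation …
```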