From b71d056559651b94eae7eb97397affe0493b6edf Mon Sep 17 00:00:00 2001
From: darodi <4682830+darodi@users.noreply.github.com>
Date: Sun, 22 Jan 2023 10:30:06 +0100
Subject: [PATCH] prepare pipeline for signing
---
 .github/workflows/package-macos.yml | 43 +++++++++++++++++++++++++++--
 setup.py | 1 +
 2 files changed, 42 insertions(+), 2 deletions(-)
diff --git a/.github/workflows/package-macos.yml b/.github/workflows/package-macos.yml
index db10205..8994b83 100644
--- a/.github/workflows/package-macos.yml
+++ b/.github/workflows/package-macos.yml
@@ -33,13 +33,45 @@ jobs:
 cache: 'pip'
 - name: Install python dependencies
 run: |
- python -m pip install --upgrade pip setuptools wheel pyinstaller
+ python -m pip install --upgrade pip setuptools wheel pyinstaller certifi
 pip install -r requirements.txt
+ - name: Install the Apple certificate and provisioning profile
+# TODO signing
+# https://federicoterzi.com/blog/automatic-code-signing-and-notarization-for-macos-apps-using-github-actions/
+ if: ${{ false }}
+ env:
+ BUILD_CERTIFICATE_BASE64: ${{ secrets.BUILD_CERTIFICATE_BASE64 }}
+ P12_PASSWORD: ${{ secrets.P12_PASSWORD }}
+ BUILD_PROVISION_PROFILE_BASE64: ${{ secrets.BUILD_PROVISION_PROFILE_BASE64 }}
+ KEYCHAIN_PASSWORD: ${{ secrets.KEYCHAIN_PASSWORD }}
+ run: |
+ # create variables
+ CERTIFICATE_PATH=$RUNNER_TEMP/build_certificate.p12
+ PP_PATH=$RUNNER_TEMP/build_pp.mobileprovision
+ KEYCHAIN_PATH=$RUNNER_TEMP/app-signing.keychain-db
+
+ # import certificate and provisioning profile from secrets
+ echo -n "$BUILD_CERTIFICATE_BASE64" | base64 --decode -o $CERTIFICATE_PATH
+ echo -n "$BUILD_PROVISION_PROFILE_BASE64" | base64 --decode -o $PP_PATH
+
+ # create temporary keychain
+ security create-keychain -p "$KEYCHAIN_PASSWORD" $KEYCHAIN_PATH
+ security set-keychain-settings -lut 21600 $KEYCHAIN_PATH
+ security unlock-keychain -p "$KEYCHAIN_PASSWORD" $KEYCHAIN_PATH
+
+ # import certificate to keychain
+ security import $CERTIFICATE_PATH -P "$P12_PASSWORD" -A -t cert -f pkcs12 -k $KEYCHAIN_PATH
+ security list-keychain -d user -s $KEYCHAIN_PATH
+
+ # apply provisioning profile
+ mkdir -p ~/Library/MobileDevice/Provisioning\ Profiles
+ cp $PP_PATH ~/Library/MobileDevice/Provisioning\ Profiles
 - uses: actions/setup-node@v3
 with:
 node-version: 16
 - run: npm install -g appdmg
 - name: build binary
+# TODO /usr/bin/codesign --force -s "$MACOS_CERTIFICATE_NAME" --options runtime dist/Applications/Kindle\ Comic\ Converter.app -v
 run: |
 python setup.py build_binary
 - name: upload build
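Review bot: The `security import ... -A` line in the new certificate step lets any process on the runner use the imported signing key without a prompt, and the step sits ahead of `npm install -g appdmg`, so an unpinned package's install script would run with that key already in the keychain once `if: ${{ false }}` is lifted. Before enabling it, move the step to directly before `build binary` and limit key access to the signing tool: `security import "$CERTIFICATE_PATH" -P "$P12_PASSWORD" -t cert -f pkcs12 -k "$KEYCHAIN_PATH" -T /usr/bin/codesign`, followed by `security set-key-partition-list -S apple-tool:,apple: -s -k "$KEYCHAIN_PASSWORD" "$KEYCHAIN_PATH"`. The `$RUNNER_TEMP`-derived paths are unquoted throughout the script and should be quoted as in those two lines. The packages in the `python -m pip install --upgrade ...` line are also unpinned, which is worth tightening in a job that will hold a signing identity.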
@@ -56,4 +88,11 @@ jobs:
 files: |
 CHANGELOG.md
 LICENSE.txt
- dist/*.dmg
\ No newline at end of file
+ dist/*.dmg
+ - name: Clean up keychain and provisioning profile
+# TODO signing
+ if: ${{ false }}
+# if: ${{ always() }}
+ run: |
+ security delete-keychain $RUNNER_TEMP/app-signing.keychain-db
+ rm ~/Library/MobileDevice/Provisioning\ Profiles/build_pp.mobileprovision
\ No newline at end of file
diff --git a/setup.py b/setup.py
index 3e580c1..2110f34 100644
--- a/setup.py
+++ b/setup.py
@@ -55,6 +55,7 @@ class BuildBinaryCommand(distutils.cmd.Command):
 shutil.copy('LICENSE.txt', 'dist/Kindle Comic Converter.app/Contents/Resources')
 shutil.copy('other/windows/Additional-LICENSE.txt', 'dist/Kindle Comic Converter.app/Contents/Resources')
 os.chmod('dist/Kindle Comic Converter.app/Contents/Resources/7z', 0o777)
+ # TODO /usr/bin/codesign --force -s "$MACOS_CERTIFICATE_NAME" --options runtime dist/Applications/Kindle\ Comic\ Converter.app -v
 os.system('appdmg kcc.json dist/KindleComicConverter_osx_' + VERSION + '.dmg')
 exit(0)
 elif sys.platform == 'win32':
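Review bot: The cleanup step deletes the keychain and the installed profile but leaves behind the decoded `build_certificate.p12` and `build_pp.mobileprovision` that the install step writes under `$RUNNER_TEMP`, which matters if the job ever runs on a runner that is reused between jobs. When the step is enabled, switch to the commented-out `if: ${{ always() }}` so it also runs after a failed build, and add `rm -f "$RUNNER_TEMP/build_certificate.p12" "$RUNNER_TEMP/build_pp.mobileprovision"`. Because a failing `security delete-keychain` would likely stop the script before the `rm` line, put the file removal first or append `|| true` to the keychain deletion. The path in `security delete-keychain $RUNNER_TEMP/app-signing.keychain-db` should also be quoted.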
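Review bot: The bundle path in the new TODO, `dist/Applications/Kindle\ Comic\ Converter.app`, does not match the path the surrounding lines use (`dist/Kindle Comic Converter.app`), so the command would not find the bundle if pasted in as written; the same TODO text appears in the `build binary` step of package-macos.yml. The placement itself looks right, after the `os.chmod` on `7z` and before `appdmg` packs the image, since the bundle has to be signed before it is packaged. When it is implemented, an argument list avoids the shell escaping that `os.system` needs: `subprocess.run(['/usr/bin/codesign', '--force', '-s', os.environ['MACOS_CERTIFICATE_NAME'], '--options', 'runtime', 'dist/Kindle Comic Converter.app', '-v'], check=True)` (this needs `import subprocess` if the file lacks it). The enclosing method of `BuildBinaryCommand` starts and ends outside this hunk.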