prepare pipeline for signing

2025-12-11 08:46:25 +00:00 · 2023-01-22 10:30:06 +01:00
parent a822dfa3ae
commit b71d056559
2 changed files with 42 additions and 2 deletions
--- a/.github/workflows/package-macos.yml
+++ b/.github/workflows/package-macos.yml
@@ -33,13 +33,45 @@ jobs:
          cache: 'pip'
      - name: Install python dependencies
        run: |
-          python -m pip install --upgrade pip setuptools wheel pyinstaller
+          python -m pip install --upgrade pip setuptools wheel pyinstaller certifi
          pip install -r requirements.txt
+      - name: Install the Apple certificate and provisioning profile
+#        TODO signing
+#        https://federicoterzi.com/blog/automatic-code-signing-and-notarization-for-macos-apps-using-github-actions/
+        if: ${{ false }}
+        env:
+          BUILD_CERTIFICATE_BASE64: ${{ secrets.BUILD_CERTIFICATE_BASE64 }}
+          P12_PASSWORD: ${{ secrets.P12_PASSWORD }}
+          BUILD_PROVISION_PROFILE_BASE64: ${{ secrets.BUILD_PROVISION_PROFILE_BASE64 }}
+          KEYCHAIN_PASSWORD: ${{ secrets.KEYCHAIN_PASSWORD }}
+        run: |
+          # create variables
+          CERTIFICATE_PATH=$RUNNER_TEMP/build_certificate.p12
+          PP_PATH=$RUNNER_TEMP/build_pp.mobileprovision
+          KEYCHAIN_PATH=$RUNNER_TEMP/app-signing.keychain-db
+          
+          # import certificate and provisioning profile from secrets
+          echo -n "$BUILD_CERTIFICATE_BASE64" | base64 --decode -o $CERTIFICATE_PATH
+          echo -n "$BUILD_PROVISION_PROFILE_BASE64" | base64 --decode -o $PP_PATH
+          
+          # create temporary keychain
+          security create-keychain -p "$KEYCHAIN_PASSWORD" $KEYCHAIN_PATH
+          security set-keychain-settings -lut 21600 $KEYCHAIN_PATH
+          security unlock-keychain -p "$KEYCHAIN_PASSWORD" $KEYCHAIN_PATH
+          
+          # import certificate to keychain
+          security import $CERTIFICATE_PATH -P "$P12_PASSWORD" -A -t cert -f pkcs12 -k $KEYCHAIN_PATH
+          security list-keychain -d user -s $KEYCHAIN_PATH
+          
+          # apply provisioning profile
+          mkdir -p ~/Library/MobileDevice/Provisioning\ Profiles
+          cp $PP_PATH ~/Library/MobileDevice/Provisioning\ Profiles
      - uses: actions/setup-node@v3
        with:
          node-version: 16
      - run: npm install -g appdmg
      - name: build binary
+#        TODO /usr/bin/codesign --force -s "$MACOS_CERTIFICATE_NAME" --options runtime dist/Applications/Kindle\ Comic\ Converter.app -v
        run: |
          python setup.py build_binary
      - name: upload build
@@ -56,4 +88,11 @@ jobs:
          files: |
            CHANGELOG.md
            LICENSE.txt
-            dist/*.dmg
+            dist/*.dmg
+      - name: Clean up keychain and provisioning profile
+#        TODO signing
+        if: ${{ false }}
+#        if: ${{ always() }}
+        run: |
+          security delete-keychain $RUNNER_TEMP/app-signing.keychain-db
+          rm ~/Library/MobileDevice/Provisioning\ Profiles/build_pp.mobileprovision