From 3b643c9c08279b029226907f5c9db2a822b726c4 Mon Sep 17 00:00:00 2001
From: Joe Donofry
Date: Fri, 3 Sep 2021 18:53:31 +0000
Subject: [PATCH] Macos notarization
---
.ci/macos/notarize.sh | 73 +++++++++++++++++++++++++++++++++++++++++++
.gitlab-ci.yml | 32 +++++++++++++++----
2 files changed, 99 insertions(+), 6 deletions(-)
create mode 100755 .ci/macos/notarize.sh
diff --git a/.ci/macos/notarize.sh b/.ci/macos/notarize.sh
new file mode 100755
index 00000000..ca8646be
--- /dev/null
+++ b/.ci/macos/notarize.sh
@@ -0,0 +1,73 @@
+#!/bin/sh
+
+set -u
+
+# Modified version of script found at:
+# https://forum.qt.io/topic/96652/how-to-notarize-qt-application-on-macos/18
+
+# Add Qt binaries to path
+PATH="/usr/local/opt/qt@5/bin/:${PATH}"
+
+security unlock-keychain -p "${RUNNER_USER_PW}" login.keychain
+
+( cd build || exit
+ # macdeployqt does not copy symlinks over.
+ # this specifically addresses icu4c issues but nothing else.
+ # We might not even need this any longer...
+ # ICU_LIB="$(brew --prefix icu4c)/lib"
+ # export ICU_LIB
+ # mkdir -p nheko.app/Contents/Frameworks
+ # find "${ICU_LIB}" -type l -name "*.dylib" -exec cp -a -n {} nheko.app/Contents/Frameworks/ \; || true
+
+ macdeployqt nheko.app -dmg -always-overwrite -qmldir=../resources/qml/ -sign-for-notarization="${APPLE_DEV_IDENTITY}"
+
+ user=$(id -nu)
+ chown "${user}" nheko.dmg
+)
+
+NOTARIZE_SUBMIT_LOG=$(mktemp -t notarize-submit)
+NOTARIZE_STATUS_LOG=$(mktemp -t notarize-status)
+
+finish() {
+ rm "$NOTARIZE_SUBMIT_LOG" "$NOTARIZE_STATUS_LOG"
+}
+trap finish EXIT
+
+dmgbuild -s .ci/macos/settings.json "Nheko" nheko.dmg
+codesign -s "${APPLE_DEV_IDENTITY}" nheko.dmg
+user=$(id -nu)
+chown "${user}" nheko.dmg
+
+echo "--> Start Notarization process"
+xcrun altool -t osx -f nheko.dmg --primary-bundle-id "io.github.nheko-reborn.nheko" --notarize-app -u "${APPLE_DEV_USER}" -p "${APPLE_DEV_PASS}" > "$NOTARIZE_SUBMIT_LOG" 2>&1
+requestUUID="$(awk -F ' = ' '/RequestUUID/ {print $2}' "$NOTARIZE_SUBMIT_LOG")"
+
+while sleep 60 && date; do
+ echo "--> Checking notarization status for ${requestUUID}"
+
+ xcrun altool --notarization-info "${requestUUID}" -u "${APPLE_DEV_USER}" -p "${APPLE_DEV_PASS}" > "$NOTARIZE_STATUS_LOG" 2>&1
+
+ isSuccess=$(grep "success" "$NOTARIZE_STATUS_LOG")
+ isFailure=$(grep "invalid" "$NOTARIZE_STATUS_LOG")
+
+ if [ -n "${isSuccess}" ]; then
+ echo "Notarization done!"
+ xcrun stapler staple -v nheko.dmg
+ echo "Stapler done!"
+ break
+ fi
+ if [ -n "${isFailure}" ]; then
+ echo "Notarization failed"
+ cat "$NOTARIZE_STATUS_LOG" 1>&2
+ return 1
+ fi
+ echo "Notarization not finished yet, sleep 1m then check again..."
+done
+
+VERSION=${CI_COMMIT_SHORT_SHA}
+
+if [ -n "$VERSION" ]; then
+ mv nheko.dmg "nheko-${VERSION}.dmg"
+ mkdir artifacts
+ cp "nheko-${VERSION}.dmg" artifacts/
+fi
\ No newline at end of file
diff --git a/.gitlab-ci.yml b/.gitlab-ci.yml
index cea6be7b..e82e72d6 100644
--- a/.gitlab-ci.yml
+++ b/.gitlab-ci.yml
@@ -55,7 +55,6 @@ build-macos: #- brew update #- brew reinstall --force python3 #- brew bundle --file=./.ci/macos/Brewfile --force --cleanup - pip3 install dmgbuild - rm -rf ../.hunter && mv .hunter ../.hunter || true script: - export PATH=/usr/local/opt/qt@5/bin/:${PATH}
@@ -72,19 +71,40 @@ build-macos: - cmake --build build after_script: - mv ../.hunter .hunter - ./.ci/macos/deploy.sh - ./.ci/upload-nightly-gitlab.sh artifacts/nheko-${CI_COMMIT_SHORT_SHA}.dmg artifacts: paths: - artifacts/nheko-${CI_COMMIT_SHORT_SHA}.dmg - name: nheko-${CI_COMMIT_SHORT_SHA}-macos - expose_as: 'macos-dmg' + - build/nheko.app + name: nheko-${CI_COMMIT_SHORT_SHA}-macos-app + expose_as: 'macos-app' + public: false cache: key: "${CI_JOB_NAME}" paths: - .hunter/ - "${CCACHE_DIR}" +codesign-macos: + stage: deploy + tags: [macos] + before_script: + - pip3 install dmgbuild + script: + - export PATH=/usr/local/opt/qt@5/bin/:${PATH} + - ./.ci/macos/notarize.sh + after_script: + - ./.ci/upload-nightly-gitlab.sh artifacts/nheko-${CI_COMMIT_SHORT_SHA}.dmg + needs: + - build-macos + rules: + - if: '$CI_COMMIT_BRANCH == "master"' + - if : $CI_COMMIT_TAG + artifacts: + paths: + - artifacts/nheko-${CI_COMMIT_SHORT_SHA}.dmg + name: nheko-${CI_COMMIT_SHORT_SHA}-macos + expose_as: 'macos-dmg' + + build-flatpak-amd64: stage: build image: ubuntu:latest
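Review bot: The failure branch of the polling loop in notarize.sh calls `return 1` at script top level, outside any function, where it should be `exit 1`. What a top-level `return` does is shell-dependent; bash reports an error and, as far as I know, carries on, in which case a rejected submission keeps polling every minute until the job times out instead of failing. Nothing checks that the altool submission succeeded or that `requestUUID` is non-empty, the `finish` trap deletes the submit log unread, and the exit status of `stapler staple` is ignored, so a dmg that was never stapled can still be renamed into `artifacts/`. `-p "${APPLE_DEV_PASS}"` also puts the Apple password on altool's command line, where other processes on the runner can read it from the process list; altool accepts `-p "@env:APPLE_DEV_PASS"` to read it from the environment instead, and the `security unlock-keychain -p` call has the same exposure.

```shell
# … unchanged: keychain unlock, macdeployqt, dmgbuild, codesign …
# @env: makes altool read the password from the environment, keeping it off argv
if ! xcrun altool -t osx -f nheko.dmg --primary-bundle-id "io.github.nheko-reborn.nheko" --notarize-app -u "${APPLE_DEV_USER}" -p "@env:APPLE_DEV_PASS" > "$NOTARIZE_SUBMIT_LOG" 2>&1; then
  cat "$NOTARIZE_SUBMIT_LOG" 1>&2
  exit 1
fi
requestUUID="$(awk -F ' = ' '/RequestUUID/ {print $2}' "$NOTARIZE_SUBMIT_LOG")"
if [ -z "${requestUUID}" ]; then
  echo "No RequestUUID in altool output" 1>&2
  cat "$NOTARIZE_SUBMIT_LOG" 1>&2
  exit 1
fi

while sleep 60 && date; do
  # … unchanged: status message …
  xcrun altool --notarization-info "${requestUUID}" -u "${APPLE_DEV_USER}" -p "@env:APPLE_DEV_PASS" > "$NOTARIZE_STATUS_LOG" 2>&1
  # … unchanged: isSuccess / isFailure greps …
  if [ -n "${isSuccess}" ]; then
    echo "Notarization done!"
    xcrun stapler staple -v nheko.dmg || exit 1
    # … unchanged: "Stapler done!" message and break …
  fi
  if [ -n "${isFailure}" ]; then
    # … unchanged: failure message and status log dump …
    exit 1
  fi
  # … unchanged: progress message …
done
```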
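Review bot: `pip3 install dmgbuild` in the new `codesign-macos` job installs an unpinned package from PyPI in the same job that unlocks the login keychain and holds `APPLE_DEV_PASS`, so whatever version of dmgbuild or its dependencies is current at run time executes next to the signing identity. Pin it, for example `- pip3 install 'dmgbuild==<PINNED_VERSION>'` or a hashed requirements file installed with `--require-hashes`, or preinstall it on the runner. The `rules:` limit the job to master and tags, but that only keeps the credentials away from other pipelines if the CI variables are also marked protected, which this diff cannot show. `after_script` also runs when `script` fails, so the upload step is attempted even if notarization did not finish.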