Add signing to Github Action Workflow (#912)

2021-03-03 20:59:10 +08:00 · 2021-03-03 20:59:10 +08:00 · 7dc6f83b92
parent af2d6a9e73
commit 7dc6f83b92
4 changed files with 34 additions and 8 deletions
--- a/.github/workflows/build-macos.yml
+++ b/.github/workflows/build-macos.yml
@ -30,11 +30,12 @@ jobs:
    - name: Install build dependencies
      run: |
        brew install --cask sparkle
-        pip install -r dev.txt
+        brew install create-dmg
+        pip3 install -r dev.txt
      working-directory: requirements.d
    - name: Install Vorta
      run: |
-        pip install .
+        pip3 install .
    - name: Package with PyInstaller
      run: |
        pyinstaller --clean --noconfirm package/vorta.spec
@ -42,9 +43,34 @@ jobs:
        curl -LJO https://github.com/borgbackup/borg/releases/download/${{ github.event.inputs.borg_version }}/borg-macosx64.tgz
        tar xvf borg-macosx64.tgz -C dist/Vorta.app/Contents/Resources/
        cd dist && zip -rq --symlinks Vorta.zip Vorta.app
+
+    - name: Codesign executable
+      continue-on-error: false
+      working-directory: dist
+      env:
+        MACOS_CERTIFICATE: ${{ secrets.MACOS_CERTIFICATE }}
+        MACOS_CERTIFICATE_PWD: ${{ secrets.MACOS_CERTIFICATE_PWD }}
+        CERTIFICATE_NAME: ${{ secrets.MACOS_CERTIFICATE_NAME }}
+        APPLE_ID_USER: ${{ secrets.APPLE_ID_USER }}
+        APPLE_ID_PASSWORD: ${{ secrets.APPLE_ID_PASSWORD }}
+      run: |
+        echo $MACOS_CERTIFICATE | base64 --decode > certificate.p12
+        security create-keychain -p 123 build.keychain
+        security default-keychain -s build.keychain
+        security unlock-keychain -p 123 build.keychain
+        security import certificate.p12 -k build.keychain -A -P $MACOS_CERTIFICATE_PWD -T /usr/bin/codesign
+        security set-key-partition-list -S apple-tool:,apple:,codesign: -s -k 123 build.keychain
+        python3 ../package/fix_app_qt_folder_names_for_codesign.py Vorta.app
+        sh ../package/macos-package-app.sh
+
+    # - name: Setup tmate session
+    #   uses: mxschmitt/action-tmate@v3
+    #   if: ${{ failure() }}
+    #   timeout-minutes: 15
+
    - name: Upload build
      uses: actions/upload-artifact@v2
      with:
-        name: Vorta macOS
-        path: dist/Vorta.zip
+        name: Vorta.dmg
+        path: dist/Vorta.dmg
        retention-days: 10
--- a/.github/workflows/test.yml
+++ b/.github/workflows/test.yml
@ -49,7 +49,7 @@ jobs:
        pip install -r requirements.d/dev.txt

    # - name: Setup tmate session
-    #   uses: mxschmitt/action-tmate@v1
+    #   uses: mxschmitt/action-tmate@v3

    - name: Test with pytest (Linux)
      if: runner.os == 'Linux'
--- a/package/macos-package-app.sh
+++ b/package/macos-package-app.sh
@ -44,8 +44,7 @@ RESULT=$(xcrun altool --notarize-app --type osx \
    --username $APPLE_ID_USER --password $APPLE_ID_PASSWORD \
    --file "$APP_BUNDLE.dmg" --output-format xml)

-REQUEST_UUID=$(echo "$RESULT" | xpath -q -e \
-  "//key[normalize-space(text()) = 'RequestUUID']/following-sibling::string[1]/text()" 2> /dev/null)
+REQUEST_UUID=$(echo "$RESULT" | xpath5.18 "//key[normalize-space(text()) = 'RequestUUID']/following-sibling::string[1]/text()" 2> /dev/null)

 # Poll for notarization status
 echo "Submitted notarization request $REQUEST_UUID, waiting for response..."
@ -56,7 +55,7 @@ do
    --username "$APPLE_ID_USER" \
    --password "$APPLE_ID_PASSWORD" \
    --output-format xml)
-  STATUS=$(echo "$RESULT" | xpath -q -e "//key[normalize-space(text()) = 'Status']/following-sibling::string[1]/text()" 2> /dev/null)
+  STATUS=$(echo "$RESULT" | xpath5.18 "//key[normalize-space(text()) = 'Status']/following-sibling::string[1]/text()" 2> /dev/null)

  if [ "$STATUS" = "success" ]; then
    echo "Notarization of $APP_BUNDLE succeeded!"
--- a/requirements.d/dev.txt
+++ b/requirements.d/dev.txt
@ -1,5 +1,6 @@
 coverage
 flake8
+macholib
 pyinstaller
 pylint
 pytest