Add signing to Github Action Workflow (#912)

.github/workflows/build-macos.yml

@@ -30,11 +30,12 @@ jobs:
     - name: Install build dependencies
       run: |
         brew install --cask sparkle
-        pip install -r dev.txt
+        brew install create-dmg
+        pip3 install -r dev.txt
       working-directory: requirements.d
     - name: Install Vorta
       run: |
-        pip install .
+        pip3 install .
     - name: Package with PyInstaller
       run: |
         pyinstaller --clean --noconfirm package/vorta.spec
@@ -42,9 +43,34 @@ jobs:
         curl -LJO https://github.com/borgbackup/borg/releases/download/${{ github.event.inputs.borg_version }}/borg-macosx64.tgz
         tar xvf borg-macosx64.tgz -C dist/Vorta.app/Contents/Resources/
         cd dist && zip -rq --symlinks Vorta.zip Vorta.app
+
+    - name: Codesign executable
+      continue-on-error: false
+      working-directory: dist
+      env:
+        MACOS_CERTIFICATE: ${{ secrets.MACOS_CERTIFICATE }}
+        MACOS_CERTIFICATE_PWD: ${{ secrets.MACOS_CERTIFICATE_PWD }}
+        CERTIFICATE_NAME: ${{ secrets.MACOS_CERTIFICATE_NAME }}
+        APPLE_ID_USER: ${{ secrets.APPLE_ID_USER }}
+        APPLE_ID_PASSWORD: ${{ secrets.APPLE_ID_PASSWORD }}
+      run: |
+        echo $MACOS_CERTIFICATE | base64 --decode > certificate.p12
+        security create-keychain -p 123 build.keychain
+        security default-keychain -s build.keychain
+        security unlock-keychain -p 123 build.keychain
+        security import certificate.p12 -k build.keychain -A -P $MACOS_CERTIFICATE_PWD -T /usr/bin/codesign
+        security set-key-partition-list -S apple-tool:,apple:,codesign: -s -k 123 build.keychain
+        python3 ../package/fix_app_qt_folder_names_for_codesign.py Vorta.app
+        sh ../package/macos-package-app.sh
+
+    # - name: Setup tmate session
+    #   uses: mxschmitt/action-tmate@v3
+    #   if: ${{ failure() }}
+    #   timeout-minutes: 15
+
     - name: Upload build
       uses: actions/upload-artifact@v2
       with:
-        name: Vorta macOS
-        path: dist/Vorta.zip
+        name: Vorta.dmg
+        path: dist/Vorta.dmg
         retention-days: 10

.github/workflows/test.yml

@@ -49,7 +49,7 @@ jobs:
         pip install -r requirements.d/dev.txt
 
     # - name: Setup tmate session
-    #   uses: mxschmitt/action-tmate@v1
+    #   uses: mxschmitt/action-tmate@v3
 
     - name: Test with pytest (Linux)
       if: runner.os == 'Linux'

package/macos-package-app.sh

@@ -44,8 +44,7 @@ RESULT=$(xcrun altool --notarize-app --type osx \
     --username $APPLE_ID_USER --password $APPLE_ID_PASSWORD \
     --file "$APP_BUNDLE.dmg" --output-format xml)
 
-REQUEST_UUID=$(echo "$RESULT" | xpath -q -e \
-  "//key[normalize-space(text()) = 'RequestUUID']/following-sibling::string[1]/text()" 2> /dev/null)
+REQUEST_UUID=$(echo "$RESULT" | xpath5.18 "//key[normalize-space(text()) = 'RequestUUID']/following-sibling::string[1]/text()" 2> /dev/null)
 
 # Poll for notarization status
 echo "Submitted notarization request $REQUEST_UUID, waiting for response..."
@@ -56,7 +55,7 @@ do
     --username "$APPLE_ID_USER" \
     --password "$APPLE_ID_PASSWORD" \
     --output-format xml)
-  STATUS=$(echo "$RESULT" | xpath -q -e "//key[normalize-space(text()) = 'Status']/following-sibling::string[1]/text()" 2> /dev/null)
+  STATUS=$(echo "$RESULT" | xpath5.18 "//key[normalize-space(text()) = 'Status']/following-sibling::string[1]/text()" 2> /dev/null)
 
   if [ "$STATUS" = "success" ]; then
     echo "Notarization of $APP_BUNDLE succeeded!"

requirements.d/dev.txt

@@ -1,5 +1,6 @@
 coverage
 flake8
+macholib
 pyinstaller
 pylint
 pytest