From 5a7098cb4148c7c3f2c5f018ba9055542debc6ef Mon Sep 17 00:00:00 2001
From: Owen Rudge
Date: Wed, 14 Jun 2023 16:14:45 +0100
Subject: [PATCH] Change: [Actions] Use notarytool for notarization instead of gon
---
.github/workflows/release-macos.yml | 16 +++++++--------
os/macosx/notarize.sh | 32 ++++++-----------------------
2 files changed, 14 insertions(+), 34 deletions(-)
diff --git a/.github/workflows/release-macos.yml b/.github/workflows/release-macos.yml
index 596692eaab..ec82f8653e 100644
--- a/.github/workflows/release-macos.yml
+++ b/.github/workflows/release-macos.yml
@@ -162,19 +162,19 @@ jobs:
rm -f bundles/*.sha256
echo "::endgroup::"
- - name: Install gon
- env:
- HOMEBREW_NO_AUTO_UPDATE: 1
- HOMEBREW_NO_INSTALL_CLEANUP: 1
- run: |
- brew tap mitchellh/gon
- brew install mitchellh/gon/gon
-
- name: Notarize
env:
AC_USERNAME: ${{ secrets.APPLE_DEVELOPER_APP_USERNAME }}
AC_PASSWORD: ${{ secrets.APPLE_DEVELOPER_APP_PASSWORD }}
+ AC_TEAM_ID: ${{ secrets.APPLE_DEVELOPER_TEAM_ID }}
run: |
+ if [ -z "${AC_USERNAME}" ]; then
+ # We may be running on a fork that doesn't have notarization secrets set up; skip this step
+ echo No notarization secrets set up, skipping.
+ exit 0
+ fi
+
+ xcrun notarytool store-credentials --apple-id "${AC_USERNAME}" --password "${AC_PASSWORD}" --team-id "${AC_TEAM_ID}" openttd
cd build-x64
../os/macosx/notarize.sh
diff --git a/os/macosx/notarize.sh b/os/macosx/notarize.sh
index 55405cdd89..c34606bdc2 100755
--- a/os/macosx/notarize.sh
+++ b/os/macosx/notarize.sh
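Review bot: The new skip guard in the Notarize step only tests AC_USERNAME, so a repository that has the username and password secrets but not the newly required APPLE_DEVELOPER_TEAM_ID (or a fork with a partial set of secrets) will run `store-credentials` with an empty `--team-id` and fail the release job at this step instead of skipping cleanly. Guarding on all three inputs is cheap: `if [ -z "${AC_USERNAME}" ] || [ -z "${AC_PASSWORD}" ] || [ -z "${AC_TEAM_ID}" ]; then`. Separately, `--password "${AC_PASSWORD}"` places the app-specific password on the command line, where it is visible to `ps` on the runner and would be printed verbatim if this step ever ran under `set -x`; GitHub masks registered secrets in the job log, but argv exposure is outside that masking. On a self-hosted runner the stored "openttd" keychain profile would presumably also outlive the job unless it is deleted afterwards, so it is worth a comment or a cleanup step there; if the notarytool shipped with the Xcode in use supports App Store Connect API keys (`--key`/`--key-id`/`--issuer`), that would avoid handling the Apple ID password here at all.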
@@ -5,11 +5,8 @@ set -e
# If you are building an unofficial branch of OpenTTD, please change the bundle
# ID in Info.plist and below.
#
-# This uses `gon' to perform notarization:
-#
-# https://github.com/mitchellh/gon
-#
-# Follow the setup instructions on the gon site to install.
+# This uses the Xcode notarytool to perform notarization. You must set up a keychain
+# profile called "openttd" using the "store-credentials" notarytool command beforehand.
#
# Before executing this script, you must first configure CMake with at least the following
# parameters:
@@ -22,19 +19,11 @@ set -e
# This will sign the application with your signing certificate, and will enable
# the hardened runtime.
#
-# You also need to set your Apple Developer username and password (app-specific password
-# is recommended) in the AC_USERNAME and AC_PASSWORD environment variables.
-#
# Then, ensuring you're in your build directory and that the "bundles" directory
# exists with a .dmg in it (clear out any old DMGs first), run:
#
# ../os/macosx/notarize.sh
-if [ -z "${AC_USERNAME}" ]; then
- echo AC_USERNAME not set, skipping notarization.
- exit 0
-fi;
-
dmg_filename=(bundles/*.dmg)
if [ "${dmg_filename}" = "bundles/*.dmg" ]; then
@@ -43,24 +32,15 @@ if [ "${dmg_filename}" = "bundles/*.dmg" ]; then
exit 1
fi;
-cat < notarize.json
-{
- "notarize": [
- {
- "path": "${dmg_filename[0]}",
- "bundle_id": "org.openttd.openttd",
- "staple": true
- }
- ]
-}
-EOF
+xcrun notarytool submit ${dmg_filename[0]} --keychain-profile "openttd" --wait
-gon notarize.json
+# Staple the ticket to the .dmg
+xcrun stapler staple "${dmg_filename[0]}"
app_filename=(_CPack_Packages/*/Bundle/openttd-*/OpenTTD.app)
if [ "${app_filename}" = "_CPack_Packages/*/Bundle/openttd-*/OpenTTD.app" ]; then
- echo "No .app found in the _CPack_Packages directory, skipping stapling."
+ echo "No .app found in the _CPack_Packages directory, skipping app stapling."
exit 0
fi;
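Review bot: In the last hunk, `xcrun notarytool submit ${dmg_filename[0]} ...` leaves the DMG path unquoted while the new `xcrun stapler staple "${dmg_filename[0]}"` line just below quotes it; a build directory whose path contains a space or a glob character would split or re-expand that argument and break the submission, so write `xcrun notarytool submit "${dmg_filename[0]}" --keychain-profile "openttd" --wait`. I am not certain that `--wait` exits non-zero for every non-Accepted outcome on every Xcode release; if it does not, the only thing that stops the script under `set -e` is the stapler failing because no ticket exists, which leaves the release log without the actual rejection reasons, so consider checking the printed status and running `xcrun notarytool log <submission-id> --keychain-profile "openttd"` when it is not Accepted. The profile name "openttd" is also hard-coded both here and in the workflow; reading it as `"${AC_KEYCHAIN_PROFILE:-openttd}"` would let unofficial builds, which the header already asks to use their own bundle ID, keep a separate profile without editing the script.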