From 889d0bc0f95b026611fbd165968456671c45bf2b Mon Sep 17 00:00:00 2001
From: falkTX
Date: Fri, 30 Jan 2026 23:31:51 +0100
Subject: [PATCH] Sign and Notarize macOS builds
Signed-off-by: falkTX
---
.github/workflows/build.yml | 7 ++++++
dpf | 2 +-
utils/create-macos-installer.sh | 41 +++++++++++++++++++++++++++++++++
3 files changed, 49 insertions(+), 1 deletion(-)
diff --git a/.github/workflows/build.yml b/.github/workflows/build.yml
index c1dd648..57369d4 100644
--- a/.github/workflows/build.yml
+++ b/.github/workflows/build.yml
@@ -202,6 +202,13 @@ jobs:
 - name: Build macOS (packaging)
 if: steps.cache.outputs.cache-hit == 'true'
 shell: bash
+ env:
+ MACOS_APP_CERTIFICATE: ${{ secrets.MACOS_APP_CERTIFICATE }}
+ MACOS_INSTALLER_CERTIFICATE: ${{ secrets.MACOS_INSTALLER_CERTIFICATE }}
+ MACOS_CERTIFICATE_PASSWORD: ${{ secrets.MACOS_CERTIFICATE_PASSWORD }}
+ MACOS_NOTARIZATION_USER: ${{ secrets.MACOS_NOTARIZATION_USER }}
+ MACOS_NOTARIZATION_PASS: ${{ secrets.MACOS_NOTARIZATION_PASS }}
+ MACOS_NOTARIZATION_TEAM: ${{ secrets.MACOS_NOTARIZATION_TEAM }}
 run: |
 source deps/PawPaw/local.env macos-universal-10.15
 ./utils/create-macos-installer.sh
diff --git a/dpf b/dpf
index d38701a..1f459dc 160000
--- a/dpf
+++ b/dpf
@@ -1 +1 @@
-Subproject commit d38701abff789f44f2f483a6360416a9adbcc8f9
+Subproject commit 1f459dc33d58761b53fbecbfdabbb03b241781b4
diff --git a/utils/create-macos-installer.sh b/utils/create-macos-installer.sh
index c88d2d1..c8d4880 100755
--- a/utils/create-macos-installer.sh
+++ b/utils/create-macos-installer.sh
@@ -26,10 +26,34 @@ rm -rf vst2/*.vst/Contents/Resources
 rm -rf vst3/*.vst3/Contents/Resources
 rm -rf clap/*.clap/Contents/Resources
+if [ -n "${MACOS_APP_CERTIFICATE}" ] && [ -n "${MACOS_INSTALLER_CERTIFICATE}" ] && [ -n "${MACOS_CERTIFICATE_PASSWORD}" ]; then
+ security create-keychain -p "" $(pwd)/keychain.db
+ security unlock-keychain -p "" $(pwd)/keychain.db
+ echo -n "${MACOS_APP_CERTIFICATE}" | base64 --decode -o cert.p12
+ security import cert.p12 -P "${MACOS_CERTIFICATE_PASSWORD}" -A -t cert -f pkcs12 -k $(pwd)/keychain.db
+ echo -n "${MACOS_INSTALLER_CERTIFICATE}" | base64 --decode -o cert.p12
+ security import cert.p12 -P "${MACOS_CERTIFICATE_PASSWORD}" -A -t cert -f pkcs12 -k $(pwd)/keychain.db
+ rm cert.p12
+ security list-keychain -d user -s $(pwd)/keychain.db
+
+ MACOS_APP_DEV_ID="$(security find-identity -v $(pwd)/keychain.db | grep 'Developer ID Application:' | head -n 1 | cut -d' ' -f 5-99 | sed 's/\"//g')"
+ codesign -s "${MACOS_APP_DEV_ID}" --deep --force --verbose --option=runtime au/*.component
+ codesign -s "${MACOS_APP_DEV_ID}" --deep --force --verbose --option=runtime clap/*.clap
+ codesign -s "${MACOS_APP_DEV_ID}" --deep --force --verbose --option=runtime jack/*.app
+ codesign -s "${MACOS_APP_DEV_ID}" --deep --force --verbose --option=runtime native/*.app
+ codesign -s "${MACOS_APP_DEV_ID}" --deep --force --verbose --option=runtime vst2/*.vst
+ codesign -s "${MACOS_APP_DEV_ID}" --deep --force --verbose --option=runtime vst3/*.vst3
+ codesign -s "${MACOS_APP_DEV_ID}" --force --verbose --option=runtime lv2/*.lv2/*.dylib
+
+ MACOS_INSTALLER_DEV_ID="$(security find-identity -v $(pwd)/keychain.db | grep 'Developer ID Installer:' | head -n 1 | cut -d' ' -f 5-99 | sed 's/\"//g')"
+ PKG_SIGN_ARGS=(--sign "${MACOS_INSTALLER_DEV_ID}")
+fi
+
 pkgbuild \
 --identifier "studio.kx.distrho.cardinal.resources" \
 --install-location "/Library/Application Support/Cardinal/" \
 --root "${PWD}/res/" \
+ "${PKG_SIGN_ARGS[@]}" \
 ../dpf-cardinal-resources.pkg
 pkgbuild \
@@ -37,6 +61,7 @@ pkgbuild \
 --component-plist "../utils/macOS/Build_JACK.plist" \
 --install-location "/Applications/" \
 --root "${PWD}/jack/" \
+ "${PKG_SIGN_ARGS[@]}" \
 ../dpf-cardinal-jack.pkg
 pkgbuild \
@@ -44,36 +69,42 @@ pkgbuild \
 --component-plist "../utils/macOS/Build_Native.plist" \
 --install-location "/Applications/" \
 --root "${PWD}/native/" \
+ "${PKG_SIGN_ARGS[@]}" \
 ../dpf-cardinal-native.pkg
 pkgbuild \
 --identifier "studio.kx.distrho.plugins.cardinal.components" \
 --install-location "/Library/Audio/Plug-Ins/Components/" \
 --root "${PWD}/au/" \
+ "${PKG_SIGN_ARGS[@]}" \
 ../dpf-cardinal-components.pkg
 pkgbuild \
 --identifier "studio.kx.distrho.plugins.cardinal.lv2bundles" \
 --install-location "/Library/Audio/Plug-Ins/LV2/" \
 --root "${PWD}/lv2/" \
+ "${PKG_SIGN_ARGS[@]}" \
 ../dpf-cardinal-lv2bundles.pkg
 pkgbuild \
 --identifier "studio.kx.distrho.plugins.cardinal.vst2bundles" \
 --install-location "/Library/Audio/Plug-Ins/VST/" \
 --root "${PWD}/vst2/" \
+ "${PKG_SIGN_ARGS[@]}" \
 ../dpf-cardinal-vst2bundles.pkg
 pkgbuild \
 --identifier "studio.kx.distrho.plugins.cardinal.vst3bundles" \
 --install-location "/Library/Audio/Plug-Ins/VST3/" \
 --root "${PWD}/vst3/" \
+ "${PKG_SIGN_ARGS[@]}" \
 ../dpf-cardinal-vst3bundles.pkg
 pkgbuild \
 --identifier "studio.kx.distrho.plugins.cardinal.clapbundles" \
 --install-location "/Library/Audio/Plug-Ins/CLAP/" \
 --root "${PWD}/clap/" \
+ "${PKG_SIGN_ARGS[@]}" \
 ../dpf-cardinal-clapbundles.pkg
 cd ..
@@ -86,4 +117,14 @@ productbuild \
 --identifier "studio.kx.distrho.cardinal" \
 --package-path "${PWD}" \
 --version 0 \
+ "${PKG_SIGN_ARGS[@]}" \
 Cardinal-macOS.pkg
+
+if [ -n "${MACOS_NOTARIZATION_USER}" ] && [ -n "${MACOS_NOTARIZATION_PASS}" ] && [ -n "${MACOS_NOTARIZATION_TEAM}" ]; then
+ xcrun notarytool submit Cardinal-macOS.pkg \
+ --apple-id ${MACOS_NOTARIZATION_USER} \
+ --password ${MACOS_NOTARIZATION_PASS} \
+ --team-id ${MACOS_NOTARIZATION_TEAM} \
+ --wait
+ xcrun stapler staple Cardinal-macOS.pkg
+fi
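Review bot: The keychain created on the `security create-keychain` line holds the imported Developer ID private keys behind an empty password with `-A` (any application may use them), and nothing in this hunk deletes it or restores the search list that `security list-keychain -s` replaced, so `keychain.db` (and `cert.p12`, if the script aborts between the two imports) stays in the build directory after signing. I would register cleanup right after creation, e.g. `trap 'security delete-keychain "${PWD}/keychain.db"; rm -f cert.p12' EXIT`, and quote the `$(pwd)/keychain.db` expansions while there. The `MACOS_APP_DEV_ID` pipeline (grep/head/cut/sed over `find-identity` output) silently yields an empty string when no Application identity was imported, so `codesign -s ""` then fails with an opaque error; a guard such as `[ -n "${MACOS_APP_DEV_ID}" ] || { echo "no Developer ID Application identity in keychain" >&2; exit 1; }` (and the same for the Installer identity) names the real cause. Separately, `"${PKG_SIGN_ARGS[@]}"` on the pkgbuild line is expanded even when the `if` was skipped and the array is unset; that is harmless under plain `set -e`, but if the script header (outside the hunk) enables `set -u`, the macOS default bash 3.2 aborts on it even for an empty array, so the `${PKG_SIGN_ARGS[@]+"${PKG_SIGN_ARGS[@]}"}` form is safer — the same applies to the three following hunks that add the argument to the other `pkgbuild` calls and to `productbuild`.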
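Review bot: The `xcrun notarytool submit` call passes `${MACOS_NOTARIZATION_PASS}` on the command line, so the app-specific password sits in the runner's process list for the whole `--wait` period and would be printed verbatim by any `set -x` tracing; the three expansions are also unquoted, unlike every other variable in the script. At minimum quote them (`--password "${MACOS_NOTARIZATION_PASS}"`); better, store the credentials once with `xcrun notarytool store-credentials` and submit with `--keychain-profile`, which keeps the secret off the argv of the long-running submit. The `if` also treats an empty `MACOS_NOTARIZATION_*` set as "skip notarization" exactly like the signing block does, which is fine for forks but worth a one-line comment so a missing secret on the release job is not mistaken for success.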