From 5b32b1cac430e3038319e46c9e10f459e95ca598 Mon Sep 17 00:00:00 2001
From: Filipe Coelho
Date: Sat, 31 Jan 2026 07:27:03 +0100
Subject: [PATCH] macOS signing and notarization (#516)
* Allow to pass p12 certificates to CI for macOS signing
* test passing secrets to CI job
* fix html file location for web-meters example
* push all builds for notarization
---
 .github/workflows/cmake.yml | 14 ++++++++++++++
 .github/workflows/example-plugins.yml | 14 ++++++++++++++
 examples/WebMeters/Makefile | 8 ++++++--
 utils/package-osx-bundles.sh | 14 ++++++++++++++
 4 files changed, 48 insertions(+), 2 deletions(-)
diff --git a/.github/workflows/cmake.yml b/.github/workflows/cmake.yml
index 4d2c77bd..b297f7af 100644
--- a/.github/workflows/cmake.yml
+++ b/.github/workflows/cmake.yml
@@ -49,6 +49,13 @@ jobs:
 with:
 submodules: recursive
 - uses: distrho/dpf-cmake-action@v1
+ env:
+ MACOS_APP_CERTIFICATE: ${{ secrets.MACOS_APP_CERTIFICATE }}
+ MACOS_INSTALLER_CERTIFICATE: ${{ secrets.MACOS_INSTALLER_CERTIFICATE }}
+ MACOS_CERTIFICATE_PASSWORD: ${{ secrets.MACOS_CERTIFICATE_PASSWORD }}
+ MACOS_NOTARIZATION_USER: ${{ secrets.MACOS_NOTARIZATION_USER }}
+ MACOS_NOTARIZATION_PASS: ${{ secrets.MACOS_NOTARIZATION_PASS }}
+ MACOS_NOTARIZATION_TEAM: ${{ secrets.MACOS_NOTARIZATION_TEAM }}
 with:
 dpf_path: .
 suffix: _14
@@ -64,6 +71,13 @@ jobs:
 with:
 submodules: recursive
 - uses: distrho/dpf-cmake-action@v1
+ env:
+ MACOS_APP_CERTIFICATE: ${{ secrets.MACOS_APP_CERTIFICATE }}
+ MACOS_INSTALLER_CERTIFICATE: ${{ secrets.MACOS_INSTALLER_CERTIFICATE }}
+ MACOS_CERTIFICATE_PASSWORD: ${{ secrets.MACOS_CERTIFICATE_PASSWORD }}
+ MACOS_NOTARIZATION_USER: ${{ secrets.MACOS_NOTARIZATION_USER }}
+ MACOS_NOTARIZATION_PASS: ${{ secrets.MACOS_NOTARIZATION_PASS }}
+ MACOS_NOTARIZATION_TEAM: ${{ secrets.MACOS_NOTARIZATION_TEAM }}
 with:
 dpf_path: .
 suffix: _15
diff --git a/.github/workflows/example-plugins.yml b/.github/workflows/example-plugins.yml
index b0d164ad..b6fa574b 100644
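Review bot: The signing certificates, their password and the notarization credentials are handed to `distrho/dpf-cmake-action@v1`, which is referenced by a movable tag, so whatever commit `v1` points at when the job runs receives all six secrets. Pinning the step to a full commit SHA, `- uses: distrho/dpf-cmake-action@<full-commit-sha> # v1`, fixes the code that gets to see them. The same applies to the second hunk in this file and to both `distrho/dpf-makefile-action@v1` hunks in `.github/workflows/example-plugins.yml`. The workflow triggers and job conditions are outside these hunks; it is worth confirming the jobs only run on events where exposing release-signing material is intended, or moving the secrets behind a protected environment.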
--- a/.github/workflows/example-plugins.yml
+++ b/.github/workflows/example-plugins.yml
@@ -49,6 +49,13 @@ jobs:
 with:
 submodules: recursive
 - uses: distrho/dpf-makefile-action@v1
+ env:
+ MACOS_APP_CERTIFICATE: ${{ secrets.MACOS_APP_CERTIFICATE }}
+ MACOS_INSTALLER_CERTIFICATE: ${{ secrets.MACOS_INSTALLER_CERTIFICATE }}
+ MACOS_CERTIFICATE_PASSWORD: ${{ secrets.MACOS_CERTIFICATE_PASSWORD }}
+ MACOS_NOTARIZATION_USER: ${{ secrets.MACOS_NOTARIZATION_USER }}
+ MACOS_NOTARIZATION_PASS: ${{ secrets.MACOS_NOTARIZATION_PASS }}
+ MACOS_NOTARIZATION_TEAM: ${{ secrets.MACOS_NOTARIZATION_TEAM }}
 with:
 dpf_path: .
 suffix: _14
@@ -64,6 +71,13 @@ jobs:
 with:
 submodules: recursive
 - uses: distrho/dpf-makefile-action@v1
+ env:
+ MACOS_APP_CERTIFICATE: ${{ secrets.MACOS_APP_CERTIFICATE }}
+ MACOS_INSTALLER_CERTIFICATE: ${{ secrets.MACOS_INSTALLER_CERTIFICATE }}
+ MACOS_CERTIFICATE_PASSWORD: ${{ secrets.MACOS_CERTIFICATE_PASSWORD }}
+ MACOS_NOTARIZATION_USER: ${{ secrets.MACOS_NOTARIZATION_USER }}
+ MACOS_NOTARIZATION_PASS: ${{ secrets.MACOS_NOTARIZATION_PASS }}
+ MACOS_NOTARIZATION_TEAM: ${{ secrets.MACOS_NOTARIZATION_TEAM }}
 with:
 dpf_path: .
 suffix: _15
diff --git a/examples/WebMeters/Makefile b/examples/WebMeters/Makefile
index 441269dc..2d5c125c 100644
--- a/examples/WebMeters/Makefile
+++ b/examples/WebMeters/Makefile
@@ -43,13 +43,17 @@ TARGETS += clap
 TARGETS += au
 ifeq ($(MACOS_APP_BUNDLE),true)
+aufiles += $(TARGET_DIR)/$(NAME).component/Contents/Resources/index.html
+clapfiles += $(TARGET_DIR)/$(NAME).clap/Contents/Resources/index.html
 jackfiles += $(TARGET_DIR)/$(NAME).app/Contents/Resources/index.html
+vst2files += $(TARGET_DIR)/$(NAME).vst/Contents/Resources/index.html
 else
+clapfiles += $(TARGET_DIR)/$(NAME).clap/resources/index.html
 jackfiles += $(TARGET_DIR)/resources/index.html
+lv2files += $(TARGET_DIR)/$(NAME).lv2/resources/index.html
+vst2files += $(TARGET_DIR)/$(NAME).vst/resources/index.html
 endif
-clapfiles += $(TARGET_DIR)/$(NAME).clap/resources/index.html
-vst2files += $(TARGET_DIR)/$(NAME).vst/resources/index.html
 vst3files += $(TARGET_DIR)/$(NAME).vst3/Contents/Resources/index.html
 all: $(TARGETS) $(jackfiles) $(clapfiles) $(vst2files) $(vst3files)
diff --git a/utils/package-osx-bundles.sh b/utils/package-osx-bundles.sh
index ecfeb41a..8dcca49f 100755
--- a/utils/package-osx-bundles.sh
+++ b/utils/package-osx-bundles.sh
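Review bot: The new `aufiles` and `lv2files` lists are not prerequisites of `all:`, which at the end of this hunk still reads `all: $(TARGETS) $(jackfiles) $(clapfiles) $(vst2files) $(vst3files)`. Unless the included DPF makefiles consume those two variables (not visible here), the AU and LV2 copies of `index.html` are never requested by a default build; `all: $(TARGETS) $(aufiles) $(clapfiles) $(jackfiles) $(lv2files) $(vst2files) $(vst3files)` would cover them. The rules that produce the new `.component/Contents/Resources/` and `.lv2/resources/` paths also lie outside the hunk and need to exist for these prerequisites to resolve. A one-line comment above the `ifeq` saying why macOS bundles keep the page under `Contents/Resources` (presumably so it is covered by the bundle's code signature) would help the next reader.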
@@ -20,6 +20,20 @@ else
 exit
 fi
+if [ -n "${MACOS_APP_CERTIFICATE}" ] && [ -n "${MACOS_INSTALLER_CERTIFICATE}" ] && [ -n "${MACOS_CERTIFICATE_PASSWORD}" ]; then
+ security create-keychain -p "" $(pwd)/keychain.db
+ security unlock-keychain -p "" $(pwd)/keychain.db
+ echo -n "${MACOS_APP_CERTIFICATE}" | base64 --decode -o cert.p12
+ security import cert.p12 -P "${MACOS_CERTIFICATE_PASSWORD}" -A -t cert -f pkcs12 -k $(pwd)/keychain.db
+ echo -n "${MACOS_INSTALLER_CERTIFICATE}" | base64 --decode -o cert.p12
+ security import cert.p12 -P "${MACOS_CERTIFICATE_PASSWORD}" -A -t cert -f pkcs12 -k $(pwd)/keychain.db
+ rm cert.p12
+ # security set-key-partition-list -S apple-tool:,apple: -k "" $(pwd)/keychain.db
+ security list-keychain -d user -s $(pwd)/keychain.db
+ export MACOS_APP_DEV_ID="$(security find-identity -v $(pwd)/keychain.db | grep 'Developer ID Application:' | head -n 1 | cut -d' ' -f 5-99 | sed 's/\"//g')"
+ export MACOS_INSTALLER_DEV_ID="$(security find-identity -v $(pwd)/keychain.db | grep 'Developer ID Installer:' | head -n 1 | cut -d' ' -f 5-99 | sed 's/\"//g')"
+fi
+
 # can be overridden by environment variables
 MACOS_PKG_LICENSE_FILE=${MACOS_PKG_LICENSE_FILE:=""}
 MACOS_PKG_NAME=${MACOS_PKG_NAME:="$(basename $(git rev-parse --show-toplevel))"}
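Review bot: The keychain that receives the Developer ID keys is created with an empty password at `$(pwd)/keychain.db` and nothing in this hunk deletes it, so the private keys stay in the working directory after the script ends; `cert.p12` is likewise written to the working directory and survives if the script stops before `rm cert.p12` (for example under `set -e`, which is not visible here). Creating both under a `mktemp -d` directory, giving the keychain a per-run password, and registering an EXIT trap that runs `security delete-keychain` and removes the directory closes that gap; this assumes signing happens later in this same script and that no other EXIT trap is set outside the hunk. `-A` on `security import` lets any application use the imported keys without prompting; `-T /usr/bin/codesign -T /usr/bin/productsign` would narrow that, though it may need the commented-out `set-key-partition-list` step to work non-interactively. The unquoted `$(pwd)` expansions also break on a path containing spaces, which the quoted variable below avoids.

```shell
if [ -n "${MACOS_APP_CERTIFICATE}" ] && [ -n "${MACOS_INSTALLER_CERTIFICATE}" ] && [ -n "${MACOS_CERTIFICATE_PASSWORD}" ]; then
  SIGN_TMPDIR="$(mktemp -d)"
  SIGN_KEYCHAIN="${SIGN_TMPDIR}/keychain.db"
  SIGN_KEYCHAIN_PASS="$(openssl rand -hex 32)"
  # remove the keychain and any decoded certificate however the script exits
  trap 'security delete-keychain "${SIGN_KEYCHAIN}" 2>/dev/null; rm -rf "${SIGN_TMPDIR}"' EXIT
  security create-keychain -p "${SIGN_KEYCHAIN_PASS}" "${SIGN_KEYCHAIN}"
  security unlock-keychain -p "${SIGN_KEYCHAIN_PASS}" "${SIGN_KEYCHAIN}"
  echo -n "${MACOS_APP_CERTIFICATE}" | base64 --decode -o "${SIGN_TMPDIR}/cert.p12"
  security import "${SIGN_TMPDIR}/cert.p12" -P "${MACOS_CERTIFICATE_PASSWORD}" -A -t cert -f pkcs12 -k "${SIGN_KEYCHAIN}"
  # … installer certificate: decoded and imported the same way, then cert.p12 removed …
  security list-keychain -d user -s "${SIGN_KEYCHAIN}"
  # … unchanged apart from the keychain path: MACOS_APP_DEV_ID / MACOS_INSTALLER_DEV_ID lookups …
```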