-
Notifications
You must be signed in to change notification settings - Fork 8
104 lines (93 loc) · 4.09 KB
/
codesign.yml
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
name: Codesign
on:
push:
branches: [ "main", "next" ]
pull_request:
branches: [ "main", "next" ]
permissions:
contents: read
# Testing codesigning on macOS runners
# https://docs.github.com/en/actions/deployment/deploying-xcode-applications/installing-an-apple-certificate-on-macos-runners-for-xcode-development
jobs:
build_with_signing:
runs-on: macos-latest
steps:
- name: Checkout repository
uses: actions/checkout@v4
- name: Install the Apple certificate and provisioning profile
id: keychain
env:
BUILD_CERTIFICATE_BASE64: ${{ secrets.BUILD_CERTIFICATE_BASE64 }}
P12_PASSWORD: ${{ secrets.P12_PASSWORD }}
BUILD_PROVISION_PROFILE_BASE64: ${{ secrets.BUILD_PROVISION_PROFILE_BASE64 }}
KEYCHAIN_PASSWORD: ${{ secrets.KEYCHAIN_PASSWORD }}
AUTH_KEY_BASE64: ${{ secrets.AUTH_KEY_BASE64 }}
run: |
# create variables
CERTIFICATE_PATH=$RUNNER_TEMP/build_certificate.p12
PP_PATH=$RUNNER_TEMP/build_pp.provisionprofile
KEYCHAIN_PATH=$RUNNER_TEMP/app-signing.keychain-db
AUTH_KEY_PATH=$RUNNER_TEMP/AuthKey.p8
# import certificate and provisioning profile from secrets
echo -n "$BUILD_CERTIFICATE_BASE64" | base64 --decode -o $CERTIFICATE_PATH
echo -n "$BUILD_PROVISION_PROFILE_BASE64" | base64 --decode -o $PP_PATH
# create temporary keychain
security create-keychain -p "$KEYCHAIN_PASSWORD" $KEYCHAIN_PATH
security set-keychain-settings -lut 21600 $KEYCHAIN_PATH
security unlock-keychain -p "$KEYCHAIN_PASSWORD" $KEYCHAIN_PATH
# import certificate to keychain
security import $CERTIFICATE_PATH -P "$P12_PASSWORD" -A -t cert -f pkcs12 -k $KEYCHAIN_PATH
security set-key-partition-list -S apple-tool:,apple: -k "$KEYCHAIN_PASSWORD" $KEYCHAIN_PATH
security list-keychain -d user -s $KEYCHAIN_PATH
# apply provisioning profile
mkdir -p ~/Library/MobileDevice/Provisioning\ Profiles
cp $PP_PATH ~/Library/MobileDevice/Provisioning\ Profiles
# create auth key file for notarization
echo -n "$AUTH_KEY_BASE64" | base64 --decode -o $AUTH_KEY_PATH
# setup outputs
echo "auth_key_path=$AUTH_KEY_PATH" >> $GITHUB_OUTPUT
echo "keychain_path=$KEYCHAIN_PATH" >> $GITHUB_OUTPUT
echo "pp_path=$PP_PATH" >> $GITHUB_OUTPUT
echo "certificate_path=$CERTIFICATE_PATH" >> $GITHUB_OUTPUT
- name: Fetch PaperAge release
uses: robinraju/[email protected]
with:
repository: "matiaskorhonen/paper-age"
latest: true
extract: true
fileName: paper-age-universal-apple-darwin.tar.gz
out-file-path: tmp
- name: Show the contents of the release
run: ls -la tmp
- name: Sign the binary
env:
CODESIGN_IDENTITY: "7FP48PW9TN"
CODESIGN_PREFIX: "fi.matias.korhonen."
run: |
# sign the binary
codesign --force --sign "$CODESIGN_IDENTITY" --prefix "$CODESIGN_PREFIX" --options runtime tmp/paper-age
- name: Zip the signed binary
run: zip -r tmp/paper-age-signed.zip tmp/paper-age
- name: Notarize the binary
env:
KEY_ID: ${{ secrets.KEY_ID }}
ISSUER: ${{ secrets.ISSUER }}
run: |
xcrun notarytool submit tmp/paper-age-signed.zip \
--key "${{ steps.keychain.outputs.auth_key_path }}" \
--key-id "$KEY_ID" \
--issuer "$ISSUER" \
--wait
- name: Upload the signed binary
uses: actions/upload-artifact@v4
with:
name: signed-paper-age
path: tmp/paper-age
retention-days: 7
- name: Clean up keychain and provisioning profile
if: ${{ always() }}
run: |
security delete-keychain "${{ steps.keychain.outputs.keychain_path }}"
rm "${{ steps.keychain.outputs.pp_path }}"
rm "${{ steps.keychain.outputs.certificate_path }}"
rm "${{ steps.keychain.outputs.auth_key_path }}"