ci(macOS): use macos-12 builder and fix notarization/signing (#15)

* ci(macOS): test macos-12 builder

* Port over notarytool upgrades

* fix entitlements path

* Alter bundle identifier for notarization, alter display name (NOT bundle name) to be more human readable

* Add comment explaining the unexpected directory and path structure on macOS

---------

Co-authored-by: Ryan McGrath <[email protected]>

.github/workflows/main.yml

@@ -259,7 +259,7 @@ jobs:
             artifact_name: mainline-macOS-playback
             build_config: playback
     name: "macOS ${{ matrix.build_type }}"
-    runs-on: macos-11
+    runs-on: macos-12
     steps:
       - name: "Checkout"
         uses: actions/checkout@v3
@@ -317,7 +317,7 @@ jobs:
           chmod +x Tools/load-macos-certs-ci.sh && ./Tools/load-macos-certs-ci.sh
           mkdir -p ~/private_keys/
           echo '${{ secrets.APPLE_CONNECT_API_KEY }}' > ~/private_keys/AuthKey_${{ secrets.APPLE_API_KEY_ID }}.p8
-          /usr/bin/codesign -f -s "${{ secrets.APPLE_IDENTITY_HASH }}" --deep --options runtime --entitlements Source\Core\DolphinQt\DolphinEmu.entitlements ./build/Binaries/Slippi_Dolphin.app
+          /usr/bin/codesign -f -s "${{ secrets.APPLE_IDENTITY_HASH }}" --deep --options runtime --entitlements Source/Core/DolphinQt/DolphinEmu.entitlements ./build/Binaries/Slippi_Dolphin.app
       - name: "Package DMG"
         shell: bash
         working-directory: ${{ github.workspace }}

Source/Core/Common/FileUtil.cpp

@@ -755,6 +755,17 @@ std::string GetBundleDirectory()
   return app_bundle_path;
 }
 
+// Note that this is currently using `com.project-slippi.dolphin` and *NOT* the actual app
+// bundle identifier (`com.project-slippi.dolphin-beta`). This should get resolved in the
+// future once Ishiiruka goes away, as this build should eventually get the "correct"
+// non-beta identifier after it's deemed general release/availability.
+//
+// This isn't a normal Dolphin flow, to be clear - we only use it for storing files like
+// `user.json` and direct codes payloads. Please resist relying on this further until
+// things are stabilized.
+//
+// To be clear: "fixing" this requires a coordinated Launcher release and is probably
+// something that should just be pushed off until this is about to leave beta.
 std::string GetApplicationSupportDirectory()
 {
   std::string dir =

Source/Core/DolphinQt/Info.plist.in

@@ -34,11 +34,11 @@
     <key>CFBundleName</key>
     <string>Slippi_Dolphin</string>
     <key>CFBundleDisplayName</key>
-    <string>Slippi_Dolphin</string>
+    <string>Slippi Dolphin (Beta)</string>
     <key>CFBundleIconFile</key>
     <string>Dolphin.icns</string>
     <key>CFBundleIdentifier</key>
-	  <string>com.project-slippi.dolphin</string>
+	  <string>com.project-slippi.dolphin-beta</string>
     <key>CFBundleDevelopmentRegion</key>
     <string>English</string>
     <key>CFBundlePackageType</key>

Tools/load-macos-certs-ci.sh

@@ -3,26 +3,42 @@
 KEY_CHAIN=build.keychain
 CERTIFICATE_P12=certificate.p12
 
+echo "(cert-loader) About to b64 decode cert"
+
 # Recreate the certificate from the secure environment variable
 echo $CERTIFICATE_MACOS_APPLICATION | base64 --decode > $CERTIFICATE_P12
 
+echo "(cert-loader) About to create keychain"
+
 # Create a temporary keychain
 security create-keychain -p actions $KEY_CHAIN
 
+echo "(cert-loader) About to set keychain settings"
+
 # Remove the relock timeout, which can happen if our builds take forever.
 security set-keychain-settings $KEY_CHAIN
 
+echo "(cert-loader) About to import cert"
+
 # Import certificate
 security import $CERTIFICATE_P12 -k $KEY_CHAIN -P $CERTIFICATE_MACOS_PASSWORD -T /usr/bin/codesign;
 
+echo "(cert-loader) About to allow access from tools"
+
 # Mark this as okay to be accessed from command line tools
 security set-key-partition-list -S apple-tool:,apple:,codesign: -s -k actions $KEY_CHAIN
 
+echo "(cert-loader) About to make default keychain"
+
 # Make the keychain the default so identities are found
 security default-keychain -s $KEY_CHAIN
 
+echo "(cert-loader) About to unlock keychain"
+
 # Unlock the keychain
 security unlock-keychain -p actions $KEY_CHAIN
 
+echo "(cert-loader) Remove intermediary certs"
+
 # remove certs
 rm -fr *.p12

Tools/notarize_netplay.sh

@@ -3,74 +3,62 @@
 # Signing and notarizing only happens on builds where the CI has access
 # to the necessary secrets; this avoids builds in forks where secrets
 # shouldn't be.
+#
+# Portions of the notarization response checks are borrowed from:
+#
+# https://github.com/smittytone/scripts/blob/main/packcli.zsh
+#
+# (They've done the work of figuring out what the reponse formats are, etc)
 
 version="$(echo $GIT_TAG)"
-identifier="com.project-slippi.dolphin"
+identifier="com.project-slippi.dolphin-beta"
+filepath=${1:?"need a filepath"}
 
-requeststatus() { # $1: requestUUID
-    requestUUID=${1?:"need a request UUID"}
-    req_status=$(xcrun altool --notarization-info "$requestUUID" \
-        --apiKey "${APPLE_API_KEY}" \
-        --apiIssuer "${APPLE_ISSUER_ID}" 2>&1 \
-    | awk -F ': ' '/Status:/ { print $2; }' )
-    echo "$req_status"
-}
+echo "Attempting notarization"
 
-logstatus() { # $1: requestUUID
-    requestUUID=${1?:"need a request UUID"}
-    xcrun altool --notarization-info "$requestUUID" \
-        --apiKey "${APPLE_API_KEY}" \
-        --apiIssuer "${APPLE_ISSUER_ID}"
-    echo
-}
+# Submit the DMG for notarization and wait for the flow to finish
+s_time=$(date +%s)
+response=$(xcrun notarytool submit ${filepath} \
+    --wait \
+    --issuer ${APPLE_ISSUER_ID} \
+    --key-id ${APPLE_API_KEY} \
+    --key ~/private_keys/AuthKey_${APPLE_API_KEY}.p8)
 
-notarizefile() { # $1: path to file to notarize, $2: identifier
-    filepath=${1:?"need a filepath"}
-    identifier=${2:?"need an identifier"}
-
-    # upload file
-    echo "## uploading $filepath for notarization"
-    requestUUID=$(xcrun altool --notarize-app \
-        --primary-bundle-id "$identifier" \
-        --apiKey "${APPLE_API_KEY}" \
-        --apiIssuer "${APPLE_ISSUER_ID}" \
-        --file "$filepath" 2>&1 \
-    | awk '/RequestUUID/ { print $NF; }')
-
-    echo "Notarization RequestUUID: $requestUUID"
-
-    if [[ $requestUUID == "" ]]; then 
-        echo "could not upload for notarization"
-        exit 1
-    fi
-
-    # wait for status to be not "in progress" any more
-    # Checks for up to ~10 minutes ((20 * 30s = 600) / 60s)
-    for i ({0..20}); do
-        request_status=$(requeststatus "$requestUUID")
-        echo "Status: ${request_status}"
+# Get the notarization job ID from the response
+job_id_line=$(grep -m 1 '  id:' < <(echo -e "${response}"))
+job_id=$(echo "${job_id_line}" | cut -d ":" -s -f 2 | cut -d " " -f 2)
 
-        # Why can this report two different cases...?
-        if [ $? -ne 0 ] || [[ "${request_status}" =~ "invalid" ]] || [[ "${request_status}" =~ "Invalid" ]]; then
-            logstatus "$requestUUID"
-            echo "Error with notarization. Exiting!"
-            exit 1
-        fi
+# Log some debug timing info.
+e_time=$(date +%s)
+n_time=$((e_time - s_time))
+echo "Notarization call completed after ${n_time} seconds. Job ID: ${job_id}"
 
-        if [[ "${request_status}" =~ "success" ]]; then
-            logstatus "$requestUUID"
-            echo "Successfully notarized! Stapling notarization status to ${filepath}"
-            xcrun stapler staple "$filepath"
-            exit 0
-        fi
+# Extract the status of the notarization job.
+status_line=$(grep -m 1 '  status:' < <(echo -e "${response}"))
+status_result=$(echo "${status_line}" | cut -d ":" -s -f 2 | cut -d " " -f 2)
 
-        echo "Still in progress, will check again in 30s"
-        sleep 30
-    done
+# Fetch and echo the log *before* bailing if it's bad, so we can tell if there's
+# a deeper error we need to handle.
+log_response=$(xcrun notarytool log \
+    --issuer ${APPLE_ISSUER_ID} \
+    --key-id ${APPLE_API_KEY} \
+    --key ~/private_keys/AuthKey_${APPLE_API_KEY}.p8 \
+    ${job_id})
+echo "${log_response}"
 
-    echo "Notarization request timed out - status below; maybe it needs more time?"
-    logstatus "$requestUUID"
-}
+if [[ ${status_result} != "Accepted" ]]; then
+    echo "Notarization failed with status ${status_result}"
+    exit 1
+fi
 
-echo "Attempting notarization"
-notarizefile "$1" "$identifier"
+# Attempt to staple the notarization result to the app.
+echo "Successfully notarized! Stapling notarization status to ${filepath}"
+success=$(xcrun stapler staple "${filepath}")
+if [[ -z "${success}" ]]; then
+    echo "Could not staple notarization to app"
+    exit 1
+fi
+
+# Confirm the staple actually worked...
+echo "Checking notarization to ${filepath}"
+spctl --assess -vvv --type install "${filepath}"