Skip to content

Commit

Permalink
Merge pull request #748 from byrnHDF/master-dmg-sign
Browse files Browse the repository at this point in the history
Add signing of dmgs
  • Loading branch information
byrnHDF authored Aug 19, 2024
2 parents ad66917 + 4497354 commit c7667db
Show file tree
Hide file tree
Showing 2 changed files with 57 additions and 0 deletions.
54 changes: 54 additions & 0 deletions .github/workflows/cmake-ctest.yml
Original file line number Diff line number Diff line change
Expand Up @@ -23,6 +23,12 @@ on:
required: true
default: snapshots
secrets:
APPLE_CERTS_BASE64:
required: true
APPLE_CERTS_BASE64_PASSWD:
required: true
KEYCHAIN_PASSWD:
required: true
AZURE_TENANT_ID:
required: true
AZURE_CLIENT_ID:
Expand Down Expand Up @@ -320,6 +326,28 @@ jobs:
with:
version: "1.10.0"

- name: Install the Apple certificate and provisioning profile
shell: bash
env:
BUILD_CERTIFICATE_BASE64: ${{ secrets.APPLE_CERTS_BASE64 }}
P12_PASSWORD: ${{ secrets.APPLE_CERTS_BASE64_PASSWD }}
KEYCHAIN_PASSWD: ${{ secrets.KEYCHAIN_PASSWD }}
run: |
# create variables
CERTIFICATE_PATH=$RUNNER_TEMP/build_certificate.p12
KEYCHAIN_FILE=${{ vars.KEYCHAIN_NAME }}.keychain
# import certificate from secrets
echo $BUILD_CERTIFICATE_BASE64 | base64 --decode > $CERTIFICATE_PATH
security -v create-keychain -p $KEYCHAIN_PASSWD $KEYCHAIN_FILE
security -v list-keychain -d user -s $KEYCHAIN_FILE
security -v list-keychains
security -v set-keychain-settings -lut 21600 $KEYCHAIN_FILE
security -v unlock-keychain -p $KEYCHAIN_PASSWD $KEYCHAIN_FILE
# import certificate to keychain
security -v import $CERTIFICATE_PATH -P $P12_PASSWORD -A -t cert -f pkcs12 -k $KEYCHAIN_FILE
security -v set-key-partition-list -S apple-tool:,codesign:,apple: -k $KEYCHAIN_PASSWD $KEYCHAIN_FILE
if: ${{ needs.check-secret.outputs.sign-state == 'exists' }}

- name: Set up JDK 19
uses: actions/setup-java@v4
with:
Expand Down Expand Up @@ -369,6 +397,32 @@ jobs:
cmake --workflow --preset=${{ inputs.preset_name }}-MACOS-Clang --fresh
shell: bash

- name: Sign dmg (MacOS_latest)
id: sign-dmg
env:
KEYCHAIN_PASSWD: ${{ secrets.KEYCHAIN_PASSWD }}
KEYCHAIN_NAME: ${{ vars.KEYCHAIN_NAME }}
SIGNER: ${{ vars.SIGNER }}
NOTARY_USER: ${{ vars.NOTARY_USER }}
NOTARY_KEY: ${{ vars.NOTARY_KEY }}
run: |
/usr/bin/codesign --force --timestamp --options runtime --verbose=4 --strict --sign ${{ env.SIGNER }} --deep ${{ runner.workspace }}/hdf4/build/${{ inputs.preset_name }}-Clang/*.dmg
if: ${{ needs.check-secret.outputs.sign-state == 'exists' }}
shell: bash

- name: Notarize dmg (MacOS_latest)
id: notarize-dmg
env:
KEYCHAIN_PASSWD: ${{ secrets.KEYCHAIN_PASSWD }}
KEYCHAIN_NAME: ${{ vars.KEYCHAIN_NAME }}
SIGNER: ${{ vars.SIGNER }}
NOTARY_USER: ${{ vars.NOTARY_USER }}
NOTARY_KEY: ${{ vars.NOTARY_KEY }}
run: |
/usr/bin/xcrun notarytool submit --wait --output-format json --apple-id" ${{ env.NOTARY_USER }} --password ${{ env.NOTARY_KEY }} --team-id ${{ env.SIGNER }} ${{ runner.workspace }}/hdf4/build/${{ inputs.preset_name }}-Clang/*.dmg
if: ${{ needs.check-secret.outputs.sign-state == 'exists' }}
shell: bash

- name: Publish binary (MacOS_latest)
id: publish-ctest-binary
run: |
Expand Down
3 changes: 3 additions & 0 deletions .github/workflows/daily-build.yml
Original file line number Diff line number Diff line change
Expand Up @@ -45,6 +45,9 @@ jobs:
# use_tag: snapshot
use_environ: snapshots
secrets:
APPLE_CERTS_BASE64: ${{ secrets.APPLE_CERTS_BASE64 }}
APPLE_CERTS_BASE64_PASSWD: ${{ secrets.APPLE_CERTS_BASE64_PASSWD }}
KEYCHAIN_PASSWD: ${{ secrets.KEYCHAIN_PASSWD }}
AZURE_TENANT_ID: ${{ secrets.AZURE_TENANT_ID }}
AZURE_CLIENT_ID: ${{ secrets.AZURE_CLIENT_ID }}
AZURE_CLIENT_SECRET: ${{ secrets.AZURE_CLIENT_SECRET }}
Expand Down

0 comments on commit c7667db

Please sign in to comment.