

Code sign and notarize macOS app
* Fix private key location
* base64 encode API key
* Add developer ID application certificate
* Use example travis password
* Require identity be found before continuing
* Skip first stage for now
* Only show valid identities
* Set keychain unlock timeout
* Try setting key partition
* Add message for failed script
* Allow security binary to view certs
* Only print failure on error
* Try removing specific binaries
* Print more
* Use the default keychain
* Add back codesign binary check
* Print more identity info
* Disable other builds for now
* Add priv key
* Use secure variable in .travis.yml instead
* Use bullet points for secure vars
* Fix file path
* Fix keys
* Fix keys
* Remove tee
* Add Travis waiting script to release-mac
* Add debug info for osx-sign
* Set key partition list
* Add retries to packaging mac app
* Move API key to encrypted file
* Fix key file name
* Use global keys directory
* Print stuff in appstoreconnect dir
* Remove find and poke-travis
* Enable Linux/Windows/binary builds again
* Remove poke-travis in favor of travis_wait script
* Move docker service into stages
* Try adding travis tag default to fix combined releases
* No need to upgrade Go, since it is in .travis.yml
* Remove intermediate make task
* Remove TTY requirement from Docker build
* Remove unused TRAVIS_TAG setting
* Restore disabled travis jobs
* Split out each app release into separate targets
* Fix missing prerequisites
* Fix condition for linux test release
* Build linux app in docker again, reduce file copies for app builds
* Fix missing docker service for linux test release
* Add back poke-travis so logs work again
* Try forcibly removing node_modules
* Fix dependency target issue in travis
* Fix option -t position
* Only run release jobs on tags and master
* Re-add tty for color output
* Simplify Windows app file management
JohnStarich committed Feb 23, 2020
1 parent 811bd4c commit 195491e
Showing 11 changed files with 892 additions and 353 deletions.
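--- a/.github/ci/utils.sh
+++ b/.github/ci/utils.sh
@@ -0,0 +1,23 @@
+#!/usr/bin/env bash
+
+function retry() {
+local attempts=$1
+if [[ "$attempts" =~ ^-?[0-9]+$ ]]; then
+shift
+else
+attempts=3
+fi
+local rc
+for (( trial = 1; trial == 1 || trial <= attempts + 1; trial += 1 )); do
+if "$@"; then
+return 0
+else
+rc=$?
+echo "Trial $trial exited [$rc]."
+if (( trial != attempts + 1 )); then
+echo "Retrying... $*"
+fi
+fi
+done
+return $rc
+}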
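Review bot: `echo "Retrying... $*"` writes the wrapped command's full argument list to the build log, so any argument that carries a credential (a token passed as a flag value) would end up in CI output; print only the command name, `echo "Retrying... $1"`, and send both diagnostics to stderr with `>&2` so callers consuming the command's stdout do not pick them up. The loop also retries immediately with no pause, which for a flaky network step such as the `npm run --prefix=web mac` it wraps in the Makefile tends to burn all attempts in a few seconds; a `sleep $(( trial * 5 ))` before the next trial is cheap. The regex `^-?[0-9]+$` accepts a negative count, which collapses to a single attempt — harmless, but worth a one-line comment above the check so nobody "fixes" it later.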
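--- a/.github/encrypt/.gitignore
+++ b/.github/encrypt/.gitignore
@@ -0,0 +1,2 @@
+*
+!*.enc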
Binary file added .github/encrypt/AuthKey_5X4Z73338X.p8.enc
Binary file not shown.
Binary file added .github/encrypt/developerID_application.cer.enc
Binary file not shown.
Binary file added .github/encrypt/developerID_key.p12.enc
Binary file not shown.
58 changes: 47 additions & 11 deletions .travis.yml
Expand Up @@ -2,9 +2,6 @@ language: go
go:
- 1.12.x

services:
- docker

before_install:
- npm i -g npm@^6

Expand All @@ -16,8 +13,19 @@ jobs:
script: make test
- name: Build Docker image
script: make docker
- stage: GitHub Release
script: make release
services:
- docker
- name: Linux test release
if: NOT (branch = master) AND tag IS blank
services:
- docker
script: make poke-travis release-linux
- name: Linux app, Windows app, and server binaries
stage: GitHub Release
if: branch = master OR tag IS present
services:
- docker
script: make poke-travis release-servers release-linux release-windows
deploy:
# generated with `travis setup releases --com`
- provider: releases
Expand All @@ -27,12 +35,40 @@ jobs:
file_glob: true
skip_cleanup: true
draft: true
on:
repo: JohnStarich/sage
tags: true
condition: "$TRAVIS_TAG != untagged-*"
- name: macOS app
stage: GitHub Release
if: branch = master OR tag IS present
os: osx
osx_image: xcode11.3
env:
- secure: "AOxV9qSPVSHVZIhUEwmBAKe3FjELl8E3004WmPD5ETkfsZZh1ZLH118MO5wlLqIe9sCZQFKmXmPuSBmzQAPNBsJzlwUG8qkBIzZjC/+4gPXIcvlwuWxDLd+LhC2pLFLjo/CiLWpud1/4rdaHAMJviL1X5lVEwdbnRk6cxBsXCejbFWCBs49hBy4OHjnijHaXJY/Asr1hEHVH+R+cWqgoQjz0uTn0KfFoVnd8ABLFbrPFPLofqHl2skfznYl0UTxVDhn4b4RLGiT3AdQdGjNe/Kq630wmv0nfphjKHLXu27dKfaWcKT5xafl15gi14+prunMI4XggJP3JifZfZ3sKdXhnPQMKAoMp06iaMak/lx9rDXZdkNVjB6f4707IdEUF2T0P1gjroOJqSM2/FmNTimpS/6d4oxU25BdoQG7Zfoks1W+JqgW5fnSEmnL4kThr4ykvY+2GlgHp1UCl+SmQSmksIn6sfuBPK0Ehy1/gs3OoE7DedHOa1yggSBUYJk2UMSwp7cczrh3e2cYyH4AcymEWo10W/itykdUvsN44/D/YcJRZyV/U0O4ijJzov9Z2wqK9Eo49kN8iZZkBojhT1pBzbxmh1UW50LDN/oNagzDx/N0DxprjKoMOOju3haCkX9Avhjpd5wM1XjTJH2MF2hAb8Y6zcSrJKDnRrxM912o="
script:
- |
set -ev
trap 'echo Failed code signing cert setup, exiting...' ERR
# Install API key
mkdir -p ~/.appstoreconnect/private_keys && openssl aes-256-cbc -K $encrypted_3a283303e5ea_key -iv $encrypted_3a283303e5ea_iv -d \
-in .github/encrypt/AuthKey_5X4Z73338X.p8.enc \
-out ~/.appstoreconnect/private_keys/AuthKey_5X4Z73338X.p8
# Install code signing cert and key
security create-keychain -p travis build.keychain
security default-keychain -s build.keychain
security set-keychain-settings -t 3600 -u
security unlock-keychain -p travis
openssl aes-256-cbc -K $encrypted_3a283303e5ea_key -iv $encrypted_3a283303e5ea_iv -d \
-in .github/encrypt/developerID_application.cer.enc \
-out .github/encrypt/developerID_application.cer
security add-certificates .github/encrypt/developerID_application.cer
openssl aes-256-cbc -K $encrypted_3a283303e5ea_key -iv $encrypted_3a283303e5ea_iv -d \
-in .github/encrypt/developerID_key.p12.enc \
-out .github/encrypt/developerID_key.p12
security import .github/encrypt/developerID_key.p12 -P "$MACOS_DEVID_KEY" -T /usr/bin/codesign
security find-identity | grep '1 valid identities found' # require identity
rm -rf .github/encrypt
security set-key-partition-list -S 'apple-tool:,apple:' -s -k travis
- make poke-travis release-mac
deploy:
- provider: releases
script: make release
api_key:
secure: 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
file: "out/*"
Expand All @@ -41,4 +77,4 @@ jobs:
draft: true
on:
repo: JohnStarich/sage
branch: master
tags: true
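Review bot: The decrypted App Store Connect key written to `~/.appstoreconnect/private_keys/AuthKey_5X4Z73338X.p8` is never removed, whereas the decrypted `.cer`/`.p12` under `.github/encrypt` are deleted with `rm -rf .github/encrypt`; with the keychain unlocked for 3600 s and `-T /usr/bin/codesign` granting codesign access without a prompt, the Developer ID identity stays usable by whatever dependency scripts `make poke-travis release-mac` runs afterwards. That exposure is inherent to signing in CI, but the cleanup should at least be symmetric and run regardless of outcome, e.g. an `after_script:` with `- security delete-keychain build.keychain` and `- rm -f ~/.appstoreconnect/private_keys/AuthKey_5X4Z73338X.p8`. `security set-key-partition-list -S 'apple-tool:,apple:' -s -k travis` relies on the default keychain set several lines earlier; passing `build.keychain` as its final argument makes the step independent of keychain state. A short comment above `security find-identity | grep '1 valid identities found'` explaining that the pipeline's exit status comes from `grep` (no `pipefail` here) and that exactly one identity is expected would save the next reader a trip to the man page.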
76 changes: 52 additions & 24 deletions Makefile
Expand Up @@ -62,7 +62,7 @@ docker:

.PHONY: clean
clean: cache out
rm -rf cache/ out/
rm -rf cache/ out/ web/out/

cache:
mkdir cache
Expand All @@ -78,11 +78,6 @@ cache/ofxhome.xml: cache
touch cache/ofxhome.xml; \
fi

.PHONY: release
release: clean
$(MAKE) -j4 dist
$(MAKE) apps

# Try to create easily-scripted file names for download
$(SUPPORTED_ARCH): GOOS = $(@D)
$(SUPPORTED_ARCH): GOARCH = $(@F)
Expand Down Expand Up @@ -129,24 +124,41 @@ start-pass:
npm --prefix=web run start-api-pass & \
npm --prefix=web start

.PHONY: apps
apps: out
.PHONY: poke-travis
poke-travis:
# Print something out every minute for an hour to keep Travis from terminating the build early.
(for i in {1..60}; do sleep 60; echo "Keeping Travis CI happy $$i"; done &)

.PHONY: release-servers
release-servers: clean
$(MAKE) -j4 dist

.PHONY: release-mac
release-mac:
@if [[ $$(uname) != Darwin ]]; then \
echo '"release-mac" can only be run on macOS'; \
exit 1; \
fi
$(MAKE) darwin/amd64
F=web/node_modules/electron-packager/src/mac.js && \
NEW_F=$$(sed '/if (!notarizeOpts.appleId) {/ { N;N;N;N;N;N;N;N;N; d; }' "$$F") && \
cat <<<"$$NEW_F" > "$$F" # Temporary hack to enable API key notarization
source .github/ci/utils.sh && \
retry npm run --prefix=web mac
mv -f web/out/make/Sage-1.0.0.dmg out/Sage-for-Mac.dmg

.PHONY: release-windows
release-windows: out windows/amd64
docker run \
--name sage-apps-builder \
--name sage-windows-builder \
--rm -it \
--env DEBUG='electron-windows-installer:*' \
--env-file <(env | grep -iE 'DEBUG|NODE_|ELECTRON_|YARN_|NPM_|CI') \
-v "${PWD}:/project:delegated" \
electronuserland/builder:wine-mono make docker-apps && \
ls -Rlh out/ && \
find out -type f -mindepth 2 | xargs -I{} mv -f {} out/ && \
rm -f out/RELEASES out/*.nupkg && \
mv -f "out/Sage-1.0.0 Setup.exe" out/Sage-for-Windows.exe && \
mv -f out/Sage-darwin-x64-1.0.0.zip out/Sage-for-Mac.zip && \
mv -f out/sage_1.0.0_amd64.deb out/Sage-for-Linux.deb

.PHONY: docker-apps
docker-apps:
electronuserland/builder:wine-mono make docker-windows

.PHONY: docker-windows
docker-windows:
apt update
apt install -y --no-install-recommends \
fakeroot \
Expand All @@ -160,8 +172,24 @@ docker-apps:
cp /tmp/7z-files/7za.dll ./web/node_modules/electron-winstaller/vendor/7z.dll
cp /tmp/7z-files/7za.exe ./web/node_modules/electron-winstaller/vendor/7z.exe
npm config set loglevel verbose
(for i in {1..60}; do sleep 60; echo "Keeping Travis CI happy $$i"; done &) && \
npm run --prefix=web windows && cp -fr web/out/make/* out/ && \
npm run --prefix=web mac && cp -fr web/out/make/* out/ && \
npm run --prefix=web linux && cp -fr web/out/make/* out/ && \
chmod -R 777 out/
npm run --prefix=web windows
chmod -R 777 web/out/make
mv -f "web/out/make/squirrel.windows/x64/Sage-1.0.0 Setup.exe" out/Sage-for-Windows.exe

.PHONY: release-linux
release-linux: out linux/amd64
docker run \
--name sage-linux-builder \
--rm -it \
-v "${PWD}:/project:delegated" \
--workdir /project \
node:lts-buster make docker-linux

.PHONY: docker-linux
docker-linux:
apt update
apt install -y --no-install-recommends \
fakeroot
fakeroot $(MAKE) static-deps
npm run --prefix=web linux
mv web/out/make/deb/x64/sage_1.0.0_amd64.deb out/Sage-for-Linux.deb
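Review bot: The `sed` rewrite of `web/node_modules/electron-packager/src/mac.js` in `release-mac` succeeds silently when the `if (!notarizeOpts.appleId) {` pattern is absent, so an electron-packager upgrade would either skip the patch or drop the wrong ten lines (the match plus the nine appended by `N`) without failing the build; guard it with `grep -q 'if (!notarizeOpts.appleId) {' "$$F" || { echo 'notarization patch target not found in' "$$F"; exit 1; }` before the `sed`, and extend the existing "Temporary hack" comment with the electron-packager version the line count was taken from. `mv -f web/out/make/Sage-1.0.0.dmg out/Sage-for-Mac.dmg`, and the matching `Setup.exe` and `.deb` moves in `docker-windows` and `docker-linux`, hard-code the app version in three places; a single variable read from `web/package.json` (or a glob) would survive a version bump without three edits. `chmod -R 777 web/out/make` in `docker-windows` leaves world-writable build outputs on the bind mount; `chmod -R a+rwX` is no less convenient for the host-side `mv`/`clean` and does not mark regular files executable.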
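--- a/web/entitlements.plist
+++ b/web/entitlements.plist
@@ -0,0 +1,10 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
+<plist version="1.0">
+<dict>
+<key>com.apple.security.cs.allow-unsigned-executable-memory</key>
+<true/>
+<key>com.apple.security.network.client</key>
+<true/>
+</dict>
+</plist>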
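Review bot: `com.apple.security.cs.allow-unsigned-executable-memory` relaxes one of the hardened-runtime protections and the file records no reason for it; add a comment above the key such as `<!-- Hardened runtime: presumably required by Electron/V8 JIT; re-check whether com.apple.security.cs.allow-jit alone is enough on newer Electron -->` so a later reviewer can tell it was deliberate rather than copied. Nothing in the visible hunks references `web/entitlements.plist`; if the packager configuration that wires it in is among the changed files not shown here, naming that file in the same comment would make the link discoverable. `com.apple.security.network.client` is self-explanatory for an app that opens outbound connections, but a one-line comment keeps the two entries consistent.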
