Mac: Enable signing with self signed cert

Co-authored-by: Christian Hoffmann <christian@hoffie.info>
emlynmac · Oct 29, 2022 · e411028 · e411028
1 parent 6a8875c
commit e411028
Show file tree

Hide file tree

Showing 2 changed files with 37 additions and 6 deletions.
diff --git a/.github/autobuild/mac.sh b/.github/autobuild/mac.sh
@@ -41,14 +41,27 @@ prepare_signing() {
     [[ -n "${MACOS_CERTIFICATE:-}" ]] || return 1
     [[ -n "${MACOS_CERTIFICATE_ID:-}" ]] || return 1
     [[ -n "${MACOS_CERTIFICATE_PWD:-}" ]] || return 1
-    [[ -n "${NOTARIZATION_PASSWORD:-}" ]] || return 1
     [[ -n "${KEYCHAIN_PASSWORD:-}" ]] || return 1
 
+    # Check for notarization (not wanted on self signed build)
+    if [[ -z "${NOTARIZATION_PASSWORD}" ]]; then
+        echo "Notarization password not found or empty. This suggests we might run a self signed build."
+        if [[ -z "${MACOS_CA_PUBLICKEY}" ]]; then
+            echo "Warning: The CA public key wasn't set or is empty. Skipping signing."
+            return 1
+        fi
+    fi
+
     echo "Signing was requested and all dependencies are satisfied"
 
     # Put the cert to a file
     echo "${MACOS_CERTIFICATE}" | base64 --decode > certificate.p12
 
+    # If set, put the CA public key into a file
+    if [[ -n "${MACOS_CA_PUBLICKEY}" ]]; then
+        echo "${MACOS_CA_PUBLICKEY}" | base64 --decode > CA.cer
+    fi
+
     # Set up a keychain for the build:
     security create-keychain -p "${KEYCHAIN_PASSWORD}" build.keychain
     security default-keychain -s build.keychain
@@ -58,8 +71,24 @@ prepare_signing() {
     security import certificate.p12 -k build.keychain -P "${MACOS_CERTIFICATE_PWD}" -T /usr/bin/codesign
     security set-key-partition-list -S apple-tool:,apple:,codesign: -s -k "${KEYCHAIN_PASSWORD}" build.keychain
 
-    # Tell Github Workflow that we need notarization & stapling:
-    echo "::set-output name=macos_signed::true"
+    # Tell Github Workflow that we want signing
+    echo "macos_signed=true" >> "$GITHUB_OUTPUT"
+
+    # If set, import CA key to allow self signed key
+    if [[ -n "${MACOS_CA_PUBLICKEY}" ]]; then
+        # bypass any GUI related trusting prompt (https://developer.apple.com/forums/thread/671582)
+        echo "Importing development only CA"
+        # shellcheck disable=SC2024
+        sudo security authorizationdb read com.apple.trust-settings.admin > rights
+        sudo security authorizationdb write com.apple.trust-settings.admin allow
+        sudo security add-trusted-cert -d -r trustRoot -k "build.keychain" CA.cer
+        # shellcheck disable=SC2024
+        sudo security authorizationdb write com.apple.trust-settings.admin < rights
+    else
+        # Tell Github Workflow that we need notarization & stapling (non self signed build)
+        echo "macos_notarize=true" >> "$GITHUB_OUTPUT"
+    fi
+
     return 0
 }
 

diff --git a/.github/workflows/autobuild.yml b/.github/workflows/autobuild.yml
@@ -356,7 +356,7 @@ jobs:
           MACOS_CERTIFICATE_ID:     ${{ secrets.MACOS_CERT_ID }}
           NOTARIZATION_PASSWORD:    ${{ secrets.NOTARIZATION_PASSWORD }}
           KEYCHAIN_PASSWORD:        ${{ secrets.KEYCHAIN_PASSWORD }}
-
+          MACOS_CA_PUBLICKEY:       ${{ secrets.MACOS_CA_PUBKEY }}
       - name:                       Post-Build for ${{ matrix.config.config_name }}
         id:                         get-artifacts
         run:                        ${{ matrix.config.base_command }} get-artifacts
@@ -385,7 +385,8 @@ jobs:
       - name:                       Notarize macOS Release Build
         if:                         >-
                                     steps.build.outputs.macos_signed == 'true' &&
-                                    needs.create_release.outputs.publish_to_release == 'true'
+                                    needs.create_release.outputs.publish_to_release == 'true' &&
+                                    steps.build.outputs.macos_notarize == 'true'
         id:                         notarize-macOS-app
         uses:                       devbotsxyz/xcode-notarize@d7219e1c390b47db8bab0f6b4fc1e3b7943e4b3b
         with:
@@ -397,7 +398,8 @@ jobs:
       - name:                       Staple macOS Release Build
         if:                         >-
                                     steps.build.outputs.macos_signed == 'true' &&
-                                    needs.create_release.outputs.publish_to_release == 'true'
+                                    needs.create_release.outputs.publish_to_release == 'true' &&
+                                    steps.build.outputs.macos_notarize == 'true'
         id:                         staple-macOS-app
         uses:                       devbotsxyz/xcode-staple@ae68b22ca35d15864b7f7923e1a166533b2944bf
         with: