codesign macOS package built with CPack

.travis.yml

@@ -24,6 +24,12 @@ env:
     - QT_QPA_PLATFORM=offscreen
     # DOWNLOADS_HOSTGATOR_DOT_MIXXX_DOT_ORG_KEY_PASSWORD for deploys.
     - secure: aS40s8gx1mM01oRj2pskFqR+rBID1nnTY7hwSqkT1bgJT+JF0tMZt/SkMjR08bp+3soNbBtqJgZKAhQ6Tts2DtkWQGbUiXgU5QpowUcecTxge/jqxZeWdJWThpB+qWs70Fm0QhzZXIyBPM8EGljWbLum5ncR7AUBEasRboNZ0P8=
+    # Code signing secrets:
+    - MACOS_CODESIGN_CERTIFICATE=cmake/macos_developer_id_codesign_certificate.p12
+    # MACOS_CODESIGN_CERTIFICATE_PASSWORD:
+    - secure: MnQzTJBkeHsRkNov7yoNIlEM5Exo6JvdmRS+z6OPQFuJn+yc8WyeUrW2JhVtVsGFO/fCqcIyymIOSFIEz78eoRj1PL0w2tj3ptBqUAJWupP2mmobKcPY3NYTOhOmOsv8rqlJbPdLxop1pyLaLBFWyGKOgI2xJz8LPHGN5ZINfCY=
+    # MACOS_CODESIGN_OPENSSL_PASSWORD:
+    - secure: NJegC0Dag0V8hotFB7u3rSPGnGQzp0JQpRTH1qL8bveUmrTOL26viPeX4vLXwn/RJKZkuUsDBxDSFy/sfVvfaLdAgd5USOV9QLF7lc3z1+t4BWbZ4xDBXCYOWuaQlgqE1k5W7s9wl1DgDFNxBSc46X04h9BZNonz1z0A9IAhn+k=
 
 jobs:
   include:
@@ -160,19 +166,35 @@ jobs:
         - find "${MIXXX_ENVPATH}" -name "*.pc" -or -path "*/bin/taglib-config" -exec sed -i".orig" -e "s|/Users/mixxx/bs-2.3-mac/amd64/environment/${MIXXX_ENVNAME}|${MIXXX_ENVPATH}|g" {} \;
         - export QT_DIR="$(find "${MIXXX_ENVPATH}" -type d -path "*/cmake/Qt5")"
         - export QT_QPA_PLATFORM_PLUGIN_PATH="$(find "${MIXXX_ENVPATH}" -type d -path "*/plugins")"
+        - |
+          if [ "$TRAVIS_REPO_SLUG" = "mixxxdj/mixxx" ] && [ "$TRAVIS_PULL_REQUEST" = "false" ]; then
+            # Create a temporary keychain for the certificate and import it.
+            openssl enc -aes-256-cbc -d -md sha512 -k ${MACOS_CODESIGN_OPENSSL_PASSWORD} -in ${MACOS_CODESIGN_CERTIFICATE}.enc -out ${MACOS_CODESIGN_CERTIFICATE};
+            security create-keychain -p mixxx Mixxx.keychain;
+            security unlock-keychain -p mixxx Mixxx.keychain;
+            security import ${MACOS_CODESIGN_CERTIFICATE} -k Mixxx.keychain -P ${MACOS_CODESIGN_CERTIFICATE_PASSWORD} -T /usr/bin/codesign;
+            security set-key-partition-list -S apple-tool:,apple: -k mixxx Mixxx.keychain
+            # Add keychain to search list
+            security list-keychains -s Mixxx.keychain;
+            export APPLE_CODESIGN_IDENTITY=2C2B5D3EDCE82BA55E22E9A67F16F8D03E390870;
+          fi
+
       install:
         - mkdir cmake_build
         - cd cmake_build
-        - cmake -L $CMAKEFLAGS $CMAKEFLAGS_EXTRA -DCMAKE_PREFIX_PATH=${MIXXX_ENVPATH} -DQt5_DIR=${QT_DIR} ..
+        - cmake -L $CMAKEFLAGS $CMAKEFLAGS_EXTRA -DCMAKE_PREFIX_PATH=${MIXXX_ENVPATH} -DQt5_DIR=${QT_DIR} -DAPPLE_CODESIGN_IDENTITY=${APPLE_CODESIGN_IDENTITY} ..
         - cmake --build .
-        - cpack -G DragNDrop
+        - cpack -G DragNDrop -V
+        # cpack codesigns the Mixxx.app inside the DMG package, but the DMG package also needs to be signed
+        - |
+          if ! [ -z $APPLE_CODESIGN_IDENTITY ]; then
+            codesign --verbose=4 --deep --force --options runtime --sign $APPLE_CODESIGN_IDENTITY --entitlements ../build/osx/entitlements.plist *.dmg;
+          fi
       script:
         # Run tests and benchmarks
         - ctest --timeout 45
         - cmake --build . --target benchmark
       before_cache:
-        # Avoid indefinite cache growth
-        - brew cleanup
         # Cache only .git files under "/usr/local/Homebrew" so "brew update"
         # does not take 5min every build
         # Source: https://discourse.brew.sh/t/best-practice-for-homebrew-on-travis-brew-update-is-5min-to-build-time/5215/12

CMakeLists.txt

@@ -1065,7 +1065,6 @@ if (APPLE)
     set_target_properties(mixxx PROPERTIES
         MACOSX_BUNDLE true
         MACOSX_BUNDLE_INFO_PLIST "${CMAKE_CURRENT_SOURCE_DIR}/cmake/macos_bundle.plist.in"
-        OUTPUT_NAME ${MACOS_BUNDLE_NAME}
     )
 else()
     include(InstallRequiredSystemLibraries)
@@ -2405,7 +2404,7 @@ set(CPACK_PACKAGE_VENDOR "Mixxx Project")
 set(CPACK_PACKAGE_CONTACT "RJ Skerry-Ryan <rryan@mixxx.org>")
 set(CPACK_PACKAGE_DESCRIPTION_FILE "${CMAKE_CURRENT_SOURCE_DIR}/cmake/cpack_package_description.txt")
 set(CPACK_PACKAGE_INSTALL_DIRECTORY "Mixxx")
-set(CPACK_PACKAGE_EXECUTABLES "mixxx" "Mixxx")
+set(CPACK_PACKAGE_EXECUTABLES "mixxx")
 set(CPACK_PACKAGE_ICON "${CMAKE_SOURCE_DIR}/res/images/mixxx_install_logo.bmp")
 set(CPACK_PACKAGE_HOMEPAGE_URL "https://www.mixxx.org/")
 set(CPACK_PACKAGE_FILE_NAME "Mixxx-${GIT_BRANCH}-r${GIT_COMMIT_COUNT}-${GIT_COMMIT_HASH}")
@@ -2448,26 +2447,19 @@ if(APPLE)
         endif()
     endmacro()
 
-    install_qt5_plugin(Qt5::QCocoaIntegrationPlugin QT_PLUGINS "${MIXXX_INSTALL_PREFIX}")
-    install_qt5_plugin(Qt5::QSQLiteDriverPlugin QT_PLUGINS "${MIXXX_INSTALL_PREFIX}")
-    install_qt5_plugin(Qt5::QMacStylePlugin QT_PLUGINS "${MIXXX_INSTALL_PREFIX}")
-    install_qt5_plugin(Qt5::QSvgPlugin QT_PLUGINS "${MIXXX_INSTALL_PREFIX}")
-    install_qt5_plugin(Qt5::QSvgIconPlugin QT_PLUGINS "${MIXXX_INSTALL_PREFIX}")
-    install_qt5_plugin(Qt5::QJpegPlugin QT_PLUGINS "${MIXXX_INSTALL_PREFIX}")
-    install_qt5_plugin(Qt5::QGifPlugin QT_PLUGINS "${MIXXX_INSTALL_PREFIX}")
-
-    set(LIB_DIRS "${CMAKE_PREFIX_PATH}/lib")
-    list(APPEND LIB_DIRS "${Qt5Widgets_DIR}/../..")
-
-    install(CODE "
-        include(BundleUtilities)
-          #fixup_bundle tries to copy system libraries without this. Wtf?
-          function(gp_resolved_file_type_override file type)
-            if(file MATCHES \"^(/usr/lib)\")
-              set(type \"system\" PARENT_SCOPE)
-            endif()
-          endfunction()
-        set(BU_CHMOD_BUNDLE_ITEMS ON)
-        fixup_bundle(\"\${CMAKE_INSTALL_PREFIX}/${MIXXX_INSTALL_PREFIX}\" \"${QT_PLUGINS}\" \"${LIB_DIRS}\")
-    ")
+
+    install_qt5_plugin(Qt5::QCocoaIntegrationPlugin BUNDLE_LIBS "${MIXXX_INSTALL_PREFIX}")
+    install_qt5_plugin(Qt5::QSQLiteDriverPlugin BUNDLE_LIBS "${MIXXX_INSTALL_PREFIX}")
+    install_qt5_plugin(Qt5::QMacStylePlugin BUNDLE_LIBS "${MIXXX_INSTALL_PREFIX}")
+    install_qt5_plugin(Qt5::QSvgPlugin BUNDLE_LIBS "${MIXXX_INSTALL_PREFIX}")
+    install_qt5_plugin(Qt5::QSvgIconPlugin BUNDLE_LIBS "${MIXXX_INSTALL_PREFIX}")
+    install_qt5_plugin(Qt5::QJpegPlugin BUNDLE_LIBS "${MIXXX_INSTALL_PREFIX}")
+    install_qt5_plugin(Qt5::QGifPlugin BUNDLE_LIBS "${MIXXX_INSTALL_PREFIX}")
+
+    set(BUNDLE_NAME "${MIXXX_INSTALL_PREFIX}")
+    set(BUNDLE_DIRS "${CMAKE_PREFIX_PATH}/lib;${Qt5Widgets_DIR}/../..")
+    set(APPLE_CODESIGN_ENTITLEMENTS "${CMAKE_CURRENT_SOURCE_DIR}/build/osx/entitlements.plist")
+
+    configure_file(cmake/modules/BundleInstall.cmake.in "${CMAKE_CURRENT_BINARY_DIR}/BundleInstall.cmake" @ONLY)
+    install(SCRIPT "${CMAKE_CURRENT_BINARY_DIR}/BundleInstall.cmake")
 endif()

cmake/modules/BundleInstall.cmake.in

@@ -0,0 +1,31 @@
+set(BUNDLE_NAME @BUNDLE_NAME@)
+set(BUNDLE_PATH "${CMAKE_INSTALL_PREFIX}/${BUNDLE_NAME}")
+set(BUNDLE_LIBS @BUNDLE_LIBS@)
+set(BUNDLE_DIRS @BUNDLE_DIRS@)
+set(APPLE_CODESIGN_IDENTITY @APPLE_CODESIGN_IDENTITY@)
+set(APPLE_CODESIGN_ENTITLEMENTS @APPLE_CODESIGN_ENTITLEMENTS@)
+
+include(BundleUtilities)
+
+#fixup_bundle tries to copy system libraries without this. Wtf?
+function(gp_resolved_file_type_override file type)
+  if(file MATCHES "^(/usr/lib)")
+    set(type "system" PARENT_SCOPE)
+  endif()
+endfunction()
+
+set(BU_CHMOD_BUNDLE_ITEMS ON)
+fixup_bundle("${BUNDLE_PATH}" "${BUNDLE_LIBS}" "${BUNDLE_DIRS}")
+
+if(DEFINED APPLE_CODESIGN_IDENTITY AND DEFINED APPLE_CODESIGN_ENTITLEMENTS)
+  foreach(PATH_TO_SIGN IN LISTS BUNDLE_LIBS BUNDLE_PATH)
+    execute_process(COMMAND
+        codesign --verbose=4 --deep --force --options runtime
+        --entitlements "${APPLE_CODESIGN_ENTITLEMENTS}"
+        --sign "${APPLE_CODESIGN_IDENTITY}"
+        "${PATH_TO_SIGN}"
+    )
+  endforeach()
+else()
+  message(STATUS "Not signing bundle. Specify -DAPPLE_CODESIGN_IDENTITY and -DAPPLE_CODESIGN_ENTITLEMENTS to cmake before running cpack to sign")
+endif()