Improve config for app signing for macos
50
.github/workflows/publish-app.yml
vendored
@@ -8,7 +8,7 @@ on:
|
|||||||
jobs:
|
jobs:
|
||||||
build-windows:
|
build-windows:
|
||||||
runs-on: windows-latest
|
runs-on: windows-latest
|
||||||
|
|
||||||
steps:
|
steps:
|
||||||
- name: Check out Git repository
|
- name: Check out Git repository
|
||||||
uses: actions/checkout@v3
|
uses: actions/checkout@v3
|
||||||
@@ -80,7 +80,7 @@ jobs:
|
|||||||
|
|
||||||
build-macos:
|
build-macos:
|
||||||
runs-on: macos-latest
|
runs-on: macos-latest
|
||||||
|
|
||||||
steps:
|
steps:
|
||||||
- name: Check out Git repository
|
- name: Check out Git repository
|
||||||
uses: actions/checkout@v3
|
uses: actions/checkout@v3
|
||||||
@@ -106,6 +106,33 @@ jobs:
|
|||||||
- name: Set VERSION
|
- name: Set VERSION
|
||||||
run: echo "VERSION=${GITHUB_REF#refs/tags/v}" >> $GITHUB_ENV
|
run: echo "VERSION=${GITHUB_REF#refs/tags/v}" >> $GITHUB_ENV
|
||||||
|
|
||||||
|
- name: Decode and Import macOS Certificate
|
||||||
|
run: |
|
||||||
|
# Decode the base64 encoded certificate
|
||||||
|
CERTIFICATE_CONTENT=$(echo "${{ secrets.MACOS_CERTIFICATE_BASE64 }}" | base64 --decode)
|
||||||
|
|
||||||
|
# Create a temporary keychain
|
||||||
|
KEYCHAIN_PATH="${RUNNER_TEMP}/temporary.keychain"
|
||||||
|
security create-keychain -p "${{ secrets.MACOS_CERTIFICATE_PASSWORD }}" "${KEYCHAIN_PATH}"
|
||||||
|
|
||||||
|
# Import the certificate into the temporary keychain
|
||||||
|
echo "${CERTIFICATE_CONTENT}" > "${RUNNER_TEMP}/certificate.p12"
|
||||||
|
security import "${RUNNER_TEMP}/certificate.p12" -k "${KEYCHAIN_PATH}" -P "${{ secrets.MACOS_CERTIFICATE_PASSWORD }}" -T /usr/bin/codesign
|
||||||
|
|
||||||
|
# Set the temporary keychain as the default keychain
|
||||||
|
security default-keychain -s "${KEYCHAIN_PATH}"
|
||||||
|
|
||||||
|
# Unlock the keychain
|
||||||
|
security unlock-keychain -p "${{ secrets.MACOS_CERTIFICATE_PASSWORD }}" "${KEYCHAIN_PATH}"
|
||||||
|
|
||||||
|
# Optionally, list available keys to verify (for debugging)
|
||||||
|
security find-identity -v -p codesigning
|
||||||
|
|
||||||
|
# Set environment variables for codesigning
|
||||||
|
echo "KEYCHAIN_PATH=${KEYCHAIN_PATH}" >> $GITHUB_ENV
|
||||||
|
echo "KEYCHAIN_PASSWORD=${{ secrets.MACOS_CERTIFICATE_PASSWORD }}" >> $GITHUB_ENV
|
||||||
|
shell: bash
|
||||||
|
|
||||||
- name: Update package.json version
|
- name: Update package.json version
|
||||||
working-directory: apps/desktop
|
working-directory: apps/desktop
|
||||||
run: npm version $VERSION --no-git-tag-version
|
run: npm version $VERSION --no-git-tag-version
|
||||||
@@ -114,19 +141,28 @@ jobs:
|
|||||||
run: |
|
run: |
|
||||||
npm ci
|
npm ci
|
||||||
|
|
||||||
- name: Build Electron App
|
- name: Build and Notarize Electron App (macOS)
|
||||||
env:
|
env:
|
||||||
GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
|
GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
|
||||||
NODE_ENV: production
|
NODE_ENV: production
|
||||||
CSC_LINK: ${{ secrets.MACOS_CERTIFICATE }}
|
APPLE_SIGNING_IDENTITY: ${{ secrets.APPLE_SIGNING_IDENTITY }}
|
||||||
CSC_KEY_PASSWORD: ${{ secrets.MACOS_CERTIFICATE_PWD }}
|
|
||||||
APPLE_ID: ${{ secrets.APPLE_ID }}
|
APPLE_ID: ${{ secrets.APPLE_ID }}
|
||||||
APPLE_ID_PASSWORD: ${{ secrets.APPLE_ID_PASSWORD }}
|
APPLE_ID_PASSWORD: ${{ secrets.APPLE_ID_PASSWORD }}
|
||||||
|
APPLE_TEAM_ID: ${{ secrets.APPLE_TEAM_ID }}
|
||||||
|
KEYCHAIN_PATH: ${{ env.KEYCHAIN_PATH }}
|
||||||
|
KEYCHAIN_PASSWORD: ${{ env.KEYCHAIN_PASSWORD }}
|
||||||
working-directory: apps/desktop
|
working-directory: apps/desktop
|
||||||
run: npm run make -- --mac
|
run: |
|
||||||
|
npm run make -- --mac
|
||||||
|
|
||||||
|
- name: Delete Temporary Keychain
|
||||||
|
if: always()
|
||||||
|
run: |
|
||||||
|
security delete-keychain "${{ env.KEYCHAIN_PATH }}"
|
||||||
|
shell: bash
|
||||||
|
|
||||||
- name: Publish Release
|
- name: Publish Release
|
||||||
env:
|
env:
|
||||||
GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
|
GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
|
||||||
working-directory: apps/desktop
|
working-directory: apps/desktop
|
||||||
run: npm run publish
|
run: npm run publish
|
||||||
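Review bot: The certificate bytes are routed through a shell variable in the new "Decode and Import macOS Certificate" step (`CERTIFICATE_CONTENT=$(echo ... | base64 --decode)` followed by `echo "${CERTIFICATE_CONTENT}" > "${RUNNER_TEMP}/certificate.p12"`), and bash cannot store NUL bytes in a variable, so a DER-encoded PKCS#12 — which normally contains them — is very likely written out corrupted and `security import` will fail or import garbage. Decode straight to the file and pass the secret through `env:` instead of inlining `${{ secrets.* }}` into the script text: `env:` / `  MACOS_CERTIFICATE_BASE64: ${{ secrets.MACOS_CERTIFICATE_BASE64 }}` and `echo "$MACOS_CERTIFICATE_BASE64" | base64 --decode > "${RUNNER_TEMP}/certificate.p12"`. After `security import`, codesign on current macOS generally also needs `security set-key-partition-list -S apple-tool:,apple: -s -k "$KEYCHAIN_PASSWORD" "$KEYCHAIN_PATH"` or it blocks on an access prompt that never comes in CI; worth confirming on a runner before relying on this step. Writing `KEYCHAIN_PASSWORD` into `$GITHUB_ENV` hands the secret to every later step of the job, including `npm run publish`, while neither forge.config.ts hunk on this page reads it, so consider keeping the password local to the decode and cleanup steps and referencing `secrets.MACOS_CERTIFICATE_PASSWORD` directly where it is actually needed.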
|
|||||||
@@ -10,5 +10,7 @@
|
|||||||
<true/>
|
<true/>
|
||||||
<key>com.apple.security.app-sandbox</key>
|
<key>com.apple.security.app-sandbox</key>
|
||||||
<false/>
|
<false/>
|
||||||
|
<key>com.apple.security.cs.disable-library-validation</key>
|
||||||
|
<true/>
|
||||||
</dict>
|
</dict>
|
||||||
</plist>
|
</plist>
|
||||||
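Review bot: `com.apple.security.cs.disable-library-validation` set to `<true/>` switches off the hardened-runtime check that only libraries signed by Apple or by the app's own Team ID may be loaded, so any dylib placed in the bundle or on a writable search path can be loaded into the signed process. Because the forge.config.ts hunk on this page also points `entitlementsInherit` at this same plist, every helper process inherits the exemption, not just the main binary. The hunk gives no reason for it; if a bundled native module is not signed with the distribution identity, document that next to the key, e.g. `<!-- Required while <module> ships unsigned; remove once all .node/.dylib files are signed under our Team ID -->`, and otherwise drop the two added lines, since osx-sign signs nested binaries with the same identity. This section's file header is not shown on the page, so the file name is inferred from the config hunk's `entitlements.mac.plist`.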
|
|||||||
@@ -50,12 +50,13 @@ const config: ForgeConfig = {
|
|||||||
},
|
},
|
||||||
extraResource: ['assets'],
|
extraResource: ['assets'],
|
||||||
osxSign: {
|
osxSign: {
|
||||||
identity: process.env.APPLE_SIGNING_IDENTITY!,
|
|
||||||
type: 'distribution',
|
type: 'distribution',
|
||||||
|
keychain: process.env.KEYCHAIN!,
|
||||||
optionsForFile: (_) => {
|
optionsForFile: (_) => {
|
||||||
return {
|
return {
|
||||||
hardenedRuntime: true,
|
hardenedRuntime: true,
|
||||||
entitlements: 'entitlements.mac.plist',
|
entitlements: 'entitlements.mac.plist',
|
||||||
|
entitlementsInherit: 'entitlements.mac.plist',
|
||||||
};
|
};
|
||||||
},
|
},
|
||||||
},
|
},
|
||||||
@@ -63,6 +64,7 @@ const config: ForgeConfig = {
|
|||||||
appleId: process.env.APPLE_ID!,
|
appleId: process.env.APPLE_ID!,
|
||||||
appleIdPassword: process.env.APPLE_ID_PASSWORD!,
|
appleIdPassword: process.env.APPLE_ID_PASSWORD!,
|
||||||
teamId: process.env.APPLE_TEAM_ID!,
|
teamId: process.env.APPLE_TEAM_ID!,
|
||||||
|
keychain: process.env.KEYCHAIN!,
|
||||||
},
|
},
|
||||||
},
|
},
|
||||||
rebuildConfig: {},
|
rebuildConfig: {},
|
||||||
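Review bot: Both new `keychain: process.env.KEYCHAIN!` lines read an environment variable the workflow on this page never sets — the "Decode and Import macOS Certificate" step exports `KEYCHAIN_PATH`, and the build step's `env:` forwards `KEYCHAIN_PATH` as well — so `keychain` is `undefined` at runtime and the `!` merely hides that from the compiler; change both to `keychain: process.env.KEYCHAIN_PATH!` (or rename the variable in the workflow, consistently in both places). Signing may still succeed by accident because the decode step makes the temporary keychain the default, but whether codesign then finds the identity depends on the keychain search list, which the workflow does not set (`security list-keychains -d user -s`), so passing the explicit path matters. For `osxNotarize`, `keychain` is, as far as I can tell from @electron/notarize's option types, the companion of `keychainProfile` (stored notarytool credentials) and is not used when `appleId`/`appleIdPassword`/`teamId` are supplied as they are here, so that added line is likely dead; either remove it or add a comment stating which credential path is intended. The `config` object starts and ends outside these hunks, and note that `APPLE_SIGNING_IDENTITY` is still exported by the workflow although `identity` is no longer read here, leaving osx-sign to auto-select an identity from the keychain.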
|
|||||||