From 73ec69a3a8e2c160c178489b708fa8105e6db6e1 Mon Sep 17 00:00:00 2001
From: Martin Pulec
Date: Tue, 24 Mar 2020 13:23:09 +0100
Subject: [PATCH] GitHub Workflow: nightly - sign the macOS app
---
 .github/scripts/macOS/sign.sh | 70 +++++++++++++++++++++++++++++++++++
 .github/workflows/nightly.yml | 10 ++++-
 Makefile.in | 2 +-
 3 files changed, 79 insertions(+), 3 deletions(-)
 create mode 100755 .github/scripts/macOS/sign.sh
diff --git a/.github/scripts/macOS/sign.sh b/.github/scripts/macOS/sign.sh
new file mode 100755
index 000000000..177f2fe31
--- /dev/null
+++ b/.github/scripts/macOS/sign.sh
@@ -0,0 +1,70 @@
+#!/bin/sh -eux
+## Usage:
+## sign.sh
+##
+## Environment variables:
+## - **apple_key_p12_b64** - tar.bz2 with $KEY_FILE (with empty password) and $CERT_FILE
+## - **$altool_pass** - developer (see $DEVELOPER_USERNAME) app password
+
+APP=${1?Appname must be passed as a first argument}
+DEVELOPER_USERNAME=martin.pulec@cesnet.cz
+
+if [ -z "$apple_key_p12_b64" -o -z "$altool_pass" ]; then
+ echo "Could not find key to sign the application" 2>&1
+ exit 1
+fi
+
+# Import keys
+# Inspired by https://www.update.rocks/blog/osx-signing-with-travis/
+KEY_CHAIN=build.keychain
+KEY_CHAIN_PASS=build
+KEY_FILE='CESNET, z. s. p. o..p12'
+KEY_FILE_PASS=''
+CERT_FILE='developerID_application.cer'
+echo "$apple_key_p12_b64" | base64 -d > /tmp/cert.tar.bz2
+tar -C /tmp -xJf /tmp/cert.tar.bz2
+security create-keychain -p $KEY_CHAIN_PASS $KEY_CHAIN
+security default-keychain -s $KEY_CHAIN
+security unlock-keychain -p $KEY_CHAIN_PASS $KEY_CHAIN
+security import "/tmp/$CERT_FILE"
+security import "/tmp/$KEY_FILE" -A -P "$KEY_FILE_PASS"
+security set-key-partition-list -S apple-tool:,apple: -s -k $KEY_CHAIN_PASS $KEY_CHAIN
+
+# Sign appllication
+# these need to be signed explicitly
+for f in `find $APP/Contents/libs -type f`; do
+ codesign --force --deep -s CESNET --options runtime -v $f
+done
+codesign --force --deep -s CESNET --options runtime -v $APP
+#codesign --force --deep -s CESNET --options runtime -v $APP/Contents/MacOS/uv-qt
+
+# Zip and send for notarization
+ZIP_FILE=uv-qt.zip
+UPLOAD_INFO_PLIST=/tmp/uplinfo.plist
+REQUEST_INFO_PLIST=/tmp/reqinfo.plist
+ditto -c -k --keepParent $APP $ZIP_FILE
+xcrun altool --notarize-app --primary-bundle-id cz.cesnet.ultragrid.uv-qt --username $DEVELOPER_USERNAME --password "$altool_pass" --file $ZIP_FILE --output-format xml > $UPLOAD_INFO_PLIST
+
+# Wait for notarization status
+# Waiting inspired by https://nativeconnect.app/blog/mac-app-notarization-from-the-command-line/
+SLEPT=0
+TIMEOUT=7200
+while true; do
+ 
/usr/bin/xcrun altool --notarization-info `/usr/libexec/PlistBuddy -c "Print :notarization-upload:RequestUUID" $UPLOAD_INFO_PLIST` -u $DEVELOPER_USERNAME -p $altool_pass --output-format xml > $REQUEST_INFO_PLIST
+ STATUS=`/usr/libexec/PlistBuddy -c "Print :notarization-info:Status" $REQUEST_INFO_PLIST`
+ if [ $STATUS != "in progress" -o $SLEPT -ge $TIMEOUT ]; then
+ break
+ fi
+ sleep 60
+ SLEPT=$(($SLEPT + 60))
+done
+if [ $STATUS != success ]; then
+ UUID=`/usr/libexec/PlistBuddy -c "Print :notarization-info:RequestUUID" $REQUEST_INFO_PLIST`
+ xcrun altool --notarization-info $UUID -u $DEVELOPER_USERNAME -p $altool_pass
+ echo "Could not notarize" 2>&1
+ exit 1
+fi
+
+# If everything is ok, staple the app
+xcrun stapler staple $APP
+
diff --git a/.github/workflows/nightly.yml b/.github/workflows/nightly.yml
index db2a94f49..16dfd89e7 100644
--- a/.github/workflows/nightly.yml
+++ b/.github/workflows/nightly.yml
@@ -90,6 +90,8 @@ jobs:
 name: run macOS
 runs-on: macos-latest
 env:
+ altool_pass: ${{ secrets.altool_pass }}
+ apple_key_p12_b64: ${{ secrets.apple_key_p12_b64 }}
 sdk_pass: ${{ secrets.sdk_pass }}
 steps:
@@ -100,8 +102,12 @@ jobs:
 run: .github/scripts/macOS/prepare.sh
 - name: configure
 run: ./autogen.sh --enable-qt --with-live555=/usr/local
- - name: make
- run: make -j4 osx-gui-dmg
+ - name: make bundle
+ run: make -j4 gui-bundle
+ - name: sign+notarize
+ run: .github/scripts/macOS/sign.sh gui/QT/uv-qt.app
+ - name: make dmg
+ run: make osx-gui-dmg
 - name: make check
 run: make check
 - name: make distcheck
diff --git a/Makefile.in b/Makefile.in
index 1ed5ce674..4eb3cc8e8 100644
--- a/Makefile.in
+++ b/Makefile.in
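Review bot: With `#!/bin/sh -eux` the `-x` trace prints every expanded command to the job log, including `echo "$apple_key_p12_b64" | base64 -d` and the `-p $altool_pass` arguments of the two `--notarization-info` calls, so the key archive and the app password end up in the log with only GitHub's exact-string masking protecting them; drop `-x` (or bracket those lines with `set +x` … `set -x`) and pass the password as `--password "@env:altool_pass"` so altool reads it from the environment instead of the command line. In the poll loop `[ $STATUS != "in progress" -o $SLEPT -ge $TIMEOUT ]` expands the unquoted `$STATUS` to two words while the status is `in progress`, so `test` errors out instead of evaluating the `$SLEPT -ge $TIMEOUT` part and the loop can never stop on timeout; quote it as `"$STATUS"` there and in `[ $STATUS != success ]`. The archive is documented and named as tar.bz2 but extracted with `tar -C /tmp -xJf`, which selects xz; unless the secret really is xz-compressed this should be `-xjf` (or `-xf`, which auto-detects). The two `echo "…" 2>&1` lines redirect stderr into stdout rather than the message to stderr (`>&2` was meant), and because `-u` is in effect a missing secret aborts on the `-z "$apple_key_p12_b64"` test itself before that message is reached. The key and certificate are written to fixed names under /tmp and never removed; a `mktemp -d` directory cleaned up by a `trap … EXIT` would keep them from outliving the job.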
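Review bot: The two new secrets are placed in the job-level `env:` of the macOS job, so `altool_pass` and `apple_key_p12_b64` are exported to every step (`prepare.sh`, `./autogen.sh`, `make check`, `make distcheck` and whatever they spawn) rather than only to `sign.sh`; moving them to a step-level `env:` on the `sign+notarize` step keeps the app password and signing key out of the environment of build and test processes that do not need them. The `sign+notarize` step also runs unconditionally, and since `sign.sh` runs with `-u` an empty secret (for instance in a run triggered from a fork) fails the job instead of skipping signing; if the variables stay at job level, `if: env.apple_key_p12_b64 != ''` on that step would turn the failure into a skip. The second hunk's step list continues outside the hunk.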
@@ -629,7 +629,7 @@ gui-bundle: bundle gui/QT/uv-qt
 defaults write `pwd`/$(GUI_BUNDLE)/Contents/Info.plist CFBundleIconFile icon.icns
 plutil -convert xml1 $(GUI_BUNDLE)/Contents/Info.plist
-osx-gui-dmg: gui-bundle
+osx-gui-dmg:
 [ ! -f UltraGrid.dmg ] || rm UltraGrid.dmg
 hdiutil create -volname ULTRAGRID -srcdir $(GUI_BUNDLE) -format UDZO -imagekey zlib-level=9 -o UltraGrid.dmg
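Review bot: Dropping `gui-bundle` from `osx-gui-dmg`'s prerequisites means a plain `make osx-gui-dmg` now packages whatever is currently in `$(GUI_BUNDLE)`, stale or absent, and `hdiutil` is the only thing that will complain; the required order (gui-bundle, then sign.sh, then this target) now lives only in the workflow and deserves a comment on the rule, e.g. `# no gui-bundle prerequisite: the bundle is signed and stapled between gui-bundle and this target; re-running gui-bundle rewrites Info.plist, which presumably invalidates the signature`. A guard as the first recipe line, `test -d $(GUI_BUNDLE) || { echo "$(GUI_BUNDLE) missing, run 'make gui-bundle' first" >&2; exit 1; }`, fails early with a clear message instead. The `[ ! -f UltraGrid.dmg ] || rm UltraGrid.dmg` line is equivalent to `$(RM) UltraGrid.dmg`. The recipe ends at the hunk boundary, so any further lines of the rule are not visible here.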