scottk/UltraGrid
1
0
Fork 0
mirror of https://github.com/outbackdingo/UltraGrid.git synced 2026-03-22 09:40:30 +00:00
Code Issues Packages Projects Releases Wiki Activity
Files
a6ed0cbcdbaba600bf79ced2b58abd53ca39990f
UltraGrid/.github/scripts/macOS/sign.sh
Martin Pulec bea0ee1b64 CI mac: signing docu updates 
\+ do not check $apple_key_p12_b64 in sign.sh but $KEY_CHAIN and
$KEY_CHAIN_PASS presence, which are used directly
2024-02-09 17:05:28 +01:00

67 lines
2.1 KiB
Bash
Executable File
Raw Blame History

#!/bin/sh -eu
##
## Signs given application bundle
##
## Usage:
## sign.sh <app_bundle_directory>
##
## Environment variables:
## - **KEY_CHAIN** - keychain containing the CESNET signing key
## - **KEY_CHAIN_PASS** - password to the above keychain
## - **notarytool_credentials** - developer credentials to be used with notarytool (in format user:password:team_id)
if [ $# -eq 1 ] && { [ "$1" = -h ] || [ "$1" = --help ] ||
[ "$1" = help ]; }; then
printf "Usage:\n"
printf "\t%s [--sign-only] <bundle_path>\n" "$0"
printf "\nSigns and notarizes the application bundle.\n"
printf "\nUse \"--sign-only\" to skip application notarization.\n"
exit 0
fi
sign_only=
if [ "${1-}" = --sign-only ]; then
sign_only=1
shift
fi
set -x
APP=${1?Appname must be passed as a first argument}
if [ -z "$KEY_CHAIN" ] || [ -z "$KEY_CHAIN_PASS" ] ||
{ [ -z "$notarytool_credentials" ] && [ ! $sign_only ]; }; then
echo "Could not find key to sign the application" 2>&1
if [ "$GITHUB_REPOSITORY" = "CESNET/UltraGrid" ] && ! expr "$GITHUB_REF" : refs/pull >/dev/null; then
exit 1
else
exit 0
fi
fi
security unlock-keychain -p "$KEY_CHAIN_PASS" "$KEY_CHAIN"
# Sign the application
# Libs need to be signed explicitly for some reason
for f in $(find "$APP/Contents/libs" -type f) $APP; do
codesign --force --deep -s CESNET --options runtime --entitlements data/entitlements.mac.plist -v "$f"
done
#codesign --force --deep -s CESNET --options runtime -v $APP/Contents/MacOS/uv-qt
if [ $sign_only ]; then
exit 0
fi
# Zip and send for notarization
ZIP_FILE=uv-qt.zip
ditto -c -k --keepParent "$APP" $ZIP_FILE
set +x
DEVELOPER_USERNAME=$(echo "$notarytool_credentials" | cut -d: -f1)
DEVELOPER_PASSWORD=$(echo "$notarytool_credentials" | cut -d: -f2)
DEVELOPER_TEAMID=$(echo "$notarytool_credentials" | cut -d: -f3)
xcrun notarytool submit $ZIP_FILE --apple-id "$DEVELOPER_USERNAME" --team-id "$DEVELOPER_TEAMID" --password "$DEVELOPER_PASSWORD" --wait
set -x
# If everything is ok, staple the app
xcrun stapler staple "$APP"
Reference in New Issue View Git Blame Copy Permalink