From c3c2fb3d6f92bb63d483c06ddde8dfaa09dadc59 Mon Sep 17 00:00:00 2001 From: Roman Telezhynskyi Date: Wed, 13 Sep 2023 14:27:14 +0300 Subject: [PATCH] Automatic Code-signing and Notarization for macOS. --- .cirrus.yml | 60 ++++++++++++++++- appveyor.yml | 137 ++++++++++++++++++++++++++++++++++++++- scripts/cirrus-deploy.sh | 29 +++------ scripts/deploy.py | 9 +-- 4 files changed, 206 insertions(+), 29 deletions(-) diff --git a/.cirrus.yml b/.cirrus.yml index 8b17dad91..c6916ad5c 100644 --- a/.cirrus.yml +++ b/.cirrus.yml 
@@ -161,6 +161,20 @@ macos_task_template: &MACOS_TASK_TEMPLATE timeout_in: 120m env: ACCESS_TOKEN: ENCRYPTED[81e0b2381ffb628b73f5c94f834010e6631191e0ad03cdd0850d440fb2737a74b68131d842030f010c1bf73ab4cdc1ae] + # Should contain the base64 of the certificate + MACOS_CERTIFICATE: ENCRYPTED[6600e8c131eaa3ca1d8e4d61a266bfbbf072d557ba89d34e5fb044f8d07af857ea163543824a4a664636a50c1d6d9456] + # Should contain the full certificate name, such as Developer ID Application: Your Name (K1234567) + MACOS_CERTIFICATE_NAME: ENCRYPTED[9b9e4b0b596a19690a97abfaa8ec90176d8c9567c0c807757ee5dda02672a7426cd25fea3bb7652958abc970912b2138] + # Should contain the password you chose when exported the certificate from the Keychain Access app + MACOS_CERTIFICATE_PWD: ENCRYPTED[ad78a1c7b5b17ef56c833664cd6a71563b7ea4157ad2daa8e89d88988bdc3f7a669b9d2ee3e47b911707c37f6d84153e] + # Should contain apple developer email, the same used the Apple Developer subscription + MACOS_NOTARIZATION_APPLE_ID: ENCRYPTED[38dc4848b24abb90c25a0a1156de39af8c88aea6267e934e59cc5fb17dc528e3c1a93d8a9695fe937f4894d10eac707e] + # Should contain the app-specific password + MACOS_NOTARIZATION_PWD: ENCRYPTED[1df7f3455fb6837adf9ccf2913b5609c0a5125dca3147ece0a51001cf322234c5382977f28a783222f974525a1794cf4] + # Should contain the Team ID + MACOS_NOTARIZATION_TEAM_ID: ENCRYPTED[8499d687ffd7f6eacda48bd3692bfb22ea6a25eb4a59637b9ff10caa3c8a2df681a790e99b976e7a419d8e5fad2ad35c] + # Should contain a strong, randomly generated password + MACOS_CI_KEYCHAIN_PWD: ENCRYPTED[7f08698aea44fb7c900267c439c1dfe54e218082e5d6b2354cecc00e21bc640058a55036fd027a1fb5a3d72356abb9ea] QTDIR: "/opt/homebrew/opt/qt6" PATH: $QTDIR/bin:${PATH} # ^ add user paths 
@@ -179,6 +193,35 @@ macos_task_template: &MACOS_TASK_TEMPLATE - clang --version - find /Applications -maxdepth 1 -type d -name 'Xcode*.app' - sudo xcode-select -p + # Decode the environment variable into a regular .p12 file + - echo $MACOS_CERTIFICATE | base64 --decode > certificate.p12 + # We need to create a new keychain, otherwise using the certificate will prompt + # with a UI dialog asking for the certificate password, which we can't + # use in a headless CI environment + # Create the keychain with a password ($MACOS_CI_KEYCHAIN_PWD) + - security create-keychain -p "$MACOS_CI_KEYCHAIN_PWD" build.keychain + # Make the custom keychain default, so xcodebuild will use it for signing + - security default-keychain -s build.keychain + # Unlock the keychain + - security unlock-keychain -p "$MACOS_CI_KEYCHAIN_PWD" build.keychain + # Add certificates to keychain and allow codesign to access them + # 1) Apple Worldwide Developer Relations Certification Authority + - curl https://www.apple.com/certificateauthority/AppleWWDRCAG3.cer --output $HOME/AppleWWDRCAG3.cer --silent + - security import $HOME/AppleWWDRCAG3.cer -k ~/Library/Keychains/build.keychain -T /usr/bin/codesign + # 2) Developer Authentication Certification Authority + - curl https://www.apple.com/certificateauthority/DeveloperIDG2CA.cer --output $HOME/DeveloperIDG2CA.cer --silent + - security import $HOME/DeveloperIDG2CA.cer -k ~/Library/Keychains/build.keychain -T /usr/bin/codesign + # 3) Developer ID + - security import certificate.p12 -k build.keychain -P "$MACOS_CERTIFICATE_PWD" -T /usr/bin/codesign + # Delete the files, we no longer need them + - rm $HOME/AppleWWDRCAG3.cer + - rm $HOME/DeveloperIDG2CA.cer + - rm certificate.p12 + # Set the partition list (sort of like an access control list) + - security set-key-partition-list -S apple-tool:,apple:,codesign: -s -k "$MACOS_CI_KEYCHAIN_PWD" build.keychain + # Echo the identity, just so that we know it worked. + # This won't display anything secret. 
+ - security find-identity -v -p codesigning - brew update > /dev/null - brew outdated - brew install --force qt6 coreutils ccache qbs cmake git openssl@1.1 pkg-config 
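Review bot: The decoded `certificate.p12` and the unlocked `build.keychain` holding the Developer ID key have no guaranteed cleanup. The three `rm` steps are only reached if every preceding `curl` and `security import` succeeds, and nothing in the visible steps removes the keychain when the task ends. On a reused or persistent worker that leaves signing material behind, so add an always-run cleanup step with `rm -f certificate.p12` and `security delete-keychain build.keychain`, and write the .p12 under a `mktemp -d` directory rather than the checkout. `echo $MACOS_CERTIFICATE` should also be quoted, e.g. `printf '%s' "$MACOS_CERTIFICATE" | base64 --decode > certificate.p12`. The same block is repeated in both appveyor.yml setup hunks (`@@ -595,6 +616,35 @@` and `@@ -698,6 +784,35 @@`), and the script list continues outside this hunk.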
@@ -214,7 +257,22 @@ macos_task_template: &MACOS_TASK_TEMPLATE - qbs setup-qt /opt/homebrew/opt/qt6/bin/qmake qt6 - qbs-config defaultProfile qt6 - qbs config profiles.qt6.baseProfile clang - - qbs build -f valentina.qbs -d $CIRRUS_WORKING_DIR/build --command-echo-mode command-line --jobs $(nproc) config:release modules.buildconfig.enableUnitTests:false modules.buildconfig.enableMultiBundle:${MULTI_BUNDLE} qbs.installRoot:$CIRRUS_WORKING_DIR/build/install-root profile:qt6 project.enableConan:true project.minimumMacosVersion:${MACOS_DEPLOYMENT_TARGET} modules.buildconfig.enableCcache:${ENABLE_CCACHE} project.conanProfiles:valentina moduleProviders.qbspkgconfig.extraPaths:$(brew --prefix qt6)/lib/pkgconfig,$(brew --prefix openssl@1.1)/lib/pkgconfig + - qbs build -f valentina.qbs -d $CIRRUS_WORKING_DIR/build --command-echo-mode command-line --jobs $(nproc) config:release modules.buildconfig.enableUnitTests:false modules.buildconfig.enableMultiBundle:${MULTI_BUNDLE} qbs.installRoot:$CIRRUS_WORKING_DIR/build/install-root profile:qt6 project.enableConan:true project.minimumMacosVersion:${MACOS_DEPLOYMENT_TARGET} modules.buildconfig.enableCcache:${ENABLE_CCACHE} project.conanProfiles:valentina moduleProviders.qbspkgconfig.extraPaths:$(brew --prefix qt6)/lib/pkgconfig,$(brew --prefix openssl@1.1)/lib/pkgconfig 'modules.buildconfig.signingIdentity:$MACOS_CERTIFICATE_NAME' + - qbs build -f valentina.qbs -d $CIRRUS_WORKING_DIR/build -p 'Valentina DMG' --jobs $(nproc) config:release modules.buildconfig.enableUnitTests:false modules.buildconfig.enableMultiBundle:${MULTI_BUNDLE} qbs.installRoot:$CIRRUS_WORKING_DIR/build/install-root profile:qt6 project.enableConan:true project.minimumMacosVersion:${MACOS_DEPLOYMENT_TARGET} modules.buildconfig.enableCcache:${ENABLE_CCACHE} project.conanProfiles:valentina moduleProviders.qbspkgconfig.extraPaths:$(brew --prefix qt6)/lib/pkgconfig,$(brew --prefix openssl@1.1)/lib/pkgconfig 
'modules.buildconfig.signingIdentity:$MACOS_CERTIFICATE_NAME' + # Store the notarization credentials so that we can prevent a UI password dialog + # from blocking the CI + - echo "Create keychain profile" + - xcrun notarytool store-credentials "notarytool-profile" --apple-id "$MACOS_NOTARIZATION_APPLE_ID" --team-id "$MACOS_NOTARIZATION_TEAM_ID" --password "$MACOS_NOTARIZATION_PWD" + # Here we send the notarization request to the Apple's Notarization service, waiting for the result. + # This typically takes a few seconds inside a CI environment, but it might take more depending on the App + # characteristics. Visit the Notarization docs for more information and strategies on how to optimize it if + # you're curious + - echo "Notarize app" + - xcrun notarytool submit "$CIRRUS_WORKING_DIR/build/install-root/share/valentina.dmg" --keychain-profile "notarytool-profile" --wait --timeout 5m + # Finally, we need to "attach the staple" to our executable, which will allow our app to be + # validated by macOS even when an internet connection is not available. + - echo "Attach staple" + - xcrun stapler staple $CIRRUS_WORKING_DIR/build/install-root/share/valentina.dmg || true - ccache -s deploy_script: - pwd diff --git a/appveyor.yml b/appveyor.yml index 8cb5223b7..31836fef6 100644 --- a/appveyor.yml +++ b/appveyor.yml 
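Review bot: `xcrun stapler staple … || true` hides a stapling failure, so a DMG whose notarization was rejected or did not finish within `--timeout 5m` can still reach `deploy_script` and be published unstapled. Drop the `|| true`, or gate the upload on `xcrun stapler validate` succeeding for the same path. Separately, `'modules.buildconfig.signingIdentity:$MACOS_CERTIFICATE_NAME'` is in single quotes, so unless the CI service substitutes the variable before the shell runs, qbs receives the literal text `$MACOS_CERTIFICATE_NAME`. Double quotes would keep the spaces in the identity and still expand it: `"modules.buildconfig.signingIdentity:$MACOS_CERTIFICATE_NAME"`. Both points apply equally to the appveyor.yml build hunks (`@@ -675,7 +725,22 @@` and `@@ -722,7 +837,25 @@`).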
@@ -585,6 +585,27 @@ for: environment: CONAN_USER_HOME: /Users/appveyor/.conan HOMEBREW_NO_INSTALL_CLEANUP: 1 + # Should contain the base64 of the certificate + MACOS_CERTIFICATE: + secure: 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 + # Should contain the full certificate name, such as Developer ID Application: Your Name (K1234567) + MACOS_CERTIFICATE_NAME: + secure: DfLnepaG+LQMo+w1UvxfgoXI+pb4XtCZSh0rX+f9ZqANcrRNNlI9V7nBzQmNUv7BV+E+NC/s0vtrfcKBx2IEKw== + # Should contain the password you chose when exported the certificate from the Keychain Access app + MACOS_CERTIFICATE_PWD: + secure: ynsawEOq1ysFzKZDR5JMYe5KatOCYHYtnJnJDzsH+20= + # Should contain apple developer email, the same used the Apple Developer subscription + MACOS_NOTARIZATION_APPLE_ID: + secure: JC/QySMcz7ojpEHJEKaxDqTnXgM4zAet7/C6PgIL6GA= + # Should contain the app-specific password + MACOS_NOTARIZATION_PWD: + secure: 5LQu42RbJMmWXmknUs+dcJFuA/7KsqeIbeDBa1L0Qw0= + # Should contain the Team ID + MACOS_NOTARIZATION_TEAM_ID: + secure: Pl/pYbFyfpJOK1O8R94RTQ== + # Should contain a strong, randomly generated password + MACOS_CI_KEYCHAIN_PWD: + secure: B8yHPBym+BTDPK5ZCg7WlSnUCHLbcim8WqLTC6/PSNs= cache: - /Users/appveyor/.conan/data -> conan-cache 
@@ -595,6 +616,35 @@ for: - sudo xcode-select -p - sudo xcode-select -s /Applications/Xcode-$XCODE_VERSION.app - sudo xcode-select -p + # Decode the environment variable into a regular .p12 file + - echo $MACOS_CERTIFICATE | base64 --decode > certificate.p12 + # We need to create a new keychain, otherwise using the certificate will prompt + # with a UI dialog asking for the certificate password, which we can't + # use in a headless CI environment + # Create the keychain with a password ($MACOS_CI_KEYCHAIN_PWD) + - security create-keychain -p "$MACOS_CI_KEYCHAIN_PWD" build.keychain + # Make the custom keychain default, so xcodebuild will use it for signing + - security default-keychain -s build.keychain + # Unlock the keychain + - security unlock-keychain -p "$MACOS_CI_KEYCHAIN_PWD" build.keychain + # Add certificates to keychain and allow codesign to access them + # 1) Apple Worldwide Developer Relations Certification Authority + - curl https://www.apple.com/certificateauthority/AppleWWDRCAG3.cer --output $HOME/AppleWWDRCAG3.cer --silent + - security import $HOME/AppleWWDRCAG3.cer -k ~/Library/Keychains/build.keychain -T /usr/bin/codesign + # 2) Developer Authentication Certification Authority + - curl https://www.apple.com/certificateauthority/DeveloperIDG2CA.cer --output $HOME/DeveloperIDG2CA.cer --silent + - security import $HOME/DeveloperIDG2CA.cer -k ~/Library/Keychains/build.keychain -T /usr/bin/codesign + # 3) Developer ID + - security import certificate.p12 -k build.keychain -P "$MACOS_CERTIFICATE_PWD" -T /usr/bin/codesign + # Delete the files, we no longer need them + - rm $HOME/AppleWWDRCAG3.cer + - rm $HOME/DeveloperIDG2CA.cer + - rm certificate.p12 + # Set the partition list (sort of like an access control list) + - security set-key-partition-list -S apple-tool:,apple:,codesign: -s -k "$MACOS_CI_KEYCHAIN_PWD" build.keychain + # Echo the identity, just so that we know it worked. + # This won't display anything secret. 
+ - security find-identity -v -p codesigning before_build: - ls ${HOME}/Qt 
@@ -675,7 +725,22 @@ for: - qbs setup-qt ${QTDIR}/bin/qmake qt6 - qbs config defaultProfile qt6 - qbs config profiles.qt6.baseProfile clang - - qbs build -f valentina.qbs -d ${APPVEYOR_BUILD_FOLDER}/build --jobs $(nproc) config:release modules.buildconfig.enableUnitTests:false modules.buildconfig.enableMultiBundle:${MULTI_BUNDLE} qbs.installRoot:${APPVEYOR_BUILD_FOLDER}/build/install-root profile:qt6 project.enableConan:true project.minimumMacosVersion:${MACOS_DEPLOYMENT_TARGET} modules.buildconfig.enableCcache:false moduleProviders.qbspkgconfig.extraPaths:$(brew --prefix openssl@1.1)/lib/pkgconfig + - qbs build -f valentina.qbs -d ${APPVEYOR_BUILD_FOLDER}/build --jobs $(nproc) config:release modules.buildconfig.enableUnitTests:false modules.buildconfig.enableMultiBundle:${MULTI_BUNDLE} qbs.installRoot:${APPVEYOR_BUILD_FOLDER}/build/install-root profile:qt6 project.enableConan:true project.minimumMacosVersion:${MACOS_DEPLOYMENT_TARGET} modules.buildconfig.enableCcache:false moduleProviders.qbspkgconfig.extraPaths:$(brew --prefix openssl@1.1)/lib/pkgconfig 'modules.buildconfig.signingIdentity:$MACOS_CERTIFICATE_NAME' + - qbs build -f valentina.qbs -d ${APPVEYOR_BUILD_FOLDER}/build -p 'Valentina DMG' --jobs $(nproc) config:release modules.buildconfig.enableUnitTests:false modules.buildconfig.enableMultiBundle:${MULTI_BUNDLE} qbs.installRoot:${APPVEYOR_BUILD_FOLDER}/build/install-root profile:qt6 project.enableConan:true project.minimumMacosVersion:${MACOS_DEPLOYMENT_TARGET} modules.buildconfig.enableCcache:false moduleProviders.qbspkgconfig.extraPaths:$(brew --prefix openssl@1.1)/lib/pkgconfig 'modules.buildconfig.signingIdentity:$MACOS_CERTIFICATE_NAME' + # Store the notarization credentials so that we can prevent a UI password dialog + # from blocking the CI + - echo "Create keychain profile" + - xcrun notarytool store-credentials "notarytool-profile" --apple-id "$MACOS_NOTARIZATION_APPLE_ID" --team-id "$MACOS_NOTARIZATION_TEAM_ID" --password 
"$MACOS_NOTARIZATION_PWD" + # Here we send the notarization request to the Apple's Notarization service, waiting for the result. + # This typically takes a few seconds inside a CI environment, but it might take more depending on the App + # characteristics. Visit the Notarization docs for more information and strategies on how to optimize it if + # you're curious + - echo "Notarize app" + - xcrun notarytool submit "${APPVEYOR_BUILD_FOLDER}/build/install-root/share/valentina.dmg" --keychain-profile "notarytool-profile" --wait --timeout 5m + # Finally, we need to "attach the staple" to our executable, which will allow our app to be + # validated by macOS even when an internet connection is not available. + - echo "Attach staple" + - xcrun stapler staple ${APPVEYOR_BUILD_FOLDER}/build/install-root/share/valentina.dmg || true deploy_script: - CIRRUS_WORKING_DIR=${APPVEYOR_BUILD_FOLDER} CIRRUS_CHANGE_IN_REPO=${APPVEYOR_REPO_COMMIT} CIRRUS_BRANCH=${APPVEYOR_REPO_BRANCH} ${APPVEYOR_BUILD_FOLDER}/scripts/cirrus-deploy.sh 
@@ -689,6 +754,27 @@ for: environment: CONAN_USER_HOME: /Users/appveyor/.conan HOMEBREW_NO_INSTALL_CLEANUP: 1 + # Should contain the base64 of the certificate + MACOS_CERTIFICATE: + secure: 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 + # Should contain the full certificate name, such as Developer ID Application: Your Name (K1234567) + MACOS_CERTIFICATE_NAME: + secure: DfLnepaG+LQMo+w1UvxfgoXI+pb4XtCZSh0rX+f9ZqANcrRNNlI9V7nBzQmNUv7BV+E+NC/s0vtrfcKBx2IEKw== + # Should contain the password you chose when exported the certificate from the Keychain Access app + MACOS_CERTIFICATE_PWD: + secure: ynsawEOq1ysFzKZDR5JMYe5KatOCYHYtnJnJDzsH+20= + # Should contain apple developer email, the same used the Apple Developer subscription + MACOS_NOTARIZATION_APPLE_ID: + secure: JC/QySMcz7ojpEHJEKaxDqTnXgM4zAet7/C6PgIL6GA= + # Should contain the app-specific password + MACOS_NOTARIZATION_PWD: + secure: 5LQu42RbJMmWXmknUs+dcJFuA/7KsqeIbeDBa1L0Qw0= + # Should contain the Team ID + MACOS_NOTARIZATION_TEAM_ID: + secure: Pl/pYbFyfpJOK1O8R94RTQ== + # Should contain a strong, randomly generated password + MACOS_CI_KEYCHAIN_PWD: + secure: B8yHPBym+BTDPK5ZCg7WlSnUCHLbcim8WqLTC6/PSNs= cache: - /Users/appveyor/.conan/data -> conan-cache 
@@ -698,6 +784,35 @@ for: - sudo xcode-select -p - sudo xcode-select -s /Applications/Xcode-$XCODE_VERSION.app - sudo xcode-select -p + # Decode the environment variable into a regular .p12 file + - echo $MACOS_CERTIFICATE | base64 --decode > certificate.p12 + # We need to create a new keychain, otherwise using the certificate will prompt + # with a UI dialog asking for the certificate password, which we can't + # use in a headless CI environment + # Create the keychain with a password ($MACOS_CI_KEYCHAIN_PWD) + - security create-keychain -p "$MACOS_CI_KEYCHAIN_PWD" build.keychain + # Make the custom keychain default, so xcodebuild will use it for signing + - security default-keychain -s build.keychain + # Unlock the keychain + - security unlock-keychain -p "$MACOS_CI_KEYCHAIN_PWD" build.keychain + # Add certificates to keychain and allow codesign to access them + # 1) Apple Worldwide Developer Relations Certification Authority + - curl https://www.apple.com/certificateauthority/AppleWWDRCAG3.cer --output $HOME/AppleWWDRCAG3.cer --silent + - security import $HOME/AppleWWDRCAG3.cer -k ~/Library/Keychains/build.keychain -T /usr/bin/codesign + # 2) Developer Authentication Certification Authority + - curl https://www.apple.com/certificateauthority/DeveloperIDG2CA.cer --output $HOME/DeveloperIDG2CA.cer --silent + - security import $HOME/DeveloperIDG2CA.cer -k ~/Library/Keychains/build.keychain -T /usr/bin/codesign + # 3) Developer ID + - security import certificate.p12 -k build.keychain -P "$MACOS_CERTIFICATE_PWD" -T /usr/bin/codesign + # Delete the files, we no longer need them + - rm $HOME/AppleWWDRCAG3.cer + - rm $HOME/DeveloperIDG2CA.cer + - rm certificate.p12 + # Set the partition list (sort of like an access control list) + - security set-key-partition-list -S apple-tool:,apple:,codesign: -s -k "$MACOS_CI_KEYCHAIN_PWD" build.keychain + # Echo the identity, just so that we know it worked. + # This won't display anything secret. 
+ - security find-identity -v -p codesigning before_build: - ls ${HOME}/Qt 
@@ -722,7 +837,25 @@ for: - qbs setup-qt ${QTDIR}/bin/qmake qt6 - qbs config defaultProfile qt6 - qbs config profiles.qt6.baseProfile clang - - qbs build -f valentina.qbs -d ${APPVEYOR_BUILD_FOLDER}/build --jobs $(nproc) config:release modules.buildconfig.enableUnitTests:false modules.buildconfig.enableMultiBundle:${MULTI_BUNDLE} qbs.installRoot:${APPVEYOR_BUILD_FOLDER}/build/install-root profile:qt6 project.enableConan:true project.minimumMacosVersion:${MACOS_DEPLOYMENT_TARGET} modules.buildconfig.enableCcache:false + - qbs build -f valentina.qbs -d ${APPVEYOR_BUILD_FOLDER}/build --jobs $(nproc) config:release modules.buildconfig.enableUnitTests:false modules.buildconfig.enableMultiBundle:${MULTI_BUNDLE} qbs.installRoot:${APPVEYOR_BUILD_FOLDER}/build/install-root profile:qt6 project.enableConan:true project.minimumMacosVersion:${MACOS_DEPLOYMENT_TARGET} modules.buildconfig.enableCcache:false 'modules.buildconfig.signingIdentity:$MACOS_CERTIFICATE_NAME' + - qbs build -f valentina.qbs -d ${APPVEYOR_BUILD_FOLDER}/build -p 'Valentina DMG' --jobs $(nproc) config:release modules.buildconfig.enableUnitTests:false modules.buildconfig.enableMultiBundle:${MULTI_BUNDLE} qbs.installRoot:${APPVEYOR_BUILD_FOLDER}/build/install-root profile:qt6 project.enableConan:true project.minimumMacosVersion:${MACOS_DEPLOYMENT_TARGET} modules.buildconfig.enableCcache:false moduleProviders.qbspkgconfig.extraPaths:$(brew --prefix openssl@1.1)/lib/pkgconfig 'modules.buildconfig.signingIdentity:$MACOS_CERTIFICATE_NAME' + # notarytool supported since XCode 13. First we need to backport it. 
+ - curl https://bitbucket.org/valentinaproject/valentinaproject.bitbucket.io/downloads/notarytool.tar.xz --output $HOME/notarytool.tar.xz --silent + - tar -xf $HOME/notarytool.tar.xz + # Store the notarization credentials so that we can prevent a UI password dialog + # from blocking the CI + - echo "Create keychain profile" + - $HOME/notarytool store-credentials "notarytool-profile" --apple-id "$MACOS_NOTARIZATION_APPLE_ID" --team-id "$MACOS_NOTARIZATION_TEAM_ID" --password "$MACOS_NOTARIZATION_PWD" + # Here we send the notarization request to the Apple's Notarization service, waiting for the result. + # This typically takes a few seconds inside a CI environment, but it might take more depending on the App + # characteristics. Visit the Notarization docs for more information and strategies on how to optimize it if + # you're curious + - echo "Notarize app" + - $HOME/notarytool submit "${APPVEYOR_BUILD_FOLDER}/build/install-root/share/valentina.dmg" --keychain-profile "notarytool-profile" --wait --timeout 5m + # Finally, we need to "attach the staple" to our executable, which will allow our app to be + # validated by macOS even when an internet connection is not available. + - echo "Attach staple" + - xcrun stapler staple ${APPVEYOR_BUILD_FOLDER}/build/install-root/share/valentina.dmg || true deploy_script: - CIRRUS_WORKING_DIR=${APPVEYOR_BUILD_FOLDER} CIRRUS_CHANGE_IN_REPO=${APPVEYOR_REPO_COMMIT} CIRRUS_BRANCH=${APPVEYOR_REPO_BRANCH} ${APPVEYOR_BUILD_FOLDER}/scripts/cirrus-deploy.sh diff --git a/scripts/cirrus-deploy.sh b/scripts/cirrus-deploy.sh index 8341e10aa..fac4e4bb9 100755 --- a/scripts/cirrus-deploy.sh +++ b/scripts/cirrus-deploy.sh 
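Review bot: The backported `notarytool` is fetched from a Bitbucket downloads URL and then run with the Apple ID, team ID and app-specific password, with no integrity check on the archive. Anyone able to replace that file would receive those credentials and a place in the signing pipeline. Pin the expected digest in the repository and verify it before extracting, e.g. `echo "<EXPECTED_SHA256>  $HOME/notarytool.tar.xz" | shasum -a 256 -c -`, and add `--fail --location` to the `curl` so an error page or redirect body is not saved as the archive. Also, `tar -xf $HOME/notarytool.tar.xz` extracts into the current directory while the following steps call `$HOME/notarytool`; unless the step runs from `$HOME`, `-C $HOME` looks necessary.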
@@ -20,17 +20,13 @@ check_failure() { } if [[ "$DEPLOY" == "true" ]]; then - print_info "Start compressing."; - tar -C $CIRRUS_WORKING_DIR/build/install-root/usr/local/Applications --exclude "*.DS_Store" -cvJf valentina-${PLATFORM}-${QT_VERSION}-${ARCH}-${CIRRUS_BRANCH}-${CIRRUS_CHANGE_IN_REPO}.tar.xz Valentina.app/; - check_failure "Unable to create an archive for Valentina bundle."; - - if [[ "$MULTI_BUNDLE" == "true" ]]; then - tar -C $CIRRUS_WORKING_DIR/build/install-root/usr/local/Applications --exclude "*.DS_Store" -cvJf tape-${PLATFORM}-${QT_VERSION}-${ARCH}-${CIRRUS_BRANCH}-${CIRRUS_CHANGE_IN_REPO}.tar.xz Tape.app/; - check_failure "Unable to create an archive for Tape bundle."; - - tar -C $CIRRUS_WORKING_DIR/build/install-root/usr/local/Applications --exclude "*.DS_Store" -cvJf puzzle-${PLATFORM}-${QT_VERSION}-${ARCH}-${CIRRUS_BRANCH}-${CIRRUS_CHANGE_IN_REPO}.tar.xz Puzzle.app/; - check_failure "Unable to create an archive for Puzzle bundle."; + print_info "Start labeling."; + if [[ "$MULTI_BUNDLE" == "false" ]]; then + mv $CIRRUS_WORKING_DIR/build/install-root/share/valentina.dmg $CIRRUS_WORKING_DIR/build/install-root/share/valentina-${PLATFORM}-${QT_VERSION}-${ARCH}-${CIRRUS_BRANCH}-${CIRRUS_CHANGE_IN_REPO}.dmg; + else + mv $CIRRUS_WORKING_DIR/build/install-root/share/valentina.dmg $CIRRUS_WORKING_DIR/build/install-root/share/valentina-${PLATFORM}-${QT_VERSION}-${ARCH}-${CIRRUS_BRANCH}-multibundle-${CIRRUS_CHANGE_IN_REPO}.dmg; fi + check_failure "Unable to label Valentina DMG."; print_info "Start cleaning."; python3 $CIRRUS_WORKING_DIR/scripts/deploy.py clean $ACCESS_TOKEN; 
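Review bot: Both new `mv` commands expand `$CIRRUS_WORKING_DIR`, `${CIRRUS_BRANCH}` and the other name components unquoted, so a value containing whitespace or glob characters is split or expanded before `mv` sees it. The same long file name is also rebuilt by hand here and again in the upload hunk, which makes it easy for the two to drift apart. Building it once, e.g. `dmg_name="valentina-${PLATFORM}-${QT_VERSION}-${ARCH}-${CIRRUS_BRANCH}-${CIRRUS_CHANGE_IN_REPO}.dmg"`, and using `"$CIRRUS_WORKING_DIR/build/install-root/share/$dmg_name"` in both places would fix both. The enclosing `if [[ "$DEPLOY" == "true" ]]` block continues outside this hunk.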
@@ -38,18 +34,11 @@ if [[ "$DEPLOY" == "true" ]]; then print_info "Start uploading."; if [[ "$MULTI_BUNDLE" == "false" ]]; then - python3 $CIRRUS_WORKING_DIR/scripts/deploy.py upload $ACCESS_TOKEN $CIRRUS_WORKING_DIR/valentina-${PLATFORM}-${QT_VERSION}-${ARCH}-${CIRRUS_BRANCH}-${CIRRUS_CHANGE_IN_REPO}.tar.xz "/0.7.x/Mac OS X/valentina-${PLATFORM}-${QT_VERSION}-${ARCH}-${CIRRUS_BRANCH}-${CIRRUS_CHANGE_IN_REPO}.tar.xz"; - check_failure "Unable to upload Valentina bundle."; + python3 $CIRRUS_WORKING_DIR/scripts/deploy.py upload $ACCESS_TOKEN $CIRRUS_WORKING_DIR/build/install-root/share/valentina-${PLATFORM}-${QT_VERSION}-${ARCH}-${CIRRUS_BRANCH}-${CIRRUS_CHANGE_IN_REPO}.dmg "/0.7.x/Mac OS X/valentina-${PLATFORM}-${QT_VERSION}-${ARCH}-${CIRRUS_BRANCH}-${CIRRUS_CHANGE_IN_REPO}.dmg"; else - python3 $CIRRUS_WORKING_DIR/scripts/deploy.py upload $ACCESS_TOKEN $CIRRUS_WORKING_DIR/valentina-${PLATFORM}-${QT_VERSION}-${ARCH}-${CIRRUS_BRANCH}-${CIRRUS_CHANGE_IN_REPO}.tar.xz "/0.7.x/Mac OS X/valentina-${PLATFORM}-${QT_VERSION}-${ARCH}-${CIRRUS_BRANCH}-multibundle-${CIRRUS_CHANGE_IN_REPO}/valentina-${PLATFORM}-${QT_VERSION}-${ARCH}-${CIRRUS_BRANCH}-${CIRRUS_CHANGE_IN_REPO}.tar.xz"; - check_failure "Unable to upload Valentina bundle."; - - python3 $CIRRUS_WORKING_DIR/scripts/deploy.py upload $ACCESS_TOKEN $CIRRUS_WORKING_DIR/tape-${PLATFORM}-${QT_VERSION}-${ARCH}-${CIRRUS_BRANCH}-${CIRRUS_CHANGE_IN_REPO}.tar.xz "/0.7.x/Mac OS X/valentina-${PLATFORM}-${QT_VERSION}-${ARCH}-${CIRRUS_BRANCH}-multibundle-${CIRRUS_CHANGE_IN_REPO}/tape-${PLATFORM}-${QT_VERSION}-${ARCH}-${CIRRUS_BRANCH}-${CIRRUS_CHANGE_IN_REPO}.tar.xz"; - check_failure "Unable to upload Tape bundle."; - - python3 $CIRRUS_WORKING_DIR/scripts/deploy.py upload $ACCESS_TOKEN $CIRRUS_WORKING_DIR/puzzle-${PLATFORM}-${QT_VERSION}-${ARCH}-${CIRRUS_BRANCH}-${CIRRUS_CHANGE_IN_REPO}.tar.xz "/0.7.x/Mac OS 
X/valentina-${PLATFORM}-${QT_VERSION}-${ARCH}-${CIRRUS_BRANCH}-multibundle-${CIRRUS_CHANGE_IN_REPO}/puzzle-${PLATFORM}-${QT_VERSION}-${ARCH}-${CIRRUS_BRANCH}-${CIRRUS_CHANGE_IN_REPO}.tar.xz"; - check_failure "Unable to upload Tape bundle."; + python3 $CIRRUS_WORKING_DIR/scripts/deploy.py upload $ACCESS_TOKEN $CIRRUS_WORKING_DIR/build/install-root/share/valentina-${PLATFORM}-${QT_VERSION}-${ARCH}-${CIRRUS_BRANCH}-multibundle-${CIRRUS_CHANGE_IN_REPO}.dmg "/0.7.x/Mac OS X/valentina-${PLATFORM}-${QT_VERSION}-${ARCH}-${CIRRUS_BRANCH}-multibundle-${CIRRUS_CHANGE_IN_REPO}.dmg"; fi + check_failure "Unable to upload Valentina DMG."; print_info "Successfully uploaded."; else diff --git a/scripts/deploy.py b/scripts/deploy.py index 1e94adff9..f4d1aa943 100644 --- a/scripts/deploy.py +++ b/scripts/deploy.py @@ -135,12 +135,9 @@ def run_clean(refresh_token): arhive_types = [r'^valentina-Windows10\+-mingw-x64-Qt.*-develop-[a-f0-9]{40}\.tar\.xz$', r'^valentina-Windows7\+-mingw-x86-Qt.*-develop-[a-f0-9]{40}\.tar\.xz$', r'^valentina-WindowsXP\+-mingw-x86-Qt.*-develop-[a-f0-9]{40}\.tar\.xz$', - r'^valentina-macOS_11\+-Qt.*-x64-develop-[a-f0-9]{40}\.tar\.xz$', - r'^valentina-macOS_11\+-Qt.*-x64-develop-multibundle-[a-f0-9]{40}$', - r'^valentina-macOS_10.13\+-Qt.*-x64-develop-[a-f0-9]{40}\.tar\.xz$', - r'^valentina-macOS_10.13\+-Qt.*-x64-develop-multibundle-[a-f0-9]{40}$', - r'^valentina-macOS.*\+-Qt.*-arm.*-develop-[a-f0-9]{40}\.tar\.xz$', - r'^valentina-macOS.*\+-Qt.*-arm.*-develop-multibundle-[a-f0-9]{40}$'] + r'^valentina-macOS_11\+-Qt.*-x64-develop-[a-f0-9]{40}\.dmg$', + r'^valentina-macOS_10.13\+-Qt.*-x64-develop-[a-f0-9]{40}\.dmg$', + r'^valentina-macOS.*\+-Qt.*-arm.*-develop-[a-f0-9]{40}\.dmg$'] item_types = {}
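Review bot: The new macOS patterns end in `-develop-[a-f0-9]{40}\.dmg$`, but scripts/cirrus-deploy.sh in this same commit uploads multibundle builds as `…-${CIRRUS_BRANCH}-multibundle-${CIRRUS_CHANGE_IN_REPO}.dmg`. None of the three patterns match that name, so `run_clean` will presumably never prune those files and they will accumulate in the upload folder. Make the segment optional in each macOS pattern, e.g. `-develop(-multibundle)?-[a-f0-9]{40}\.dmg$`. The `.` in `macOS_10.13` is also unescaped and matches any character; `macOS_10\.13` is tighter. Previously uploaded `.tar.xz` archives and multibundle folders stop matching too and need a one-off cleanup; `run_clean` continues outside the hunk.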