build(mac): add notarize flow for release artifacts
This commit is contained in:
Peter Steinberger
@@ -3,6 +3,7 @@ set -euo pipefail
|
||||
|
||||
APP_BUNDLE="${1:-dist/Clawdis.app}"
|
||||
IDENTITY="${SIGN_IDENTITY:-}"
|
||||
TIMESTAMP_MODE="${CODESIGN_TIMESTAMP:-auto}"
|
||||
ENT_TMP_BASE=$(mktemp -t clawdis-entitlements-base)
|
||||
ENT_TMP_APP=$(mktemp -t clawdis-entitlements-app)
|
||||
ENT_TMP_APP_BASE=$(mktemp -t clawdis-entitlements-app-base)
|
||||
@@ -47,6 +48,25 @@ fi
|
||||
|
||||
echo "Using signing identity: $IDENTITY"
|
||||
|
||||
timestamp_arg="--timestamp=none"
|
||||
case "$TIMESTAMP_MODE" in
|
||||
1|on|yes|true)
|
||||
timestamp_arg="--timestamp"
|
||||
;;
|
||||
0|off|no|false)
|
||||
timestamp_arg="--timestamp=none"
|
||||
;;
|
||||
auto)
|
||||
if [[ "$IDENTITY" == *"Developer ID Application"* ]]; then
|
||||
timestamp_arg="--timestamp"
|
||||
fi
|
||||
;;
|
||||
*)
|
||||
echo "ERROR: Unknown CODESIGN_TIMESTAMP value: $TIMESTAMP_MODE (use auto|on|off)" >&2
|
||||
exit 1
|
||||
;;
|
||||
esac
|
||||
|
||||
cat > "$ENT_TMP_BASE" <<'PLIST'
|
||||
<?xml version="1.0" encoding="UTF-8"?>
|
||||
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
|
||||
@@ -118,12 +138,12 @@ xattr -cr "$APP_BUNDLE" 2>/dev/null || true
|
||||
sign_item() {
|
||||
local target="$1"
|
||||
local entitlements="$2"
|
||||
codesign --force --options runtime --timestamp=none --entitlements "$entitlements" --sign "$IDENTITY" "$target"
|
||||
codesign --force --options runtime "$timestamp_arg" --entitlements "$entitlements" --sign "$IDENTITY" "$target"
|
||||
}
|
||||
|
||||
sign_plain_item() {
|
||||
local target="$1"
|
||||
codesign --force --options runtime --timestamp=none --sign "$IDENTITY" "$target"
|
||||
codesign --force --options runtime "$timestamp_arg" --sign "$IDENTITY" "$target"
|
||||
}
|
||||
|
||||
# Sign main binary
|
||||
|
||||
65
scripts/notarize-mac-artifact.sh
Executable file
65
scripts/notarize-mac-artifact.sh
Executable file
@@ -0,0 +1,65 @@
|
||||
#!/usr/bin/env bash
|
||||
set -euo pipefail
|
||||
|
||||
# Notarize a macOS artifact (zip/dmg/pkg) and optionally staple the app bundle.
|
||||
#
|
||||
# Usage:
|
||||
# STAPLE_APP_PATH=dist/Clawdis.app scripts/notarize-mac-artifact.sh <artifact>
|
||||
#
|
||||
# Auth (pick one):
|
||||
# NOTARYTOOL_PROFILE keychain profile created via `xcrun notarytool store-credentials`
|
||||
# NOTARYTOOL_KEY path to App Store Connect API key (.p8)
|
||||
# NOTARYTOOL_KEY_ID API key ID
|
||||
# NOTARYTOOL_ISSUER API issuer ID
|
||||
|
||||
ARTIFACT="${1:-}"
|
||||
STAPLE_APP_PATH="${STAPLE_APP_PATH:-}"
|
||||
|
||||
if [[ -z "$ARTIFACT" ]]; then
|
||||
echo "Usage: $0 <artifact>" >&2
|
||||
exit 1
|
||||
fi
|
||||
if [[ ! -e "$ARTIFACT" ]]; then
|
||||
echo "Error: artifact not found: $ARTIFACT" >&2
|
||||
exit 1
|
||||
fi
|
||||
|
||||
if ! command -v xcrun >/dev/null 2>&1; then
|
||||
echo "Error: xcrun not found; install Xcode command line tools." >&2
|
||||
exit 1
|
||||
fi
|
||||
|
||||
auth_args=()
|
||||
if [[ -n "${NOTARYTOOL_PROFILE:-}" ]]; then
|
||||
auth_args+=(--keychain-profile "$NOTARYTOOL_PROFILE")
|
||||
elif [[ -n "${NOTARYTOOL_KEY:-}" && -n "${NOTARYTOOL_KEY_ID:-}" && -n "${NOTARYTOOL_ISSUER:-}" ]]; then
|
||||
auth_args+=(--key "$NOTARYTOOL_KEY" --key-id "$NOTARYTOOL_KEY_ID" --issuer "$NOTARYTOOL_ISSUER")
|
||||
else
|
||||
echo "Error: Notary auth missing. Set NOTARYTOOL_PROFILE or NOTARYTOOL_KEY/NOTARYTOOL_KEY_ID/NOTARYTOOL_ISSUER." >&2
|
||||
exit 1
|
||||
fi
|
||||
|
||||
echo "🧾 Notarizing: $ARTIFACT"
|
||||
xcrun notarytool submit "$ARTIFACT" "${auth_args[@]}" --wait
|
||||
|
||||
case "$ARTIFACT" in
|
||||
*.dmg|*.pkg)
|
||||
echo "📌 Stapling artifact: $ARTIFACT"
|
||||
xcrun stapler staple "$ARTIFACT"
|
||||
xcrun stapler validate "$ARTIFACT"
|
||||
;;
|
||||
*)
|
||||
;;
|
||||
esac
|
||||
|
||||
if [[ -n "$STAPLE_APP_PATH" ]]; then
|
||||
if [[ -d "$STAPLE_APP_PATH" ]]; then
|
||||
echo "📌 Stapling app: $STAPLE_APP_PATH"
|
||||
xcrun stapler staple "$STAPLE_APP_PATH"
|
||||
xcrun stapler validate "$STAPLE_APP_PATH"
|
||||
else
|
||||
echo "Warn: STAPLE_APP_PATH not found: $STAPLE_APP_PATH" >&2
|
||||
fi
|
||||
fi
|
||||
|
||||
echo "✅ Notarization complete"
|
||||
@@ -21,6 +21,16 @@ fi
|
||||
VERSION=$(/usr/libexec/PlistBuddy -c "Print CFBundleShortVersionString" "$APP/Contents/Info.plist" 2>/dev/null || echo "0.0.0")
|
||||
ZIP="$ROOT_DIR/dist/Clawdis-$VERSION.zip"
|
||||
DMG="$ROOT_DIR/dist/Clawdis-$VERSION.dmg"
|
||||
NOTARY_ZIP="$ROOT_DIR/dist/Clawdis-$VERSION.notary.zip"
|
||||
NOTARIZE="${NOTARIZE:-0}"
|
||||
|
||||
if [[ "$NOTARIZE" == "1" ]]; then
|
||||
echo "📦 Notary zip: $NOTARY_ZIP"
|
||||
rm -f "$NOTARY_ZIP"
|
||||
ditto -c -k --sequesterRsrc --keepParent "$APP" "$NOTARY_ZIP"
|
||||
STAPLE_APP_PATH="$APP" "$ROOT_DIR/scripts/notarize-mac-artifact.sh" "$NOTARY_ZIP"
|
||||
rm -f "$NOTARY_ZIP"
|
||||
fi
|
||||
|
||||
echo "📦 Zip: $ZIP"
|
||||
rm -f "$ZIP"
|
||||
@@ -29,3 +39,6 @@ ditto -c -k --sequesterRsrc --keepParent "$APP" "$ZIP"
|
||||
echo "💿 DMG: $DMG"
|
||||
"$ROOT_DIR/scripts/create-dmg.sh" "$APP" "$DMG"
|
||||
|
||||
if [[ "$NOTARIZE" == "1" ]]; then
|
||||
"$ROOT_DIR/scripts/notarize-mac-artifact.sh" "$DMG"
|
||||
fi
|
||||
|
||||
Reference in New Issue
Block a user