From 6f597c9ee9bc93e3018217dffd93cae4c7a089f8 Mon Sep 17 00:00:00 2001 From: Simon Hausmann Date: Thu, 4 Jan 2024 12:05:49 +0100 Subject: [PATCH] WIP: add codesigning --- .github/actions/codesign/action.yaml | 43 ++++++++++++++++++++++++ .github/workflows/slint_tool_binary.yaml | 7 ++++ 2 files changed, 50 insertions(+) create mode 100644 .github/actions/codesign/action.yaml diff --git a/.github/actions/codesign/action.yaml b/.github/actions/codesign/action.yaml new file mode 100644 index 00000000000..aed718e7238 --- /dev/null +++ b/.github/actions/codesign/action.yaml @@ -0,0 +1,43 @@ +# Copyright © SixtyFPS GmbH +# SPDX-License-Identifier: GPL-3.0-only OR LicenseRef-Slint-Royalty-free-1.1 OR LicenseRef-Slint-commercial + +--- +name: Apple Codesign Binary +description: Sign the given binary with the developer certificate + +inputs: + binary: + description: 'Path to binary' + required: true + default: "" + certificate: + description: "certificate secret" + required: true + certificate_password: + description: "certificate password" + required: true + keychain_password: + description: "keychain password to use" + required: true + developer_id: + description: "developer id to use" + required: true + +runs: + using: composite + steps: + - name: Codesign binary + shell: bash + env: + CERT: ${{ inputs.certificate }} + CERT_PW: ${{ inputs.certificate_password }} + KEYCHAIN_PW: ${{ inputs.keychain_password }} + DEV_ID: ${{ inputs.developer_id }} + run: | + echo -n "$CERT" | base64 —-decode -o certificate.p12 + security create-keychain -p $KEYCHAIN_PW build.keychain + security default-keychain -s build.keychain + security unlock-keychain -p $KEYCHAIN_PW build.keychain + security import certificate.p12 -k build.keychain -P $CERT_PW -T /usr/bin/codesign + security set-key-partition-list -S apple-tool:,apple:,codesign: -s -k $KEYCHAIN_PW build.keychain + /usr/bin/codesign --force -s $DEV_ID ${{ inputs.binary }} -v diff --git a/.github/workflows/slint_tool_binary.yaml b/.github/workflows/slint_tool_binary.yaml index f78a4b3500d..e29a65671d2 100644 --- a/.github/workflows/slint_tool_binary.yaml +++ b/.github/workflows/slint_tool_binary.yaml @@ -126,6 +126,13 @@ jobs: cd .. cd tools/${{ github.event.inputs.program || inputs.program }} ../../scripts/prepare_binary_package.sh ../../slint-${{ github.event.inputs.program || inputs.program }} + - uses: ./.github/actions/codesign + with: + binary: slint-${{ github.event.inputs.program || inputs.program }}/slint-${{ github.event.inputs.program || inputs.program }} + certificate: ${{ secrets.APPLE_CERTIFICATE_P12 }} + certificate_password: ${{ secrets.APPLE_CERTIFICATE_P12_PASSWORD }} + keychain_password: ${{ secrets.APPLE_KEYCHAIN_PASSWORD }} + developer_id: ${{ secrets.APPLE_DEV_ID }} - name: Tar artifacts to preserve permissions run: tar czvf slint-${{ github.event.inputs.program || inputs.program }}-macos.tar.gz slint-${{ github.event.inputs.program || inputs.program }} - name: Upload artifact