Add signing for mac osx.

.github/workflows/deployment.yml

@@ -19,6 +19,7 @@ env:
   SpringerNatureAPIKey: ${{ secrets.SpringerNatureAPIKey }}
   AstrophysicsDataSystemAPIKey: ${{ secrets.AstrophysicsDataSystemAPIKey }}
   IEEEAPIKey: ${{ secrets.IEEEAPIKey }}
+  OSXCERT: ${{ secrets.OSX_SIGNING_CERT }}
 
 jobs:
   build:
@@ -36,10 +37,8 @@ jobs:
           - os: macOS-latest
             displayName: macOS
             archivePortable: brew install pigz && tar -c -C build/distribution JabRef.app | pigz --rsyncable > build/distribution/JabRef-portable_macos.tar.gz && rm -R build/distribution/JabRef.app
-
     runs-on: ${{ matrix.os }}
     name: Create installer and portable version for ${{ matrix.displayName }}
-
     steps:
       - name: Fetch all history for all tags and branches
         uses: actions/checkout@v2
@@ -48,41 +47,98 @@ jobs:
       - name: Install GitVersion
         uses: gittools/actions/gitversion/[email protected]
         with:
-          versionSpec: '5.2.x'
+          versionSpec: "5.2.x"
       - name: Run GitVersion
         id: gitversion
         uses: gittools/actions/gitversion/[email protected]
-      - name: Set up JDK
+      - name: Set up Adotptopen JDK mac
+        uses: joschi/setup-jdk@v2
+        with:
+          # reason: https://bugs.openjdk.java.net/browse/JDK-8238184
+          java-version: 15
+          release_type: ea
+        if: matrix.os == 'macos-latest'
+      - name: Set up JDK for linux and windows
         uses: actions/setup-java@v1
         with:
-          java-version: 14
+          java-version: 15-ea
+        if: matrix.os != 'macos-latest'
       - name: Restore gradle cache
         uses: actions/cache@master
         with:
           path: ~/.gradle/caches
           key: ${{ runner.os }}-gradle-${{ hashFiles('**/*.gradle*') }}
           restore-keys: |
             ${{ runner.os }}-gradle-
+      - name: Setup OSX key chain on OSX
+        if: matrix.os == 'macos-latest'
+        uses: apple-actions/import-codesign-certs@v1
+        with:
+          p12-file-base64: ${{ secrets.OSX_SIGNING_CERT }}
+          p12-password: ${{ secrets.OSX_CERT_PWD }}
+          keychain-password: jabref
+      - name: Setup OSX key chain on OSX for app id cert
+        if: matrix.os == 'macos-latest'
+        uses: apple-actions/import-codesign-certs@v1
+        with:
+          p12-file-base64: ${{ secrets.OSX_SIGNING_CERT_APPLICATION }}
+          p12-password: ${{ secrets.OSX_CERT_PWD }}
+          create-keychain: false
+          keychain-password: jabref
       - name: Build runtime image
         run: ./gradlew -PprojVersion="${{ steps.gitversion.outputs.AssemblySemVer }}" -PprojVersionInfo="${{ steps.gitversion.outputs.InformationalVersion }}" jlinkZip
       - name: Build installer
         run: ./gradlew -i -PprojVersion="${{ steps.gitversion.outputs.AssemblySemVer }}" -PprojVersionInfo="${{ steps.gitversion.outputs.InformationalVersion }}" jpackage
         shell: bash
+      - name: Resign app image for OSX and build dmg
+        if: matrix.os == 'macos-latest'
+        shell: bash
+        run: |
+          codesign --entitlements buildres/mac/myapp.entitlements --options runtime -vvv -f --sign "Developer ID Application: Tobias Diez (W2PU6LW5U5)" build/distribution/JabRef.app/Contents/runtime/Contents/MacOS/libjli.dylib
+          codesign --entitlements buildres/mac/myapp.entitlements --options runtime -vvv -f --sign "Developer ID Application: Tobias Diez (W2PU6LW5U5)" build/distribution/JabRef.app/Contents/MacOS/JabRef
+          codesign --entitlements buildres/mac/myapp.entitlements --options runtime -vvv -f --sign "Developer ID Application: Tobias Diez (W2PU6LW5U5)" build/distribution/JabRef.app
+          jpackage --type pkg --dest build/distribution --name JabRef --app-version "${{ steps.gitversion.outputs.Major }}.${{ steps.gitversion.outputs.Minor }}" --app-image build/distribution/JabRef.app --verbose --type dmg --vendor JabRef --app-version "${{ steps.gitversion.outputs.Major }}.${{ steps.gitversion.outputs.Minor }}" --file-associations buildres/mac/bibtexAssociations.properties --resource-dir buildres/mac
+          codesign -s "Developer ID Application: Tobias Diez (W2PU6LW5U5)" --options runtime --entitlements buildres/mac/myapp.entitlements -vvvv --deep "build/distribution/JabRef-${{ steps.gitversion.outputs.Major }}.${{ steps.gitversion.outputs.Minor }}.dmg"
+          REQUEST_UUID=$(xcrun altool --verbose --notarize-app --primary-bundle-id "org.jabref" --username ${{ secrets.OSX_NOTARIZATION_APP_USERNAME }} --password ${{ secrets.OSX_NOTARIZATION_APP_PWD }} --asc-provider "W2PU6LW5U5" --file "build/distribution/JabRef-${{ steps.gitversion.outputs.Major }}.${{ steps.gitversion.outputs.Minor }}.dmg" | grep RequestUUID | awk '{print $3}')
+          while xcrun altool --notarization-info "$REQUEST_UUID" -u ${{ secrets.OSX_NOTARIZATION_APP_USERNAME }} -p  ${{ secrets.OSX_NOTARIZATION_APP_PWD }} | grep "Status: in progress" > /dev/null; do
+            echo "Verification in progress..."
+            sleep 30
+          done
+          xcrun stapler staple "build/distribution/JabRef-${{ steps.gitversion.outputs.Major }}.${{ steps.gitversion.outputs.Minor }}.dmg"
+          spctl -vvv --assess --type exec build/distribution/JabRef.app
+          codesign -vvv --deep --strict "build/distribution/JabRef-${{ steps.gitversion.outputs.Major }}.${{ steps.gitversion.outputs.Minor }}.dmg"
+          codesign -dvv "build/distribution/JabRef-${{ steps.gitversion.outputs.Major }}.${{ steps.gitversion.outputs.Minor }}.dmg"
+      - name: Build, sign and notarize pkg installer for OSX
+        if: matrix.os == 'macos-latest'
+        shell: bash
+        run: |
+          jpackage --type pkg --dest build/distribution --name JabRef --app-version "${{ steps.gitversion.outputs.Major }}.${{ steps.gitversion.outputs.Minor }}" --app-image build/distribution/JabRef.app --verbose --type pkg --vendor JabRef --app-version "${{ steps.gitversion.outputs.Major }}.${{ steps.gitversion.outputs.Minor }}" --file-associations buildres/mac/bibtexAssociations.properties --resource-dir buildres/mac
+          productsign --sign "Developer ID Installer: Tobias Diez (W2PU6LW5U5)" "build/distribution/JabRef-${{ steps.gitversion.outputs.Major }}.${{ steps.gitversion.outputs.Minor }}.pkg" "build/distribution/JabRef-${{ steps.gitversion.outputs.Major }}.${{ steps.gitversion.outputs.Minor }}-signed.pkg"
+          REQUEST_UUID=$(xcrun altool --verbose --notarize-app --primary-bundle-id "org.jabref" --username ${{ secrets.OSX_NOTARIZATION_APP_USERNAME }} --password ${{ secrets.OSX_NOTARIZATION_APP_PWD }} --asc-provider "W2PU6LW5U5" --file "build/distribution/JabRef-${{ steps.gitversion.outputs.Major }}.${{ steps.gitversion.outputs.Minor }}-signed.pkg" | grep RequestUUID | awk '{print $3}')
+          while xcrun altool --notarization-info "$REQUEST_UUID" -u ${{ secrets.OSX_NOTARIZATION_APP_USERNAME }} -p  ${{ secrets.OSX_NOTARIZATION_APP_PWD }} | grep "Status: in progress" > /dev/null; do
+            echo "Verification in progress..."
+            sleep 30
+          done
+          xcrun stapler staple "build/distribution/JabRef-${{ steps.gitversion.outputs.Major }}.${{ steps.gitversion.outputs.Minor }}-signed.pkg"
+          rm "build/distribution/JabRef-${{ steps.gitversion.outputs.Major }}.${{ steps.gitversion.outputs.Minor }}.pkg"
+          mv "build/distribution/JabRef-${{ steps.gitversion.outputs.Major }}.${{ steps.gitversion.outputs.Minor }}-signed.pkg" "build/distribution/JabRef-${{ steps.gitversion.outputs.Major }}.${{ steps.gitversion.outputs.Minor }}.pkg"
       - name: Package application image
-        run: ${{ matrix.archivePortable }}
         shell: bash
+        run: ${{ matrix.archivePortable }}
       - name: Rename files
+        shell: pwsh
         run: |
           get-childitem -Path build/distribution/*
           get-childitem -Path build/distribution/* | rename-item -NewName {$_.name -replace "${{ steps.gitversion.outputs.AssemblySemVer }}","${{ steps.gitversion.outputs.Major }}.${{ steps.gitversion.outputs.Minor }}"}
           get-childitem -Path build/distribution/* | rename-item -NewName {$_.name -replace "portable","${{ steps.gitversion.outputs.Major }}.${{ steps.gitversion.outputs.Minor }}-portable"}
-        shell: pwsh
       - name: Upload to GitHub workflow artifacts store
         uses: actions/upload-artifact@master
         with:
           name: JabRef-${{ matrix.displayName }}
           path: build/distribution
   deploy:
+    strategy:
+      fail-fast: false
     name: Deploy binaries on builds.jabref.org
     runs-on: ubuntu-latest
     needs: [build]
@@ -137,4 +193,3 @@ jobs:
           ssh_options: '-p 9922'
           src: 'build/distribution/'
           dest: [email protected]:/var/www/builds.jabref.org/www/${{ steps.gitversion.outputs.branchName }}/
-

build.gradle

@@ -685,6 +685,9 @@ jlink {
                     '--icon', "${projectDir}/src/main/resources/icons/jabref.icns",
                     '--resource-dir', "${projectDir}/buildres/mac"
             ]
+            // Due to a signing bug in jpackage we have to first resign the created app and therefore build the dmg manually
+            // See https://bugs.openjdk.java.net/browse/JDK-8251892 for details
+            skipInstaller = true
             installerOptions = [
                     '--verbose',
                     '--vendor', 'JabRef',

buildres/mac/JabRef-dmg-setup.scpt

@@ -0,0 +1,38 @@
+tell application "Finder"
+	set theDisk to a reference to (disks whose URL = "DEPLOY_VOLUME_URL")
+	open theDisk
+
+	set theWindow to a reference to (container window of disks whose URL = "DEPLOY_VOLUME_URL")
+
+	set current view of theWindow to icon view
+	set toolbar visible of theWindow to false
+	set statusbar visible of theWindow to false
+
+	-- size of window should fit the size of background
+	set the bounds of theWindow to {346, 100, 920, 500}
+
+	set theViewOptions to a reference to the icon view options of theWindow
+	set arrangement of theViewOptions to not arranged
+	set icon size of theViewOptions to 128
+
+	set background picture of theViewOptions to POSIX file "DEPLOY_BG_FILE"
+
+	-- Create alias for install location
+	make new alias file at POSIX file "DEPLOY_VOLUME_PATH" to POSIX file "DEPLOY_INSTALL_LOCATION" with properties {name:"DEPLOY_INSTALL_LOCATION"}
+
+	set allTheFiles to the name of every item of theWindow
+	repeat with theFile in allTheFiles
+		set theFilePath to POSIX path of theFile
+		if theFilePath is "DEPLOY_INSTALL_LOCATION" then
+			-- Position install location
+			set position of item theFile of theWindow to {430, 170}
+		else
+			-- Position application or runtime
+			set position of item theFile of theWindow to {140, 170}
+		end if
+	end repeat
+
+	update theDisk without registering applications
+	delay 5
+	close (get window of theDisk)
+end tell

buildres/mac/README.md

@@ -0,0 +1,12 @@
+# Mac Resources
+
+## Modifying DMG Setup scpt
+
+Rename `JabRef-dmg-setup.scpt script` to  `JabRef-dmg-setup.applescript`.
+Only modify the `JabRef-dmg-setup.applescript` in the OS X Script Editor. Afterwards copy over the file and rename it to `JabRef-dmg-setup.scpt`.
+Normally the `scpt` file is a binary compiled variant and the `.applescript` the uncompiled format but jpackage expects the sctp in uncompiled format
+
+## Generate iconsets
+
+To generate icns files use the script under `src/main/resources/icons`
+Install [svg2png](https://formulae.brew.sh/formula/svg2png) and call the script with the svg filename as first argument.

buildres/mac/myapp.entitlements

@@ -0,0 +1,24 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
+<plist version="1.0">
+    <dict>
+        <key>com.apple.security.app-sandbox</key>
+        <false/>
+        <key>com.apple.security.network.server</key>
+        <true/>
+        <key>com.apple.security.network.client</key>
+        <true/>
+        <key>com.apple.security.files.user-selected.read-write</key>
+        <true/>
+        <key>com.apple.security.cs.allow-jit</key>
+        <true/>
+        <key>com.apple.security.cs.allow-unsigned-executable-memory</key>
+        <true/>
+        <key>com.apple.security.cs.disable-executable-page-protection</key>
+        <true/>
+        <key>com.apple.security.cs.disable-library-validation</key>
+        <true/>
+        <key>com.apple.security.cs.allow-dyld-environment-variables</key>
+        <true/>
+    </dict>
+</plist>

buildres/windows/JabRef-post-image.wsf

@@ -23,9 +23,6 @@
         // Add registry values for JabRef Browser Extension
         contents = contents.replace("</Product>", "<DirectoryRef Id=\"TARGETDIR\"><Component Id=\"RegistryJabRefBrowserEntries\" Guid=\"b6bc55ad-905c-4258-89b1-8b37abbe559c\" Win64=\"yes\"><RegistryKey Root=\"HKMU\" Key=\"SOFTWARE\\Mozilla\\NativeMessagingHosts\\org.jabref.jabref\" Action=\"createAndRemoveOnUninstall\" ForceCreateOnInstall=\"yes\"><RegistryValue Type=\"string\" Value=\"[INSTALLDIR]jabref.json\"/></RegistryKey><RegistryKey Root=\"HKMU\" Key=\"Software\\Google\\Chrome\\NativeMessagingHosts\\org.jabref.jabref\" Action=\"createAndRemoveOnUninstall\" ForceCreateOnInstall=\"yes\"><RegistryValue Type=\"string\" Value=\"[INSTALLDIR]jabref-chrome.json\"/></RegistryKey></Component></DirectoryRef><Feature Id=\"BrowserExtension\" Level=\"1\"><ComponentRef Id=\"RegistryJabRefBrowserEntries\" /></Feature></Product>");
 
-        // Specify correct icon in Add/Remove Programs
-        contents = contents.replace("</Product>", "<Property Id=\"ARPPRODUCTICON\" Value=\"DesktopIcon.exe\" /></Product>");
-
         // Specify banner
         contents = contents.replace("</Product>", "<WixVariable Id=\"WixUIBannerBmp\" Value=\"JabRefTopBanner.bmp\" /></Product>");
         //contents = contents.replace("</Product>", "<WixVariable Id=\"WixUIDialogBmp\" Value=\"\" /></Product>");

myapp.entitlements

@@ -0,0 +1,24 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
+<plist version="1.0">
+    <dict>
+        <key>com.apple.security.app-sandbox</key>
+        <false/>
+        <key>com.apple.security.network.server</key>
+        <true/>
+        <key>com.apple.security.network.client</key>
+        <true/>
+        <key>com.apple.security.files.user-selected.read-write</key>
+        <true/>
+        <key>com.apple.security.cs.allow-jit</key>
+        <true/>
+        <key>com.apple.security.cs.allow-unsigned-executable-memory</key>
+        <true/>
+        <key>com.apple.security.cs.disable-executable-page-protection</key>
+        <true/>
+        <key>com.apple.security.cs.disable-library-validation</key>
+        <true/>
+        <key>com.apple.security.cs.allow-dyld-environment-variables</key>
+        <true/>
+    </dict>
+</plist>

src/main/resources/icons/svg2icns.sh

@@ -0,0 +1,30 @@
+#!/bin/sh
+
+set -e
+
+SIZES="
+16,16x16
+32,16x16@2x
+32,32x32
+64,32x32@2x
+128,128x128
+256,128x128@2x
+256,256x256åç
+512,256x256@2x
+512,512x512
+1024,512x512@2x
+"
+
+for SVG in "$@"; do
+    BASE=$(basename "$SVG" | sed 's/\.[^\.]*$//')
+    ICONSET="$BASE.iconset"
+    mkdir -p "$ICONSET"
+    for PARAMS in $SIZES; do
+        SIZE=$(echo $PARAMS | cut -d, -f1)
+        LABEL=$(echo $PARAMS | cut -d, -f2)
+        svg2png "$SVG" -w $SIZE -h $SIZE "$ICONSET"/icon_$LABEL.png
+    done
+
+    iconutil -c icns "$ICONSET"
+    rm -rf "$ICONSET"
+done