Signs and notarizes a sample app #9
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| name: Signs and notarizes a sample app | |
| on: | |
| workflow_dispatch: | |
| jobs: | |
| sign_and_notarize: | |
| runs-on: macos-latest | |
| env: | |
| IS_RELEASE_BUILD: ${{ github.ref == 'refs/heads/main' && 'true' || false }} | |
| steps: | |
| - name: Checkout | |
| uses: actions/checkout@v4 | |
| - name: Build | |
| run: | | |
| xcodebuild clean build \ | |
| -project sample/sample.xcodeproj \ | |
| -scheme sample \ | |
| -destination platform=macOS \ | |
| -derivedDataPath /Users/runner/work/demo-macos/demo-macos/build \ | |
| -configuration Release \ | |
| CODE_SIGN_INJECT_BASE_ENTITLEMENTS=NO | |
| mv ./build/Build/Products/Release/sample.app ./build/sample.app | |
| - name: Install SignPath MacOSCryptoTokenKit | |
| run: | | |
| # TODO: replace with real download URL once available | |
| curl -o SignPathCryptoTokenKit.dmg https://download.signpath.io/cryptoproviders/macos-cryptotokenkit/2.0.0/SignPathCryptoTokenKit.dmg | |
| codesign -dv --verbose SignPathCryptoTokenKit.dmg | |
| hdiutil attach ./SignPathCryptoTokenKit.dmg -mountroot ./tools | |
| - name: Sign .app file | |
| env: | |
| SIGNPATH_API_TOKEN: ${{ secrets.SIGNPATH_API_TOKEN }} | |
| SIGNPATH_SIGNING_POLICY_SLUG: "${{ env.IS_RELEASE_BUILD == 'true' && 'release-signing' || 'test-signing' }}" | |
| run: | | |
| open "./tools/SignPathCryptoTokenKit/SignPathCryptoTokenKit.app" --args \ | |
| --organization-id ${{ vars.SIGNPATH_ORGANIZATION_ID }} \ | |
| --project-slug ${{ vars.SIGNPATH_PROJECT_SLUG }} \ | |
| --signing-policy-slug ${{ env.SIGNPATH_SIGNING_POLICY_SLUG }} | |
| sleep 20 # wait for token to be registered | |
| # sign | |
| codesign -f --timestamp --options=runtime \ | |
| -s "${{ vars.CERTIFICATE_SUBJECT_NAME }}" \ | |
| --entitlements sample/sample/sample.entitlements \ | |
| ./build/sample.app | |
| # check signature | |
| codesign -dv --verbose ./build/sample.app | |
| - name: Create .dmg file | |
| run: | | |
| hdiutil create -format UDZO -srcfolder ./build/sample.app ./build/sample.dmg | |
| - name: Sign .dmg file | |
| run: | | |
| # sign | |
| codesign -f --timestamp --options=runtime \ | |
| -s "${{ vars.CERTIFICATE_SUBJECT_NAME }}" \ | |
| --entitlements sample/sample/sample.entitlements \ | |
| ./build/sample.dmg | |
| # check signature | |
| codesign -dv --verbose ./build/sample.dmg | |
| - name: Notarize .dmg file | |
| if: ${{ env.IS_RELEASE_BUILD == 'true' }} | |
| run: | | |
| # submit the software to Apple | |
| xcrun notarytool submit ./build/sample.dmg \ | |
| --apple-id ${{ vars.APPLE_ID }} \ | |
| --team-id ${{ vars.APPLE_TEAM_ID }} \ | |
| --password ${{ secrets.APPLE_NOTARIZATION_APP_SPECIFIC_PASSWORD }} \ | |
| --wait \ | |
| --timeout 15m | |
| # staple the notarization result | |
| xcrun stapler staple ./build/sample.dmg | |
| - name: Upload .dmg file as build artifact | |
| uses: actions/upload-artifact@v4 | |
| with: | |
| name: sample | |
| path: ./build/sample.dmg |