Merge pull request #12123 from mixxxdj/notarytool-2.4

macOS packaging: Fix signing and migrate script to `notarytool`

.github/workflows/build.yml

@@ -136,7 +136,7 @@ jobs:
       SCCACHE_VERSION: "0.3.0"
       # macOS codesigning
       APPLE_CODESIGN_IDENTITY: 2C2B5D3EDCE82BA55E22E9A67F16F8D03E390870
-      MACOS_CODESIGN_OPENSSL_PASSWORD: ${{ secrets.MACOS_CODESIGN_OPENSSL_PASSWORD }}
+      MACOS_CODESIGN_CERTIFICATE_P12_BASE64: ${{ secrets.MACOS_CODESIGN_CERTIFICATE_P12_BASE64 }}
       MACOS_CODESIGN_CERTIFICATE_PASSWORD: ${{ secrets.MACOS_CODESIGN_CERTIFICATE_PASSWORD }}
 
     runs-on: ${{ matrix.os }}
@@ -221,13 +221,10 @@ jobs:
 
       - name: "[macOS] Import Apple code signing identity"
         id: apple_codesign
-        if: runner.os == 'macOS' && env.MACOS_CODESIGN_OPENSSL_PASSWORD != null && env.MACOS_CODESIGN_CERTIFICATE_PASSWORD != null
+        if: runner.os == 'macOS' && env.MACOS_CODESIGN_CERTIFICATE_P12_BASE64 != null && env.MACOS_CODESIGN_CERTIFICATE_PASSWORD != null
         run: |
-          # Decrypt the certificate
-          openssl enc -aes-256-cbc -d -md sha512 \
-            -k "${MACOS_CODESIGN_OPENSSL_PASSWORD}" \
-            -in /Users/runner/work/mixxx/mixxx/packaging/certificates/macos_developer_id_codesign_certificate.p12.enc \
-            -out ~/certificate.p12
+          # Decode the certificate
+          echo "${{ env.MACOS_CODESIGN_CERTIFICATE_P12_BASE64 }}" | base64 -d -o ~/certificate.p12
 
           # Create a temporary keychain for the certificate and import it.
           security create-keychain -p mixxx Mixxx.keychain
@@ -377,17 +374,16 @@ jobs:
         working-directory: build
 
       - name: "[macOS] Sign, Notarize, and Staple Package"
-        if: runner.os == 'macOS' && env.MACOS_CODESIGN_OPENSSL_PASSWORD != null && env.MACOS_CODESIGN_CERTIFICATE_PASSWORD != null && env.APPLE_APP_SPECIFIC_PASSWORD != null
+        if: runner.os == 'macOS' && env.MACOS_CODESIGN_CERTIFICATE_P12_BASE64 != null && env.MACOS_CODESIGN_CERTIFICATE_PASSWORD != null && env.APPLE_APP_SPECIFIC_PASSWORD != null
         run: packaging/macos/sign_notarize_staple.sh build/*.dmg
         # TODO: This timeout may be a bit too conservative under some
         # circumstances. Feel free to increase the timeout once the
         # notarization step is fixed.
         timeout-minutes: 5
         env:
-          APPLE_ID_USERNAME: [email protected]
-          APPLE_BUNDLE_ID: org.mixxx.mixxx
+          APPLE_ID_USERNAME: [email protected]
           APPLE_APP_SPECIFIC_PASSWORD: ${{ secrets.MACOS_NOTARIZATION_APP_SPECIFIC_PASSWORD }}
-          ASC_PROVIDER: FLYL4D545V
+          APPLE_TEAM_ID: JBLRSP95FC
 
       - name: "[Windows] Sign Package"
         if: runner.os == 'Windows' && env.WINDOWS_CODESIGN_CERTIFICATE_PATH != null && env.WINDOWS_CODESIGN_CERTIFICATE_PASSWORD != null

cmake/modules/BundleInstall.cmake.in

@@ -26,15 +26,21 @@ if(DEFINED APPLE_CODESIGN_IDENTITY AND DEFINED APPLE_CODESIGN_ENTITLEMENTS)
           --entitlements "${APPLE_CODESIGN_ENTITLEMENTS}"
           --sign "${APPLE_CODESIGN_IDENTITY}"
           "${PATH_TO_SIGN}"
+          RESULT_VARIABLE CODESIGN_EXIT_CODE
       )
     else()
+      message(STATUS "Signing bundle with hardened runtime and identity ${APPLE_CODESIGN_IDENTITY}")
       execute_process(COMMAND
           codesign --verbose=4 --deep --force --options runtime
           --entitlements "${APPLE_CODESIGN_ENTITLEMENTS}"
           --sign "${APPLE_CODESIGN_IDENTITY}"
           "${PATH_TO_SIGN}"
+          RESULT_VARIABLE CODESIGN_EXIT_CODE
       )
     endif()
+    if(NOT CODESIGN_EXIT_CODE EQUAL 0)
+      message(FATAL_ERROR "Signing ${PATH_TO_SIGN} failed")
+    endif()
   endforeach()
 else()
   message(STATUS "Not signing bundle. Specify -DAPPLE_CODESIGN_IDENTITY and -DAPPLE_CODESIGN_ENTITLEMENTS to cmake before running cpack to sign")

packaging/macos/sign_notarize_staple.sh

@@ -1,58 +1,58 @@
 #!/bin/bash
 
+set -e
+
 DMG_FILE="${1}"
 [ -z "${DMG_FILE}" ] && echo "Pass DMG file name as first argument." >&2 && exit 1
-[ -z "${APPLE_CODESIGN_IDENTITY}" ] && echo "Please set the $APPLE_CODESIGN_IDENTITY env var." >&2 && exit 1
-[ -z "${APPLE_BUNDLE_ID}" ] && echo "Please set the $APPLE_BUNDLE_ID env var." >&2 && exit 1
-[ -z "${APPLE_ID_USERNAME}" ] && echo "Please set the $APPLE_ID_USERNAME env var." >&2 && exit 1
-[ -z "${APPLE_APP_SPECIFIC_PASSWORD}" ] && echo "Please set the $APPLE_APP_SPECIFIC_PASSWORD env var." >&2 && exit 1
-[ -z "${ASC_PROVIDER}" ] && echo "Please set the $ASC_PROVIDER env var." >&2 && exit 1
-
-echo "Signing $DMG_FILE"
-codesign --verbose=4 --options runtime \
-    --sign "${APPLE_CODESIGN_IDENTITY}" "$(dirname "$0")/Mixxx.entitlements" "${DMG_FILE}"
-
-echo "Notarizing $DMG_FILE"
-xcrun altool --notarize-app --primary-bundle-id "${APPLE_BUNDLE_ID}" --username "${APPLE_ID_USERNAME}" \
-    --password "${APPLE_APP_SPECIFIC_PASSWORD}" --asc-provider "${ASC_PROVIDER}" --file "${DMG_FILE}" \
-    --output-format xml > notarize_result.plist
-UUID="$(/usr/libexec/PlistBuddy -c 'Print notarization-upload:RequestUUID' notarize_result.plist)"
-echo "Notarization UUID: $UUID"
-rm notarize_result.plist
-
-# Wait a few seconds to avoid "Could not find the RequestUUID." error
-sleep 5
-
-# wait for confirmation that notarization finished
-while true; do
-    xcrun altool --notarization-info "$UUID" \
-    --username "${APPLE_ID_USERNAME}" --password "${APPLE_APP_SPECIFIC_PASSWORD}" \
-    --output-format xml > notarize_status.plist
-
-    # shellcheck disable=SC2181
-    if [ "$?" != "0" ]; then
-        echo "Notarization failed:"
-        cat notarize_status.plist
-        curl "$(/usr/libexec/PlistBuddy -c 'Print notarization-info:LogFileURL' notarize_status.plist)"
-        exit 1
-    fi
+[ -z "${APPLE_CODESIGN_IDENTITY}" ] && echo 'Please set the APPLE_CODESIGN_IDENTITY env var.' >&2 && exit 1
+[ -z "${APPLE_ID_USERNAME}" ] && echo 'Please set the APPLE_ID_USERNAME env var.' >&2 && exit 1
+[ -z "${APPLE_APP_SPECIFIC_PASSWORD}" ] && echo 'Please set the APPLE_APP_SPECIFIC_PASSWORD env var.' >&2 && exit 1
+[ -z "${APPLE_TEAM_ID}" ] && echo 'Please set the APPLE_TEAM_ID env var.' >&2 && exit 1
+
+tmp_dir="$(mktemp -dt mixxx_notarize)"
+# We want $tmp_dir to expand now, therefore we disable the check
+# shellcheck disable=SC2064
+trap "rm -rf '$tmp_dir'" EXIT
+
+echo "==> Signing $DMG_FILE"
+codesign --verbose=4 --sign "${APPLE_CODESIGN_IDENTITY}" "${DMG_FILE}"
+
+credentials=(
+    --apple-id "${APPLE_ID_USERNAME}"
+    --password "${APPLE_APP_SPECIFIC_PASSWORD}"
+    --team-id "${APPLE_TEAM_ID}"
+)
+
+status_plist="$tmp_dir/status.plist"
 
-    NOTARIZATION_STATUS="$(/usr/libexec/PlistBuddy -c 'Print notarization-info:Status' notarize_status.plist)"
-    if [ "${NOTARIZATION_STATUS}" == "in progress" ]; then
-        echo "Waiting another 10 seconds for notarization to complete"
-        sleep 10
-    elif [ "${NOTARIZATION_STATUS}" == "success" ]; then
+echo "==> Notarizing $DMG_FILE"
+xcrun notarytool submit "${credentials[@]}" --output-format plist --wait "${DMG_FILE}" \
+    > "$status_plist"
+
+cat "$status_plist"
+
+id="$(/usr/libexec/PlistBuddy -c 'Print id' "$status_plist")"
+status="$(/usr/libexec/PlistBuddy -c 'Print status' "$status_plist")"
+
+print_notary_log() {
+    xcrun notarytool log "${credentials[@]}" "$id"
+}
+
+case "${status}" in
+    Accepted)
         echo "Notarization succeeded"
-        break
-    elif [ "${NOTARIZATION_STATUS}" == "invalid" ]; then
-        echo "Notarization failed with status: ${NOTARIZATION_STATUS}"
+        ;;
+    Invalid|Rejected)
+        echo "Notarization failed: ${status}"
+        print_notary_log
         exit 1
-    else
-        echo "Notarization status: ${NOTARIZATION_STATUS}"
-    fi
-done
-
-rm notarize_status.plist
+        ;;
+    *)
+        echo "Unknown notarization status: ${status}"
+        print_notary_log
+        exit 1
+        ;;
+esac
 
-echo "Stapling $DMG_FILE"
+echo "==> Stapling $DMG_FILE"
 xcrun stapler staple -q "${DMG_FILE}"