Fix codesign macos for application and installer
hiento09 authored and jan-service-account committed Aug 2, 2024
1 parent d5b8a55 commit 63bd157
Showing 2 changed files with 56 additions and 28 deletions.
78 changes: 52 additions & 26 deletions .github/workflows/cortex-build.yml
@@ -110,11 +110,29 @@ jobs:
env:
CODE_SIGN_P12_BASE64: ${{ secrets.CODE_SIGN_P12_BASE64 }}

- uses: apple-actions/import-codesign-certs@v2
- name: Install the Apple certificate and provisioning profile
if: runner.os == 'macOS'
with:
p12-file-base64: ${{ secrets.CODE_SIGN_P12_BASE64 }}
p12-password: ${{ secrets.CODE_SIGN_P12_PASSWORD }}
env:
BUILD_CERTIFICATE_BASE64: ${{ secrets.CODE_SIGN_P12_BASE64 }}
P12_PASSWORD: ${{ secrets.CODE_SIGN_P12_PASSWORD }}
KEYCHAIN_PASSWORD: ${{ secrets.KEYCHAIN_PASSWORD }}
run: |
# create variables
CERTIFICATE_PATH=$RUNNER_TEMP/build_certificate.p12
KEYCHAIN_PATH=$RUNNER_TEMP/app-signing.keychain-db
# import certificate and provisioning profile from secrets
echo -n "$BUILD_CERTIFICATE_BASE64" | base64 --decode -o $CERTIFICATE_PATH
# create temporary keychain
security create-keychain -p "$KEYCHAIN_PASSWORD" $KEYCHAIN_PATH
security set-keychain-settings -lut 21600 $KEYCHAIN_PATH
security unlock-keychain -p "$KEYCHAIN_PASSWORD" $KEYCHAIN_PATH
# import certificate to keychain
security import $CERTIFICATE_PATH -P "$P12_PASSWORD" -A -t cert -f pkcs12 -k $KEYCHAIN_PATH
security set-key-partition-list -S apple-tool:,apple: -k "$KEYCHAIN_PASSWORD" $KEYCHAIN_PATH
security list-keychain -d user -s $KEYCHAIN_PATH
- name: Build
run: |
@@ -214,7 +232,10 @@ jobs:
NODE_AUTH_TOKEN: ${{ secrets.NPM_TOKEN }}
working-directory: ./cortex-cpp

## cortex-cpp node binding
- name: Clean up keychain
if: ${{ always() && runner.os == 'macOS' }}
run: |
security delete-keychain $RUNNER_TEMP/app-signing.keychain-db
build-cortex-single-binary:
runs-on: ${{ matrix.runs-on }}
@@ -289,20 +310,6 @@ jobs:
- run: yarn install && yarn build:binary
working-directory: ./cortex-js

- name: Get Cer for code signing
if: runner.os == 'macOS'
run: base64 -d <<< "$CODE_SIGN_P12_BASE64" > /tmp/codesign.p12
shell: bash
env:
CODE_SIGN_P12_BASE64: ${{ secrets.CODE_SIGN_P12_BASE64 }}

- uses: apple-actions/import-codesign-certs@v2
continue-on-error: true
if: runner.os == 'macOS'
with:
p12-file-base64: ${{ secrets.CODE_SIGN_P12_BASE64 }}
p12-password: ${{ secrets.CODE_SIGN_P12_PASSWORD }}

- name: update app info
run: |
cd cortex-js
@@ -321,18 +328,32 @@ jobs:
- name: Code Signing macOS
if: runner.os == 'macOS'
env:
BUILD_CERTIFICATE_BASE64: ${{ secrets.CODE_SIGN_P12_BASE64 }}
P12_PASSWORD: ${{ secrets.CODE_SIGN_P12_PASSWORD }}
KEYCHAIN_PASSWORD: ${{ secrets.KEYCHAIN_PASSWORD }}
run: |
cd cortex-js
./dist/cortexso-macos --help
echo "--------"
./cortex --help
make codesign-binary CODE_SIGN=true DEVELOPER_ID="${{ secrets.DEVELOPER_ID }}"
- name: Create MacOS PKG Installer
if: runner.os == 'macOS'
run: |
cd cortex-js
echo "--------"
# create variables
CERTIFICATE_PATH=$RUNNER_TEMP/build_certificate.p12
KEYCHAIN_PATH=$RUNNER_TEMP/app-signing.keychain-db
# import certificate and provisioning profile from secrets
echo -n "$BUILD_CERTIFICATE_BASE64" | base64 --decode -o $CERTIFICATE_PATH
# create temporary keychain
security create-keychain -p "$KEYCHAIN_PASSWORD" $KEYCHAIN_PATH
security set-keychain-settings -lut 21600 $KEYCHAIN_PATH
security unlock-keychain -p "$KEYCHAIN_PASSWORD" $KEYCHAIN_PATH
# import certificate to keychain
security import $CERTIFICATE_PATH -P "$P12_PASSWORD" -A -t cert -f pkcs12 -k $KEYCHAIN_PATH
security set-key-partition-list -S apple-tool:,apple: -k "$KEYCHAIN_PASSWORD" $KEYCHAIN_PATH
security list-keychain -d user -s $KEYCHAIN_PATH
# make codesign-binary CODE_SIGN=true DEVELOPER_ID="${{ secrets.DEVELOPER_ID }}"
npx cpx ./cortex ./installer
./installer/cortex --help
pkgbuild --identifier ai.cortex.pkg --install-location ./usr/local/bin/ --root ./installer cortex-installer.pkg
@@ -433,6 +454,11 @@ jobs:
name: cortex-linux
path: ./cortex-js/cortex

- name: Clean up keychain
if: ${{ always() && runner.os == 'macOS' }}
run: |
security delete-keychain $RUNNER_TEMP/app-signing.keychain-db
update_release_draft:
needs: [build-and-test, build-cortex-single-binary]
permissions:
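Review bot: The decoded signing certificate at `$RUNNER_TEMP/build_certificate.p12` is never removed: both new "Clean up keychain" steps only run `security delete-keychain`, so the .p12 outlives the job on any runner that is not ephemeral (the runner type is not visible here, `runs-on` comes from the matrix). Delete it as soon as it has been imported, e.g. `rm -f "$CERTIFICATE_PATH"` right after `security import`, in both the "Install the Apple certificate and provisioning profile" step and the keychain setup of the second job. The import also passes `-A`, which lets any application use the private key without a prompt; `-T /usr/bin/codesign -T /usr/bin/productsign` would limit access to the two tools the Makefile calls. The path variables are unquoted throughout, so `"$KEYCHAIN_PATH"` and `"$CERTIFICATE_PATH"` should be quoted in the `security` and `base64` calls.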
6 changes: 4 additions & 2 deletions cortex-js/Makefile
@@ -29,7 +29,7 @@ else ifeq ($(shell uname -s),Linux)
@echo "Skipping Code Sign for linux"
@exit 0
else
find "cortex" -type f -exec codesign --force -s "$(DEVELOPER_ID)" --options=runtime {} \;
codesign --force -s "$(DEVELOPER_ID)" --options=runtime ./cortex;
endif

codesign-installer:
@@ -45,7 +45,9 @@ else ifeq ($(shell uname -s),Linux)
@echo "Skipping Code Sign for linux"
@exit 0
else
find "cortex" -type f -exec codesign --force -s "$(DEVELOPER_ID)" --options=runtime {} \;
productsign --sign "Developer ID Installer: $(DEVELOPER_ID)" cortex-installer.pkg cortex-installer-signed.pkg;
rm cortex-installer.pkg;
mv cortex-installer-signed.pkg cortex-installer.pkg;
endif

postbundle:
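Review bot: Neither recipe checks the signature it has just produced: after `codesign --force -s "$(DEVELOPER_ID)" --options=runtime ./cortex` and after the `productsign` / `rm` / `mv` sequence, nothing confirms that the artifact carries the intended Developer ID identity. Add `codesign --verify --strict --verbose=2 ./cortex` to the binary recipe and `pkgutil --check-signature cortex-installer.pkg` after the `mv`, so a wrong or missing signature is caught in the build rather than after release. If these artifacts are meant to be notarized, passing `--timestamp` to both `codesign` and `productsign` makes the secure timestamp explicit instead of relying on the tool default. Both recipes start above the visible hunks, so the enclosing `ifeq` conditions are not shown here.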
