Merge branch 'slippi' into testing/playback-debug-fast

.github/workflows/pr-build.yml

@@ -141,15 +141,15 @@ jobs:
             echo "not release, skipping code signing"
             exit 0;
           }
-          mkdir CodeSignTool
-          cd .\CodeSignTool
-          if (!(Test-Path ".\CodeSignTool\CodeSignTool.bat" -PathType Leaf)) { 
+          if (!(Test-Path ".\CodeSignTool\CodeSignTool.bat" -PathType Leaf)) {
+            mkdir CodeSignTool
+            cd .\CodeSignTool
             Invoke-WebRequest -Uri https://www.ssl.com/download/codesigntool-for-windows/ -UseBasicParsing -OutFile ".\CodeSignTool.zip"
             7z x CodeSignTool.zip
             Remove-Item CodeSignTool.zip
           }
           ./CodeSignTool.bat sign -credential_id="${{ secrets.ES_CREDENTIAL_ID }}" -username="${{ secrets.ES_USERNAME }}" -password="${{ secrets.ES_PASSWORD }}" -totp_secret="${{ secrets.ES_TOTP_SECRET }}" -input_file_path="${{ github.workspace }}\Binary\x64\Slippi Dolphin.exe" -override="true"
-      - name: "Package ${{ matrix.build_type}} Dolphin"
+      - name: "Package ${{ matrix.build_type }} Dolphin"
         working-directory: ${{ github.workspace }}
         run: |
           $FILE_NAME="${{ env.CURR_DATE }}-${{ env.GIT_HASH }}-${{ env.GIT_TAG }}-${{ matrix.artifact_name }}.zip"

Source/Core/Common/Version.cpp

@@ -24,7 +24,7 @@
 //" " BUILD_TYPE_STR " " SCM_DESC_STR;
 //#endif
 #ifndef IS_PLAYBACK
-#define SLIPPI_REV_STR "3.3.1" // netplay version
+#define SLIPPI_REV_STR "3.4.0" // netplay version
 #else
 #define SLIPPI_REV_STR "3.4.1" // playback version
 #endif

Tools/notarize_netplay.sh

@@ -3,74 +3,62 @@
 # Signing and notarizing only happens on builds where the CI has access
 # to the necessary secrets; this avoids builds in forks where secrets
 # shouldn't be.
+#
+# Portions of the notarization response checks are borrowed from:
+#
+# https://github.com/smittytone/scripts/blob/main/packcli.zsh
+#
+# (They've done the work of figuring out what the reponse formats are, etc)
 
 version="$(echo $GIT_TAG)"
 identifier="com.project-slippi.dolphin"
+filepath=${1:?"need a filepath"}
 
-requeststatus() { # $1: requestUUID
-    requestUUID=${1?:"need a request UUID"}
-    req_status=$(xcrun altool --notarization-info "$requestUUID" \
-        --apiKey "${APPLE_API_KEY}" \
-        --apiIssuer "${APPLE_ISSUER_ID}" 2>&1 \
-    | awk -F ': ' '/Status:/ { print $2; }' )
-    echo "$req_status"
-}
+echo "Attempting notarization"
 
-logstatus() { # $1: requestUUID
-    requestUUID=${1?:"need a request UUID"}
-    xcrun altool --notarization-info "$requestUUID" \
-        --apiKey "${APPLE_API_KEY}" \
-        --apiIssuer "${APPLE_ISSUER_ID}"
-    echo
-}
+# Submit the DMG for notarization and wait for the flow to finish
+s_time=$(date +%s)
+response=$(xcrun notarytool submit ${filepath} \
+    --wait \
+    --issuer ${APPLE_ISSUER_ID} \
+    --key-id ${APPLE_API_KEY} \
+    --key ~/private_keys/AuthKey_${APPLE_API_KEY}.p8)
 
-notarizefile() { # $1: path to file to notarize, $2: identifier
-    filepath=${1:?"need a filepath"}
-    identifier=${2:?"need an identifier"}
-
-    # upload file
-    echo "## uploading $filepath for notarization"
-    requestUUID=$(xcrun altool --notarize-app \
-        --primary-bundle-id "$identifier" \
-        --apiKey "${APPLE_API_KEY}" \
-        --apiIssuer "${APPLE_ISSUER_ID}" \
-        --file "$filepath" 2>&1 \
-    | awk '/RequestUUID/ { print $NF; }')
-
-    echo "Notarization RequestUUID: $requestUUID"
-
-    if [[ $requestUUID == "" ]]; then 
-        echo "could not upload for notarization"
-        exit 1
-    fi
-
-    # wait for status to be not "in progress" any more
-    # Checks for up to ~10 minutes ((20 * 30s = 600) / 60s)
-    for i ({0..20}); do
-        request_status=$(requeststatus "$requestUUID")
-        echo "Status: ${request_status}"
+# Get the notarization job ID from the response
+job_id_line=$(grep -m 1 '  id:' < <(echo -e "${response}"))
+job_id=$(echo "${job_id_line}" | cut -d ":" -s -f 2 | cut -d " " -f 2)
 
-        # Why can this report two different cases...?
-        if [ $? -ne 0 ] || [[ "${request_status}" =~ "invalid" ]] || [[ "${request_status}" =~ "Invalid" ]]; then
-            logstatus "$requestUUID"
-            echo "Error with notarization. Exiting!"
-            exit 1
-        fi
+# Log some debug timing info.
+e_time=$(date +%s)
+n_time=$((e_time - s_time))
+echo "Notarization call completed after ${n_time} seconds. Job ID: ${job_id}"
 
-        if [[ "${request_status}" =~ "success" ]]; then
-            logstatus "$requestUUID"
-            echo "Successfully notarized! Stapling notarization status to ${filepath}"
-            xcrun stapler staple "$filepath"
-            exit 0
-        fi
+# Extract the status of the notarization job.
+status_line=$(grep -m 1 '  status:' < <(echo -e "${response}"))
+status_result=$(echo "${status_line}" | cut -d ":" -s -f 2 | cut -d " " -f 2)
 
-        echo "Still in progress, will check again in 30s"
-        sleep 30
-    done
+# Fetch and echo the log *before* bailing if it's bad, so we can tell if there's
+# a deeper error we need to handle.
+log_response=$(xcrun notarytool log \
+    --issuer ${APPLE_ISSUER_ID} \
+    --key-id ${APPLE_API_KEY} \
+    --key ~/private_keys/AuthKey_${APPLE_API_KEY}.p8 \
+    ${job_id})
+echo "${log_response}"
 
-    echo "Notarization request timed out - status below; maybe it needs more time?"
-    logstatus "$requestUUID"
-}
+if [[ ${status_result} != "Accepted" ]]; then
+    echo "Notarization failed with status ${status_result}"
+    exit 1
+fi
 
-echo "Attempting notarization"
-notarizefile "$1" "$identifier"
+# Attempt to staple the notarization result to the app.
+echo "Successfully notarized! Stapling notarization status to ${filepath}"
+success=$(xcrun stapler staple "${filepath}")
+if [[ -z "${success}" ]]; then
+    echo "Could not staple notarization to app"
+    exit 1
+fi
+
+# Confirm the staple actually worked...
+echo "Checking notarization to ${filepath}"
+spctl --assess -vvv --type install "${filepath}"