diff --git a/.github/workflows/pr-build.yml b/.github/workflows/pr-build.yml
index 05e3352583..6df037f176 100644
--- a/.github/workflows/pr-build.yml
+++ b/.github/workflows/pr-build.yml
@@ -141,15 +141,15 @@ jobs:
 echo "not release, skipping code signing"
 exit 0;
 }
- mkdir CodeSignTool
- cd .\CodeSignTool
- if (!(Test-Path ".\CodeSignTool\CodeSignTool.bat" -PathType Leaf)) {
+ if (!(Test-Path ".\CodeSignTool\CodeSignTool.bat" -PathType Leaf)) {
+ mkdir CodeSignTool
+ cd .\CodeSignTool
 Invoke-WebRequest -Uri https://www.ssl.com/download/codesigntool-for-windows/ -UseBasicParsing -OutFile ".\CodeSignTool.zip"
 7z x CodeSignTool.zip
 Remove-Item CodeSignTool.zip
 }
 ./CodeSignTool.bat sign -credential_id="${{ secrets.ES_CREDENTIAL_ID }}" -username="${{ secrets.ES_USERNAME }}" -password="${{ secrets.ES_PASSWORD }}" -totp_secret="${{ secrets.ES_TOTP_SECRET }}" -input_file_path="${{ github.workspace }}\Binary\x64\Slippi Dolphin.exe" -override="true"
- - name: "Package ${{ matrix.build_type}} Dolphin"
+ - name: "Package ${{ matrix.build_type }} Dolphin"
 working-directory: ${{ github.workspace }}
 run: |
 $FILE_NAME="${{ env.CURR_DATE }}-${{ env.GIT_HASH }}-${{ env.GIT_TAG }}-${{ matrix.artifact_name }}.zip"
diff --git a/Externals/SlippiRustExtensions b/Externals/SlippiRustExtensions
index 6d8737c515..1e9fbf1147 160000
--- a/Externals/SlippiRustExtensions
+++ b/Externals/SlippiRustExtensions
@@ -1 +1 @@
-Subproject commit 6d8737c515feecf9f4cd09f9d893e374d47ddb24
+Subproject commit 1e9fbf11479e20cd07a75f67888c138c7893bc24
diff --git a/Source/Core/Common/Version.cpp b/Source/Core/Common/Version.cpp
index e394750e04..d8e3f5a5cc 100644
--- a/Source/Core/Common/Version.cpp
+++ b/Source/Core/Common/Version.cpp
@@ -24,7 +24,7 @@
 //" " BUILD_TYPE_STR " " SCM_DESC_STR;
 //#endif
 #ifndef IS_PLAYBACK
-#define SLIPPI_REV_STR "3.3.1" // netplay version
+#define SLIPPI_REV_STR "3.4.0" // netplay version
 #else
 #define SLIPPI_REV_STR "3.4.1" // playback version
 #endif
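Review bot: In the `.github/workflows/pr-build.yml` hunk, the archive fetched by `Invoke-WebRequest` is unpacked and its `CodeSignTool.bat` is then run with the signing credential ID, username, password and TOTP secret, with no check that the download is the expected file. Pinning a known digest and comparing it before `7z x` would close that gap, e.g. `if ((Get-FileHash .\CodeSignTool.zip -Algorithm SHA256).Hash -ne $env:CODESIGNTOOL_SHA256) { exit 1 }`, where `CODESIGNTOOL_SHA256` is a placeholder for a value the project pins. Separately, `cd .\CodeSignTool` now runs only inside the `Test-Path` block, so when the tool is already present `./CodeSignTool.bat` is resolved from the starting directory; moving the `cd` below the closing brace keeps both paths consistent. The step starts above the hunk, so its working directory is not visible here.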
diff --git a/Tools/notarize_netplay.sh b/Tools/notarize_netplay.sh
index fe1cc11831..9dd0e1680e 100644
--- a/Tools/notarize_netplay.sh
+++ b/Tools/notarize_netplay.sh
@@ -3,74 +3,62 @@ # Signing and notarizing only happens on builds where the CI has access # to the necessary secrets; this avoids builds in forks where secrets # shouldn't be. +# +# Portions of the notarization response checks are borrowed from: +# +# https://github.com/smittytone/scripts/blob/main/packcli.zsh +# +# (They've done the work of figuring out what the reponse formats are, etc) version="$(echo $GIT_TAG)" identifier="com.project-slippi.dolphin" +filepath=${1:?"need a filepath"} -requeststatus() { # $1: requestUUID - requestUUID=${1?:"need a request UUID"} - req_status=$(xcrun altool --notarization-info "$requestUUID" \ - --apiKey "${APPLE_API_KEY}" \ - --apiIssuer "${APPLE_ISSUER_ID}" 2>&1 \ - | awk -F ': ' '/Status:/ { print $2; }' ) - echo "$req_status" -} +echo "Attempting notarization" -logstatus() { # $1: requestUUID - requestUUID=${1?:"need a request UUID"} - xcrun altool --notarization-info "$requestUUID" \ - --apiKey "${APPLE_API_KEY}" \ - --apiIssuer "${APPLE_ISSUER_ID}" - echo -} +# Submit the DMG for notarization and wait for the flow to finish +s_time=$(date +%s) +response=$(xcrun notarytool submit ${filepath} \ + --wait \ + --issuer ${APPLE_ISSUER_ID} \ + --key-id ${APPLE_API_KEY} \ + --key ~/private_keys/AuthKey_${APPLE_API_KEY}.p8) -notarizefile() { # $1: path to file to notarize, $2: identifier - filepath=${1:?"need a filepath"} - identifier=${2:?"need an identifier"} - - # upload file - echo "## uploading $filepath for notarization" - requestUUID=$(xcrun altool --notarize-app \ - --primary-bundle-id "$identifier" \ - --apiKey "${APPLE_API_KEY}" \ - --apiIssuer "${APPLE_ISSUER_ID}" \ - --file "$filepath" 2>&1 \ - | awk '/RequestUUID/ { print $NF; }') - - echo "Notarization RequestUUID: $requestUUID" - - if [[ $requestUUID == "" ]]; then - echo "could not upload for notarization" - exit 1 - fi - - # wait for status to be not "in progress" any more - # Checks for up to ~10 minutes ((20 * 30s = 600) / 60s) - for i ({0..20}); do - 
request_status=$(requeststatus "$requestUUID") - echo "Status: ${request_status}" +# Get the notarization job ID from the response +job_id_line=$(grep -m 1 ' id:' < <(echo -e "${response}")) +job_id=$(echo "${job_id_line}" | cut -d ":" -s -f 2 | cut -d " " -f 2) - # Why can this report two different cases...? - if [ $? -ne 0 ] || [[ "${request_status}" =~ "invalid" ]] || [[ "${request_status}" =~ "Invalid" ]]; then - logstatus "$requestUUID" - echo "Error with notarization. Exiting!" - exit 1 - fi +# Log some debug timing info. +e_time=$(date +%s) +n_time=$((e_time - s_time)) +echo "Notarization call completed after ${n_time} seconds. Job ID: ${job_id}" - if [[ "${request_status}" =~ "success" ]]; then - logstatus "$requestUUID" - echo "Successfully notarized! Stapling notarization status to ${filepath}" - xcrun stapler staple "$filepath" - exit 0 - fi +# Extract the status of the notarization job. +status_line=$(grep -m 1 ' status:' < <(echo -e "${response}")) +status_result=$(echo "${status_line}" | cut -d ":" -s -f 2 | cut -d " " -f 2) - echo "Still in progress, will check again in 30s" - sleep 30 - done +# Fetch and echo the log *before* bailing if it's bad, so we can tell if there's +# a deeper error we need to handle. +log_response=$(xcrun notarytool log \ + --issuer ${APPLE_ISSUER_ID} \ + --key-id ${APPLE_API_KEY} \ + --key ~/private_keys/AuthKey_${APPLE_API_KEY}.p8 \ + ${job_id}) +echo "${log_response}" - echo "Notarization request timed out - status below; maybe it needs more time?" - logstatus "$requestUUID" -} +if [[ ${status_result} != "Accepted" ]]; then + echo "Notarization failed with status ${status_result}" + exit 1 +fi -echo "Attempting notarization" -notarizefile "$1" "$identifier" +# Attempt to staple the notarization result to the app. +echo "Successfully notarized! 
Stapling notarization status to ${filepath}" +success=$(xcrun stapler staple "${filepath}") +if [[ -z "${success}" ]]; then + echo "Could not staple notarization to app" + exit 1 +fi + +# Confirm the staple actually worked... +echo "Checking notarization to ${filepath}" +spctl --assess -vvv --type install "${filepath}"
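Review bot: The staple step near the end of the hunk decides success from whether `xcrun stapler staple` printed anything (`[[ -z "${success}" ]]`), not from its exit status, so a failed staple that still prints output would pass this check; `if ! xcrun stapler staple "${filepath}"; then` tests the result directly. The `notarytool submit` and `notarytool log` calls also expand `${filepath}`, `${APPLE_ISSUER_ID}`, `${APPLE_API_KEY}` and `${job_id}` unquoted, where the removed code quoted its arguments, so a path containing spaces is split into several words. The exit status of `submit` is never checked and `job_id` is scraped from the text response, so an authentication or upload failure appears to reach `notarytool log` with an empty job ID; a guard such as `[[ -n "${job_id}" ]] || { echo "no job id in notarytool response" >&2; exit 1; }` before the log call would fail early with a clear message.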