180 lines
6.9 KiB
YAML
180 lines
6.9 KiB
YAML
|
# This file incorporates work covered by the following copyright and permission notice:
|
||
|
#
|
||
|
# Copyright (c) Mikael Hermansson and Godot Jolt contributors.
|
||
|
# Copyright (c) Dragos Daian.
|
||
|
#
|
||
|
# Permission is hereby granted, free of charge, to any person obtaining a copy of
|
||
|
# this software and associated documentation files (the "Software"), to deal in
|
||
|
# the Software without restriction, including without limitation the rights to
|
||
|
# use, copy, modify, merge, publish, distribute, sublicense, and/or sell copies of
|
||
|
# the Software, and to permit persons to whom the Software is furnished to do so,
|
||
|
# subject to the following conditions:
|
||
|
#
|
||
|
# The above copyright notice and this permission notice shall be included in all
|
||
|
# copies or substantial portions of the Software.
|
||
|
#
|
||
|
# THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
|
||
|
# IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, FITNESS
|
||
|
# FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR
|
||
|
# COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER
|
||
|
# IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN
|
||
|
# CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.
|
||
|
|
||
|
name: GDExtension Sign
|
||
|
description: Sign Mac GDExtension
|
||
|
|
||
|
inputs:
|
||
|
FRAMEWORK_PATH:
|
||
|
description: The path of the artifact. Eg. bin/addons/my_addon/bin/libmy_addon.macos.template_release.universal.framework
|
||
|
required: true
|
||
|
SIGN_FLAGS:
|
||
|
description: The extra flags to use. Eg. --deep
|
||
|
required: false
|
||
|
APPLE_CERT_BASE64:
|
||
|
required: true
|
||
|
description: Base64 file from p12 certificate.
|
||
|
APPLE_CERT_PASSWORD:
|
||
|
required: true
|
||
|
description: Password set when creating p12 certificate from .cer certificate.
|
||
|
APPLE_DEV_PASSWORD:
|
||
|
required: true
|
||
|
description: Apple App-Specific Password. Eg. abcd-abcd-abcd-abcd
|
||
|
APPLE_DEV_ID:
|
||
|
required: true
|
||
|
description: Email used for Apple Id. Eg. email@provider.com
|
||
|
APPLE_DEV_TEAM_ID:
|
||
|
required: true
|
||
|
description: Apple Team Id. Eg. 1ABCD23EFG
|
||
|
APPLE_DEV_APP_ID:
|
||
|
required: true
|
||
|
description: |
|
||
|
Certificate name from get info -> Common name . Eg. Developer ID Application: Common Name (1ABCD23EFG)
|
||
|
outputs:
|
||
|
zip_path:
|
||
|
value: ${{ steps.sign.outputs.path }}
|
||
|
|
||
|
|
||
|
runs:
|
||
|
using: composite
|
||
|
steps:
|
||
|
- name: Sign
|
||
|
id: sign
|
||
|
shell: pwsh
|
||
|
run: |
|
||
|
#!/usr/bin/env pwsh
|
||
|
|
||
|
# Copyright (c) Mikael Hermansson and Godot Jolt contributors.
|
||
|
|
||
|
# Permission is hereby granted, free of charge, to any person obtaining a copy of
|
||
|
# this software and associated documentation files (the "Software"), to deal in
|
||
|
# the Software without restriction, including without limitation the rights to
|
||
|
# use, copy, modify, merge, publish, distribute, sublicense, and/or sell copies of
|
||
|
# the Software, and to permit persons to whom the Software is furnished to do so,
|
||
|
# subject to the following conditions:
|
||
|
|
||
|
# The above copyright notice and this permission notice shall be included in all
|
||
|
# copies or substantial portions of the Software.
|
||
|
|
||
|
# THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
|
||
|
# IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, FITNESS
|
||
|
# FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR
|
||
|
# COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER
|
||
|
# IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN
|
||
|
# CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.
|
||
|
|
||
|
# Taken from https://github.com/godot-jolt/godot-jolt/blob/master/scripts/ci_sign_macos.ps1
|
||
|
|
||
|
Set-StrictMode -Version Latest
|
||
|
$ErrorActionPreference = "Stop"
|
||
|
|
||
|
$CodesignPath = Get-Command codesign | Resolve-Path
|
||
|
|
||
|
$CertificateBase64 = "${{inputs.APPLE_CERT_BASE64}}"
|
||
|
$CertificatePassword = "${{inputs.APPLE_CERT_PASSWORD}}"
|
||
|
$CertificatePath = [IO.Path]::ChangeExtension((New-TemporaryFile), "p12")
|
||
|
|
||
|
$Keychain = "ephemeral.keychain"
|
||
|
$KeychainPassword = (New-Guid).ToString().Replace("-", "")
|
||
|
|
||
|
$DevId = "${{ inputs.APPLE_DEV_ID }}"
|
||
|
$DevTeamId = "${{ inputs.APPLE_DEV_TEAM_ID }}"
|
||
|
$DevPassword = "${{ inputs.APPLE_DEV_PASSWORD }}"
|
||
|
$DeveloperIdApplication = "${{ inputs.APPLE_DEV_APP_ID }}"
|
||
|
|
||
|
if (!$CertificateBase64) { throw "No certificate provided" }
|
||
|
if (!$CertificatePassword) { throw "No certificate password provided" }
|
||
|
if (!$DevId) { throw "No Apple Developer ID provided" }
|
||
|
if (!$DeveloperIdApplication) { throw "No Apple Developer ID Application provided" }
|
||
|
if (!$DevTeamId) { throw "No Apple Team ID provided" }
|
||
|
if (!$DevPassword) { throw "No Apple Developer password provided" }
|
||
|
|
||
|
Write-Output "Decoding certificate..."
|
||
|
|
||
|
$Certificate = [Convert]::FromBase64String($CertificateBase64)
|
||
|
|
||
|
Write-Output "Writing certificate to disk..."
|
||
|
|
||
|
[IO.File]::WriteAllBytes($CertificatePath, $Certificate)
|
||
|
|
||
|
Write-Output "Creating keychain..."
|
||
|
|
||
|
security create-keychain -p $KeychainPassword $Keychain
|
||
|
|
||
|
Write-Output "Setting keychain as default..."
|
||
|
|
||
|
security default-keychain -s $Keychain
|
||
|
|
||
|
Write-Output "Importing certificate into keychain..."
|
||
|
security import $CertificatePath `
|
||
|
-k ~/Library/Keychains/$Keychain `
|
||
|
-P $CertificatePassword `
|
||
|
-T $CodesignPath
|
||
|
Write-Output "Check identities..."
|
||
|
|
||
|
security find-identity
|
||
|
|
||
|
Write-Output "Granting access to keychain..."
|
||
|
|
||
|
security set-key-partition-list -S "apple-tool:,apple:" -s -k $KeychainPassword $Keychain
|
||
|
|
||
|
$Framework = "${{ inputs.FRAMEWORK_PATH }}"
|
||
|
$SignFlags = "${{ inputs.SIGN_FLAGS }}"
|
||
|
$Archive = [IO.Path]::ChangeExtension((New-TemporaryFile), "zip")
|
||
|
|
||
|
Write-Output "Signing '$Framework'..."
|
||
|
|
||
|
& $CodesignPath --verify --timestamp --verbose "$SignFlags" --sign $DeveloperIdApplication "$Framework"
|
||
|
|
||
|
Write-Output "Verifying signing..."
|
||
|
|
||
|
& $CodesignPath --verify -dvvv "$Framework"
|
||
|
|
||
|
Get-ChildItem -Force -Recurse -Path "$Framework"
|
||
|
|
||
|
Write-Output "Archiving framework to '$Archive'..."
|
||
|
|
||
|
ditto -ck -rsrc --sequesterRsrc --keepParent "$Framework" "$Archive"
|
||
|
|
||
|
Write-Output "Submitting archive for notarization..."
|
||
|
|
||
|
$output = xcrun notarytool submit "$Archive" `
|
||
|
--apple-id $DevId `
|
||
|
--team-id $DevTeamId `
|
||
|
--password $DevPassword `
|
||
|
--wait
|
||
|
echo $output
|
||
|
$matches = $output -match '((\d|[a-z])+-(\d|[a-z])+-(\d|[a-z])+-(\d|[a-z])+-(\d|[a-z])+)'
|
||
|
if ($output) {
|
||
|
$id_res = $matches[0].Substring(6)
|
||
|
}
|
||
|
xcrun notarytool log $id_res `
|
||
|
--apple-id $DevId `
|
||
|
--team-id $DevTeamId `
|
||
|
--password $DevPassword `
|
||
|
developer_log.json
|
||
|
get-content developer_log.json
|
||
|
|
||
|
echo "path=$Archive" >> $env:GITHUB_OUTPUT
|
||
|
|
||
|
|