Fix notarization in actions

kevinrpb · Aug 5, 2024 · d851233 · d851233
1 parent f8117b5
commit d851233
Show file tree

Hide file tree

Showing 2 changed files with 26 additions and 35 deletions.
diff --git a/.github/workflows/build.yaml b/.github/workflows/build.yaml
@@ -18,7 +18,7 @@ jobs:
       matrix:
         # TODO: enable other platforms once I verify the app/build works
         # runs-on: [windows-latest, ubuntu-latest]
-        runs-on: [macos-14]
+        runs-on: [macos-14, windows-latest]
         python-version: ["3.11"]
         poetry-version: ["1.8.3"]
     runs-on: ${{ matrix.runs-on }}
@@ -55,26 +55,30 @@ jobs:
           echo "app_version=$app_version"
           echo "app_version=$app_version" >> "$GITHUB_OUTPUT"
       - name: Set up keychain
-        if: startsWith(github.ref, 'refs/tags/') && startsWith(${{ matrix.runs-on }}, 'macos-')
+        if: |
+          startsWith(matrix.runs-on, 'macos-')
         run: ./scripts/setup_keychain.sh
         env:
-          DEVELOPER_ID_INSTALLER_CER: ${{ secrets.DEVELOPER_ID_INSTALLER_CER }}
-          DEVELOPER_ID_INSTALLER_KEY: ${{ secrets.DEVELOPER_ID_INSTALLER_KEY }}
-          DEVELOPER_ID_APPLICATION_CER: ${{ secrets.DEVELOPER_ID_APPLICATION_CER }}
-          DEVELOPER_ID_APPLICATION_KEY: ${{ secrets.DEVELOPER_ID_APPLICATION_KEY }}
-          KEY_PASSWORD: ${{ secrets.KEY_PASSWORD }}
+          DEVELOPER_ID_INSTALLER: ${{ secrets.DEVELOPER_ID_INSTALLER }}
+          DEVELOPER_ID_APPLICATION: ${{ secrets.DEVELOPER_ID_APPLICATION }}
           P12_PASSWORD: ${{ secrets.P12_PASSWORD }}
           KEYCHAIN_PASSWORD: ${{ secrets.KEYCHAIN_PASSWORD }}
       - name: Build executable
-        if: startsWith(github.ref, 'refs/tags/')
         run: ./scripts/build_executable.sh
         env:
           CODESIGN_IDENTITY: ${{ secrets.CODESIGN_IDENTITY }}
       - name: Notarize app
-        if: startsWith(github.ref, 'refs/tags/') && startsWith(${{ matrix.runs-on }}, 'macos-')
+        if: |
+          startsWith(matrix.runs-on, 'macos-')
         run: ./scripts/notarize_app.sh
+        env:
+          KEYCHAIN_PROFILE: ${{ secrets.KEYCHAIN_PROFILE }}
+          APPLE_ID: ${{ secrets.APPLE_ID }}
+          TEAM_ID: ${{ secrets.TEAM_ID }}
+          NOTARYTOOL_PASSWORD: ${{ secrets.NOTARYTOOL_PASSWORD }}
       - name: Cleanup keychain
-        if: startsWith(github.ref, 'refs/tags/') && startsWith(${{ matrix.runs-on }}, 'macos-')
+        if: |
+          startsWith(matrix.runs-on, 'macos-')
         run: security delete-keychain $RUNNER_TEMP/notarization.keychain-db
       - name: Prepare artifacts
         if: startsWith(github.ref, 'refs/tags/')

diff --git a/scripts/setup_keychain.sh b/scripts/setup_keychain.sh
@@ -1,42 +1,29 @@
 #!/usr/bin/env bash
 
 if [[ -z $RUNNER_TEMP ]]; then
-	echo This script must only be run on GitHub Actions.
+	echo This script must be run on GitHub Actions.
 	exit -1
 fi
 
 KEYCHAIN_PATH=$RUNNER_TEMP/app-signing.keychain-db
 
-# ----- Create certificate files from secrets base64 -----
-echo $DEVELOPER_ID_INSTALLER_CER | base64 --decode >certificate_installer.cer
-echo $DEVELOPER_ID_INSTALLER_KEY | base64 --decode >certificate_installer.key
-echo $DEVELOPER_ID_APPLICATION_CER | base64 --decode >certificate_application.cer
-echo $DEVELOPER_ID_APPLICATION_KEY | base64 --decode >certificate_application.key
+# Get certificates
+echo $DEVELOPER_ID_INSTALLER | base64 --decode >certificate_installer.p12
+echo $DEVELOPER_ID_APPLICATION | base64 --decode >certificate_application.p12
 
-# ----- Create p12 file -----
-openssl pkcs12 -export -name zup \
-	-in certificate_installer.cer \
-	-inkey certificate_installer.key \
-	-passin pass:$KEY_PASSWORD \
-	-out certificate_installer.p12 \
-	-passout pass:$P12_PASSWORD
-openssl pkcs12 -export -name zup \
-	-in certificate_application.cer \
-	-inkey certificate_application.key \
-	-passin pass:$KEY_PASSWORD \
-	-out certificate_application.p12 \
-	-passout pass:$P12_PASSWORD
-
-# ----- Configure Keychain -----
+# Configure Keychain
 security create-keychain -p "$KEYCHAIN_PASSWORD" "$KEYCHAIN_PATH"
 security set-keychain-settings -lut 21600 "$KEYCHAIN_PATH"
 security unlock-keychain -p "$KEYCHAIN_PASSWORD" "$KEYCHAIN_PATH"
 
-# ----- Import certificates on Keychain -----
+# Import certificates
 security import certificate_installer.p12 \
 	-P "$P12_PASSWORD" \
-	-A -t cert -f pkcs12 -k $KEYCHAIN_PATH
+	-k "$KEYCHAIN_PATH" \
+	-A -t cert -f pkcs12
 security import certificate_application.p12 \
 	-P "$P12_PASSWORD" \
-	-A -t cert -f pkcs12 -k $KEYCHAIN_PATH
-security list-keychain -d user -s $KEYCHAIN_PATH
+	-k "$KEYCHAIN_PATH" \
+	-A -t cert -f pkcs12 -k
+
+security list-keychain -d user -s "$KEYCHAIN_PATH"