@@ -115,21 +115,52 @@ jobs:
115115 run : npm install
116116 - name : Build backend
117117 run : npm run build-backend
118+ - name : Install Apple certificate
119+ # https://docs.github.com/en/actions/use-cases-and-examples/deploying/installing-an-apple-certificate-on-macos-runners-for-xcode-development#add-a-step-to-your-workflow
120+ # We're not uploading to MAS, so we do not include BUILD_PROVISION_PROFILE_BASE64.
121+ env :
122+ BUILD_CERTIFICATE_BASE64 : ${{ secrets.BUILD_CERTIFICATE_BASE64 }}
123+ P12_PASSWORD : ${{ secrets.P12_PASSWORD }}
124+ KEYCHAIN_PASSWORD : ${{ secrets.KEYCHAIN_PASSWORD }}
125+ run : |
126+ # create variables
127+ CERTIFICATE_PATH=$RUNNER_TEMP/build_certificate.p12
128+ PP_PATH=$RUNNER_TEMP/build_pp.mobileprovision
129+ KEYCHAIN_PATH=$RUNNER_TEMP/app-signing.keychain-db
130+
131+ # import certificate and provisioning profile from secrets
132+ echo -n "$BUILD_CERTIFICATE_BASE64" | base64 --decode -o $CERTIFICATE_PATH
133+
134+ # create temporary keychain
135+ security create-keychain -p "$KEYCHAIN_PASSWORD" $KEYCHAIN_PATH
136+ security set-keychain-settings -lut 21600 $KEYCHAIN_PATH
137+ security unlock-keychain -p "$KEYCHAIN_PASSWORD" $KEYCHAIN_PATH
138+
139+ # import certificate to keychain
140+ security import $CERTIFICATE_PATH -P "$P12_PASSWORD" -A -t cert -f pkcs12 -k $KEYCHAIN_PATH
141+ security set-key-partition-list -S apple-tool:,apple: -k "$KEYCHAIN_PASSWORD" $KEYCHAIN_PATH
142+ security list-keychain -d user -s $KEYCHAIN_PATH
118143name : Publish app (macOS)
119144 env :
120145 GITHUB_TOKEN : ${{ secrets.GITHUB_TOKEN }}
121- # Apps built on M1 are displayed as "damaged" if they're missing a code signature
122- # (even if they're perfectly fine).
146+ SIGNING_IDENTITY : ${{ secrets.SIGNING_IDENTITY }}
147+ NOTARIZE_EMAIL : ${{ secrets.NOTARIZE_EMAIL }}
148+ NOTARIZE_PASSWORD : ${{ secrets.NOTARIZE_PASSWORD }}
149+ TEAM_ID : ${{ secrets.TEAM_ID }}
150+ # Note to future developers:
151+ # If we ever lose the Apple dev profile,
152+ # we can return to an ad-hoc signature to get the program to work with warnings.
123153 #
124- # We aren't going to code-sign, but we can "ad-hoc code sign" (give a blank signature)
125- # to revert it back to the error that's usually seen on Intel Macs
126- # ("LC3Tools.app" cannot be opened because Apple cannot check it for malicious software.)
154+ # To do so, remove the `Install the Apple certificate and provisioning profile` step,
155+ # and replace this step with:
156+ # run: |
157+ # npm run package
158+ # codesign --force --deep -s - ./out/*/*.app
159+ # npm run publish -- --skip-package
127160 #
128- # This unfortunately complicates the command a bit since we have to apply codesign
129- # in the middle of the publishing process.
161+ # This reverts the program to the error that is usually seen on Intel Macs:
162+ # ("LC3Tools.app" cannot be opened because Apple cannot check it for malicious software.)
130163 #
131164 # https://github.com/electron-userland/electron-builder/issues/5850#issuecomment-1821648559
132165 run : |
133- npm run package
134- codesign --force --deep -s - ./out/*/*.app
135- npm run publish -- --skip-package
166+ npm run publish
0 commit comments