diff --git a/.github/workflows/insiders-build.yaml b/.github/workflows/insiders-build.yaml
index 9a10aac..cdadc5f 100644
--- a/.github/workflows/insiders-build.yaml
+++ b/.github/workflows/insiders-build.yaml
@@ -211,20 +211,40 @@ jobs:
 # Turn our base64-encoded certificate back to a regular .p12 file
 echo $MACOS_CERTIFICATE | base64 --decode > certificate.p12
+
+ # Set env variable KEYCHAIN_NAME
+ export KEYCHAIN_NAME="build.keychain"
+ # -------------------
 # We need to create a new keychain, otherwise using the certificate will prompt
 # with a UI dialog asking for the certificate password, which we can't
 # use in a headless CI environment
- security create-keychain -p "$MACOS_CI_KEYCHAIN_PWD" build.keychain
- security list-keychains -d user -s build.keychain
- security default-keychain -d user -s build.keychain
- security unlock-keychain -p "$MACOS_CI_KEYCHAIN_PWD" build.keychain
- security import certificate.p12 -k build.keychain -P "$MACOS_CERTIFICATE_PWD" -T /usr/bin/codesign
- security set-key-partition-list -S apple-tool:,apple:,codesign: -s -k "$MACOS_CI_KEYCHAIN_PWD" build.keychain
+ #
+ # Might need to review this: https://stackoverflow.com/questions/20205162/user-interaction-is-not-allowed-trying-to-sign-an-osx-app-using-codesign
+ # Create a new keychain
+ security create-keychain -p "$MACOS_CI_KEYCHAIN_PWD" "${KEYCHAIN_NAME}"
+
+ # Get the current keychain list and add our new continue-on-error:
+ OLD_KEYCHAIN_NAMES=$(security list-keychains -d user | sed -e 's/"//g')
+ security list-keychains -d user -s "${KEYCHAIN_NAME}" ${OLD_KEYCHAIN_NAMES}
+ # security list-keychains -d user -s "${KEYCHAIN_NAME}"
+
+ # Set the new keychain as default REMOVED
+ # security default-keychain -d user -s "${KEYCHAIN_NAME}"
+
+ # Unlock the keychain
+ security unlock-keychain -p "$MACOS_CI_KEYCHAIN_PWD" "${KEYCHAIN_NAME}"
+
+ # Import certificate
+ security import certificate.p12 -k "${KEYCHAIN_NAME}" -P "$MACOS_CERTIFICATE_PWD" -T /usr/bin/codesign
+
+ # Set partition list for the keychain
+ security set-key-partition-list -S apple-tool:,apple:,codesign: -s -k "$MACOS_CI_KEYCHAIN_PWD" "${KEYCHAIN_NAME}"
+
+ # Sign the binary
 codesign --force -s "$MACOS_CERTIFICATE_NAME" -v
"./${DIST_FILE_NAME}" --deep --strict --options=runtime --timestamp --entitlements ./release-config/${DIST_FILE_NAME}.entitlements
- # -------------------
 # Notarize
 # Store the notarization credentials so that we can prevent a UI password dialog from blocking the CI
diff --git a/release-config/butler-sos.entitlements b/release-config/butler-sos.entitlements
index c5acc74..c571a6c 100644
--- a/release-config/butler-sos.entitlements
+++ b/release-config/butler-sos.entitlements
@@ -2,17 +2,11 @@
- com.apple.security.cs.allow-jit
-
- com.apple.security.cs.allow-unsigned-executable-memory
-
- com.apple.security.cs.disable-executable-page-protection
-
- com.apple.security.cs.allow-dyld-environment-variables
-
- com.apple.security.cs.disable-library-validation
-
- com.apple.security.get-task-allow
-
+ com.apple.security.cs.allow-jit
+ com.apple.security.cs.allow-unsigned-executable-memory
+ com.apple.security.cs.disable-executable-page-protection
+ com.apple.security.cs.allow-dyld-environment-variables
+ com.apple.security.cs.disable-library-validation
+ com.apple.security.get-task-allow
\ No newline at end of file
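Review bot: The keychain created by the new `security create-keychain … "${KEYCHAIN_NAME}"` line and the decoded `certificate.p12` holding the signing private key are never removed, so on a self-hosted or reused runner they outlive the job; add a cleanup step guarded by `if: always()` that runs `security delete-keychain "${KEYCHAIN_NAME}"` and `rm -f certificate.p12`. Since `export KEYCHAIN_NAME` only lives in this step's shell, a separate cleanup step needs the name published via `echo "KEYCHAIN_NAME=build.keychain" >> "$GITHUB_ENV"` or repeated literally. `${OLD_KEYCHAIN_NAMES}` is deliberately expanded unquoted in the `list-keychains -s` call so word-splitting yields one argument per existing keychain path, which silently breaks on a path containing spaces; at minimum that intent deserves a comment (`# unquoted on purpose: one argument per keychain path`). The comment `# Get the current keychain list and add our new continue-on-error:` reads like a paste leftover and the commented-out `default-keychain` line marked `REMOVED` should be deleted or given a reason. The `run:` block this hunk belongs to starts before the hunk.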
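Review bot: The new side still lists all six hardened-runtime exceptions (`allow-jit`, `allow-unsigned-executable-memory`, `disable-executable-page-protection`, `allow-dyld-environment-variables`, `disable-library-validation`, `get-task-allow`), and because the element values are not visible in this extract it is unclear whether the commit merely reflows the file or changes what is granted. If they remain enabled, `disable-library-validation` together with `allow-dyld-environment-variables` lets any local process inject a dylib into the signed binary via `DYLD_INSERT_LIBRARIES`, which largely negates the `--options=runtime` flag the workflow passes to codesign, and `get-task-allow` is a debug-only entitlement that Apple's notarization service is documented to reject, which matters because this artifact is notarized in the next step. I would keep only the entitlements the binary demonstrably needs and put a one-line reason above each remaining key, e.g. `<!-- required because: … -->`, so the next reviewer can tell intent from leftovers. The file also now lacks a trailing newline, which should be restored.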