WIP add macos dmg signing

2024-07-05 12:29:05 +02:00 · 2023-12-03 11:42:51 +01:00 · 2023-12-03 11:42:51 +01:00 · 0cd141a12b
commit 0cd141a12b
parent 3657ebb026
4 changed files with 41 additions and 5 deletions
--- a/CMake/CopyRecursive.cmake
+++ b/CMake/CopyRecursive.cmake
@ -22,7 +22,7 @@ function(copy_recursive SOURCE_PATH DESTINATION_PATH REGEX)
        file(RELATIVE_PATH RELATIVE_FILE_PATH ${SOURCE_PATH} ${file})
        get_filename_component(FOLDER ${RELATIVE_FILE_PATH} DIRECTORY ${SOURCE_PATH})
        file(MAKE_DIRECTORY ${DESTINATION_PATH}/${FOLDER} )
-        message(STATUS "${file}   - ${DESTINATION_PATH}/${RELATIVE_FILE_PATH}")
+        #message(STATUS "${file}   - ${DESTINATION_PATH}/${RELATIVE_FILE_PATH}")
        configure_file(${file} "${DESTINATION_PATH}/${RELATIVE_FILE_PATH}" COPYONLY)
    endforeach()

--- a/Docs/macOSSigning.md
+++ b/Docs/macOSSigning.md
@ -119,4 +119,24 @@ Run the follwoing if you get an signing error:
 Error: HTTP status code: 403. A required agreement is missing or has expired. This request requires an in-effect agreement that has not been signed or has expired. Ensure your team has signed the necessary legal agreements and that they are not expired.
 ```

-Go to [appstoreconnect.apple.com](https://appstoreconnect.apple.com) and accept the updated  'Apple Developer Program License Agreement'.
+Go to [appstoreconnect.apple.com](https://appstoreconnect.apple.com) and accept the updated  'Apple Developer Program License Agreement'.
+
+## Dmg signing
+Ensure you have both a Developer ID Application certificate and a Developer ID Installer certificate in your Keychain. You can check this in the Keychain Access app.
+- Developer ID Application Certificate: 
+    - Used for code signing the application itself. This ensures that the app is from a known developer and hasn't been tampered with since it was signed.
+- Developer ID Installer Certificate: 
+    - Used specifically for signing installer packages like PKG files or disk images (DMGs). This is separate from the application certificate and is specifically for the installer.
+1. Check Your Certificates at https://developer.apple.com/account/resources/certificates/list and create a new one `Mac Installer Distribution
+This certificate is used to sign your app's Installer Package for submission to the Mac App Store.` 
+2. `Upload a Certificate Signing Request`. To manually generate a Certificate, you need a Certificate Signing Request (CSR) file from your Mac. https://developer.apple.com/help/account/create-certificates/create-a-certificate-signing-request
+    1. Launch Keychain Access located in /Applications/Utilities.
+    1. Choose Keychain Access > Certificate Assistant > Request a Certificate from a Certificate Authority.
+    1. In the Certificate Assistant dialog, enter an email address in the User Email Address field.
+    1. In the Common Name field, enter a name for the key (for example, Gita Kumar Dev Key). 
+    1. Leave the CA Email Address field empty.
+    1. Choose “Saved to disk,” call it something like `CertificateSigningRequest_Tachiom_Installer_Certificate` then click Continue.
+3. Download the new certificate
+4. Download your certificate to your Mac, then double click the .cer file to install in Keychain Access. IMPORTANT: Select `Keychan: Login` in the dropdown! Make sure to save a backup copy of your private and public keys somewhere secure.
+    - The "login" keychain is tied to your user account and unlocks when you log in, making it a convenient location for development-related certificates. The "System" keychain is more restrictive and requires admin permissions for access, while the "Local Items" keychain is specific to iCloud Keychain items.
+5. This should now be displayed like `3rd Party Mac Developer Installer: Elias Steurer (V887LHYKRH)` and be valid one year.
--- a/Tools/build.py
+++ b/Tools/build.py
@ -78,10 +78,26 @@ def execute(
        print(f"⏱️ build_installer_duration: {build_installer_duration}s")

        if platform.system() == "Darwin":
+            # TODO FIX installer signing
+            return
            if (build_config.sign_osx):
+                # Base directory
+                base_dir = Path(build_config.build_folder)
+
+                # Paths for the original and new filenames
+                original_file = base_dir / 'ScreenPlay-Installer-ScreenPlayComponent.dmg'
+                new_file = base_dir / 'ScreenPlay-Installer.dmg'
+
+                # Renaming the file
+                try:
+                    original_file.rename(new_file)
+                    print(f"File renamed successfully to {new_file}")
+                except OSError as error:
+                    print(f"Error: {error}")
+
                print(
-                    f"Sign ScreenPlay-installer.dmg at: {build_config.bin_dir}")
-                macos_sign.sign_dmg(build_config=build_config)
+                    f"Sign ScreenPlay-installer.dmg at: {new_file}")
+                macos_sign.sign_dmg(build_config)

    # Create a zip file of the build
    if platform.system() != "Darwin":
--- a/Tools/macos_sign.py
+++ b/Tools/macos_sign.py
@ -48,7 +48,7 @@ def sign(build_config: BuildConfig):

 def sign_dmg(build_config: BuildConfig):
    # Sign the DMG
-    run("codesign -f -s \"Developer ID Application: Elias Steurer (V887LHYKRH)\" --timestamp --options \"runtime\" -f --deep \"ScreenPlay-Installer.dmg\"", cwd=build_config.build_folder)
+    run("codesign -f -s \"3rd Party Mac Developer Installer: Elias Steurer (V887LHYKRH)\" --timestamp  -f --deep \"ScreenPlay-Installer.dmg\"", cwd=build_config.build_folder)

    # Verify the DMG's signature
    run("codesign --verify --verbose=4  \"ScreenPlay-Installer.dmg\"",