From 0cd141a12b6a63e6c82f0a80966b418483265f36 Mon Sep 17 00:00:00 2001
From: Elias Steurer
Date: Sun, 3 Dec 2023 11:42:51 +0100
Subject: [PATCH] WIP add macos dmg signing
---
 CMake/CopyRecursive.cmake | 2 +-
 Docs/macOSSigning.md | 22 +++++++++++++++++++++-
 Tools/build.py | 20 ++++++++++++++++++--
 Tools/macos_sign.py | 2 +-
 4 files changed, 41 insertions(+), 5 deletions(-)
diff --git a/CMake/CopyRecursive.cmake b/CMake/CopyRecursive.cmake
index aecf3c76..9368e4d7 100644
--- a/CMake/CopyRecursive.cmake
+++ b/CMake/CopyRecursive.cmake
@@ -22,7 +22,7 @@ function(copy_recursive SOURCE_PATH DESTINATION_PATH REGEX)
 file(RELATIVE_PATH RELATIVE_FILE_PATH ${SOURCE_PATH} ${file})
 get_filename_component(FOLDER ${RELATIVE_FILE_PATH} DIRECTORY ${SOURCE_PATH})
 file(MAKE_DIRECTORY ${DESTINATION_PATH}/${FOLDER} )
- message(STATUS "${file} - ${DESTINATION_PATH}/${RELATIVE_FILE_PATH}")
+ #message(STATUS "${file} - ${DESTINATION_PATH}/${RELATIVE_FILE_PATH}")
 configure_file(${file} "${DESTINATION_PATH}/${RELATIVE_FILE_PATH}" COPYONLY)
 endforeach()
diff --git a/Docs/macOSSigning.md b/Docs/macOSSigning.md
index bf38b145..6770492d 100644
--- a/Docs/macOSSigning.md
+++ b/Docs/macOSSigning.md
@@ -119,4 +119,24 @@ Run the follwoing if you get an signing error: Error: HTTP status code: 403. A required agreement is missing or has expired. This request requires an in-effect agreement that has not been signed or has expired. Ensure your team has signed the necessary legal agreements and that they are not expired. ``` -Go to [appstoreconnect.apple.com](https://appstoreconnect.apple.com) and accept the updated 'Apple Developer Program License Agreement'. \ No newline at end of file +Go to [appstoreconnect.apple.com](https://appstoreconnect.apple.com) and accept the updated 'Apple Developer Program License Agreement'. + +## Dmg signing +Ensure you have both a Developer ID Application certificate and a Developer ID Installer certificate in your Keychain. You can check this in the Keychain Access app. +- Developer ID Application Certificate: + - Used for code signing the application itself. This ensures that the app is from a known developer and hasn't been tampered with since it was signed. +- Developer ID Installer Certificate: + - Used specifically for signing installer packages like PKG files or disk images (DMGs). This is separate from the application certificate and is specifically for the installer. +1. Check Your Certificates at https://developer.apple.com/account/resources/certificates/list and create a new one `Mac Installer Distribution +This certificate is used to sign your app's Installer Package for submission to the Mac App Store.` +2. `Upload a Certificate Signing Request`. To manually generate a Certificate, you need a Certificate Signing Request (CSR) file from your Mac. https://developer.apple.com/help/account/create-certificates/create-a-certificate-signing-request + 1. Launch Keychain Access located in /Applications/Utilities. + 1. Choose Keychain Access > Certificate Assistant > Request a Certificate from a Certificate Authority. + 1. In the Certificate Assistant dialog, enter an email address in the User Email Address field. + 1. 
In the Common Name field, enter a name for the key (for example, Gita Kumar Dev Key).
+ 1. Leave the CA Email Address field empty.
+ 1. Choose “Saved to disk,” call it something like `CertificateSigningRequest_Tachiom_Installer_Certificate` then click Continue.
+3. Download the new certificate
+4. Download your certificate to your Mac, then double click the .cer file to install in Keychain Access. IMPORTANT: Select `Keychan: Login` in the dropdown! Make sure to save a backup copy of your private and public keys somewhere secure.
+ - The "login" keychain is tied to your user account and unlocks when you log in, making it a convenient location for development-related certificates. The "System" keychain is more restrictive and requires admin permissions for access, while the "Local Items" keychain is specific to iCloud Keychain items.
+5. This should now be displayed like `3rd Party Mac Developer Installer: Elias Steurer (V887LHYKRH)` and be valid one year.
\ No newline at end of file
diff --git a/Tools/build.py b/Tools/build.py
index 6d603e49..d73c0d7b 100755
--- a/Tools/build.py
+++ b/Tools/build.py
@@ -78,10 +78,26 @@ def execute(
 print(f"⏱️ build_installer_duration: {build_installer_duration}s")
 if platform.system() == "Darwin":
+ # TODO FIX installer signing
+ return
 if (build_config.sign_osx):
+ # Base directory
+ base_dir = Path(build_config.build_folder)
+
+ # Paths for the original and new filenames
+ original_file = base_dir / 'ScreenPlay-Installer-ScreenPlayComponent.dmg'
+ new_file = base_dir / 'ScreenPlay-Installer.dmg'
+
+ # Renaming the file
+ try:
+ original_file.rename(new_file)
+ print(f"File renamed successfully to {new_file}")
+ except OSError as error:
+ print(f"Error: {error}")
+
 print(
- f"Sign ScreenPlay-installer.dmg at: {build_config.bin_dir}")
- macos_sign.sign_dmg(build_config=build_config)
+ f"Sign ScreenPlay-installer.dmg at: {new_file}")
+ macos_sign.sign_dmg(build_config)
 # Create a zip file of the build
 if platform.system() != "Darwin":
diff --git a/Tools/macos_sign.py b/Tools/macos_sign.py
index 49ba8ce4..4aade6f4 100644
--- a/Tools/macos_sign.py
+++ b/Tools/macos_sign.py
@@ -48,7 +48,7 @@ def sign(build_config: BuildConfig):
 def sign_dmg(build_config: BuildConfig):
 # Sign the DMG
- run("codesign -f -s \"Developer ID Application: Elias Steurer (V887LHYKRH)\" --timestamp --options \"runtime\" -f --deep \"ScreenPlay-Installer.dmg\"", cwd=build_config.build_folder)
+ run("codesign -f -s \"3rd Party Mac Developer Installer: Elias Steurer (V887LHYKRH)\" --timestamp -f --deep \"ScreenPlay-Installer.dmg\"", cwd=build_config.build_folder)
 # Verify the DMG's signature
 run("codesign --verify --verbose=4 \"ScreenPlay-Installer.dmg\"",
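Review bot: In the Tools/build.py hunk, the `except OSError` branch around `original_file.rename(new_file)` only prints the error and then falls through to `macos_sign.sign_dmg(build_config)`, so after a failed rename the signing step runs against a missing DMG or, if one is left in the build folder from an earlier run, against a stale `ScreenPlay-Installer.dmg`. Let the failure abort the build, for example by adding `raise` after `print(f"Error: {error}")` or by dropping the `try` altogether. Separately, the new `return` directly after `if platform.system() == "Darwin":` appears to make the whole signing branch unreachable (indentation is not recoverable on this page, so this is inferred), which means a macOS build with `sign_osx` set finishes without a signed installer and without saying so. Until the TODO is resolved, print a clear warning or raise when `build_config.sign_osx` is true instead of returning silently. `execute()` begins and ends outside this hunk.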