macOS code signing

metsma · metsma · commit 647421d9e5b2 · 2025-12-19T19:59:12.000+02:00
Signed-off-by: Raul Metsma &lt;raul@metsma.ee&gt;
diff --git a/.github/add_signing_key.sh b/.github/add_signing_key.sh
@@ -3,7 +3,6 @@
 set -ex -o xtrace
 
 pushd .github/
-tar xvf secrets.tar
 KEY_CHAIN=mac-build.keychain
 
 # Create the keychain with a password
@@ -21,13 +20,10 @@ curl -L https://developer.apple.com/certificationauthority/AppleWWDRCA.cer > App
 security import AppleWWDRCA.cer \
     -k ~/Library/Keychains/$KEY_CHAIN \
     -T /usr/bin/codesign -T /usr/bin/productsign
-security import DeveloperIDApplication.cer \
-    -k ~/Library/Keychains/$KEY_CHAIN \
-    -T /usr/bin/codesign -T /usr/bin/productsign
-security import DeveloperIDInstaller.cer \
-    -k ~/Library/Keychains/$KEY_CHAIN \
+security import DeveloperIDApplication.p12 \
+    -k ~/Library/Keychains/$KEY_CHAIN -P $KEY_PASSWORD \
     -T /usr/bin/codesign -T /usr/bin/productsign
-security import key.p12 \
+security import DeveloperIDInstaller.p12 \
     -k ~/Library/Keychains/$KEY_CHAIN -P $KEY_PASSWORD \
     -T /usr/bin/codesign -T /usr/bin/productsign
 security unlock-keychain -p travis $KEY_CHAIN
diff --git a/.github/cleanup-macos.sh b/.github/cleanup-macos.sh
@@ -2,6 +2,6 @@
 
 set -ex -o xtrace
 
-if [ -n "$PASS_SECRETS_TAR_ENC" ]; then
+if [ -n "$KEY_PASSWORD" ]; then
     .github/remove_signing_key.sh
 fi
diff --git a/.github/remove_signing_key.sh b/.github/remove_signing_key.sh
@@ -4,5 +4,5 @@ set -ex -o xtrace
 
 pushd .github/
 security delete-keychain mac-build.keychain
-rm -f DeveloperIDApplication.cer DeveloperIDInstaller.cer key.p12
+rm -f DeveloperIDApplication.p12 DeveloperIDInstaller.p12
 popd
diff --git a/.github/secrets.tar.gpg b/.github/secrets.tar.gpg
diff --git a/.github/setup-macos.sh b/.github/setup-macos.sh
@@ -11,8 +11,9 @@ fi
 export PATH="/usr/local/opt/ccache/libexec:$PATH"
 git clone https://github.com/frankmorgner/OpenSCToken.git
 
-if [ -n "$PASS_SECRETS_TAR_ENC" ]; then
-    gpg --quiet --batch --yes --decrypt --passphrase="$PASS_SECRETS_TAR_ENC" --output .github/secrets.tar .github/secrets.tar.gpg
+if [ -n "$KEY_PASSWORD" ]; then
+    echo $DEV_ID_APPLICATION | base64 --decode > .github/DeveloperIDApplication.p12
+    echo $DEV_ID_INSTALLER | base64 --decode > .github/DeveloperIDInstaller.p12
     .github/add_signing_key.sh;
 else
     unset CODE_SIGN_IDENTITY INSTALLER_SIGN_IDENTITY;
diff --git a/.github/workflows/macos.yml b/.github/workflows/macos.yml
@@ -24,10 +24,6 @@ jobs:
     runs-on: ${{ matrix.os }}
     steps:
       - uses: actions/checkout@v5
-      - run: .github/setup-macos.sh
-        env:
-          KEY_PASSWORD: ${{ secrets.KEY_PASSWORD }}
-          PASS_SECRETS_TAR_ENC: ${{ secrets.PASS_SECRETS_TAR_ENC }}
       - name: Checkout OpenSSL sources
         uses: actions/checkout@v5
         with:
@@ -44,23 +40,29 @@ jobs:
           key: ${{ matrix.os }}-OpenSSL-${{ steps.openssl_hash.outputs.hash }}
       - run: sh MacOSX/build-openssl-macos.sh
         if: steps.cache.outputs.cache-hit != 'true'
+      - run: .github/setup-macos.sh
+        env:
+          KEY_PASSWORD: ${{ secrets.DEV_ID_PASSWORD }}
+          DEV_ID_INSTALLER: ${{ secrets.DEV_ID_INSTALLER }}
+          DEV_ID_APPLICATION: ${{ secrets.DEV_ID_APPLICATION }}
       - run: .github/build.sh
         env:
           CODE_SIGN_IDENTITY: ${{ secrets.CODE_SIGN_IDENTITY }}
           DEVELOPMENT_TEAM: ${{ secrets.DEVELOPMENT_TEAM }}
           INSTALLER_SIGN_IDENTITY: ${{ secrets.INSTALLER_SIGN_IDENTITY }}
+          NOTARIZATION_PASSWORD: ${{ secrets.NOTARIZATION_PASSWORD }}
+          APPLE_ID: ${{ secrets.APPLE_ID }}
+      - run: .github/cleanup-macos.sh
+        env:
+          KEY_PASSWORD: ${{ secrets.DEV_ID_PASSWORD }}
       - name: Cache build artifacts
-        uses: actions/upload-artifact@v4
+        uses: actions/upload-artifact@v5
         with:
           name: opensc-build-${{ matrix.os }}
           path:
             OpenSC*.dmg
-      - run: .github/cleanup-macos.sh
-        env:
-          KEY_PASSWORD: ${{ secrets.KEY_PASSWORD }}
-          PASS_SECRETS_TAR_ENC: ${{ secrets.PASS_SECRETS_TAR_ENC }}
       - name: Upload test logs
-        uses: actions/upload-artifact@v4
+        uses: actions/upload-artifact@v5
         if: failure()
         with:
           name: ${{ matrix.os }}-logs
diff --git a/MacOSX/build b/MacOSX/build
@@ -189,3 +189,8 @@ do
 	fi
 done
 rm -rf ${imagedir}
+
+if test -n "${NOTARIZATION_PASSWORD}"; then
+	xcrun notarytool submit --team-id ${DEVELOPMENT_TEAM} --apple-id ${APPLE_ID} --password ${NOTARIZATION_PASSWORD} --wait OpenSC-${PACKAGE_VERSION}.dmg
+	xcrun stapler staple OpenSC-${PACKAGE_VERSION}.dmg
+fi
