macOS code signing

Signed-off-by: Raul Metsma <raul@metsma.ee>

Author: metsma

.github/add_signing_key.sh

@@ -3,7 +3,6 @@
 set -ex -o xtrace
 
 pushd .github/
-tar xvf secrets.tar
 KEY_CHAIN=mac-build.keychain
 
 # Create the keychain with a password
@@ -21,13 +20,10 @@ curl -L https://developer.apple.com/certificationauthority/AppleWWDRCA.cer > App
 security import AppleWWDRCA.cer \
     -k ~/Library/Keychains/$KEY_CHAIN \
     -T /usr/bin/codesign -T /usr/bin/productsign
-security import DeveloperIDApplication.cer \
-    -k ~/Library/Keychains/$KEY_CHAIN \
-    -T /usr/bin/codesign -T /usr/bin/productsign
-security import DeveloperIDInstaller.cer \
-    -k ~/Library/Keychains/$KEY_CHAIN \
+security import DeveloperIDApplication.p12 \
+    -k ~/Library/Keychains/$KEY_CHAIN -P $KEY_PASSWORD \
     -T /usr/bin/codesign -T /usr/bin/productsign
-security import key.p12 \
+security import DeveloperIDInstaller.p12 \
     -k ~/Library/Keychains/$KEY_CHAIN -P $KEY_PASSWORD \
     -T /usr/bin/codesign -T /usr/bin/productsign
 security unlock-keychain -p travis $KEY_CHAIN

.github/cleanup-macos.sh

@@ -2,6 +2,6 @@
 
 set -ex -o xtrace
 
-if [ -n "$PASS_SECRETS_TAR_ENC" ]; then
+if [ -n "$KEY_PASSWORD" ]; then
     .github/remove_signing_key.sh
 fi

.github/remove_signing_key.sh

@@ -4,5 +4,5 @@ set -ex -o xtrace
 
 pushd .github/
 security delete-keychain mac-build.keychain
-rm -f DeveloperIDApplication.cer DeveloperIDInstaller.cer key.p12
+rm -f DeveloperIDApplication.p12 DeveloperIDInstaller.p12
 popd

.github/secrets.tar.gpg

@@ -11,8 +11,9 @@ fi
 export PATH="/usr/local/opt/ccache/libexec:$PATH"
 git clone https://github.com/frankmorgner/OpenSCToken.git
 
-if [ -n "$PASS_SECRETS_TAR_ENC" ]; then
-    gpg --quiet --batch --yes --decrypt --passphrase="$PASS_SECRETS_TAR_ENC" --output .github/secrets.tar .github/secrets.tar.gpg
+if [ -n "$KEY_PASSWORD" ]; then
+    echo $DEV_ID_APPLICATION | base64 --decode > .github/DeveloperIDApplication.p12
+    echo $DEV_ID_INSTALLER | base64 --decode > .github/DeveloperIDInstaller.p12
     .github/add_signing_key.sh;
 else
     unset CODE_SIGN_IDENTITY INSTALLER_SIGN_IDENTITY;

.github/setup-macos.sh

@@ -24,10 +24,6 @@ jobs:
     runs-on: ${{ matrix.os }}
     steps:
       - uses: actions/checkout@v5
-      - run: .github/setup-macos.sh
-        env:
-          KEY_PASSWORD: ${{ secrets.KEY_PASSWORD }}
-          PASS_SECRETS_TAR_ENC: ${{ secrets.PASS_SECRETS_TAR_ENC }}
       - name: Checkout OpenSSL sources
         uses: actions/checkout@v5
         with:
@@ -44,23 +40,29 @@ jobs:
           key: ${{ matrix.os }}-OpenSSL-${{ steps.openssl_hash.outputs.hash }}
       - run: sh MacOSX/build-openssl-macos.sh
         if: steps.cache.outputs.cache-hit != 'true'
+      - run: .github/setup-macos.sh
+        env:
+          KEY_PASSWORD: ${{ secrets.DEV_ID_PASSWORD }}
+          DEV_ID_INSTALLER: ${{ secrets.DEV_ID_INSTALLER }}
+          DEV_ID_APPLICATION: ${{ secrets.DEV_ID_APPLICATION }}
       - run: .github/build.sh
         env:
           CODE_SIGN_IDENTITY: ${{ secrets.CODE_SIGN_IDENTITY }}
           DEVELOPMENT_TEAM: ${{ secrets.DEVELOPMENT_TEAM }}
           INSTALLER_SIGN_IDENTITY: ${{ secrets.INSTALLER_SIGN_IDENTITY }}
+          NOTARIZATION_PASSWORD: ${{ secrets.NOTARIZATION_PASSWORD }}
+          APPLE_ID: ${{ secrets.APPLE_ID }}
+      - run: .github/cleanup-macos.sh
+        env:
+          KEY_PASSWORD: ${{ secrets.DEV_ID_PASSWORD }}
       - name: Cache build artifacts
-        uses: actions/upload-artifact@v4
+        uses: actions/upload-artifact@v5
         with:
           name: opensc-build-${{ matrix.os }}
           path:
             OpenSC*.dmg
-      - run: .github/cleanup-macos.sh
-        env:
-          KEY_PASSWORD: ${{ secrets.KEY_PASSWORD }}
-          PASS_SECRETS_TAR_ENC: ${{ secrets.PASS_SECRETS_TAR_ENC }}
       - name: Upload test logs
-        uses: actions/upload-artifact@v4
+        uses: actions/upload-artifact@v5
         if: failure()
         with:
           name: ${{ matrix.os }}-logs

.github/workflows/macos.yml

@@ -21,7 +21,6 @@ while IFS='=' read -r key value; do
 done < $BUILDPATH/VERSION.mk
 
 export PACKAGE_VERSION=${PACKAGE_VERSION_MAJOR}.${PACKAGE_VERSION_MINOR}.${PACKAGE_VERSION_FIX}
-export SED=/usr/bin/sed
 PREFIX=/Library/OpenSC
 export PKG_CONFIG_PATH=$PKG_CONFIG_PATH:/usr/lib/pkgconfig
 
@@ -31,8 +30,9 @@ if test "$FORCE_OPENSSL_BUILD" == "1" || ! pkg-config libcrypto --atleast-versio
 		# Build OpenSSL manually, because Apple's binaries are deprecated
 		sh $BUILDPATH/MacOSX/build-openssl-macos.sh -b $BUILDPATH -p $PREFIX
 	fi
-	export OPENSSL_CFLAGS="`env PKG_CONFIG_PATH=$BUILDPATH/openssl_bin/$PREFIX/lib/pkgconfig PKG_CONFIG_SYSROOT_DIR=$BUILDPATH/openssl_bin pkg-config --static --cflags libcrypto`"
-	export OPENSSL_LIBS="`  env PKG_CONFIG_PATH=$BUILDPATH/openssl_bin/$PREFIX/lib/pkgconfig PKG_CONFIG_SYSROOT_DIR=$BUILDPATH/openssl_bin pkg-config --static --libs   libcrypto`"
+	PKGPREFIX="PKG_CONFIG_PATH=$BUILDPATH/openssl_bin/$PREFIX/lib/pkgconfig PKG_CONFIG_SYSROOT_DIR=$BUILDPATH/openssl_bin"
+	export OPENSSL_CFLAGS="`env $PKGPREFIX pkg-config --static --cflags libcrypto`"
+	export OPENSSL_LIBS="`  env $PKGPREFIX pkg-config --static --libs   libcrypto`"
 	export CRYPTO_CFLAGS="$OPENSSL_CFLAGS"
 	export CRYPTO_LIBS="$OPENSSL_LIBS"
 fi
@@ -52,8 +52,9 @@ if ! test -e $BUILDPATH/openpace_bin/$PREFIX/lib/pkgconfig; then
 	make DESTDIR=$BUILDPATH/openpace_bin install
 	cd ..
 fi
-export OPENPACE_CFLAGS="`env PKG_CONFIG_PATH=$BUILDPATH/openssl_bin/$PREFIX/lib/pkgconfig:$BUILDPATH/openpace_bin/$PREFIX/lib/pkgconfig PKG_CONFIG_SYSROOT_DIR=$BUILDPATH/openpace_bin pkg-config --static --cflags libeac` $OPENSSL_CFLAGS"
-export OPENPACE_LIBS="`  env PKG_CONFIG_PATH=$BUILDPATH/openssl_bin/$PREFIX/lib/pkgconfig:$BUILDPATH/openpace_bin/$PREFIX/lib/pkgconfig PKG_CONFIG_SYSROOT_DIR=$BUILDPATH/openpace_bin pkg-config --static --libs   libeac` $OPENSSL_LIBS"
+PKGPREFIX="PKG_CONFIG_PATH=$BUILDPATH/openssl_bin/$PREFIX/lib/pkgconfig:$BUILDPATH/openpace_bin/$PREFIX/lib/pkgconfig PKG_CONFIG_SYSROOT_DIR=$BUILDPATH/openpace_bin"
+export OPENPACE_CFLAGS="`env $PKGPREFIX pkg-config --static --cflags libeac` $OPENSSL_CFLAGS"
+export OPENPACE_LIBS="`  env $PKGPREFIX pkg-config --static --libs   libeac` $OPENSSL_LIBS"
 
 if ! test -e ${BUILDPATH}/target/$PREFIX/lib/pkgconfig; then
 	./configure --prefix=$PREFIX \
@@ -63,7 +64,7 @@ if ! test -e ${BUILDPATH}/target/$PREFIX/lib/pkgconfig; then
 		--enable-openssl-secure-malloc=65536 \
 		--disable-dependency-tracking \
 		--enable-shared \
-		--enable-static \
+		--disable-static \
 		--enable-strict \
 		--disable-assert \
 		--enable-sm # TODO: remove this (must be sensible default in master)
@@ -80,7 +81,6 @@ if ! test -e ${BUILDPATH}/target/$PREFIX/lib/pkgconfig; then
 
 	# remove garbage
 	rm -f ${BUILDPATH}/target/$PREFIX/lib/*.la
-	rm -f ${BUILDPATH}/target/$PREFIX/lib/*.a
 
 	# generate .bundle (required by Adobe Acrobat)
 	./MacOSX/libtool-bundle ${BUILDPATH}/target/$PREFIX/lib/opensc-pkcs11.so ${BUILDPATH}/target/$PREFIX/lib
@@ -189,3 +189,8 @@ do
 	fi
 done
 rm -rf ${imagedir}
+
+if test -n "${NOTARIZATION_PASSWORD}"; then
+	xcrun notarytool submit --team-id ${DEVELOPMENT_TEAM} --apple-id ${APPLE_ID} --password ${NOTARIZATION_PASSWORD} --wait OpenSC-${PACKAGE_VERSION}.dmg
+	xcrun stapler staple OpenSC-${PACKAGE_VERSION}.dmg
+fi

MacOSX/build

@@ -26,7 +26,6 @@ done
 pushd $BUILDPATH
 if ! test -e openssl; then
     git clone --depth=1 https://github.com/openssl/openssl.git -b openssl-3.5
-    sed -ie 's!my @disablables = (!my @disablables = (\n    "apps",!' openssl/Configure
 fi
 
 pushd openssl