source: josm/trunk/native/macosx/macos-jpackage.sh@ 18809

Last change on this file since 18809 was 18809, checked in by taylor.smock, 2 years ago

See #23125: Prefer notarytool if it is available; fall back to altool if it is not

The altool notarization process will stop working in the next few months, so we
need to switch to notarytool.

For now, we will try to use notarytool, and if I messed up the command line,
it should fall back to altool.

  • Property svn:executable set to *
File size: 4.7 KB
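#!/bin/bash

## Expected environment, passed from GitHub secrets:
# https://docs.github.com/en/free-pro-team@latest/actions/reference/encrypted-secrets
# APPLE_ID_PW     Password for the Apple ID
# CERT_MACOS_P12  Certificate used for code signing, base64 encoded
# CERT_MACOS_PW   Password for that certificate
#
# Usage: macos-jpackage.sh josm_revision

# -E: ERR traps are inherited by functions, -e: stop on the first failing
# command, pipefail: a pipeline fails when any of its stages fails.
set -Eeo pipefail

# Don't show one time passwords: keep xtrace off so that commands carrying
# secrets are not echoed into the build log.
set +x

# Apple ID used for the notarization upload at the end of the script.
APPLE_ID="thomas.skowron@fossgis.de"
# NOTE(review): nothing else in this script reads IMPORT_AND_UNLOCK_KEYCHAIN;
# confirm whether it is still needed.
IMPORT_AND_UNLOCK_KEYCHAIN=${IMPORT_AND_UNLOCK_KEYCHAIN:-1}

# The JOSM revision is mandatory; it is later passed to jpackage as the app
# version. The usage message is a diagnostic, so it goes to stderr.
if [ -z "${1-}" ]
then
  echo "Usage: $0 josm_revision" >&2
  exit 1
fi
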
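echo "Building JOSM.app"

mkdir app

# Signing needs all three secrets. If any is missing the build still runs,
# but the resulting JOSM.app is neither signed nor notarized.
if [ -z "${CERT_MACOS_P12:-}" ] || [ -z "${CERT_MACOS_PW:-}" ] || [ -z "${APPLE_ID_PW:-}" ]
then
  echo "CERT_MACOS_P12, CERT_MACOS_PW and APPLE_ID_PW are not set in the environment."
  echo "A JOSM.app will be created but not signed nor notarized."
  SIGNAPP=false
  KEYCHAINPATH=false
  JPACKAGEOPTIONS=""
else
  echo "Preparing certificates/keychain for signing…"

  KEYCHAIN=build.keychain
  KEYCHAINPATH="$HOME/Library/Keychains/${KEYCHAIN}-db"
  # Throw-away keychain password. 15 random bytes encode to exactly 20 base64
  # characters, so no trailing "head -c" is needed; a reader that closes the
  # pipe early can fail the pipeline under "set -o pipefail".
  KEYCHAIN_PW=$(head -c 15 /dev/urandom | base64)

  # The decoded signing certificate is secret material: keep it in a private
  # temporary directory (mktemp -d creates it accessible to the owner only)
  # instead of the working tree, and remove it on every exit path, including
  # a failure of one of the "security" calls below.
  CERT_DIR=$(mktemp -d "${TMPDIR:-/tmp}/josm-sign.XXXXXX")
  CERTIFICATE_P12="$CERT_DIR/certificate.p12"
  trap 'rm -rf -- "${CERT_DIR:?}"' EXIT

  printf '%s\n' "$CERT_MACOS_P12" | base64 --decode > "$CERTIFICATE_P12"
  # NOTE(review): the keychain and certificate passwords are passed as
  # command-line arguments here and are therefore visible in the process
  # list while each command runs.
  security create-keychain -p "$KEYCHAIN_PW" "$KEYCHAIN"
  security default-keychain -s "$KEYCHAIN"
  security unlock-keychain -p "$KEYCHAIN_PW" "$KEYCHAIN"
  # -T restricts use of the imported key to codesign.
  security import "$CERTIFICATE_P12" -k "$KEYCHAIN" -P "$CERT_MACOS_PW" -T /usr/bin/codesign
  security set-key-partition-list -S apple-tool:,apple: -s -k "$KEYCHAIN_PW" "$KEYCHAIN"
  rm -rf -- "${CERT_DIR:?}"
  trap - EXIT
  SIGNAPP=true
  echo "Signing preparation done."
  # Consumed unquoted (word-split) by the jpackage call, so this only works
  # while the keychain path contains no whitespace.
  JPACKAGEOPTIONS="--mac-sign --mac-signing-keychain $KEYCHAINPATH"
fi
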
# From here on an unset variable is an error.
set -u

echo "Building and signing app"

# JVM flags baked into the launcher; each becomes one --java-options pair.
# The --add-exports/--add-opens entries make JDK-internal packages available
# to code in the unnamed module.
jvm_flags=(
  "--add-modules java.scripting,java.sql,javafx.controls,javafx.media,javafx.swing,javafx.web"
  "--add-exports=java.base/sun.security.action=ALL-UNNAMED"
  "--add-exports=java.desktop/com.apple.eawt=ALL-UNNAMED"
  "--add-exports=java.desktop/com.sun.imageio.plugins.jpeg=ALL-UNNAMED"
  "--add-exports=java.desktop/com.sun.imageio.spi=ALL-UNNAMED"
  "--add-opens=java.base/java.lang=ALL-UNNAMED"
  "--add-opens=java.base/java.nio=ALL-UNNAMED"
  "--add-opens=java.base/jdk.internal.loader=ALL-UNNAMED"
  "--add-opens=java.base/jdk.internal.ref=ALL-UNNAMED"
  "--add-opens=java.desktop/javax.imageio.spi=ALL-UNNAMED"
  "--add-opens=java.desktop/javax.swing.text.html=ALL-UNNAMED"
  "--add-opens=java.prefs/java.util.prefs=ALL-UNNAMED"
)

# File types registered for JOSM; one properties file per type.
assoc_types=(bz2 geojson gpx gz jos joz osm xz zip)

# Assemble the argument list in the same order as a single long command line.
jpackage_args=(
  -n "JOSM" --input dist --main-jar josm-custom.jar
  --main-class org.openstreetmap.josm.gui.MainApplication
  --icon ./native/macosx/JOSM.icns --type app-image --dest app
)
for flag in "${jvm_flags[@]}"; do
  jpackage_args+=(--java-options "$flag")
done
jpackage_args+=(
  --app-version "$1"
  --copyright "JOSM, and all its integral parts, are released under the GNU General Public License v2 or later"
  --vendor "JOSM"
  --mac-package-identifier de.openstreetmap.josm
  --mac-package-signing-prefix de.openstreetmap.josm
)
for ext in "${assoc_types[@]}"; do
  jpackage_args+=(--file-associations "native/file-associations/${ext}.properties")
done
jpackage_args+=(
  --add-modules java.compiler,java.base,java.datatransfer,java.desktop,java.logging,java.management,java.naming,java.net.http,java.prefs,java.rmi,java.scripting,java.sql,java.transaction.xa,java.xml,jdk.crypto.ec,jdk.jfr,jdk.jsobject,jdk.unsupported,jdk.unsupported.desktop,jdk.xml.dom,javafx.controls,javafx.media,javafx.swing,javafx.web
)

# JPACKAGEOPTIONS is a space-separated option string (empty for unsigned
# builds) and is left unquoted on purpose so it splits into separate words.
# shellcheck disable=SC2086
jpackage $JPACKAGEOPTIONS "${jpackage_args[@]}"

echo "Building done."

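# Notarize only when the app was signed. SIGNAPP is compared as a string
# rather than executed as a command.
if [ "$SIGNAPP" = true ]; then
  echo "Preparing for notarization"
  ditto -c -k --zlibCompressionLevel 9 --keepParent app/JOSM.app app/JOSM.zip

  echo "Uploading to Apple"
  # Note: --primary-bundle-id was never parsed server side, apparently. See https://developer.apple.com/documentation/technotes/tn3147-migrating-to-the-latest-notarization-tool#Submit-a-file
  # Keep altool as a backup until 2023-11-01, when it will no longer be able to notarize apps.
  #
  # Any non-zero exit of notarytool triggers the altool upload, not only a
  # malformed command line, so a genuine upload failure is retried with altool.
  # NOTE(review): notarytool's Apple ID authentication normally also expects
  # --team-id; confirm whether this invocation succeeds without it.
  # NOTE(review): confirm that "submit --wait" exits non-zero when Apple
  # rejects the submission; if it does not, the final status must be checked
  # from the command output.
  # NOTE(review): --password puts the app-specific password on the command
  # line, where it is visible in the process list; a keychain profile
  # (notarytool store-credentials / --keychain-profile) avoids that.
  #
  # altool reads the password from the environment via @env:, which keeps it
  # out of the argument list; the variable has to be exported for that.
  export APPLE_ID_PW
  xcrun notarytool submit --apple-id "$APPLE_ID" --password "$APPLE_ID_PW" --wait app/JOSM.zip || \
    xcrun altool --notarize-app -f app/JOSM.zip -p "@env:APPLE_ID_PW" -u "$APPLE_ID" --primary-bundle-id de.openstreetmap.josm
fi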