Index: trunk/native/macosx/macos-jpackage.sh =================================================================== --- trunk/native/macosx/macos-jpackage.sh (revision 17463) +++ trunk/native/macosx/macos-jpackage.sh (revision 17487) @@ -1,3 +1,9 @@ #!/bin/bash + +## Expected environment, passed from GitHub secrets: +# https://docs.github.com/en/free-pro-team@latest/actions/reference/encrypted-secrets +# APPLE_ID_PW Password for the Apple ID +# CERT_MACOS_P12 Certificate used for code signing, base64 encoded +# CERT_MACOS_PW Password for that certificate set -Eeou pipefail @@ -6,5 +12,5 @@ set +x -SIGNING_KEY_NAME="Developer ID Application: FOSSGIS e.V. (P8AAAGN2AM)" +APPLE_ID="thomas.skowron@fossgis.de" IMPORT_AND_UNLOCK_KEYCHAIN=${IMPORT_AND_UNLOCK_KEYCHAIN:-1} @@ -19,43 +25,40 @@ mkdir app -if [[ $IMPORT_AND_UNLOCK_KEYCHAIN == 1 ]]; then - if [ -z "$CERT_MACOS_P12" ] - then - echo "CERT_MACOS_P12 must be set in the environment. Won't sign app." - exit 1 - fi - - - if [ -z "$CERT_MACOS_PW" ] - then - echo "CERT_MACOS_P12 must be set in the environment. Won't sign app." - exit 1 - fi - +if [ -z "$CERT_MACOS_P12" ] || [ -z "$CERT_MACOS_PW" ] || [ -z "$APPLE_ID_PW" ] +then + echo "CERT_MACOS_P12, CERT_MACOS_PW and APPLE_ID_PW are not set in the environment." + echo "I will create a JOSM.app but I won't attempt to sign and notarize it." + SIGNAPP=false +else echo "Preparing certificates/keychain for signing…" KEYCHAIN=build.keychain KEYCHAINPATH=~/Library/Keychains/$KEYCHAIN-db - KEYCHAIN_PW=`head /dev/urandom | base64 | head -c 20` + KEYCHAIN_PW=$(head /dev/urandom | base64 | head -c 20) CERTIFICATE_P12=certificate.p12 - echo $CERT_MACOS_P12 | base64 --decode > $CERTIFICATE_P12 - security create-keychain -p $KEYCHAIN_PW $KEYCHAIN + echo "$CERT_MACOS_P12" | base64 --decode > $CERTIFICATE_P12 + security create-keychain -p "$KEYCHAIN_PW" $KEYCHAIN security default-keychain -s $KEYCHAIN - security unlock-keychain -p $KEYCHAIN_PW $KEYCHAIN - security import $CERTIFICATE_P12 -k $KEYCHAIN -P $CERT_MACOS_PW -T /usr/bin/codesign - security set-key-partition-list -S apple-tool:,apple: -s -k $KEYCHAIN_PW $KEYCHAIN + security unlock-keychain -p "$KEYCHAIN_PW" $KEYCHAIN + security import $CERTIFICATE_P12 -k $KEYCHAIN -P "$CERT_MACOS_PW" -T /usr/bin/codesign + security set-key-partition-list -S apple-tool:,apple: -s -k "$KEYCHAIN_PW" $KEYCHAIN rm $CERTIFICATE_P12 - + SIGNAPP=true echo "Signing preparation done." fi +if $SIGNAPP; then + JPACKAGEOPTIONS="--mac-sign --mac-signing-keychain $KEYCHAINPATH" +else + JPACKAGEOPTIONS="" +fi + echo "Building and signin app" - jpackage -n "JOSM" --input dist --main-jar josm-custom.jar \ + jpackage $JPACKAGEOPTIONS -n "JOSM" --input dist --main-jar josm-custom.jar \ --main-class org.openstreetmap.josm.gui.MainApplication \ --icon ./native/macosx/JOSM.icns --type app-image --dest app \ --java-options "-Xmx8192m" \ - --java-options "-Dapple.awt.application.appearance=system" \ - --app-version $1 \ + --app-version "$1" \ --copyright "JOSM, and all its integral parts, are released under the GNU General Public License v2 or later" \ --vendor "https://josm.openstreetmap.de" \ @@ -76,7 +79,9 @@ echo "Building done." -echo "Preparing for notarization" -ditto -c -k --zlibCompressionLevel 9 --keepParent app/JOSM.app app/JOSM.zip +if $SIGNAPP; then + echo "Preparing for notarization" + ditto -c -k --zlibCompressionLevel 9 --keepParent app/JOSM.app app/JOSM.zip -echo "Uploading to Apple" -xcrun altool --notarize-app -f app/JOSM.zip -p "$APPLE_ID_PW" -u "thomas.skowron@fossgis.de" --primary-bundle-id de.openstreetmap.josm + echo "Uploading to Apple" + xcrun altool --notarize-app -f app/JOSM.zip -p "$APPLE_ID_PW" -u "$APPLE_ID" --primary-bundle-id de.openstreetmap.josm +fi