Fix subframework signing attempt 3

jpmhouston · jpmhouston · commit b70e59af927d · 2024-10-07T14:07:55.000-06:00
diff --git a/.github/workflows/build+release.yml b/.github/workflows/build+release.yml
@@ -61,14 +61,19 @@ jobs:
         id: version
         run: |
           :
-          echo "- Extract version from project"
-          version=$(xcodebuild -scheme "${{ env.buildscheme }}" -configuration Release \
-            -project "${{ env.projectfile }}" -showBuildSettings \
-            | sed -nr 's/^.*MARKETING_VERSION = (.*)$/\1/p') 2>/dev/null
+          echo "- Extract version and bundle id from the project"
+          xcodebuild -scheme "${{ env.buildscheme }}" -configuration Release \
+            -project "${{ env.projectfile }}" -showBuildSettings 2>/dev/null > buildsettings.txt
+          version=$(sed -nr 's/^.*MARKETING_VERSION = (.*)$/\1/p' < buildsettings.txt)
           if [[ -z $version ]] ; then
             echo "::error::Unable to determine a version number for the current state of the xcode project"
             exit 1
           fi
+          bundleID=$(sed -nr 's/^.*PRODUCT_BUNDLE_IDENTIFIER = (.*)$/\1/p' < buildsettings.txt)
+          if [[ -z $bundleID ]] ; then
+            echo "::error::Unable to extract bundle id from the xcode project"
+            exit 1
+          fi
           
           echo "- Check script inputs"
           if [[ -z "${{ inputs.releaseVersion }}" || $version == "${{ inputs.releaseVersion }}" ]] ; then
@@ -114,6 +119,7 @@ jobs:
           fi
           
           echo "version=$version" >> $GITHUB_OUTPUT
+          echo "bundleID=$bundleID" >> $GITHUB_OUTPUT
           echo "releaseName=$releaseName" >> $GITHUB_OUTPUT
           echo "releaseArchivename=$releaseNameNoSpaces" >> $GITHUB_OUTPUT
           echo "isPrerelease=$isPrerelease" >> $GITHUB_OUTPUT
@@ -209,41 +215,51 @@ jobs:
           
           echo "- Sign subcomponents..."
           # this is thanks to https://stackoverflow.com/a/11284404/592739
+          # within this section change the Internal Field Separator (IFS) to
+          # iterate over newline-separated paths that contain spaces
+          savedIFS=$IFS
+          IFS=$(echo -en "\n\b")
+          
           subitems=""
+          addsubitems()
+          {
+            if [ -z "$subitems" ] ; then
+              subitems="$1"
+            else
+              subitems="$subitems"$'\n'"$1"
+            fi
+          }
+          
           frameworksdir="${{ env.builddir }}/${{ env.bundlename }}/Contents/Frameworks"
           if [ -d "$frameworksdir" ] ; then
             frameworksdirdylibs=$(find "$frameworksdir" -depth -name "*.dylib")
-            subitems="$frameworksdirdylibs"
+            if [ -n "$frameworksdirdylibs" ] ; then
+              addsubitems "$frameworksdirdylibs"
+            fi
             frameworksdirbundles=$(find "$frameworksdir" -depth -type d -name "*.bundle")
-            if [ -n "$frameworksdirbundles" -a -z "$subitems" ] ; then
-              subitems="$frameworksdirbundles"
-            elif [ -n "$frameworksdirbundles" ] ; then
-              subitems="$subitems"$'\n'"$frameworksdirbundles"
+            if [ -n "$frameworksdirbundles" ] ; then
+              addsubitems "$frameworksdirbundles"
             fi
             frameworksdirframeworks=$(find "$frameworksdir" -depth -type d -name "*.framework")
-            if [ -n "$frameworksdirframeworks" -a -z "$subitems" ] ; then
-              subitems="$frameworksdirframeworks"
-            elif [ -n "$frameworksdirframeworks" ] ; then
-              subitems="$subitems"$'\n'"$frameworksdirframeworks"
+            if [ -n "$frameworksdirframeworks" ] ; then
+              for framework in $frameworksdirframeworks; do
+                frameworksubapp=$(find "$framework" -depth -type d -name "*.app")
+                if [ -n "$frameworksubapp" ] ; then
+                  addsubitems "$frameworksubapp"
+                fi
+                # search for executables with limited depth to avoid ones within an .app
+                frameworksubexecutable=$(find "$framework" -depth 4 -type f -perm +111)
+                if [ -n "$frameworksubexecutable" ] ; then
+                  addsubitems "$frameworksubexecutable"
+                fi
+              done
+              addsubitems "$frameworksdirframeworks"
             fi
+            
           fi
           # potentially grab more subitems from other places within the .app here
-          #resourcesdir="${{ env.builddir }}/${{ env.bundlename }}/Contents/Resources"
-          #...
-          # not totally sure we have to manually sign the executable separately
-          executableitem="${{ env.builddir }}/${{ env.bundlename }}/Contents/MacOS/${{ env.productname }}"
-          if [ -x "$executableitem" -a -z "$subitems" ] ; then
-            subitems="$executableitem"
-          elif [ -x "$executableitem" ] ; then
-            subitems="$subitems"$'\n'"$executableitem"
-          else
-            echo "::error::App bundle executable not found for signing"
-          fi
+          # ie. resourcesdir="${{ env.builddir }}/${{ env.bundlename }}/Contents/Resources"
           
-          # change the Internal Field Separator (IFS) to allow newline-separated
-          # paths that contain spaces
-          savedIFS=$IFS
-          IFS=$(echo -en "\n\b")
           for subitem in $subitems; do
             xcrun codesign --force -s "${{ secrets.PROD_MACOS_CERTIFICATE_NAME }}" \
               --options runtime -v "$subitem"
@@ -258,8 +274,6 @@ jobs:
         if: success()
         run: |
           :
-          test -d "${{ env.builddir }}/${{ env.bundlename }}" || exit 1
-          
           if [[ -z "${{ secrets.PROD_MACOS_NOTARIZATION_APPLE_ID }}" ]] ; then
             echo "::error::Secret PROD_MACOS_NOTARIZATION_APPLE_ID not defined"
             exit 1
@@ -294,7 +308,7 @@ jobs:
           # characteristics. Visit the Notarization docs for more information and strategies on how to optimize it if
           # you're curious
           
-          echo "- Notarize"
+          echo "- Notarize app"
           xcrun notarytool submit "notarization.zip" --keychain-profile "notarytool-profile" --wait \
             2>&1 | tee notarytool-out.txt
           if [ ${PIPESTATUS[0]} -ne 0 ] || grep -q Invalid notarytool-out.txt ; then
@@ -331,8 +345,6 @@ jobs:
         id: dmg
         run: |
           :
-          test -d "${{ env.builddir }}/${{ env.bundlename }}" || exit 1
-          
           if ! command -v create-dmg >/dev/null 2>&1 ; then
             echo "::warning::Required helper script not found: create-dmg. Skipping dmg creation"
             # not sure if need to do `echo "file=whatever" >> $GITHUB_OUTPUT`
@@ -365,6 +377,24 @@ jobs:
           #xcrun stapler staple "${{ env.builddir }}/$imageFileName"
           
           echo "file=${{ env.builddir }}/$imageFileName" >> $GITHUB_OUTPUT
+          
+      - name: "Sign and notarize disk image"
+        if: success()
+        run: |
+          :
+          echo "- Notarize disk image"
+          xcrun notarytool submit "${{ steps.dmg.outputs.file }}" --keychain-profile "notarytool-profile" --wait \
+            2>&1 | tee notarytool-out.txt
+          if [ ${PIPESTATUS[0]} -ne 0 ] || grep -q Invalid notarytool-out.txt ; then
+            if sed -nr '/^[[:space:]]*id: (.*)$/{s//\1/p;q;}' notarytool-out.txt > notarytool-id.txt ; then
+              echo "- Extract notarytool failure log"
+              xcrun notarytool log "$(<notarytool-id.txt)" --keychain-profile "notarytool-profile"
+            fi
+            exit 1
+          fi
+          
+          echo "- Attach staple"
+          xcrun stapler staple "${{ steps.dmg.outputs.file }}"
       
       - name: Release Notes
         id: notes
