Merge pull request #48 from qwertyyb/feature/sign

Feature/sign

Author: qwertyyb

.github/workflows/release.yml

@@ -11,32 +11,33 @@ jobs:
 
     steps:
     - uses: actions/checkout@v1
+    - uses: apple-actions/import-codesign-certs@v1
+      with: 
+        p12-file-base64: ${{ secrets.CERTIFICATES_P12 }}
+        p12-password: ${{ secrets.CERTIFICATES_P12_PASSWORD }}
     - name: update version
       run: |
         PRODUCT_SETTINGS_PATH=./YPaste/Info.plist
         version=$(git describe --tags `git rev-list --tags --max-count=1`)
         /usr/libexec/PlistBuddy -c "Set :CFBundleShortVersionString $version" $PRODUCT_SETTINGS_PATH
 
     - name: install depencies
-      run: pod install
-    - name: archive
-      run: xcodebuild archive -workspace YPaste.xcworkspace -scheme YPaste -archivePath ./archive-YPaste -configuration Release
-    - name: copy app && zip app && generate appcast
+      run: |
+        pod install
+        npm install -g appdmg
+    - name: build
       env:
         sparkle_key: ${{ secrets.sparkle_key }}
+      run: ./scripts/build.sh
+    - name: generate YPaste.zip
       run: |
-        mkdir apps
-        cp -a ./archive-YPaste.xcarchive/Products/Applications/*.app apps
         ditto -c -k --sequesterRsrc --keepParent apps/YPaste.app apps/YPaste.zip
         # rm -r ~/Library/Caches/Sparkle_generate_appcast/*
-        ./bin/generate_appcast -s $sparkle_key ./apps/
-        c=$(cat ./apps/appcast.xml)
-        echo $c | sed -e "s/url[^ ]*/url=\"https:\/\/github.com\/qwertyyb\/YPaste\/releases\/latest\/download\/YPaste.zip\"/g" > apps/appcast.xml
 
     - name: upload release file
       uses: AButler/[email protected]
       with:
-        files: 'apps/YPaste.zip'
+        files: 'apps/dmg/YPaste.dmg'
         repo-token: ${{ secrets.GITHUB_TOKEN }}
 
     - uses: actions/upload-artifact@v1

.github/workflows/test.yml

@@ -11,16 +11,21 @@ jobs:
 
     steps:
     - uses: actions/checkout@v1
+    - uses: apple-actions/import-codesign-certs@v1
+      with: 
+        p12-file-base64: ${{ secrets.CERTIFICATES_P12 }}
+        p12-password: ${{ secrets.CERTIFICATES_P12_PASSWORD }}
     - name: install depencies
       run: pod install
     - name: archive
-      run: xcodebuild archive -workspace YPaste.xcworkspace -scheme YPaste -archivePath ./archive-YPaste -configuration Release
+      run: |
+        xcodebuild archive -workspace YPaste.xcworkspace -scheme YPaste -archivePath ./archive-YPaste -configuration Release
+        echo "export archive"
+        /usr/bin/xcodebuild -exportArchive -archivePath ./archive-YPaste.xcarchive -exportOptionsPlist "./scripts/ExportOptions.plist" -exportPath ./apps/ || { echo "Export Archive Failed : xcodebuild exportArchive action failed"; exit 1; }
     - name: copy app && zip app && generate appcast
       env:
         sparkle_key: ${{ secrets.sparkle_key }}
       run: |
-        mkdir apps
-        cp -a ./archive-YPaste.xcarchive/Products/Applications/*.app apps
         ditto -c -k --sequesterRsrc --keepParent apps/YPaste.app apps/YPaste.zip
         # rm -r ~/Library/Caches/Sparkle_generate_appcast/*
         ./bin/generate_appcast -s $sparkle_key ./apps/

YPaste.xcodeproj/project.pbxproj

@@ -591,10 +591,11 @@
 			buildSettings = {
 				ASSETCATALOG_COMPILER_APPICON_NAME = AppIcon;
 				CODE_SIGN_ENTITLEMENTS = YPaste/YPaste.entitlements;
-				CODE_SIGN_IDENTITY = "-";
-				CODE_SIGN_STYLE = Automatic;
+				CODE_SIGN_IDENTITY = "Developer ID Application";
+				CODE_SIGN_STYLE = Manual;
 				COMBINE_HIDPI_IMAGES = YES;
-				DEVELOPMENT_TEAM = T68XK6867P;
+				DEVELOPMENT_TEAM = FQ45888HUK;
+				ENABLE_HARDENED_RUNTIME = YES;
 				INFOPLIST_FILE = YPaste/Info.plist;
 				LD_RUNPATH_SEARCH_PATHS = (
 					"$(inherited)",
@@ -603,6 +604,7 @@
 				MACOSX_DEPLOYMENT_TARGET = 10.15;
 				PRODUCT_BUNDLE_IDENTIFIER = com.qwertyyb.YPaste;
 				PRODUCT_NAME = "$(TARGET_NAME)";
+				PROVISIONING_PROFILE_SPECIFIER = "";
 				SWIFT_VERSION = 4.2;
 			};
 			name = Debug;
@@ -613,10 +615,11 @@
 			buildSettings = {
 				ASSETCATALOG_COMPILER_APPICON_NAME = AppIcon;
 				CODE_SIGN_ENTITLEMENTS = YPaste/YPaste.entitlements;
-				CODE_SIGN_IDENTITY = "-";
-				CODE_SIGN_STYLE = Automatic;
+				CODE_SIGN_IDENTITY = "Developer ID Application";
+				CODE_SIGN_STYLE = Manual;
 				COMBINE_HIDPI_IMAGES = YES;
-				DEVELOPMENT_TEAM = T68XK6867P;
+				DEVELOPMENT_TEAM = FQ45888HUK;
+				ENABLE_HARDENED_RUNTIME = YES;
 				INFOPLIST_FILE = YPaste/Info.plist;
 				LD_RUNPATH_SEARCH_PATHS = (
 					"$(inherited)",
@@ -625,6 +628,7 @@
 				MACOSX_DEPLOYMENT_TARGET = 10.15;
 				PRODUCT_BUNDLE_IDENTIFIER = com.qwertyyb.YPaste;
 				PRODUCT_NAME = "$(TARGET_NAME)";
+				PROVISIONING_PROFILE_SPECIFIER = "";
 				SWIFT_VERSION = 4.2;
 			};
 			name = Release;

YPaste/Info.plist

@@ -19,7 +19,7 @@
 	<key>CFBundleShortVersionString</key>
 	<string>Explosion v1.0.0－alpha</string>
 	<key>CFBundleVersion</key>
-	<string>103119</string>
+	<string>103143</string>
 	<key>LSApplicationCategoryType</key>
 	<string>public.app-category.utilities</string>
 	<key>LSMinimumSystemVersion</key>

YPaste/YPaste.entitlements

@@ -1,5 +1,8 @@
 <?xml version="1.0" encoding="UTF-8"?>
 <!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
 <plist version="1.0">
-<dict/>
+<dict>
+	<key>com.apple.security.cs.allow-jit</key>
+	<true/>
+</dict>
 </plist>

scripts/ExportOptions.plist

@@ -0,0 +1,12 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
+<plist version="1.0">
+<dict>
+	<key>method</key>
+	<string>developer-id</string>
+	<key>signingCertificate</key>
+	<string>Developer ID Application</string>
+	<key>teamID</key>
+	<string>FQ45888HUK</string>
+</dict>
+</plist>

scripts/appdmg.json

@@ -0,0 +1,9 @@
+{
+  "title": "YPaste",
+  "icon": "logo.icns",
+  "format": "UDBZ",
+  "contents": [
+    { "x": 448, "y": 344, "type": "link", "path": "/Applications" },
+    { "x": 192, "y": 344, "type": "file", "path": "../apps/YPaste.app" }
+  ]
+}

scripts/build.sh

@@ -0,0 +1,94 @@
+# altool credentials.
+# AC_PASSWORD is the name of the keychain item with App Connect password
+# Grant access to Xcode if prompted by Xcode.
+AC_USERNAME="$APPLEID"
+AC_PASSWORD="$APPLE_PASSWORD"
+
+if [[ $AC_USERNAME == "" ]]; then
+  echo "error: no username"
+  exit 1
+  break
+fi
+
+if [[ $AC_PASSWORD == "" ]]; then
+  echo "error: no pass"
+  exit 1
+  break
+fi
+
+# Do all of the work in a subdirectory of /tmp, and use a
+# unique ID so that there's no collision with previous builds.
+PRODUCT_NAME="YPaste"
+SCRIPTROOT=$(cd "$(dirname "$0")";pwd)
+SRCROOT=$(dirname "$SCRIPTROOT")
+ARCHIVE_PATH="$SRCROOT/archive-YPaste.xcarchive"
+EXPORT_PATH="$SRCROOT/apps"
+APP_PATH="$EXPORT_PATH/$PRODUCT_NAME.app"
+DMG_ROOT="$EXPORT_PATH/dmg"
+DMG_PATH="$DMG_ROOT/$PRODUCT_NAME.dmg"
+PRODUCT_BUNDLE_IDENTIFIER="com.qwertyyb.YPaste"
+
+echo $SRCROOT
+
+echo "clean build fold"
+rm -rf "$EXPORT_PATH"
+
+echo "build archive"
+xcodebuild archive -workspace YPaste.xcworkspace -scheme YPaste -archivePath "$SRCROOT/archive-YPaste" -configuration Release || { echo "Archive and Notarization Failed : xcodebuild archive action failed"; exit 1; }
+
+# Xcode doesn't show run script errors in build log.
+# Uncomment to save any messages aside.
+# exec > "/tmp/Xcode run script.log" 2>&1
+
+# Ask xcodebuild(1) to export the app. Use the export options
+# from a previous manual export that used a Developer ID.
+
+echo "export archive"
+/usr/bin/xcodebuild -exportArchive -archivePath "$ARCHIVE_PATH" -exportOptionsPlist "$SRCROOT/scripts/ExportOptions.plist" -exportPath "$EXPORT_PATH" || { echo "Export Archive Failed : xcodebuild exportArchive action failed"; exit 1; }
+
+# Create a UDIF bzip2-compressed disk image.
+cd "$EXPORT_PATH/"
+mkdir dmg
+# mv "$APP_PATH" "$PRODUCT_NAME"
+
+# /usr/bin/hdiutil create -srcfolder "$PRODUCT_NAME" -format UDBZ "$DMG_PATH"
+
+echo "use appdmg create DMG file"
+appdmg "$SRCROOT/scripts/appdmg.json" "$DMG_PATH"
+
+# Submit the finished deliverables for notarization. The "--primary-bundle-id" 
+# argument is only used for the response email. 
+echo "notarize app"
+xcrun altool --notarize-app --primary-bundle-id ${PRODUCT_BUNDLE_IDENTIFIER}.dmg -u "$AC_USERNAME" -p "$AC_PASSWORD" -f "$DMG_PATH" > "NotarizationUUIDs.log"
+
+uuid=`cat $EXPORT_PATH/NotarizationUUIDs.log | grep -Eo '\w{8}-(\w{4}-){3}\w{12}$'`
+echo "uuid=$uuid"
+while true; do
+    echo "checking for notarization..."
+ 
+    xcrun altool --notarization-info "$uuid" --username "$AC_USERNAME" --password "$AC_PASSWORD" &> check.log
+    r=`cat check.log`
+    t=`echo "$r" | grep "success"`
+    f=`echo "$r" | grep "invalid"`
+    if [[ "$t" != "" ]]; then
+        echo "notarization done!"
+        xcrun stapler staple "$APP_PATH"
+        xcrun stapler staple "$DMG_PATH"
+        echo "stapler done!"
+        break
+    fi
+    if [[ "$f" != "" ]]; then
+        echo "$r"
+        exit 1
+    fi
+    echo "not finish yet, sleep 2m then check again..."
+    sleep 120
+done
+
+APPCAST_PATH="$DMG_ROOT/appcast.xml"
+echo "generate appcast.xml"
+"$SRCROOT/bin/generate_appcast" -s $sparkle_key "$DMG_ROOT"
+
+echo "update appcast.xml download url"
+appcast=$(cat "$DMG_ROOT/appcast.xml")
+echo "$appcast" | sed -e "s/url[^ ]*/url=\"https:\/\/github.com\/qwertyyb\/YPaste\/releases\/latest\/download\/YPaste.dmg\"/g" > "$EXPORT_PATH/appcast.xml"