Refactor notarization process and enhance build scripts for macOS
This commit updates the build_sign_notarize.sh script to improve the notarization process by introducing a conditional stapling option. It also removes leftover codesign temp files and clears macOS provenance and quarantine extended attributes, which can otherwise interfere with modifying files in the bundle in place. The Dmg.cmake script is modified to remove the reliance on environment variables for codesigning, streamlining the build process. Additionally, the build_app.sh script is enhanced with heartbeat logging for long-running commands and improved cleanup procedures for build directories.
@@ -118,9 +118,10 @@ bin_path="${app_path}/Contents/MacOS/strawberry"
|
||||
zip_path="${build_dir}/strawberry-notarize.zip"
|
||||
dmg_path=""
|
||||
|
||||
notarize_and_staple() {
|
||||
notarize_and_maybe_staple() {
|
||||
local file_path="$1"
|
||||
local label="$2"
|
||||
local do_staple="${3:-1}"
|
||||
|
||||
echo "==> [$(ts)] Notarizing ${label}"
|
||||
local out
|
||||
@@ -146,8 +147,10 @@ notarize_and_staple() {
|
||||
exit 1
|
||||
fi
|
||||
|
||||
echo "==> [$(ts)] Stapling ${label}"
|
||||
xcrun stapler staple "$file_path"
|
||||
if [[ "$do_staple" -eq 1 ]]; then
|
||||
echo "==> [$(ts)] Stapling ${label}"
|
||||
xcrun stapler staple "$file_path"
|
||||
fi
|
||||
}
|
||||
|
||||
if [[ -z "$identity" ]]; then
|
||||
@@ -167,9 +170,6 @@ if [[ "$do_clean" -eq 1 ]]; then build_args+=( "--clean" ); fi
|
||||
if [[ -n "$build_dir" ]]; then build_args+=( "--build-dir" "$build_dir" ); fi
|
||||
if [[ "$do_deploy" -eq 1 ]]; then build_args+=( "--deploy" ); fi
|
||||
|
||||
# Let CMake (deploy/macdeployqt/create-dmg) know the signing identity if it wants it.
|
||||
export APPLE_DEVELOPER_ID="$identity"
|
||||
|
||||
"${repo_root}/build_tools/macos/build_app.sh" "${build_args[@]}"
|
||||
|
||||
if [[ ! -x "$bin_path" ]]; then
|
||||
@@ -183,6 +183,16 @@ if [[ -n "$entitlements" ]]; then
|
||||
codesign_args+=( --entitlements "$entitlements" )
|
||||
fi
|
||||
|
||||
# Clean up any leftover codesign temp files from previous interrupted runs.
|
||||
# codesign may create *.cstemp alongside binaries while updating signatures.
|
||||
find "$app_path" -name "*.cstemp" -print0 2>/dev/null | while IFS= read -r -d '' f; do
|
||||
rm -f "$f" || true
|
||||
done
|
||||
|
||||
# Clear macOS provenance/quarantine metadata which can interfere with modifying files in-place.
|
||||
xattr -dr com.apple.provenance "$app_path" >/dev/null 2>&1 || true
|
||||
xattr -dr com.apple.quarantine "$app_path" >/dev/null 2>&1 || true
|
||||
|
||||
# Sign nested code first, then frameworks, then the main app bundle.
|
||||
#
|
||||
# Important: do NOT codesign individual files *inside* a .framework bundle (e.g. Sparkle.framework/Sparkle),
|
||||
@@ -191,6 +201,7 @@ fi
|
||||
|
||||
# 1) Sign dylibs and standalone executables that are NOT inside a .framework/.app/.xpc bundle.
|
||||
find "$app_path" -type f \( -name "*.dylib" -o -name "*.so" -o -perm -111 \) \
|
||||
! -name "*.cstemp" \
|
||||
! -path "*/Contents/Frameworks/*.framework/*" \
|
||||
! -path "*/Contents/Frameworks/*.app/*" \
|
||||
! -path "*/Contents/Frameworks/*.xpc/*" \
|
||||
@@ -211,6 +222,7 @@ done
|
||||
sparkle_fw="$app_path/Contents/Frameworks/Sparkle.framework"
|
||||
if [[ -d "$sparkle_fw" ]]; then
|
||||
find "$sparkle_fw/Versions" -type f -perm -111 \
|
||||
! -name "*.cstemp" \
|
||||
! -path "*/_CodeSignature/*" \
|
||||
-print0 2>/dev/null | while IFS= read -r -d '' f; do
|
||||
codesign "${codesign_args[@]}" "$f" >/dev/null
|
||||
@@ -233,15 +245,44 @@ rm -f "$zip_path"
|
||||
ditto -c -k --sequesterRsrc --keepParent "$app_path" "$zip_path"
|
||||
|
||||
if [[ "$skip_notarize" -eq 0 ]]; then
|
||||
notarize_and_staple "$zip_path" "ZIP"
|
||||
# ZIP archives cannot be stapled; notarization is still useful for distribution and Sparkle.
|
||||
notarize_and_maybe_staple "$zip_path" "ZIP" 0
|
||||
echo "==> [$(ts)] Stapling app"
|
||||
xcrun stapler staple "$app_path"
|
||||
fi
|
||||
|
||||
if [[ "$do_dmg" -eq 1 ]]; then
|
||||
echo "==> [$(ts)] Building DMG"
|
||||
cmake --build "$build_dir" --target dmg
|
||||
dmg_path="$(ls -1t "$build_dir"/strawberry-*.dmg 2>/dev/null | head -n 1 || true)"
|
||||
echo "==> [$(ts)] Building DMG (from already-signed app; no redeploy)"
|
||||
if ! command -v create-dmg >/dev/null 2>&1; then
|
||||
echo "Error: create-dmg not found. Install it with Homebrew (it's in Brewfile):" >&2
|
||||
echo " ./build_tools/macos/install_brew_deps.sh" >&2
|
||||
exit 1
|
||||
fi
|
||||
|
||||
# Build a versioned DMG name using Info.plist (falls back to Strawberry version constant).
|
||||
plist="${app_path}/Contents/Info.plist"
|
||||
bundle_version="$(/usr/libexec/PlistBuddy -c 'Print :CFBundleVersion' "$plist" 2>/dev/null || true)"
|
||||
if [[ -z "${bundle_version}" ]]; then
|
||||
bundle_version="$(/usr/libexec/PlistBuddy -c 'Print :CFBundleShortVersionString' "$plist" 2>/dev/null || true)"
|
||||
fi
|
||||
if [[ -z "${bundle_version}" ]]; then
|
||||
bundle_version="unknown"
|
||||
fi
|
||||
arch="$(uname -m)"
|
||||
dmg_path="${build_dir}/strawberry-${bundle_version}-${arch}.dmg"
|
||||
|
||||
rm -f "$dmg_path"
|
||||
(
|
||||
cd "$build_dir"
|
||||
create-dmg \
|
||||
--volname strawberry \
|
||||
--background "${repo_root}/dist/macos/dmg_background.png" \
|
||||
--app-drop-link 450 218 \
|
||||
--icon strawberry.app 150 218 \
|
||||
--window-size 600 450 \
|
||||
"$(basename "$dmg_path")" \
|
||||
strawberry.app
|
||||
)
|
||||
if [[ -z "$dmg_path" ]]; then
|
||||
echo "Error: DMG was not created in $build_dir" >&2
|
||||
exit 1
|
||||
@@ -251,7 +292,7 @@ if [[ "$do_dmg" -eq 1 ]]; then
|
||||
codesign --force --timestamp --sign "$identity" "$dmg_path"
|
||||
|
||||
if [[ "$skip_notarize" -eq 0 ]]; then
|
||||
notarize_and_staple "$dmg_path" "DMG"
|
||||
notarize_and_maybe_staple "$dmg_path" "DMG" 1
|
||||
fi
|
||||
fi
|
||||
|
||||
|
||||
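Review bot: The `if [[ -z "$dmg_path" ]]` guard after the create-dmg subshell is dead in the new code — `dmg_path` is now assigned unconditionally from `build_dir`, `bundle_version` and `arch`, so a create-dmg run that produces no file slips past it and only surfaces later as a codesign failure on a missing path; change it to `if [[ ! -f "$dmg_path" ]]; then` with `echo "Error: DMG was not created at $dmg_path" >&2`. Inside the subshell, `cd "$build_dir" || exit 1` would keep create-dmg from running against the wrong directory if `set -e` is not in effect (the script's option settings are outside these hunks). Two hedged points: the literal `strawberry.app` source argument assumes `app_path` is `${build_dir}/strawberry.app`, which the hunk does not show, and `uname -m` names the DMG after the build host rather than the signed binary, so `lipo -archs "$bin_path"` may be the better source for a universal or cross-built app.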