173 lines
5.4 KiB
Bash
Executable File
173 lines
5.4 KiB
Bash
Executable File
#!/usr/bin/env bash
|
|
set -euo pipefail
|
|
|
|
ts() { date +"%H:%M:%S"; }
|
|
|
|
script_dir="$(cd -- "$(dirname -- "${BASH_SOURCE[0]}")" && pwd)"
|
|
repo_root="$(cd -- "${script_dir}/../.." && pwd)"
|
|
|
|
usage() {
|
|
cat <<'EOF'
|
|
Usage:
|
|
./build_tools/macos/build_sign_notarize.sh # list local signing identities + notary profiles
|
|
./build_tools/macos/build_sign_notarize.sh --run [options] # build, sign, notarize, staple
|
|
|
|
Common options:
|
|
--run Perform build/sign/notarize (otherwise list identities/profiles)
|
|
--release | --debug Build config (default: Release)
|
|
--clean Clean build dir before build
|
|
--deploy Run CMake 'deploy' target before signing (recommended for distributing)
|
|
--build-dir <path> Override build directory
|
|
|
|
Signing options:
|
|
--identity "<name>" Codesign identity (e.g. "Developer ID Application: Your Name (TEAMID)")
|
|
--entitlements <plist> Optional entitlements plist for codesign
|
|
|
|
Notarization options (recommended):
|
|
--notary-profile <name> notarytool keychain profile name (created via `xcrun notarytool store-credentials <name> ...`)
|
|
--skip-notarize Skip notarization
|
|
|
|
Outputs:
|
|
- Signed app: <build-dir>/strawberry.app
|
|
- Zip for notarization: <build-dir>/strawberry-notarize.zip
|
|
|
|
Notes:
|
|
- This script is intended for Developer ID distribution (outside Mac App Store).
|
|
- If you want Sparkle updates, you'll typically ship a notarized .zip + an appcast feed.
|
|
EOF
|
|
}
|
|
|
|
list_identities_and_profiles() {
|
|
echo "==> [$(ts)] macOS code signing identities (Keychain)"
|
|
security find-identity -p codesigning -v || true
|
|
|
|
echo
|
|
echo "==> [$(ts)] notarytool profiles (keychain profiles)"
|
|
xcrun notarytool list-profiles 2>/dev/null || echo "(none; create one with: xcrun notarytool store-credentials <name> ...)"
|
|
|
|
echo
|
|
echo "==> [$(ts)] Provisioning profiles (macOS)"
|
|
prof_dir="${HOME}/Library/MobileDevice/Provisioning Profiles"
|
|
if [[ -d "${prof_dir}" ]]; then
|
|
ls -la "${prof_dir}" | head -n 50
|
|
else
|
|
echo "(none found at '${prof_dir}')"
|
|
fi
|
|
}
|
|
|
|
if [[ "$(uname -s)" != "Darwin" ]]; then
|
|
echo "Error: This script is for macOS only." >&2
|
|
exit 1
|
|
fi
|
|
|
|
if ! command -v xcode-select >/dev/null 2>&1 || ! xcode-select -p >/dev/null 2>&1; then
|
|
echo "Error: Xcode Command Line Tools not found." >&2
|
|
echo "Install them first: xcode-select --install" >&2
|
|
exit 1
|
|
fi
|
|
|
|
do_run=0
|
|
config="Release"
|
|
do_clean=0
|
|
do_deploy=0
|
|
build_dir=""
|
|
identity=""
|
|
entitlements=""
|
|
notary_profile=""
|
|
skip_notarize=0
|
|
|
|
while [[ $# -gt 0 ]]; do
|
|
case "$1" in
|
|
--run) do_run=1; shift ;;
|
|
--release) config="Release"; shift ;;
|
|
--debug) config="Debug"; shift ;;
|
|
--clean) do_clean=1; shift ;;
|
|
--deploy) do_deploy=1; shift ;;
|
|
--build-dir) build_dir="${2:-}"; shift 2 ;;
|
|
--identity) identity="${2:-}"; shift 2 ;;
|
|
--entitlements) entitlements="${2:-}"; shift 2 ;;
|
|
--notary-profile) notary_profile="${2:-}"; shift 2 ;;
|
|
--skip-notarize) skip_notarize=1; shift ;;
|
|
-h|--help) usage; exit 0 ;;
|
|
*) echo "Unknown arg: $1" >&2; usage; exit 2 ;;
|
|
esac
|
|
done
|
|
|
|
if [[ "$do_run" -eq 0 ]]; then
|
|
usage
|
|
echo
|
|
list_identities_and_profiles
|
|
exit 0
|
|
fi
|
|
|
|
if [[ -z "$build_dir" ]]; then
|
|
lc_config="$(echo "$config" | tr '[:upper:]' '[:lower:]')"
|
|
build_dir="${repo_root}/cmake-build-macos-${lc_config}"
|
|
fi
|
|
|
|
app_path="${build_dir}/strawberry.app"
|
|
bin_path="${app_path}/Contents/MacOS/strawberry"
|
|
zip_path="${build_dir}/strawberry-notarize.zip"
|
|
|
|
if [[ -z "$identity" ]]; then
|
|
echo "Error: Missing --identity (Developer ID Application identity)." >&2
|
|
exit 2
|
|
fi
|
|
|
|
if [[ "$skip_notarize" -eq 0 && -z "$notary_profile" ]]; then
|
|
echo "Error: Missing --notary-profile (or pass --skip-notarize)." >&2
|
|
exit 2
|
|
fi
|
|
|
|
echo "==> [$(ts)] Building Strawberry"
|
|
build_args=( "--release" )
|
|
if [[ "$config" == "Debug" ]]; then build_args=( "--debug" ); fi
|
|
if [[ "$do_clean" -eq 1 ]]; then build_args+=( "--clean" ); fi
|
|
if [[ -n "$build_dir" ]]; then build_args+=( "--build-dir" "$build_dir" ); fi
|
|
if [[ "$do_deploy" -eq 1 ]]; then build_args+=( "--deploy" ); fi
|
|
|
|
"${repo_root}/build_tools/macos/build_app.sh" "${build_args[@]}"
|
|
|
|
if [[ ! -x "$bin_path" ]]; then
|
|
echo "Error: built app not found at: $app_path" >&2
|
|
exit 1
|
|
fi
|
|
|
|
echo "==> [$(ts)] Codesigning (hardened runtime)"
|
|
codesign_args=( --force --timestamp --options runtime --sign "$identity" )
|
|
if [[ -n "$entitlements" ]]; then
|
|
codesign_args+=( --entitlements "$entitlements" )
|
|
fi
|
|
|
|
find "$app_path" -type f \( -name "*.dylib" -o -name "*.so" -o -perm -111 \) -print0 | while IFS= read -r -d '' f; do
|
|
codesign "${codesign_args[@]}" "$f" >/dev/null
|
|
done
|
|
find "$app_path/Contents/Frameworks" "$app_path/Contents/PlugIns" -type d -name "*.framework" -print0 2>/dev/null | while IFS= read -r -d '' fw; do
|
|
codesign "${codesign_args[@]}" "$fw" >/dev/null
|
|
done
|
|
codesign "${codesign_args[@]}" "$app_path" >/dev/null
|
|
|
|
echo "==> [$(ts)] Verifying codesign"
|
|
codesign --verify --deep --strict --verbose=2 "$app_path"
|
|
|
|
echo "==> [$(ts)] Creating zip for notarization"
|
|
rm -f "$zip_path"
|
|
ditto -c -k --sequesterRsrc --keepParent "$app_path" "$zip_path"
|
|
|
|
if [[ "$skip_notarize" -eq 0 ]]; then
|
|
echo "==> [$(ts)] Notarizing"
|
|
xcrun notarytool submit "$zip_path" --keychain-profile "$notary_profile" --wait
|
|
|
|
echo "==> [$(ts)] Stapling"
|
|
xcrun stapler staple "$app_path"
|
|
fi
|
|
|
|
echo "==> [$(ts)] Gatekeeper assessment"
|
|
spctl -a -vv --type execute "$app_path" || true
|
|
|
|
echo
|
|
echo "Done."
|
|
echo "App: $app_path"
|
|
echo "Zip: $zip_path"
|
|
|