build(macos): allow local codesign [skip ci]

2024-09-28 15:13:31 +00:00 · 2024-06-02 17:45:59 +02:00 · 2024-06-02 17:45:59 +02:00 · c3064a2cb3
parent 3860f2832c
commit c3064a2cb3
5 changed files with 48 additions and 20 deletions
--- a/build/build.sh
+++ b/build/build.sh
@ -120,5 +120,11 @@ if [[ "${SKIP_ASSETS}" == "no" ]]; then
    rm -rf build/windows/msi/releasedir
  fi

+  if [[ "${OS_NAME}" == "osx" && -f "./macos-codesign.env" ]]; then
+    . macos-codesign.env
+
+    echo "CERTIFICATE_OSX_ID: ${CERTIFICATE_OSX_ID}"
+  fi
+
  . prepare_assets.sh
 fi
--- a/macos-codesign.env.template
+++ b/macos-codesign.env.template
@ -0,0 +1,5 @@
+CERTIFICATE_OSX_APP_PASSWORD=
+CERTIFICATE_OSX_ID=
+CERTIFICATE_OSX_P12_DATA=
+CERTIFICATE_OSX_P12_PASSWORD=
+CERTIFICATE_OSX_TEAM_ID=
--- a/patches/fix-darwin-codesign.patch
+++ b/patches/fix-darwin-codesign.patch
@ -0,0 +1,28 @@
+diff --git a/build/darwin/sign.js b/build/darwin/sign.js
+index f5913b7..100b950 100644
+--- a/build/darwin/sign.js
+++ b/build/darwin/sign.js
+@@ -53,5 +53,7 @@ async function main(buildDir) {
+         ignore: (filePath) => {
+						const ext = path.extname(filePath);
+             return filePath.includes(gpuHelperAppName) ||
+                 filePath.includes(rendererHelperAppName) ||
+-                filePath.includes(pluginHelperAppName);
+                filePath.includes(pluginHelperAppName) ||
+								ext == '.asar' || ext == '.dat' || ext == '.gif' || ext == '.icns' || ext == '.ico' || ext == '.json' || ext == '.mp3' || ext == '.nib' || ext == '.pak' || ext == '.png' || ext == '.scpt' || ext == '.ttf' || ext == '.wasm' || ext == '.woff' || ext == '.woff2';
+         }
+@@ -83,3 +85,3 @@ async function main(buildDir) {
+             '-string',
+-            'An application in Visual Studio Code wants to use AppleScript.',
+            'An application in VSCodium wants to use AppleScript.',
+             `${infoPlistPath}`
+@@ -90,3 +92,3 @@ async function main(buildDir) {
+             '-string',
+-            'An application in Visual Studio Code wants to use the Microphone.',
+            'An application in VSCodium wants to use the Microphone.',
+             `${infoPlistPath}`
+@@ -97,3 +99,3 @@ async function main(buildDir) {
+             '-string',
+-            'An application in Visual Studio Code wants to use the Camera.',
+            'An application in VSCodium wants to use the Camera.',
+             `${infoPlistPath}`
--- a/patches/fix-darwin-sign.patch
+++ b/patches/fix-darwin-sign.patch
@ -1,19 +0,0 @@
-diff --git a/build/darwin/sign.js b/build/darwin/sign.js
-index f5913b7..c861e3e 100644
--- a/build/darwin/sign.js
-+++ b/build/darwin/sign.js
-@@ -83,3 +83,3 @@ async function main(buildDir) {
-             '-string',
-            'An application in Visual Studio Code wants to use AppleScript.',
-+            'An application in VSCodium wants to use AppleScript.',
-             `${infoPlistPath}`
-@@ -90,3 +90,3 @@ async function main(buildDir) {
-             '-string',
-            'An application in Visual Studio Code wants to use the Microphone.',
-+            'An application in VSCodium wants to use the Microphone.',
-             `${infoPlistPath}`
-@@ -97,3 +97,3 @@ async function main(buildDir) {
-             '-string',
-            'An application in Visual Studio Code wants to use the Camera.',
-+            'An application in VSCodium wants to use the Camera.',
-             `${infoPlistPath}`
--- a/prepare_assets.sh
+++ b/prepare_assets.sh
@ -20,13 +20,19 @@ sum_file() {
 mkdir -p assets

 if [[ "${OS_NAME}" == "osx" ]]; then
-  if [[ "${CI_BUILD}" != "no" ]]; then
+  if [[ -n "${CERTIFICATE_OSX_P12_DATA}" ]]; then
+    if [[ "${CI_BUILD}" == "no" ]]; then
+      RUNNER_TEMP="${TMPDIR}"
+    fi
+
    CERTIFICATE_P12="${APP_NAME}.p12"
    KEYCHAIN="${RUNNER_TEMP}/buildagent.keychain"
    AGENT_TEMPDIRECTORY="${RUNNER_TEMP}"
    # shellcheck disable=SC2006
    KEYCHAINS=`security list-keychains | xargs`

+    rm -f "${KEYCHAIN}"
+
    echo "${CERTIFICATE_OSX_P12_DATA}" | base64 --decode > "${CERTIFICATE_P12}"

    echo "+ create temporary keychain"
@ -48,6 +54,7 @@ if [[ "${OS_NAME}" == "osx" ]]; then
    export CODESIGN_IDENTITY AGENT_TEMPDIRECTORY

    DEBUG="electron-osx-sign*" node vscode/build/darwin/sign.js "$( pwd )"
+    # codesign --display --entitlements :- ""

    echo "+ notarize"

@ -57,6 +64,7 @@ if [[ "${OS_NAME}" == "osx" ]]; then
    zip -r -X -y "${ZIP_FILE}" ./*.app

    xcrun notarytool store-credentials "${APP_NAME}" --apple-id "${CERTIFICATE_OSX_ID}" --team-id "${CERTIFICATE_OSX_TEAM_ID}" --password "${CERTIFICATE_OSX_APP_PASSWORD}" --keychain "${KEYCHAIN}"
+    # xcrun notarytool history --keychain-profile "${APP_NAME}" --keychain "${KEYCHAIN}"
    xcrun notarytool submit "${ZIP_FILE}" --keychain-profile "${APP_NAME}" --wait --keychain "${KEYCHAIN}"

    echo "+ attach staple"