Add mac signing (#176)

* Add mac signing
HDFGroup · Apr 5, 2024 · 7874b6f · 7874b6f
1 parent e8cc33e
commit 7874b6f
Show file tree

Hide file tree

Showing 3 changed files with 38 additions and 11 deletions.
diff --git a/.github/workflows/ant.yml b/.github/workflows/ant.yml
@@ -338,10 +338,34 @@ jobs:
   #
     name: "mac clang CMake"
     runs-on: macos-13
-    if: false
+    #if: false
     steps:
     - uses: actions/checkout@v3
 
+    - name: Install the Apple certificate and provisioning profile
+      shell: bash
+      env:
+          BUILD_CERTIFICATE_BASE64: ${{ secrets.APPLE_CERTS_BASE64 }}
+          P12_PASSWORD: ${{ secrets.APPLE_CERTS_BASE64_PASSWORD }}
+          KEYCHAIN_PASSWD: ${{ secrets.KEYCHAIN_PASSWD }}
+      run: |
+          # create variables
+          CERTIFICATE_PATH=$RUNNER_TEMP/build_certificate.p12
+          KEYCHAIN_PATH=$RUNNER_TEMP/app-signing.keychain-db
+          # import certificate from secrets
+          base64 -i "${{ env.BUILD_CERTIFICATE_BASE64 }}" --decode -o $CERTIFICATE_PATH
+          ls -la $RUNNER_TEMP
+          security -v verify-cert -c $CERTIFICATE_PATH
+          # create temporary keychain
+          security -v create-keychain -p "$KEYCHAIN_PASSWD" $KEYCHAIN_PATH
+          security -v list-keychains
+          security -v set-keychain-settings -lut 21600 $KEYCHAIN_PATH
+          security -v unlock-keychain -p "$KEYCHAIN_PASSWD" $KEYCHAIN_PATH
+          # import certificate to keychain
+          security -v import $CERTIFICATE_PATH -P "${{ env.P12_PASSWORD }}" -A -t cert -f pkcs12 -k $KEYCHAIN_PATH
+          security -v set-key-partition-list -S apple-tool:,apple: -k "${{ env.KEYCHAIN_PASSWD }}" $KEYCHAIN_PATH
+          security -v list-keychain -d user -s $KEYCHAIN_PATH
+
     - name: Set up JDK 19
       uses: actions/setup-java@v3
       with:
@@ -439,6 +463,8 @@ jobs:
       env:
         HDFLIBS: ${{ steps.set-hdflib-name.outputs.HDFLIB_ENV }}
         HDF5LIBS: ${{ steps.set-hdf5lib-name.outputs.HDF5LIB_ENV }}
+        KEYCHAIN_PASSWD: ${{ secrets.KEYCHAIN_PASSWD }}
+        KEYCHAIN_NAME: app-signing
       run: ant -Dsign_state=NOSIGN -noinput -buildfile build.xml binaryPackage
 
     - name: Rename snapshot binary base name

diff --git a/.github/workflows/tarball.yml b/.github/workflows/tarball.yml
@@ -24,7 +24,7 @@ on:
         description: "Whether there were changes the previous day"
         value: ${{ jobs.check_commits.outputs.has_changes }}
       source_base:
-        description: "The common base name of the source tarballs"
+        description: "The common version name of the binaries"
         value: ${{ jobs.create_tarball.outputs.source_base }}
       file_base:
         description: "The common base name of the source tarballs"

diff --git a/build.xml b/build.xml
@@ -21,7 +21,8 @@
     </condition>
     <!-- MAC signing: -->
     <property name="sign.account" value="${env.SIGNER}" />
-    <property name="login.keychain_key" value="${env.KEYCHAIN_PASSWD}" />
+    <property name="pass.keychain_key" value="${env.KEYCHAIN_PASSWD}" />
+    <property name="name.keychain_key" value="${env.KEYCHAIN_NAME}" />
 
     <!-- MAC notary: -->
     <property name="notarize.account" value="${env.NOTARY_USER}" />
@@ -1450,8 +1451,8 @@
         <exec executable="security" dir="${dist.dir}" failonerror="true">
             <arg value="unlock-keychain" />
             <arg value="-p" />
-            <arg value="${login.keychain_key}" />
-            <arg value="login.keychain" />
+            <arg value="${pass.keychain_key}" />
+            <arg value="${name.keychain_key}" />
         </exec>
 
         <echo> JXPackage the mac application</echo>
@@ -1752,8 +1753,8 @@
         <exec executable="security" dir="${dist.dir}" failonerror="true">
             <arg value="unlock-keychain" />
             <arg value="-p" />
-            <arg value="${login.keychain_key}" />
-            <arg value="login.keychain" />
+            <arg value="${pass.keychain_key}" />
+            <arg value="${name.keychain_key}" />
         </exec>
 
         <echo message="xxxx Code sign the mac dmg xxxx"/>
@@ -1840,8 +1841,8 @@
         <exec executable="security" dir="${dist.dir}" failonerror="true">
             <arg value="unlock-keychain" />
             <arg value="-p" />
-            <arg value="${login.keychain_key}" />
-            <arg value="login.keychain" />
+            <arg value="${pass.keychain_key}" />
+            <arg value="${name.keychain_key}" />
         </exec>
 
         <echo> Create the mac jpackage</echo>
@@ -2274,8 +2275,8 @@
         <exec executable="security" dir="${dist.dir}" failonerror="true">
             <arg value="unlock-keychain" />
             <arg value="-p" />
-            <arg value="${login.keychain_key}" />
-            <arg value="login.keychain" />
+            <arg value="${pass.keychain_key}" />
+            <arg value="${name.keychain_key}" />
         </exec>
 
         <echo message="---- Create the mac zip ----"/>