contrib: Sign and notarize all MacOS binaries
Signapple has been updated to sign individual binaries, and notarize app
bundles and binaries. When codesigning, all individual binaries will be
codesigned, and both the app bundle and individual binaries will be
notarized.
Github-Pull: #31407
Rebased-From: 31d325464d
parent
5ef2722196
commit
af43cec3f5
@ -6,26 +6,57 @@
|
|||||||
export LC_ALL=C
|
export LC_ALL=C
|
||||||
set -e
|
set -e
|
||||||
|
|
||||||
ROOTDIR=dist
|
|
||||||
BUNDLE="${ROOTDIR}/Bitcoin-Qt.app"
|
|
||||||
BINARY="${BUNDLE}/Contents/MacOS/Bitcoin-Qt"
|
|
||||||
SIGNAPPLE=signapple
|
SIGNAPPLE=signapple
|
||||||
TEMPDIR=sign.temp
|
TEMPDIR=sign.temp
|
||||||
ARCH=$(${SIGNAPPLE} info ${BINARY} | head -n 1 | cut -d " " -f 1)
|
|
||||||
OUT="signature-osx-${ARCH}.tar.gz"
|
|
||||||
OUTROOT=osx/dist
|
|
||||||
|
|
||||||
if [ -z "$1" ]; then
|
BUNDLE_ROOT=dist
|
||||||
echo "usage: $0 <signapple args>"
|
BUNDLE_NAME="Bitcoin-Qt.app"
|
||||||
echo "example: $0 <path to key>"
|
UNSIGNED_BUNDLE="${BUNDLE_ROOT}/${BUNDLE_NAME}"
|
||||||
|
UNSIGNED_BINARY="${UNSIGNED_BUNDLE}/Contents/MacOS/Bitcoin-Qt"
|
||||||
|
|
||||||
|
ARCH=$(${SIGNAPPLE} info ${UNSIGNED_BINARY} | head -n 1 | cut -d " " -f 1)
|
||||||
|
|
||||||
|
OUTDIR="osx/${ARCH}-apple-darwin"
|
||||||
|
OUTROOT="${TEMPDIR}/${OUTDIR}"
|
||||||
|
|
||||||
|
OUT="signature-osx-${ARCH}.tar.gz"
|
||||||
|
|
||||||
|
if [ "$#" -ne 3 ]; then
|
||||||
|
echo "usage: $0 <path to key> <path to app store connect key> <apple developer team uuid>"
|
||||||
exit 1
|
exit 1
|
||||||
fi
|
fi
|
||||||
|
|
||||||
rm -rf ${TEMPDIR}
|
rm -rf ${TEMPDIR}
|
||||||
mkdir -p ${TEMPDIR}
|
mkdir -p ${TEMPDIR}
|
||||||
|
|
||||||
${SIGNAPPLE} sign -f --detach "${TEMPDIR}/${OUTROOT}" "$@" "${BUNDLE}" --hardened-runtime
|
stty -echo
|
||||||
|
printf "Enter the passphrase for %s: " "$1"
|
||||||
|
read cs_key_pass
|
||||||
|
printf "\n"
|
||||||
|
printf "Enter the passphrase for %s: " "$2"
|
||||||
|
read api_key_pass
|
||||||
|
printf "\n"
|
||||||
|
stty echo
|
||||||
|
|
||||||
tar -C "${TEMPDIR}" -czf "${OUT}" .
|
# Sign and notarize app bundle
|
||||||
|
${SIGNAPPLE} sign -f --hardened-runtime --detach "${OUTROOT}/${BUNDLE_ROOT}" --passphrase "${cs_key_pass}" "$1" "${UNSIGNED_BUNDLE}"
|
||||||
|
${SIGNAPPLE} apply "${UNSIGNED_BUNDLE}" "${OUTROOT}/${BUNDLE_ROOT}/${BUNDLE_NAME}"
|
||||||
|
${SIGNAPPLE} notarize --detach "${OUTROOT}/${BUNDLE_ROOT}" --passphrase "${api_key_pass}" "$2" "$3" "${UNSIGNED_BUNDLE}"
|
||||||
|
|
||||||
|
# Sign each binary
|
||||||
|
find . -maxdepth 3 -wholename "*/bin/*" -type f -exec realpath --relative-to=. {} \; | while read -r bin
|
||||||
|
do
|
||||||
|
bin_dir=$(dirname "${bin}")
|
||||||
|
bin_name=$(basename "${bin}")
|
||||||
|
${SIGNAPPLE} sign -f --hardened-runtime --detach "${OUTROOT}/${bin_dir}" --passphrase "${cs_key_pass}" "$1" "${bin}"
|
||||||
|
${SIGNAPPLE} apply "${bin}" "${OUTROOT}/${bin_dir}/${bin_name}.${ARCH}sign"
|
||||||
|
done
|
||||||
|
|
||||||
|
# Notarize the binaries
|
||||||
|
# Binaries cannot have stapled notarizations so this does not actually generate any output
|
||||||
|
binaries_dir=$(dirname "$(find . -maxdepth 2 -wholename '*/bin' -type d -exec realpath --relative-to=. {} \;)")
|
||||||
|
${SIGNAPPLE} notarize --passphrase "${api_key_pass}" "$2" "$3" "${binaries_dir}"
|
||||||
|
|
||||||
|
tar -C "${TEMPDIR}" -czf "${OUT}" "${OUTDIR}"
|
||||||
rm -rf "${TEMPDIR}"
|
rm -rf "${TEMPDIR}"
|
||||||
echo "Created ${OUT}"
|
echo "Created ${OUT}"
|
||||||
|
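Review bot: The passphrase prompt block (`stty -echo` … `stty echo`) has no cleanup trap, so under `set -e` an interrupt or a failed `read` between the two calls leaves the operator's terminal with echo disabled; adding `trap 'stty echo' EXIT` just before `stty -echo` would restore it on every exit path. The two plain `read` calls also interpret backslashes and trim leading and trailing whitespace, so a passphrase containing either is silently altered before it reaches signapple; `IFS= read -r cs_key_pass` and `IFS= read -r api_key_pass` keep it byte-for-byte. Both passphrases are then passed as `--passphrase "${cs_key_pass}"` / `--passphrase "${api_key_pass}"` on the signapple command lines, which makes them readable in the process list by other local users for the duration of each sign and notarize call. Whether signapple can take the passphrase from stdin or the environment is not visible on this page, so that should be checked, and otherwise the script header should state that it must be run on a single-user signing host.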