|
68 | 68 | if: matrix.use_cross == true |
69 | 69 | run: cross build --release --target ${{ matrix.target }} |
70 | 70 |
|
| 71 | + - name: Import signing certificate |
| 72 | + if: runner.os == 'macOS' |
| 73 | + env: |
| 74 | + APPLE_SIGNING_CERTIFICATE: ${{ secrets.APPLE_SIGNING_CERTIFICATE }} |
| 75 | + APPLE_SIGNING_CERTIFICATE_PASSWORD: ${{ secrets.APPLE_SIGNING_CERTIFICATE_PASSWORD }} |
| 76 | + run: | |
| 77 | + KEYCHAIN_PATH="$RUNNER_TEMP/signing.keychain-db" |
| 78 | + KEYCHAIN_PASSWORD=$(openssl rand -hex 16) |
| 79 | + echo "$APPLE_SIGNING_CERTIFICATE" | base64 --decode > "$RUNNER_TEMP/certificate.p12" |
| 80 | + security create-keychain -p "$KEYCHAIN_PASSWORD" "$KEYCHAIN_PATH" |
| 81 | + security set-keychain-settings -lut 900 "$KEYCHAIN_PATH" |
| 82 | + security unlock-keychain -p "$KEYCHAIN_PASSWORD" "$KEYCHAIN_PATH" |
| 83 | + security import "$RUNNER_TEMP/certificate.p12" \ |
| 84 | + -k "$KEYCHAIN_PATH" \ |
| 85 | + -P "$APPLE_SIGNING_CERTIFICATE_PASSWORD" \ |
| 86 | + -T /usr/bin/codesign |
| 87 | + security list-keychain -d user -s "$KEYCHAIN_PATH" |
| 88 | + security set-key-partition-list -S apple-tool:,apple: -s -k "$KEYCHAIN_PASSWORD" "$KEYCHAIN_PATH" |
| 89 | +
|
| 90 | + - name: Sign binary |
| 91 | + if: runner.os == 'macOS' |
| 92 | + run: | |
| 93 | + IDENTITY=$(security find-identity -v -p codesigning "$RUNNER_TEMP/signing.keychain-db" \ |
| 94 | + | grep "Developer ID Application" \ |
| 95 | + | awk '{print $2}') |
| 96 | + codesign \ |
| 97 | + --deep \ |
| 98 | + --force \ |
| 99 | + --sign "$IDENTITY" \ |
| 100 | + --options runtime \ |
| 101 | + target/${{ matrix.target }}/release/openshell-image-builder |
| 102 | +
|
| 103 | + - name: Notarize binary |
| 104 | + if: runner.os == 'macOS' |
| 105 | + env: |
| 106 | + APPLE_ID: ${{ secrets.APPLE_ID }} |
| 107 | + APPLE_ID_PASSWORD: ${{ secrets.APPLE_ID_PASSWORD }} |
| 108 | + APPLE_TEAM_ID: ${{ secrets.APPLE_TEAM_ID }} |
| 109 | + run: | |
| 110 | + zip -j "$RUNNER_TEMP/openshell-image-builder.zip" \ |
| 111 | + target/${{ matrix.target }}/release/openshell-image-builder |
| 112 | + xcrun notarytool submit "$RUNNER_TEMP/openshell-image-builder.zip" \ |
| 113 | + --apple-id "$APPLE_ID" \ |
| 114 | + --password "$APPLE_ID_PASSWORD" \ |
| 115 | + --team-id "$APPLE_TEAM_ID" \ |
| 116 | + --wait |
| 117 | +
|
| 118 | + - name: Clean up keychain |
| 119 | + if: always() && runner.os == 'macOS' |
| 120 | + run: security delete-keychain "$RUNNER_TEMP/signing.keychain-db" |
| 121 | + |
71 | 122 | - name: Upload artifact |
72 | 123 | uses: actions/upload-artifact@043fb46d1a93c77aae656e7c1c64a875d1fc6a0a # v7.0.1 |
73 | 124 | with: |
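Review bot: The decoded `certificate.p12` written to `$RUNNER_TEMP` in the "Import signing certificate" step is never deleted; the "Clean up keychain" step removes only `signing.keychain-db`, so the private key material stays on disk through the upload step and, on a runner that is not ephemeral, after the job ends. Adding `rm -f "$RUNNER_TEMP/certificate.p12"` directly after `security import`, and again in the `always()` cleanup step, closes that window. In "Sign binary" the `grep | awk` pipeline can produce an empty or multi-line `IDENTITY`, and the default `run` shell presumably runs without `pipefail`, so taking the first match with `head -n 1` and guarding with `[ -n "$IDENTITY" ] || exit 1` would make that failure explicit. It is also worth confirming that `xcrun notarytool submit --wait` fails the step when the submission is rejected; if it does not, the artifact is uploaded un-notarized. The steps list starts and ends outside this hunk, so the workflow triggers, and whether these secrets are exposed to fork pull requests, cannot be checked from here.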
|