
Commit 7130666

committed
Enhance macOS code signing process in GitHub Actions workflow by adding entitlements validation, improved signing verification, and detailed logging for secure timestamp checks. Updated entitlements file with additional permissions for user-selected file access.
1 parent e5a373d commit 7130666

3 files changed

Lines changed: 134 additions & 15 deletions


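--- a/.github/workflows/release.yml
+++ b/.github/workflows/release.yml
@@ -192,6 +192,24 @@ jobs:
 echo "⚠️ Using fallback identity: ${CERT_IDENTITY}"
 fi
 
+# Validate entitlements file formatting (Apple's recommendation)
+echo "=== Validating entitlements file ==="
+if [ -f "scripts/entitlements.plist" ]; then
+echo "Validating entitlements formatting with plutil..."
+if plutil -lint scripts/entitlements.plist; then
+echo "✅ Entitlements file is properly formatted"
+else
+echo "❌ Entitlements file has formatting issues"
+exit 1
+fi
+
+# Convert to XML format if needed (Apple's recommendation)
+plutil -convert xml1 scripts/entitlements.plist
+echo "✅ Entitlements converted to XML format"
+else
+echo "⚠️ No entitlements file found"
+fi
+
 # Sign with proper Developer ID certificate, hardened runtime, and timestamp
 echo "=== Signing binary with hardened runtime ==="
 
@@ -248,13 +266,39 @@ jobs:
 fi
 fi
 
-# Verify signing, hardened runtime, and timestamp
-echo "=== Verifying binary signature ==="
+# Verify signing, hardened runtime, and timestamp using Apple's recommended methods
+echo "=== Verifying binary signature (Apple's recommended verification) ==="
+
+# Basic verification
 codesign --verify --verbose ${CLEAN_BINARY}
 echo "Basic verification: $?"
 
+# Apple's recommended strict verification for notarization
+echo "=== Strict verification (matches notarization requirements) ==="
+if codesign -vvv --deep --strict ${CLEAN_BINARY}; then
+echo "✅ Strict verification PASSED - ready for notarization"
+else
+echo "❌ Strict verification FAILED - will not pass notarization"
+exit 1
+fi
+
+# Check for secure timestamp (Apple's recommended check)
+echo "=== Checking for secure timestamp ==="
+TIMESTAMP_CHECK=$(codesign -dvv ${CLEAN_BINARY} 2>&1)
+if echo "$TIMESTAMP_CHECK" | grep -q "Timestamp="; then
+echo "✅ Secure timestamp present:"
+echo "$TIMESTAMP_CHECK" | grep "Timestamp="
+else
+echo "❌ No secure timestamp found"
+echo "Full output:"
+echo "$TIMESTAMP_CHECK"
+fi
+
+# Display detailed signature info
 codesign --display --verbose=4 ${CLEAN_BINARY}
-echo "=== Checking for hardened runtime and timestamp ==="
+
+# Check entitlements formatting (Apple's recommendation)
+echo "=== Checking entitlements formatting ==="
 codesign --display --entitlements - ${CLEAN_BINARY} | head -10
 
 # Verify with spctl (Gatekeeper assessment) - expected to fail before notarization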
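Review bot: The secure-timestamp check at new lines 288–295 is advisory only — the else branch prints ❌ and the full `codesign -dvv` output but never exits, so a binary signed while the timestamp server was unreachable passes this step and only fails later at notarization. The strict-verification branch directly above already treats failure as fatal, so the timestamp branch should match it: add `exit 1` after `echo "$TIMESTAMP_CHECK"`. Separately, `plutil -convert xml1 scripts/entitlements.plist` at new line 207 rewrites the checked-out source file in place; converting to a temporary copy and passing that path to `--entitlements` would keep the working tree clean without changing what gets signed. The `run` step this hunk belongs to starts before the first hunk, and `${CLEAN_BINARY}` (set outside the hunk) is used unquoted on every `codesign` line — `"${CLEAN_BINARY}"` would survive a path containing spaces.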

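--- a/scripts/create-dmg.sh
+++ b/scripts/create-dmg.sh
@@ -73,6 +73,14 @@ cat > "$TEMP_DIR/$APP_BUNDLE/Contents/Info.plist" << EOF
 <true/>
 <key>LSBackgroundOnly</key>
 <false/>
+<key>NSHighResolutionCapable</key>
+<true/>
+<key>NSRequiresAquaSystemAppearance</key>
+<false/>
+<key>LSApplicationCategoryType</key>
+<string>public.app-category.utilities</string>
+<key>NSUserNotificationAlertStyle</key>
+<string>alert</string>
 EOF
 
 if [ -n "$ICON_FILE" ]; then
@@ -90,22 +98,87 @@ EOF
 # Create empty PkgInfo file (required for proper app bundle)
 echo "APPLMCPP" > "$TEMP_DIR/$APP_BUNDLE/Contents/PkgInfo"
 
-# Sign the app bundle properly
-echo "Signing app bundle..."
-
-# Use development entitlements if available, otherwise sign without entitlements
-if [ -f "scripts/entitlements-dev.plist" ]; then
-echo "Using development entitlements..."
-codesign --force --deep --sign - --identifier "$BUNDLE_ID" --entitlements "scripts/entitlements-dev.plist" "$TEMP_DIR/$APP_BUNDLE"
+# Sign the app bundle properly with Developer ID certificate
+echo "Signing app bundle with Developer ID certificate..."
+
+# Find the Developer ID certificate (same logic as in workflow)
+CERT_IDENTITY=$(security find-identity -v -p codesigning | grep "Developer ID Application" | head -1 | grep -o '"[^"]*"' | tr -d '"')
+
+if [ -n "${CERT_IDENTITY}" ]; then
+echo "✅ Found Developer ID certificate: ${CERT_IDENTITY}"
+
+# Validate entitlements file formatting (Apple's recommendation)
+if [ -f "scripts/entitlements.plist" ]; then
+echo "=== Validating entitlements file ==="
+if plutil -lint scripts/entitlements.plist; then
+echo "✅ Entitlements file is properly formatted"
+else
+echo "❌ Entitlements file has formatting issues"
+exit 1
+fi
+
+# Convert to XML format if needed
+plutil -convert xml1 scripts/entitlements.plist
+echo "✅ Entitlements converted to XML format"
+fi
+
+# Sign with proper Developer ID certificate, hardened runtime, and production entitlements
+if [ -f "scripts/entitlements.plist" ]; then
+echo "Using production entitlements..."
+codesign --force --deep \
+--options runtime \
+--sign "${CERT_IDENTITY}" \
+--identifier "$BUNDLE_ID" \
+--entitlements "scripts/entitlements.plist" \
+--timestamp \
+"$TEMP_DIR/$APP_BUNDLE"
+else
+echo "No entitlements file found, signing without..."
+codesign --force --deep \
+--options runtime \
+--sign "${CERT_IDENTITY}" \
+--identifier "$BUNDLE_ID" \
+--timestamp \
+"$TEMP_DIR/$APP_BUNDLE"
+fi
+
+# Verify signing using Apple's recommended methods
+echo "=== Verifying app bundle signature ==="
+codesign --verify --verbose "$TEMP_DIR/$APP_BUNDLE"
+
+# Apple's recommended strict verification for notarization
+echo "=== Strict verification (matches notarization requirements) ==="
+if codesign -vvv --deep --strict "$TEMP_DIR/$APP_BUNDLE"; then
+echo "✅ App bundle strict verification PASSED - ready for notarization"
+else
+echo "❌ App bundle strict verification FAILED - will not pass notarization"
+exit 1
+fi
+
+# Check for secure timestamp
+echo "=== Checking app bundle timestamp ==="
+TIMESTAMP_CHECK=$(codesign -dvv "$TEMP_DIR/$APP_BUNDLE" 2>&1)
+if echo "$TIMESTAMP_CHECK" | grep -q "Timestamp="; then
+echo "✅ App bundle has secure timestamp:"
+echo "$TIMESTAMP_CHECK" | grep "Timestamp="
+else
+echo "❌ App bundle missing secure timestamp"
+fi
+
+# Show detailed signature information
+echo "=== App bundle signature details ==="
+codesign --display --verbose=4 "$TEMP_DIR/$APP_BUNDLE"
+
+# Check entitlements
+echo "=== App bundle entitlements ==="
+codesign --display --entitlements - "$TEMP_DIR/$APP_BUNDLE"
+
 else
-echo "Signing without entitlements..."
+echo "❌ No Developer ID certificate found - using ad-hoc signature"
+echo "This will NOT work for notarization!"
 codesign --force --deep --sign - --identifier "$BUNDLE_ID" "$TEMP_DIR/$APP_BUNDLE"
 fi
 
-# Verify signing
-codesign --verify --verbose "$TEMP_DIR/$APP_BUNDLE"
-echo "App bundle signed successfully"
-
 # Create Applications symlink
 ln -s /Applications "$TEMP_DIR/Applications"
 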
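Review bot: The ad-hoc fallback at new lines 176–179 fails open: when no Developer ID certificate is found the script prints ❌ but still ad-hoc signs the bundle and goes on to build the DMG, so a release run whose signing keychain was never imported would produce an un-notarizable artifact without the job failing. If this script is also meant for local dev builds, gate the fallback on an explicit opt-in rather than on certificate absence, e.g. `if [ "${ALLOW_ADHOC_SIGNING:-0}" != "1" ]; then echo "Refusing to ad-hoc sign a release build" >&2; exit 1; fi` placed before the `codesign --force --deep --sign -` line. The lookup at new line 105 also takes the first `Developer ID Application` identity in the keychain, which on a machine holding several teams' certificates may be the wrong one; allowing an override such as `CERT_IDENTITY="${CODESIGN_IDENTITY:-$(security find-identity ...)}"` or matching on the team ID would make the choice deterministic. Note too that if the script runs under `set -o pipefail` (its header is outside this hunk), `grep` returning 1 on no match makes that assignment itself fail before the `-n` test is reached, and the missing-timestamp branch at new lines 164–166 is non-fatal, unlike the strict-verification branch just above it.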

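--- a/scripts/entitlements.plist
+++ b/scripts/entitlements.plist
@@ -12,5 +12,7 @@
 <true/>
 <key>com.apple.security.network.server</key>
 <true/>
+<key>com.apple.security.files.user-selected.read-write</key>
+<true/>
 </dict>
 </plist>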
