Fix Apple signing

This commit is contained in:
DecDuck
2025-11-15 14:19:04 +11:00
parent 84f4210479
commit 490a689497
3 changed files with 105 additions and 24 deletions


@ -1,4 +1,4 @@
name: 'publish' name: "publish"
on: on:
workflow_dispatch: {} workflow_dispatch: {}
@ -18,16 +18,16 @@ jobs:
fail-fast: false fail-fast: false
matrix: matrix:
include: include:
- platform: 'macos-latest' # for Arm based macs (M1 and above). - platform: "macos-14" # for Arm based macs (M1 and above).
args: '--target aarch64-apple-darwin' args: "--target aarch64-apple-darwin"
- platform: 'macos-latest' # for Intel based macs. - platform: "macos-14" # for Intel based macs.
args: '--target x86_64-apple-darwin' args: "--target x86_64-apple-darwin"
- platform: 'ubuntu-22.04' # for Tauri v1 you could replace this with ubuntu-20.04. - platform: "ubuntu-22.04" # for Tauri v1 you could replace this with ubuntu-20.04.
args: '' args: ""
- platform: 'ubuntu-22.04-arm' - platform: "ubuntu-22.04-arm"
args: '--target aarch64-unknown-linux-gnu' args: "--target aarch64-unknown-linux-gnu"
- platform: 'windows-latest' - platform: "windows-latest"
args: '' args: ""
runs-on: ${{ matrix.platform }} runs-on: ${{ matrix.platform }}
steps: steps:
@ -54,9 +54,8 @@ jobs:
sudo apt-get install -y libwebkit2gtk-4.1-dev libappindicator3-dev librsvg2-dev patchelf xdg-utils sudo apt-get install -y libwebkit2gtk-4.1-dev libappindicator3-dev librsvg2-dev patchelf xdg-utils
# webkitgtk 4.0 is for Tauri v1 - webkitgtk 4.1 is for Tauri v2. # webkitgtk 4.0 is for Tauri v1 - webkitgtk 4.1 is for Tauri v2.
- name: Import Apple Developer Certificate - name: Import Apple Developer Certificate
if: matrix.platform == 'macos-latest' if: matrix.platform == 'macos-14'
env: env:
APPLE_CERTIFICATE: ${{ secrets.APPLE_CERTIFICATE }} APPLE_CERTIFICATE: ${{ secrets.APPLE_CERTIFICATE }}
APPLE_CERTIFICATE_PASSWORD: ${{ secrets.APPLE_CERTIFICATE_PASSWORD }} APPLE_CERTIFICATE_PASSWORD: ${{ secrets.APPLE_CERTIFICATE_PASSWORD }}
@ -67,18 +66,30 @@ jobs:
security default-keychain -s build.keychain security default-keychain -s build.keychain
security unlock-keychain -p "$KEYCHAIN_PASSWORD" build.keychain security unlock-keychain -p "$KEYCHAIN_PASSWORD" build.keychain
security set-keychain-settings -t 3600 -u build.keychain security set-keychain-settings -t 3600 -u build.keychain
curl https://droposs.org/drop.crt --output drop.pem
sudo security authorizationdb write com.apple.trust-settings.user allow echo "Created keychain"
security add-trusted-cert -r trustRoot -k build.keychain -p codeSign -u -1 drop.pem
sudo security authorizationdb remove com.apple.trust-settings.user curl https://droposs.org/drop.der --output drop.der
# swiftc libs/appletrust/add-certificate.swift
# ./add-certificate drop.der
# rm add-certificate
# echo "Added certificate to keychain using swift util"
## Script is equivalent to:
sudo security authorizationdb write com.apple.trust-settings.admin allow
sudo security add-trusted-cert -d -r trustRoot -k build.keychain -p codeSign -u -1 drop.der
sudo security authorizationdb remove com.apple.trust-settings.admin
security import certificate.p12 -k build.keychain -P "$APPLE_CERTIFICATE_PASSWORD" -T /usr/bin/codesign security import certificate.p12 -k build.keychain -P "$APPLE_CERTIFICATE_PASSWORD" -T /usr/bin/codesign
echo "Imported certificate"
security set-key-partition-list -S apple-tool:,apple:,codesign: -s -k "$KEYCHAIN_PASSWORD" build.keychain security set-key-partition-list -S apple-tool:,apple:,codesign: -s -k "$KEYCHAIN_PASSWORD" build.keychain
security find-identity -v -p codesigning build.keychain security find-identity -v -p codesigning build.keychain
- name: Verify Certificate - name: Verify Certificate
if: matrix.platform == 'macos-latest' if: matrix.platform == 'macos-14'
run: | run: |
CERT_INFO=$(security find-identity -v -p codesigning build.keychain | grep "Drop OSS") CERT_INFO=$(security find-identity -v -p codesigning build.keychain | grep "Drop OSS")
CERT_ID=$(echo "$CERT_INFO" | awk -F'"' '{print $2}') CERT_ID=$(echo "$CERT_INFO" | awk -F'"' '{print $2}')
@ -97,8 +108,8 @@ jobs:
NO_STRIP: true NO_STRIP: true
with: with:
tagName: v__VERSION__ # the action automatically replaces \_\_VERSION\_\_ with the app version. tagName: v__VERSION__ # the action automatically replaces \_\_VERSION\_\_ with the app version.
releaseName: 'Auto-release v__VERSION__' releaseName: "Auto-release v__VERSION__"
releaseBody: 'See the assets to download this version and install. This release was created automatically.' releaseBody: "See the assets to download this version and install. This release was created automatically."
releaseDraft: false releaseDraft: false
prerelease: true prerelease: true
args: ${{ matrix.args }} args: ${{ matrix.args }}
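Review bot: The trust anchor installed by `sudo security add-trusted-cert -d -r trustRoot -k build.keychain -p codeSign -u -1 drop.der` is whatever `curl https://droposs.org/drop.der --output drop.der` happened to return on that run, with no integrity check before it becomes a code-signing root on the runner; compare the download against a digest committed to the repo, e.g. `echo "<EXPECTED_SHA256_PLACEHOLDER>  drop.der" | shasum -a 256 -c -` between the curl and the add-trusted-cert lines, and use `curl -fsSL` so a non-2xx response fails the step instead of writing an error page into `drop.der`. Because the `run` script stops at the first failing command, a failed add-trusted-cert also skips `sudo security authorizationdb remove com.apple.trust-settings.admin`, leaving that right set to allow for the rest of the job; running the remove unconditionally (a `trap` on EXIT, or `|| true` on the add) closes that gap. The commented-out `swiftc` lines and the commented `./add-certificate drop.der` invocation (run without sudo, unlike the "equivalent" shell lines) are dead workflow text; either drop them or add a one-line comment saying why the Swift path is kept. The platform string `'macos-14'` is now repeated in the matrix and in both `if:` conditions; `if: runner.os == 'macOS'` would survive the next image bump.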


@ -1,2 +0,0 @@
*
!.gitignore


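--- /dev/null
+++ b/libs/appletrust/add-certificate.swift
@@ -0,0 +1,72 @@
+import Foundation
+import Security
+enum SecurityError: Error {
+case generalError
+}
+func deleteCertificateFromKeyChain(_ certificateLabel: String) -> Bool {
+let delQuery: [NSString: Any] = [
+kSecClass: kSecClassCertificate,
+kSecAttrLabel: certificateLabel,
+]
+let delStatus: OSStatus = SecItemDelete(delQuery as CFDictionary)
+return delStatus == errSecSuccess
+}
+func saveCertificateToKeyChain(_ certificate: SecCertificate, certificateLabel: String) throws {
+SecKeychainSetPreferenceDomain(SecPreferencesDomain.system)
+deleteCertificateFromKeyChain(certificateLabel)
+let setQuery: [NSString: AnyObject] = [
+kSecClass: kSecClassCertificate,
+kSecValueRef: certificate,
+kSecAttrLabel: certificateLabel as AnyObject,
+kSecAttrAccessible: kSecAttrAccessibleWhenUnlocked,
+kSecAttrCanSign: true as AnyObject,
+]
+let addStatus: OSStatus = SecItemAdd(setQuery as CFDictionary, nil)
+guard addStatus == errSecSuccess else {
+throw SecurityError.generalError
+}
+var status = SecTrustSettingsSetTrustSettings(certificate, SecTrustSettingsDomain.admin, nil)
+}
+func getCertificateFromString(stringData: String) throws -> SecCertificate {
+if let data = NSData(base64Encoded: stringData, options: NSData.Base64DecodingOptions.ignoreUnknownCharacters) {
+if let certificate = SecCertificateCreateWithData(kCFAllocatorDefault, data) {
+return certificate
+}
+}
+throw SecurityError.generalError
+}
+if CommandLine.arguments.count != 2 {
+print("Usage: \(CommandLine.arguments[0]) [cert.file]")
+print("Usage: \(CommandLine.arguments[0]) --version")
+exit(1)
+}
+if (CommandLine.arguments[1] == "--version") {
+let version = "dev"
+print(version)
+exit(0)
+} else {
+let fileURL = URL(fileURLWithPath: CommandLine.arguments[1])
+do {
+let certData = try Data(contentsOf: fileURL)
+let certificate = SecCertificateCreateWithData(nil, certData as CFData)
+if certificate != nil {
+try? saveCertificateToKeyChain(certificate!, certificateLabel: "DropOSS")
+exit(0)
+} else {
+print("ERROR: Unknown error while reading the \(CommandLine.arguments[1]) file.")
+}
+} catch {
+print("ERROR: Unexpected error while reading the \(CommandLine.arguments[1]) file. \(error)")
+}
+}
+exit(1)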
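Review bot: In the `else` branch at the end of the file, `try? saveCertificateToKeyChain(certificate!, certificateLabel: "DropOSS")` followed by `exit(0)` turns a failed `SecItemAdd` into a success exit code, and inside `saveCertificateToKeyChain` the result of `SecTrustSettingsSetTrustSettings` is assigned to an unused `var status` and never checked, so the certificate can land in the keychain without ever becoming trusted while the calling workflow sees 0. Let the error propagate into the existing `do`/`catch` (which already falls through to `exit(1)`; its "while reading the file" message should then also cover keychain failures), guard the trust-settings status, and replace the `certificate != nil` / `certificate!` pair with a `guard let`. `SecurityError.generalError` discards the `OSStatus`, so a `case status(OSStatus)` would make a failed run diagnosable from the CI log. Passing `nil` as the trust settings appears to request default trust for every policy, which is broader than the `-p codeSign` restriction in the shell lines the workflow calls "equivalent"; a settings dictionary with `kSecTrustSettingsPolicy` set to the code-signing policy and `kSecTrustSettingsResult` of `kSecTrustSettingsResultTrustRoot` would match the script, and I believe `kSecAttrCanSign` and `kSecAttrAccessible` are key / data-protection attributes that a file-based keychain certificate item does not use; please confirm both against the Security framework docs.
```swift
    // … unchanged: SecItemAdd and its errSecSuccess guard …
    let trustStatus = SecTrustSettingsSetTrustSettings(certificate, SecTrustSettingsDomain.admin, nil)
    guard trustStatus == errSecSuccess else {
        throw SecurityError.generalError
    }
}
// … unchanged: getCertificateFromString, argument-count and --version handling …
    do {
        let certData = try Data(contentsOf: fileURL)
        guard let certificate = SecCertificateCreateWithData(nil, certData as CFData) else {
            print("ERROR: Unknown error while reading the \(CommandLine.arguments[1]) file.")
            exit(1)
        }
        try saveCertificateToKeyChain(certificate, certificateLabel: "DropOSS")
        exit(0)
    } catch {
        // … unchanged: error message, then falls through to exit(1) …
    }
```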