Fix Apple signing

.github/workflows/release.yml

@@ -63,17 +63,21 @@ jobs:
           KEYCHAIN_PASSWORD: ${{ secrets.KEYCHAIN_PASSWORD }}
         run: |
           echo $APPLE_CERTIFICATE | base64 --decode > certificate.p12
-          security create-keychain -p "$KEYCHAIN_PASSWORD" build.keychain
-          security default-keychain -s build.keychain
-          security unlock-keychain -p "$KEYCHAIN_PASSWORD" build.keychain
-          security set-keychain-settings -t 3600 -u build.keychain
+          # security create-keychain -p "$KEYCHAIN_PASSWORD" build.keychain
+          # security default-keychain -s build.keychain
+          # security unlock-keychain -p "$KEYCHAIN_PASSWORD" build.keychain
+          # security set-keychain-settings -t 3600 -u build.keychain
           
-          curl https://droposs.org/drop.crt --output drop.pem
-          sudo security authorizationdb write com.apple.trust-settings.user allow
-          security add-trusted-cert -r trustRoot -k build.keychain -p codeSign -u -1 drop.pem
-          sudo security authorizationdb remove com.apple.trust-settings.user
+          curl https://droposs.org/drop.der --output drop.der
+          swiftc libs/appletrust/add-certificate.swift
+          ./add-certificate drop.der
+          rm add-certificate
 
-          security import certificate.p12 -k build.keychain -P "$APPLE_CERTIFICATE_PASSWORD" -T /usr/bin/codesign
+          # sudo security authorizationdb write com.apple.trust-settings.user allow
+          # security add-trusted-cert -r trustRoot -k build.keychain -p codeSign -u -1 drop.pem
+          # sudo security authorizationdb remove com.apple.trust-settings.user
+
+          security import certificate.p12 -k /Library/Keychains/System.keychain -P "$APPLE_CERTIFICATE_PASSWORD" -T /usr/bin/codesign
           security set-key-partition-list -S apple-tool:,apple:,codesign: -s -k "$KEYCHAIN_PASSWORD" build.keychain
           security find-identity -v -p codesigning build.keychain
 

.gitlab-ci-local/.gitignore

@@ -1,2 +0,0 @@
-*
-!.gitignore

libs/appletrust/add-certificate.swift

@@ -0,0 +1,72 @@
+import Foundation
+import Security
+
+enum SecurityError: Error {
+    case generalError
+}
+
+func deleteCertificateFromKeyChain(_ certificateLabel: String) -> Bool {
+    let delQuery: [NSString: Any] = [
+        kSecClass: kSecClassCertificate,
+        kSecAttrLabel: certificateLabel,
+    ]
+    let delStatus: OSStatus = SecItemDelete(delQuery as CFDictionary)
+
+    return delStatus == errSecSuccess
+}
+
+func saveCertificateToKeyChain(_ certificate: SecCertificate, certificateLabel: String) throws {
+    SecKeychainSetPreferenceDomain(SecPreferencesDomain.system)
+    deleteCertificateFromKeyChain(certificateLabel)
+
+    let setQuery: [NSString: AnyObject] = [
+        kSecClass: kSecClassCertificate,
+        kSecValueRef: certificate,
+        kSecAttrLabel: certificateLabel as AnyObject,
+        kSecAttrAccessible: kSecAttrAccessibleWhenUnlocked,
+    ]
+    let addStatus: OSStatus = SecItemAdd(setQuery as CFDictionary, nil)
+
+    guard addStatus == errSecSuccess else {
+        throw SecurityError.generalError
+    }
+
+    var status = SecTrustSettingsSetTrustSettings(certificate, SecTrustSettingsDomain.admin, nil)
+}
+
+func getCertificateFromString(stringData: String) throws -> SecCertificate {
+    if let data = NSData(base64Encoded: stringData, options: NSData.Base64DecodingOptions.ignoreUnknownCharacters) {
+        if let certificate = SecCertificateCreateWithData(kCFAllocatorDefault, data) {
+            return certificate
+        }
+    }
+    throw SecurityError.generalError
+}
+
+if CommandLine.arguments.count != 2 {
+    print("Usage: \(CommandLine.arguments[0]) [cert.file]")
+    print("Usage: \(CommandLine.arguments[0]) --version")
+    exit(1)
+}
+
+if (CommandLine.arguments[1] == "--version") {
+    let version = "dev"
+    print(version)
+    exit(0)
+} else {
+    let fileURL = URL(fileURLWithPath: CommandLine.arguments[1])
+    do {
+        let certData = try Data(contentsOf: fileURL)
+        let certificate = SecCertificateCreateWithData(nil, certData as CFData)
+        if certificate != nil {
+            print("Saving certificate")
+            try? saveCertificateToKeyChain(certificate!, certificateLabel: "DropOSS")
+            exit(0)
+        } else {
+            print("ERROR: Unknown error while reading the \(CommandLine.arguments[1]) file.")
+        }
+    } catch {
+        print("ERROR: Unexpected error while reading the \(CommandLine.arguments[1]) file. \(error)")
+    }
+}
+exit(1)

main/package.json

@@ -1,7 +1,7 @@
 {
   "name": "view",
   "private": true,
-  "version": "0.3.3",
+  "version": "0.3.4",
   "type": "module",
   "scripts": {
     "build": "nuxt generate",

src-tauri/Cargo.lock

@@ -1339,7 +1339,7 @@ dependencies = [
 
 [[package]]
 name = "drop-app"
-version = "0.3.3"
+version = "0.3.4"
 dependencies = [
  "atomic-instant-full",
  "bitcode",

src-tauri/Cargo.toml

@@ -1,6 +1,6 @@
 [package]
 name = "drop-app"
-version = "0.3.3"
+version = "0.3.4"
 description = "The client application for the open-source, self-hosted game distribution platform Drop"
 authors = ["Drop OSS"]
 edition = "2024"

src-tauri/games/src/downloads/download_logic.rs

@@ -39,7 +39,8 @@ impl DropWriter<File> {
             .write(true)
             .create(true)
             .truncate(false)
-            .open(&path)?;
+            .open(&path)
+            .inspect_err(|_v| warn!("failed to open {}", path.display()))?;
         Ok(Self {
             destination: BufWriter::with_capacity(1024 * 1024, destination),
             hasher: Context::new(),
@@ -122,7 +123,7 @@ impl<'a> DropDownloadPipeline<'a, Response, File> {
                     .source
                     .read(&mut copy_buffer[0..size])
                     .inspect_err(|_| {
-                        info!("got error from {}", drop.filename);
+                        warn!("got error from {}", drop.filename);
                     })?;
                 remaining -= size;
                 last_bump += size;
@@ -272,7 +273,12 @@ pub fn download_game_bucket(
     #[cfg(unix)]
     {
         for drop in bucket.drops.iter() {
-            let permissions = Permissions::from_mode(drop.permissions);
+            let permission = if drop.permissions == 0 {
+                0o744
+            } else {
+                drop.permissions
+            };
+            let permissions = Permissions::from_mode(permission);
             set_permissions(drop.path.clone(), permissions)
                 .map_err(|e| ApplicationDownloadError::IoError(Arc::new(e)))?;
         }

src-tauri/tauri.conf.json

@@ -1,7 +1,7 @@
 {
   "$schema": "https://schema.tauri.app/config/2.0.0",
   "productName": "Drop Desktop Client",
-  "version": "0.3.3",
+  "version": "0.3.4",
   "identifier": "dev.drop.client",
   "build": {
     "beforeDevCommand": "yarn --cwd main dev --port 1432",