diff --git a/packaging/macosx/resign.sh b/packaging/macosx/resign.sh
new file mode 100644
index 000000000..520e66f87
--- /dev/null
+++ b/packaging/macosx/resign.sh
@@ -0,0 +1,66 @@
+#!/bin/bash -e
+#
+# resign the binaries in a DMG created on GitHub
+
+# usage:
+# resign.sh path-where-DMG-is-mounted temp-dir-where-output-happens version
+
+# little silly helper functions
+croak() {
+ echo "$0: $*" >&2
+ exit 1
+}
+
+# call either in the build directory (it will then sign the compiled app in staging)
+# or call with a target directory for it to sign
+
+if [[ "$1" == "" || ! -d "$1" || ! -d "$1/Subsurface.app/Contents/MacOS" ]] ; then
+ croak "$1 doesn't look like a mounted Subsurface DMG"
+fi
+if [[ "$2" == "" || ! -d "$2" ]] ; then
+ mkdir -p "$2" || croak "can't create $2 as output directory"
+fi
+[[ "$3" == "" ]] && croak "missing a version argument"
+VERSION="$3"
+
+DIR=$( cd "$( dirname "${BASH_SOURCE[0]}" )" && cd ../../.. && pwd )
+
+DMGCREATE=create-dmg
+
+mkdir "$2"/staging
+cd "$2"/staging
+cp -a "$1/Subsurface.app" .
+
+
+# remove anything codesign doesn't want us to sign
+find Subsurface.app/Contents/Frameworks/ \( -name Headers -o -name \*.prl -o -name \*_debug \) -print0 | xargs -0 rm -rf
+
+# codesign --deep doesn't find the shared libraries that are QML plugins
+for dylib in $(find Subsurface.app/Contents/Resources/qml -name \*.dylib) ; do
+ codesign --options runtime --keychain $HOME/Library/Keychains/login.keychain -s "Developer ID Application: Dirk Hohndel" --deep --force $dylib
+done
+
+codesign --options runtime --keychain $HOME/Library/Keychains/login.keychain -s "Developer ID Application: Dirk Hohndel" --deep --force Subsurface.app
+
+# ok, now the app is signed. let's notarize it
+# first create a apple appropriate zip file;
+# regular zip command isn't good enough, need to use "ditto"
+ditto -c -k --sequesterRsrc --keepParent Subsurface.app Subsurface-$VERSION.zip
+
+# this assumes that you have setup the notary tool and have the credentials stored
+# in your keychain
+xcrun notarytool submit ./Subsurface-$VERSION.zip --keychain-profile "notarytool-password" --wait
+xcrun stapler staple Subsurface.app
+
+cd "$2"
+
+# it's not entirely clear if signing / stapling the DMG is required as well
+# all I can say is that when I do both, it appears to work
+$DMGCREATE --background ${DIR}/subsurface/packaging/macosx/DMG-Background.png \
+ --window-size 500 300 --icon-size 96 --volname Subsurface-$VERSION \
+ --app-drop-link 380 205 \
+ --volicon ${DIR}/subsurface/packaging/macosx/Subsurface.icns \
+ --icon "Subsurface" 110 205 ./Subsurface-$VERSION.dmg ./staging
+
+xcrun notarytool submit ./Subsurface-$VERSION.dmg --keychain-profile "notarytool-password" --wait
+xcrun stapler staple Subsurface-$VERSION.dmg
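Review bot: Failure handling in this script rests on the `-e` in the shebang line, which is dropped when it is started as `bash resign.sh`; a failed `mkdir "$2"/staging` (for example a staging directory left over from an earlier run) then no longer stops the run, and `cp -a` merges the app into stale content that goes on to be signed with the Developer ID and notarized. A `set -eo pipefail` line directly after the shebang keeps the abort behaviour however the script is invoked, and also covers the `find … | xargs -0 rm -rf` pipeline. The QML loop `for dylib in $(find …)` word-splits its paths and passes `$dylib` and `$HOME` unquoted, so it would be more robust as `while IFS= read -r -d '' dylib; do codesign … "$dylib"; done < <(find Subsurface.app/Contents/Resources/qml -name '*.dylib' -print0)`. Because the input is a DMG built on CI, I would also add `codesign --verify --deep --strict Subsurface.app` before the `ditto` step to catch a partly signed bundle, and compare the DMG's checksum with the CI artifact before signing anything; the download step is not visible in this file, so the checksum may already be handled elsewhere.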