Build a notarized macOS installer

Users should now be able to download and install / run Pinta without warnings about it being an unverified application etc. This is done with a .dmg file as I had difficulty getting the zip file to preserve code signatures correctly. The .dmg will also provide the standard shortcut to drag the app into /Applications for easier installation, though. Removed some debug information from the script to avoid logging secrets to the console
jobily · Dec 20, 2021 · c3c9a16 · c3c9a16
1 parent 988629f
commit c3c9a16
Show file tree

Hide file tree

Showing 3 changed files with 27 additions and 13 deletions.
diff --git a/.github/workflows/build.yml b/.github/workflows/build.yml
@@ -65,19 +65,21 @@ jobs:
     - name: Add Cert to Keychain
       uses: apple-actions/import-codesign-certs@v1
       with:
-        p12-file-base64: ${{ secrets.MAC_CERT_BASE64 }}
-        p12-password: ${{ secrets.MAC_CERT_PASSWORD }}
+        p12-file-base64: ${{ secrets.MAC_CERTS_BASE64 }}
+        p12-password: ${{ secrets.MAC_CERTS_PASSWORD }}
 
     - name: Build Installer
+      env:
+        MAC_DEV_PASSWORD: ${{ secrets.MAC_DEV_PASSWORD }}
       run: |
         cd installer/macos
         ./build_installer.sh
 
     - name: Upload Installer
       uses: actions/upload-artifact@v2
       with:
-        name: "Pinta.app.zip"
-        path: installer/macos/Pinta.app.zip
+        name: "Pinta.dmg"
+        path: installer/macos/Pinta.dmg
         if-no-files-found: error
 
   build-windows:

diff --git a/.gitignore b/.gitignore
@@ -12,8 +12,8 @@ config.log
 config.status
 configure
 install-sh
-installer/macos/Pinta.app
-installer/macos/Pinta.app.zip
+installer/macos/Pinta.dmg
+installer/macos/package
 installer/linux/pinta
 intltool-extract.in
 intltool-merge.in

diff --git a/installer/macos/build_installer.sh b/installer/macos/build_installer.sh
@@ -1,8 +1,7 @@
 #!/bin/sh
 set -e
-set -x
 
-MAC_APP_DIR=Pinta.app
+MAC_APP_DIR=package/Pinta.app
 MAC_APP_BIN_DIR="${MAC_APP_DIR}/Contents/MacOS/"
 MAC_APP_RESOURCE_DIR="${MAC_APP_DIR}/Contents/Resources/"
 MAC_APP_SHARE_DIR="${MAC_APP_RESOURCE_DIR}/share"
@@ -30,20 +29,33 @@ cp Info.plist ${MAC_APP_DIR}/Contents
 cp pinta.icns ${MAC_APP_DIR}/Contents/Resources
 
 # Install the GTK dependencies.
+echo "Bundling GTK..."
 ./bundle_gtk.py --resource_dir ${MAC_APP_RESOURCE_DIR}
 # Add the GTK lib dir to the library search path (for dlopen()), as an alternative to $DYLD_LIBRARY_PATH.
 install_name_tool -add_rpath "@executable_path/../Resources/lib" ${MAC_APP_BIN_DIR}/Pinta
 
 touch ${MAC_APP_DIR}
 
-# Sign the main executable and .NET stuff.
-run_codesign Pinta.app
-
 # Sign the GTK binaries.
+echo "Signing..."
 for lib in `find ${MAC_APP_RESOURCE_DIR} -name \*.dylib -or -name \*.so`
 do
     run_codesign ${lib}
 done
 
-# Zip
-zip -r9uq --symlinks ${MAC_APP_DIR}.zip ${MAC_APP_DIR}
+# Sign the main executable and .NET stuff.
+run_codesign ${MAC_APP_DIR}
+
+# Create and sign the .dmg image, and include a link to drag the app into /Applications
+echo "Creating dmg..."
+ln -s /Applications package/Applications
+hdiutil create -quiet -srcFolder package -volname "Pinta Installer" -o Pinta.dmg
+run_codesign Pinta.dmg
+
+# Notarize
+echo "Notarizing..."
+xcrun notarytool submit --wait [email protected] --password ${MAC_DEV_PASSWORD} --team-id D5G6C56TBH Pinta.dmg
+
+# Staple the result to the dmg
+echo "Stapling..."
+xcrun stapler staple Pinta.dmg