add macOS and windows installer (#1352)

6 files changed, 162 insertions, 15 deletions

diff --git a/bin/build-distribution-archives b/bin/build-distribution-archives
index 68dd46cf..2373c23a 100755
--- a/bin/build-distribution-archives
+++ b/bin/build-distribution-archives
@@ -1,27 +1,90 @@
-#!/bin/bash
-
 VERSION="$(echo ${GITHUB_REF} | sed -e 's|refs/heads/||' -e 's|refs/tags/||' -e 's|/|-|g')"
 OS="${BUILD:-$(uname)}"
-ARCH="$(uname -m)"
-
+mkdir artifacts
 if [ "$BUILD" = "osx" ]; then
-    cp -a images/examples palettes symbols fonts inx LICENSE VERSION dist/inkstitch.app/Contents
-    cp -a icons locales print dist/inkstitch.app/Contents/MacOS
-    cp -a electron/build/mac dist/inkstitch.app/Contents/electron
+    cp -a icons locales print LICENSE VERSION images/examples palettes symbols fonts inx dist/inkstitch.app/Contents/Resources
     rm -rf dist/inkstitch/
+    temp_path="/tmp/inkstitch/"
+    # inside the scripts folder are:
+    # - preinstaller (checks for previously installed inkstitch and deletes it) and
+    # - postinstaller (moves inkstitch folder from /tmp to user Inkscape extensions folder in $HOME)
+    # The postinstaller is a workaround for a proper way to install in user $HOME space
+
+    # Build on GitHub will be handled differently from local builds.
+    # Local builds will not be signed nor notarized. They are run to produce releases for legacy versions of macOS.
+    # Notarization for development branches can be forced with this variable set to true
+    NOTARIZE_DEVELOPMENT_BUILDS=false
+
+    if [[ ! -z "${GITHUB_REF}" ]]; then
+        # This code signs and notarize the inkstitch.app
+        DEV_IDENT="Developer ID Application: Lex Neva (929A568N58)"
+        echo "Signing of inkstitch.app"
+        # Coyping inkstitch-gui.app into inkstitch
+        ditto electron/build/mac dist/inkstitch.app/Contents/MacOS/electron
+        # signing the binary may fix notary issue
+        /usr/bin/codesign -s "${DEV_IDENT}" \
+                        --deep \
+                        --force \
+                        --entitlements installer_scripts/entitlements.plist \
+                        -o runtime \
+                        --timestamp \
+                        dist/inkstitch.app/Contents/MacOS/inkstitch -v
+        # last signing before packaging
+        /usr/bin/codesign -s "${DEV_IDENT}" \
+                        --deep \
+                        --force \
+                        --entitlements installer_scripts/entitlements.plist \
+                        -o runtime \
+                        --timestamp \
+                        dist/inkstitch.app -v
+        echo "Running pkgbuild"
+        INSTALLER_IDENT="Developer ID Installer: Lex Neva (929A568N58)"
+        /usr/bin/pkgbuild --root dist/inkstitch.app \
+                        -s "${INSTALLER_IDENT}" \
+                        --component-plist installer_scripts/inkstitch.plist \
+                        --ownership recommended \
+                        --identifier org.inkstitch.installer \
+                        --version ${VERSION} \
+                        --scripts installer_scripts/scripts \
+                        --install-location ${temp_path}inkstitch.app \
+                        artifacts/inkstitch-${VERSION}-${OS}.pkg
+        if [[ "${GITHUB_REF}" =~ ^refs/tags/v[0-9.]+$ || $NOTARIZE_DEVELOPMENT_BUILDS == true ]]; then
+            echo "Notary starting"
+            bash bin/notarize-app "929A568N58" \
+                                "${NOTARY_ACCOUNT}" \
+                                "${NOTARY_PASSWORD}" \
+                                "org.inkstitch.app" \
+                                artifacts/inkstitch-${VERSION}-${OS}.pkg
+        fi
+    else
+        # local builds will not be signed or notarized
+        cp -a electron/build/mac dist/inkstitch.app/Contents/MacOS/electron
+        pkgbuild --root dist/inkstitch.app \
+                --component-plist installer_scripts/inkstitch.plist \
+                --ownership recommended \
+                --identifier org.inkstitch.installer \
+                --version ${VERSION} \
+                --scripts installer_scripts/scripts \
+                --install-location ${temp_path}inkstitch.app \
+                artifacts/inkstitch-${VERSION}-${OS}.pkg
+    fi
 else
     cp -a images/examples palettes symbols fonts inx LICENSE VERSION dist/inkstitch
     cp -a icons locales print dist/inkstitch/bin
     cp -a electron/build/*-unpacked dist/inkstitch/electron
+
 fi
 
-mkdir artifacts
-cd dist
+if [ "$BUILD" = "windows" ]; then
+    # build the installer locally
+    # remotely it will be called through build.yml after signing
+    if [[ -z "${GITHUB_REF}" ]]; then
+        bash bin/build-windows-installer
+    fi
+fi
 
-if [ "$$BUILD" = "windows" ]; then
-    # The python zipfile command line utility can't handle directories
-    # containing files with UTF-8 names on Windows, so we use 7-zip instead.
-    7z a ../artifacts/inkstitch-${VERSION}-${OS}.zip *;
-else
-	  python -m zipfile -c ../artifacts/inkstitch-${VERSION}-${OS}.zip *;
+if [ "$BUILD" = "linux" ]; then
+    cd dist
+    python -m zipfile -c ../artifacts/inkstitch-${VERSION}-${OS}.zip *;
+    cd ..
 fi
diff --git a/bin/build-electron b/bin/build-electron
index 11616cb4..f375e347 100755
--- a/bin/build-electron
+++ b/bin/build-electron
@@ -8,6 +8,7 @@ if [ "$BUILD" = "windows" ]; then
 elif [ "$BUILD" = "linux" ]; then
   args="-l --x64"
 elif [ "$BUILD" = "osx" ]; then
+  cp installer_scripts/electron-entitlements.plist electron/build/
   args="-m"
 fi
 
diff --git a/bin/build-python b/bin/build-python
index 88e166ae..5d16cdf8 100755
--- a/bin/build-python
+++ b/bin/build-python
@@ -36,6 +36,16 @@ pyinstaller_args+="-p inkscape/share/extensions "
 # output useful debugging info that helps us trace library dependency issues
 pyinstaller_args+="--log-level DEBUG "
 
+# This adds bundle identifier in reverse DSN format for macos
+if [ "$BUILD" = "osx" ]; then
+    pyinstaller_args+="--osx-bundle-identifier org.inkstitch.app "
+    if [[ -z ${GITHUB_REF} ]]; then
+        :
+    else
+        bash bin/import-macos-keys
+    fi
+fi
+
 if [ "$BUILD" = "windows" ]; then
     python -m PyInstaller $pyinstaller_args inkstitch.py
 else
diff --git a/bin/build-windows-installer b/bin/build-windows-installer
new file mode 100644
index 00000000..44c29742
--- /dev/null
+++ b/bin/build-windows-installer
@@ -0,0 +1,15 @@
+#!/bin/bash
+VERSION="$(echo ${GITHUB_REF} | sed -e 's|refs/heads/||' -e 's|refs/tags/||' -e 's|/|-|g')"
+OS="${BUILD:-$(uname)}"
+# Create windows installer
+mkdir win
+cp installer_scripts/template.iss win/win_build.iss
+# adds the year and version to the inno installer
+info_year=$( date "+%Y" )
+copyright_year="#define COPYRIGHT \""${info_year}"\" + URL"
+version_block="#define VERSION \""${VERSION}"\""
+sed -i'' -e '/;inkstitch-year/ a\'$'\n'"${copyright_year}"'' win/win_build.iss
+sed -i'' -e '/;inkstitch-version/ a\'$'\n'"${version_block}"'' win/win_build.iss
+
+iscc win/win_build.iss
+mv  win/inkstitch.exe artifacts/inkstitch-${VERSION}-${OS}.exe
diff --git a/bin/import-macos-keys b/bin/import-macos-keys
new file mode 100644
index 00000000..2fa55f89
--- /dev/null
+++ b/bin/import-macos-keys
@@ -0,0 +1,12 @@
+#!/bin/bash
+# first part of codesiging which is importing to build keychain
+echo $MACOS_CERTIFICATE | base64 --decode > certificate.p12
+security create-keychain -p "$KEYCHAIN_PWD" build.keychain
+security default-keychain -s build.keychain
+security unlock-keychain -p "$KEYCHAIN_PWD" build.keychain
+security import certificate.p12 -k build.keychain -P "$MACOS_CERTIFICATE_PWD" -T /usr/bin/codesign
+security set-key-partition-list -S apple-tool:,apple:,codesign: -s -k "$KEYCHAIN_PWD" build.keychain
+# importing notary certificate
+echo $INSTALLER_CERTIFICATE | base64 --decode > installer-certificate.p12
+security import installer-certificate.p12 -k build.keychain -P "$INSTALLER_PWD" -T /usr/bin/pkgbuild
+security set-key-partition-list -S apple-tool:,apple:,pkgbuild: -s -k "$KEYCHAIN_PWD" build.keychain
diff --git a/bin/notarize-app b/bin/notarize-app
new file mode 100644
index 00000000..4a2bbc41
--- /dev/null
+++ b/bin/notarize-app
@@ -0,0 +1,46 @@
+#!/bin/sh -u
+# source of this code: https://github.com/rednoah/notarize-app
+ASC_PROVIDER="$1"
+ASC_USERNAME="$2"
+ASC_PASSWORD="$3"
+
+BUNDLE_ID="$4"
+BUNDLE_PKG="$5"
+
+
+# create temporary files
+NOTARIZE_APP_LOG=$(mktemp -t notarize-app)
+NOTARIZE_INFO_LOG=$(mktemp -t notarize-info)
+
+# delete temporary files on exit
+function finish {
+	rm "$NOTARIZE_APP_LOG" "$NOTARIZE_INFO_LOG"
+}
+trap finish EXIT
+
+
+# submit app for notarization
+if xcrun altool --notarize-app --primary-bundle-id "$BUNDLE_ID" --asc-provider "$ASC_PROVIDER" --username "$ASC_USERNAME" --password "$ASC_PASSWORD" -f "$BUNDLE_PKG" > "$NOTARIZE_APP_LOG" 2>&1; then
+	cat "$NOTARIZE_APP_LOG"
+	RequestUUID=$(awk -F ' = ' '/RequestUUID/ {print $2}' "$NOTARIZE_APP_LOG")
+
+	# check status periodically
+	while sleep 60 && date; do
+		# check notarization status
+		if xcrun altool --notarization-info "$RequestUUID" --asc-provider "$ASC_PROVIDER" --username "$ASC_USERNAME" --password "$ASC_PASSWORD" > "$NOTARIZE_INFO_LOG" 2>&1; then
+			cat "$NOTARIZE_INFO_LOG"
+
+			# once notarization is complete, run stapler and exit
+			if ! grep -q "Status: in progress" "$NOTARIZE_INFO_LOG"; then
+				xcrun stapler staple "$BUNDLE_PKG"
+				exit $?
+			fi
+		else
+			cat "$NOTARIZE_INFO_LOG" 1>&2
+			exit 1
+		fi
+	done
+else
+	cat "$NOTARIZE_APP_LOG" 1>&2
+	exit 1
+fi