From 41ace3a9e53b52b4271554d7aedd88d533ee5f5e Mon Sep 17 00:00:00 2001 From: rejbasket <39080670+rejbasket@users.noreply.github.com> Date: Wed, 8 Dec 2021 22:18:41 +0100 Subject: add macOS and windows installer (#1352) --- bin/build-distribution-archives | 93 ++++++++++++++++++++++++++++++++++------- bin/build-electron | 1 + bin/build-python | 10 +++++ bin/build-windows-installer | 15 +++++++ bin/import-macos-keys | 12 ++++++ bin/notarize-app | 46 ++++++++++++++++++++ 6 files changed, 162 insertions(+), 15 deletions(-) create mode 100644 bin/build-windows-installer create mode 100644 bin/import-macos-keys create mode 100644 bin/notarize-app (limited to 'bin') diff --git a/bin/build-distribution-archives b/bin/build-distribution-archives index 68dd46cf..2373c23a 100755 --- a/bin/build-distribution-archives +++ b/bin/build-distribution-archives 
@@ -1,27 +1,90 @@ -#!/bin/bash - VERSION="$(echo ${GITHUB_REF} | sed -e 's|refs/heads/||' -e 's|refs/tags/||' -e 's|/|-|g')" OS="${BUILD:-$(uname)}" -ARCH="$(uname -m)" - +mkdir artifacts if [ "$BUILD" = "osx" ]; then - cp -a images/examples palettes symbols fonts inx LICENSE VERSION dist/inkstitch.app/Contents - cp -a icons locales print dist/inkstitch.app/Contents/MacOS - cp -a electron/build/mac dist/inkstitch.app/Contents/electron + cp -a icons locales print LICENSE VERSION images/examples palettes symbols fonts inx dist/inkstitch.app/Contents/Resources rm -rf dist/inkstitch/ + temp_path="/tmp/inkstitch/" + # inside the scripts folder are: + # - preinstaller (checks for previously installed inkstitch and deletes it) and + # - postinstaller (moves inkstitch folder from /tmp to user Inkscape extensions folder in $HOME) + # The postinstaller is a workaround for a proper way to install in user $HOME space + + # Build on GitHub will be handled differently from local builds. + # Local builds will not be signed nor notarized. They are run to produce releases for legacy versions of macOS. + # Notarization for development branches can be forced with this variable set to true + NOTARIZE_DEVELOPMENT_BUILDS=false + + if [[ ! 
-z "${GITHUB_REF}" ]]; then + # This code signs and notarize the inkstitch.app + DEV_IDENT="Developer ID Application: Lex Neva (929A568N58)" + echo "Signing of inkstitch.app" + # Coyping inkstitch-gui.app into inkstitch + ditto electron/build/mac dist/inkstitch.app/Contents/MacOS/electron + # signing the binary may fix notary issue + /usr/bin/codesign -s "${DEV_IDENT}" \ + --deep \ + --force \ + --entitlements installer_scripts/entitlements.plist \ + -o runtime \ + --timestamp \ + dist/inkstitch.app/Contents/MacOS/inkstitch -v + # last signing before packaging + /usr/bin/codesign -s "${DEV_IDENT}" \ + --deep \ + --force \ + --entitlements installer_scripts/entitlements.plist \ + -o runtime \ + --timestamp \ + dist/inkstitch.app -v + echo "Running pkgbuild" + INSTALLER_IDENT="Developer ID Installer: Lex Neva (929A568N58)" + /usr/bin/pkgbuild --root dist/inkstitch.app \ + -s "${INSTALLER_IDENT}" \ + --component-plist installer_scripts/inkstitch.plist \ + --ownership recommended \ + --identifier org.inkstitch.installer \ + --version ${VERSION} \ + --scripts installer_scripts/scripts \ + --install-location ${temp_path}inkstitch.app \ + artifacts/inkstitch-${VERSION}-${OS}.pkg + if [[ "${GITHUB_REF}" =~ ^refs/tags/v[0-9.]+$ || $NOTARIZE_DEVELOPMENT_BUILDS == true ]]; then + echo "Notary starting" + bash bin/notarize-app "929A568N58" \ + "${NOTARY_ACCOUNT}" \ + "${NOTARY_PASSWORD}" \ + "org.inkstitch.app" \ + artifacts/inkstitch-${VERSION}-${OS}.pkg + fi + else + # local builds will not be signed or notarized + cp -a electron/build/mac dist/inkstitch.app/Contents/MacOS/electron + pkgbuild --root dist/inkstitch.app \ + --component-plist installer_scripts/inkstitch.plist \ + --ownership recommended \ + --identifier org.inkstitch.installer \ + --version ${VERSION} \ + --scripts installer_scripts/scripts \ + --install-location ${temp_path}inkstitch.app \ + artifacts/inkstitch-${VERSION}-${OS}.pkg + fi else cp -a images/examples palettes symbols fonts inx LICENSE VERSION 
dist/inkstitch cp -a icons locales print dist/inkstitch/bin cp -a electron/build/*-unpacked dist/inkstitch/electron + fi -mkdir artifacts -cd dist +if [ "$BUILD" = "windows" ]; then + # build the installer locally + # remotely it will be called through build.yml after signing + if [[ -z "${GITHUB_REF}" ]]; then + bash bin/build-windows-installer + fi +fi -if [ "$$BUILD" = "windows" ]; then - # The python zipfile command line utility can't handle directories - # containing files with UTF-8 names on Windows, so we use 7-zip instead. - 7z a ../artifacts/inkstitch-${VERSION}-${OS}.zip *; -else - python -m zipfile -c ../artifacts/inkstitch-${VERSION}-${OS}.zip *; +if [ "$BUILD" = "linux" ]; then + cd dist + python -m zipfile -c ../artifacts/inkstitch-${VERSION}-${OS}.zip *; + cd .. fi diff --git a/bin/build-electron b/bin/build-electron index 11616cb4..f375e347 100755 --- a/bin/build-electron +++ b/bin/build-electron @@ -8,6 +8,7 @@ if [ "$BUILD" = "windows" ]; then elif [ "$BUILD" = "linux" ]; then args="-l --x64" elif [ "$BUILD" = "osx" ]; then + cp installer_scripts/electron-entitlements.plist electron/build/ args="-m" fi diff --git a/bin/build-python b/bin/build-python index 88e166ae..5d16cdf8 100755 --- a/bin/build-python +++ b/bin/build-python @@ -36,6 +36,16 @@ pyinstaller_args+="-p inkscape/share/extensions " # output useful debugging info that helps us trace library dependency issues pyinstaller_args+="--log-level DEBUG " +# This adds bundle identifier in reverse DSN format for macos +if [ "$BUILD" = "osx" ]; then + pyinstaller_args+="--osx-bundle-identifier org.inkstitch.app " + if [[ -z ${GITHUB_REF} ]]; then + : + else + bash bin/import-macos-keys + fi +fi + if [ "$BUILD" = "windows" ]; then python -m PyInstaller $pyinstaller_args inkstitch.py else diff --git a/bin/build-windows-installer b/bin/build-windows-installer new file mode 100644 index 00000000..44c29742 --- /dev/null +++ b/bin/build-windows-installer 
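Review bot: In bin/build-distribution-archives, `temp_path="/tmp/inkstitch/"` makes both `pkgbuild` calls install the app into a fixed path under world-writable `/tmp`, and the comment above it says the postinstall script then moves that folder into the user's `$HOME`. Installer scripts normally run as root, so whatever already exists at that path on a shared machine (a directory or symlink created by another local account) becomes input to a privileged move. The scripts in `installer_scripts/scripts` are not part of this diff, so this may already be handled there; if not, stage under a root-owned location instead, or at least record the requirement next to the variable: `# /tmp is world-writable: postinstall must check that ${temp_path} is a root-owned real directory before moving it`.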
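Review bot: In bin/build-python the exit status of `bash bin/import-macos-keys` is ignored, so a failed certificate import does not stop the build and only shows up later, if at all, when `codesign` cannot find the identity. The empty `then : else` branch can be dropped at the same time: `if [[ -n "${GITHUB_REF}" ]]; then bash bin/import-macos-keys || exit 1; fi`. The `codesign` calls added in bin/build-distribution-archives have the same gap: that script has no `set -e`, so `pkgbuild` can still package and sign an installer around an app whose own signing step failed, and branch builds skip the notarization that would catch it. The rest of bin/build-python is outside the hunk, so a `set -e` further up cannot be ruled out there.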
@@ -0,0 +1,15 @@
+#!/bin/bash
+VERSION="$(echo ${GITHUB_REF} | sed -e 's|refs/heads/||' -e 's|refs/tags/||' -e 's|/|-|g')"
+OS="${BUILD:-$(uname)}"
+# Create windows installer
+mkdir win
+cp installer_scripts/template.iss win/win_build.iss
+# adds the year and version to the inno installer
+info_year=$( date "+%Y" )
+copyright_year="#define COPYRIGHT \""${info_year}"\" + URL"
+version_block="#define VERSION \""${VERSION}"\""
+sed -i'' -e '/;inkstitch-year/ a\'$'\n'"${copyright_year}"'' win/win_build.iss
+sed -i'' -e '/;inkstitch-version/ a\'$'\n'"${version_block}"'' win/win_build.iss
+
+iscc win/win_build.iss
+mv win/inkstitch.exe artifacts/inkstitch-${VERSION}-${OS}.exe
diff --git a/bin/import-macos-keys b/bin/import-macos-keys
new file mode 100644
index 00000000..2fa55f89
--- /dev/null
+++ b/bin/import-macos-keys
@@ -0,0 +1,12 @@
+#!/bin/bash
+# first part of codesiging which is importing to build keychain
+echo $MACOS_CERTIFICATE | base64 --decode > certificate.p12
+security create-keychain -p "$KEYCHAIN_PWD" build.keychain
+security default-keychain -s build.keychain
+security unlock-keychain -p "$KEYCHAIN_PWD" build.keychain
+security import certificate.p12 -k build.keychain -P "$MACOS_CERTIFICATE_PWD" -T /usr/bin/codesign
+security set-key-partition-list -S apple-tool:,apple:,codesign: -s -k "$KEYCHAIN_PWD" build.keychain
+# importing notary certificate
+echo $INSTALLER_CERTIFICATE | base64 --decode > installer-certificate.p12
+security import installer-certificate.p12 -k build.keychain -P "$INSTALLER_PWD" -T /usr/bin/pkgbuild
+security set-key-partition-list -S apple-tool:,apple:,pkgbuild: -s -k "$KEYCHAIN_PWD" build.keychain
diff --git a/bin/notarize-app b/bin/notarize-app
new file mode 100644
index 00000000..4a2bbc41
--- /dev/null
+++ b/bin/notarize-app
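Review bot: In bin/import-macos-keys, `certificate.p12` and `installer-certificate.p12` are decoded into the current working directory and never deleted, so both Developer ID private keys stay in the checkout for the rest of the job, where any later step that archives or uploads the tree can pick them up. The rewrite below decodes them into a private `mktemp -d` directory that a trap removes on exit, quotes the secret variables instead of passing them through an unquoted `echo`, and stops if decoding or import fails. The passwords given to `security` with `-p` and `-P` remain visible in the process list while it runs; that is tolerable on an ephemeral hosted runner but worth knowing about on a self-hosted one.

```shell
umask 077
keydir=$(mktemp -d) || exit 1
trap 'rm -rf -- "${keydir:?}"' EXIT
printf '%s' "$MACOS_CERTIFICATE" | base64 --decode > "$keydir/certificate.p12" || exit 1
# … unchanged: create-keychain, default-keychain, unlock-keychain …
security import "$keydir/certificate.p12" -k build.keychain -P "$MACOS_CERTIFICATE_PWD" -T /usr/bin/codesign || exit 1
# … unchanged: set-key-partition-list for codesign …
printf '%s' "$INSTALLER_CERTIFICATE" | base64 --decode > "$keydir/installer-certificate.p12" || exit 1
security import "$keydir/installer-certificate.p12" -k build.keychain -P "$INSTALLER_PWD" -T /usr/bin/pkgbuild || exit 1
# … unchanged: set-key-partition-list for pkgbuild …
```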
@@ -0,0 +1,46 @@
+#!/bin/sh -u
+# source of this code: https://github.com/rednoah/notarize-app
+ASC_PROVIDER="$1"
+ASC_USERNAME="$2"
+ASC_PASSWORD="$3"
+
+BUNDLE_ID="$4"
+BUNDLE_PKG="$5"
+
+
+# create temporary files
+NOTARIZE_APP_LOG=$(mktemp -t notarize-app)
+NOTARIZE_INFO_LOG=$(mktemp -t notarize-info)
+
+# delete temporary files on exit
+function finish {
+ rm "$NOTARIZE_APP_LOG" "$NOTARIZE_INFO_LOG"
+}
+trap finish EXIT
+
+
+# submit app for notarization
+if xcrun altool --notarize-app --primary-bundle-id "$BUNDLE_ID" --asc-provider "$ASC_PROVIDER" --username "$ASC_USERNAME" --password "$ASC_PASSWORD" -f "$BUNDLE_PKG" > "$NOTARIZE_APP_LOG" 2>&1; then
+ cat "$NOTARIZE_APP_LOG"
+ RequestUUID=$(awk -F ' = ' '/RequestUUID/ {print $2}' "$NOTARIZE_APP_LOG")
+
+ # check status periodically
+ while sleep 60 && date; do
+ # check notarization status
+ if xcrun altool --notarization-info "$RequestUUID" --asc-provider "$ASC_PROVIDER" --username "$ASC_USERNAME" --password "$ASC_PASSWORD" > "$NOTARIZE_INFO_LOG" 2>&1; then
+ cat "$NOTARIZE_INFO_LOG"
+
+ # once notarization is complete, run stapler and exit
+ if ! grep -q "Status: in progress" "$NOTARIZE_INFO_LOG"; then
+ xcrun stapler staple "$BUNDLE_PKG"
+ exit $?
+ fi
+ else
+ cat "$NOTARIZE_INFO_LOG" 1>&2
+ exit 1
+ fi
+ done
+else
+ cat "$NOTARIZE_APP_LOG" 1>&2
+ exit 1
+fi
-- cgit v1.2.3
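Review bot: Both `xcrun altool` calls in bin/notarize-app take the Apple ID password as `--password "$ASC_PASSWORD"`, and bin/build-distribution-archives passes it in as the third positional argument, so the secret sits in the argument list of `bash` and of `altool` for the whole run, including every pass of the 60-second polling loop. altool can read it from the environment instead: `--password "@env:NOTARY_PASSWORD"` on both calls, with the third argument dropped at the call site (this assumes the workflow exports `NOTARY_PASSWORD`, which the diff does not show). Separately, the `#!/bin/sh -u` shebang is not what runs: the caller uses `bash bin/notarize-app`, so `-u` is never applied and `function finish {` works only because bash is the interpreter. `#!/bin/bash` followed by `set -u` would make the script behave as written however it is invoked.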