bin/build-distribution-archives


1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158

VERSION="${VERSION:-$(echo ${GITHUB_REF} | sed -e 's|refs/heads/||' -e 's|refs/tags/||' -e 's|/|-|g')}"
OS="${BUILD:-$(uname)}"
ARCH="$(uname -m)"
mkdir artifacts

if [ "$BUILD" = "osx" ]; then
    cp -a icons locales print LICENSE VERSION palettes symbols fonts tiles dbus inx dist/inkstitch.app/Contents/Resources
    # adding version to Info.plist
    plutil -replace CFBundleShortVersionString -string ${VERSION} dist/inkstitch.app/Contents/Info.plist
    rm -rf dist/inkstitch/
    # Install location for pkgbuild
    PKG_INSTALL_PATH="/tmp/inkstitch/"

    # inside the scripts folder are:
    # - preinstaller (checks for previously installed inkstitch and deletes it, Inkscape check with error message) and
    # - postinstaller (moves inkstitch folder from /tmp to user Inkscape extensions folder in $HOME)
    # The postinstaller is a workaround for a proper way to install in user $HOME space

    # Build on GitHub will be handled differently from local builds.
    # Local builds will not be signed nor notarized. They are run to produce releases for legacy versions of macOS.
    # Notarization for development branches can be forced with this variable set to true
    NOTARIZE_DEVELOPMENT_BUILDS=false

    if [[ ! -z "${GITHUB_REF}" ]]; then
        # This code signs and notarize the inkstitch.app
        DEV_IDENT="Developer ID Application: Lex Neva (929A568N58)"
        echo "Signing of inkstitch.app"
        # signing the binary may fix notary issue
        /usr/bin/codesign -s "${DEV_IDENT}" \
                        --deep \
                        --force \
                        --entitlements installer_scripts/entitlements.plist \
                        -o runtime \
                        --timestamp \
                        dist/inkstitch.app/Contents/MacOS/inkstitch -v
        # last signing before packaging
        /usr/bin/codesign -s "${DEV_IDENT}" \
                        --deep \
                        --force \
                        --entitlements installer_scripts/entitlements.plist \
                        -o runtime \
                        --timestamp \
                        dist/inkstitch.app -v
        echo "Running pkgbuild"
        INSTALLER_IDENT="Developer ID Installer: Lex Neva (929A568N58)"
        /usr/bin/pkgbuild --root dist/inkstitch.app \
                        -s "${INSTALLER_IDENT}" \
                        --ownership recommended \
                        --identifier org.inkstitch.installer \
                        --version ${VERSION} \
                        --scripts installer_scripts/scripts \
                        --install-location ${PKG_INSTALL_PATH}inkstitch.app \
                        artifacts/inkstitch-${VERSION}-${OS}-${ARCH}.pkg
        if [[ "${GITHUB_REF}" =~ ^refs/tags/v[0-9.]+$ || $NOTARIZE_DEVELOPMENT_BUILDS == true ]]; then
            echo "Notary starting"
            echo "Adding keychain item for notarytool"
            xcrun notarytool store-credentials "inkstitch-profile"  \
                                                --apple-id "${NOTARY_ACCOUNT}" \
                                                --team-id '929A568N58' \
                                                --password "${NOTARY_PASSWORD}"
            echo "Invoking notary process"
            xcrun notarytool submit -f json --wait \
                                    --keychain-profile "inkstitch-profile" \
                                    artifacts/inkstitch-${VERSION}-${OS}-${ARCH}.pkg 2>&1 | tee /tmp/notarization_info.json
            echo "Stapling the pkg for release"
            xcrun stapler staple artifacts/inkstitch-${VERSION}-${OS}-${ARCH}.pkg
            echo "Fetching the Notary Log"
            # code snippet is from https://github.com/ddev/signing_tools/blob/master/macos_notarize.sh
            status=$(jq -r .status </tmp/notarization_info.json)
            id=$(jq -r .id </tmp/notarization_info.json)
            echo "status=${status} id=${id}"
            xcrun notarytool log --apple-id "${NOTARY_ACCOUNT}" --team-id '929A568N58'  --password "${NOTARY_PASSWORD}" ${id} -f json >/tmp/notarization_log.json
            issues=$(jq -r .issues </tmp/notarization_log.json)
            if [ "$issues" != "null" ]; then
                printf "There are issues with the notarization (${issues})\n"
                printf "=== Log output === \n$(cat /tmp/notarization_log.json)\n"
                exit 7;
            fi;
        fi
    else
        # local builds will not be signed or notarized
        pkgbuild --root dist/inkstitch.app \
                --ownership recommended \
                --identifier org.inkstitch.installer \
                --version ${VERSION} \
                --scripts installer_scripts/scripts \
                --install-location ${PKG_INSTALL_PATH}inkstitch.app \
                artifacts/inkstitch-${VERSION}-${OS}-${ARCH}.pkg
    fi
    # Creating the zip for Drag n' Drop install
    cd dist
    7z a ../artifacts/inkstitch-${VERSION}-${OS}-${ARCH}.zip *
    cd ..
else
    cp -a palettes symbols fonts tiles dbus inx LICENSE VERSION dist/inkstitch
    cp -a icons locales print dist/inkstitch/bin
fi

if [ "$BUILD" = "windows" ]; then
    # build the installer locally
    # remotely it will be called through build.yml after signing
    if [[ -z "${GITHUB_REF}" ]]; then
        bash bin/build-windows-installer
    fi
fi

if [ "$BUILD" = "linux" ]; then
    if [[ "$VERSION" =~ ^v[0-9][.0-9]+$ ]]; then
        VERSION=${VERSION#v}
    else
        # dpkg requires versions to start with a number, so we have to add
        # 0.0.1 for development builds
        VERSION="0.0.1-${VERSION}"
    fi

    echo -n "$INKSTITCH_GPG_KEY" | base64 -d | gpg --import
    cat <<EOF > $HOME/.rpmmacros
%_gpg_name EA93BCE2CCD0FB2E77B2CC29E8120E50709E5C44
%_signature gpg
EOF

    deb_version="$(sed -E 's/[^a-zA-Z0-9.+]/./g' <<< "$VERSION")"
    fpm -s dir \
        -t deb \
        -n inkstitch \
        -v "$deb_version" \
        -d "inkscape >= 1.0.0" \
        --deb-compression xz \
        --license "GPL-3.0" \
        --description "An open-source machine embroidery design platform based on Inkscape" \
        --url "https://inkstitch.org" \
        --maintainer "maintainer@inkstitch.org" \
        --after-install bin/after-install \
        --before-remove bin/before-remove \
        --verbose \
        dist/inkstitch=/opt

    fpm -s dir \
        -t rpm \
        -n inkstitch \
        -v "$VERSION" \
        -d "inkscape >= 1.0.0" \
        --rpm-compression xz \
        --license "GPL-3.0" \
        --description "An open-source machine embroidery design platform based on Inkscape" \
        --url "https://inkstitch.org"  \
        --maintainer "maintainer@inkstitch.org" \
        --after-install bin/after-install \
        --before-remove bin/before-remove \
        --verbose \
        dist/inkstitch=/opt

    rpmsign --addsign inkstitch*.rpm
    mv inkstitch*.deb inkstitch*.rpm artifacts/

    tar -C dist -Jcf artifacts/inkstitch-${VERSION}-${OS}.tar.xz inkstitch
    cat "$(dirname "$0")/linux-sh-installer" artifacts/inkstitch-${VERSION}-${OS}.tar.xz > artifacts/inkstitch-${VERSION}-${OS}.sh
fi