Add notarization

alisomay · Nov 30, 2024 · 53aac74 · 53aac74
1 parent 2842060
commit 53aac74
Show file tree

Hide file tree

Showing 3 changed files with 143 additions and 32 deletions.
diff --git a/.env.example b/.env.example
@@ -1,2 +1,5 @@
-DEVELOPER_ID="add yours for apple code signing"
-ENTITLEMENTS="path relative to this file"
+DEVELOPER_ID="Developer ID Application: John Doe (XXXXXXXXXX)"
+ENTITLEMENTS="./entitlements/rytm.entitlements"
+APPLE_ID="[email protected]"
+APP_PASSWORD="your-app-specific-password"
+TEAM_ID="XXXXXXXXXX"
diff --git a/Makefile.toml b/Makefile.toml
@@ -1,11 +1,9 @@
-env_files = [
-    { path = "./.env", profile = "release" },
-]
+env_files = [{ path = "./.env", profile = "release" }]
 
 # vim: set ts=4 sw=4 expandtab:
 [config]
 default_to_workspace = false
-additional_profiles = [ "release" ]
+additional_profiles = ["release"]
 
 ## Environment setup, some will get overridden in other tasks
 
@@ -14,7 +12,9 @@ CARGO_MAKE_CRATE_FS_NAME = "rytm"
 CARGO_MAKE_WORKSPACE_INCLUDE_MEMBERS = ["rytm-external"]
 PACKAGE_TO_BUILD = "rytm-external"
 MAX_PACKAGE_NAME = "petunia"
-MAX_EXT_NAME = { value = "${CARGO_MAKE_CRATE_FS_NAME}", condition = { env_not_set = ["MAX_EXT_NAME"] } }
+MAX_EXT_NAME = { value = "${CARGO_MAKE_CRATE_FS_NAME}", condition = { env_not_set = [
+    "MAX_EXT_NAME",
+] } }
 MAX_EXT_BASE_NAME = "${MAX_EXT_NAME}"
 PLATFORM_INSTALL_DIR = { source = "${CARGO_MAKE_RUST_TARGET_OS}", default_value = "ERROR", mapping = { "macos" = "${HOME}/Documents/Max 8/Packages", windows = "${USERPROFILE}/Documents/Max 8/Packages" } }
 EXTERNAL_INSTALL_DIR = "${PLATFORM_INSTALL_DIR}/${MAX_PACKAGE_NAME}/externals/"
@@ -30,7 +30,7 @@ IS_MAC_AARCH64 = { source = "${CARGO_MAKE_RUST_TARGET_TRIPLE}", default_value =
 IS_MAC_X86 = { source = "${CARGO_MAKE_RUST_TARGET_TRIPLE}", default_value = "false", mapping = { "x86_64-apple-darwin" = "true" } }
 IS_WIN_X86 = { source = "${CARGO_MAKE_RUST_TARGET_OS}", default_value = "false", mapping = { "windows" = "true" } }
 IS_TILDE = false
-WORKSPACE_TARGET_DIR = "target" 
+WORKSPACE_TARGET_DIR = "target"
 
 
 [env.development]
@@ -46,21 +46,27 @@ PROFILE_DIR = "release"
 [tasks.build-target]
 private = true
 args = [
-  "@@split(BUILD_ARGS,|)",
-  "--target",
-  "${TARGET_TRIPLE}",
-  "-p",
-  "${PACKAGE_TO_BUILD}"
+    "@@split(BUILD_ARGS,|)",
+    "--target",
+    "${TARGET_TRIPLE}",
+    "-p",
+    "${PACKAGE_TO_BUILD}",
 ]
 command = "cargo"
 
 [tasks.build]
 clear = true
 dependencies = ["setup"]
 run_task = [
-    { name = "build-windows", condition = { env_true = ["IS_WIN_X86"] } },
-    { name = "build-mac-x86", condition = { env_true = ["IS_MAC_X86"] } },
-    { name = "build-mac-aarch64", condition = { env_true = ["IS_MAC_AARCH64"] } },
+    { name = "build-windows", condition = { env_true = [
+        "IS_WIN_X86",
+    ] } },
+    { name = "build-mac-x86", condition = { env_true = [
+        "IS_MAC_X86",
+    ] } },
+    { name = "build-mac-aarch64", condition = { env_true = [
+        "IS_MAC_AARCH64",
+    ] } },
 ]
 
 [tasks.build-windows]
@@ -89,6 +95,19 @@ cp "${CARGO_MAKE_CURRENT_TASK_INITIAL_MAKEFILE_DIRECTORY}/PkgInfo" "${PROFILE_EX
 lipo -create -output "${PROFILE_EXTERNAL_PATH}/Contents/MacOS/${PACKAGED_LIB_FILE_NAME}" "${WORKSPACE_TARGET_DIR}/${TARGET_TRIPLE_MAC_X86}/${PROFILE_DIR}/${LIB_FILE_NAME}" "${WORKSPACE_TARGET_DIR}/${TARGET_TRIPLE_MAC_AARCH64}/${PROFILE_DIR}/${LIB_FILE_NAME}"
 '''
 
+# Add universal signing task that uses the profile-dependent signing
+[tasks.sign-mac-universal]
+dependencies = ["build-mac-universal"]
+run_task = [
+    { name = "codesign-ad-hoc", condition = { profiles = [
+        "development",
+    ] } },
+    { name = "codesign-with-dev-id", condition = { profiles = [
+        "release",
+    ] } },
+]
+
+
 ## Pre build Setup
 
 [tasks.env-mac]
@@ -107,8 +126,12 @@ env = { "LIB_FILE_NAME" = "${PLATFORM_DYLIB_PREFIX}${CARGO_MAKE_CRATE_FS_NAME}.$
 
 [tasks.setup]
 run_task = [
-    { name = "env-windows", condition = { platforms = ["windows"] } },
-    { name = "env-mac", condition = { platforms = ["mac"] } }
+    { name = "env-windows", condition = { platforms = [
+        "windows",
+    ] } },
+    { name = "env-mac", condition = { platforms = [
+        "mac",
+    ] } },
 ]
 
 ## Post build setup
@@ -167,7 +190,7 @@ cp "${CARGO_MAKE_CURRENT_TASK_INITIAL_MAKEFILE_DIRECTORY}/PkgInfo" "${PROFILE_EX
 '''
 
 [tasks.codesign-ad-hoc]
-condition = { profiles = [ "development" ] }
+condition = { profiles = ["development"] }
 private = true
 clear = true
 script_runner = "@shell"
@@ -176,27 +199,55 @@ codesign -f -s - "${PROFILE_EXTERNAL_PATH}"
 '''
 
 [tasks.codesign-with-dev-id]
-condition = { profiles = [ "release" ] }
+condition = { profiles = ["release"] }
 private = true
 clear = true
 script_runner = "@shell"
 script = '''
-codesign -f -v -s "${DEVELOPER_ID}" --entitlements "${ENTITLEMENTS}" --timestamp --options=runtime "${PROFILE_EXTERNAL_PATH}" && echo "Signed ${PROFILE_EXTERNAL_PATH}"
+codesign --deep -f -v -s "${DEVELOPER_ID}" \
+         --entitlements "${ENTITLEMENTS}" \
+         --timestamp \
+         --options=runtime \
+         "${PROFILE_EXTERNAL_PATH}" && echo "Signed ${PROFILE_EXTERNAL_PATH}" && \
+         codesign --verify --verbose=4 ${PROFILE_EXTERNAL_PATH} && \
+         codesign -d --entitlements :- --verbose=4 ${PROFILE_EXTERNAL_PATH}
 '''
 
 [tasks.package]
 dependencies = ["build", "name-env"]
 clear = true
 run_task = [
-    { name = ["package-mac", "codesign-ad-hoc"], condition = { platforms = ["mac"], profiles = ["development"] } },
-    { name = ["package-mac", "codesign-with-dev-id"], condition = { platforms = ["mac"], profiles = ["release"] } },
-    { name = "package-windows", condition = { platforms = ["windows"] } },
+    { name = [
+        "package-mac",
+        "codesign-ad-hoc",
+    ], condition = { platforms = [
+        "mac",
+    ], profiles = [
+        "development",
+    ] } },
+    { name = [
+        "package-mac",
+        "codesign-with-dev-id",
+    ], condition = { platforms = [
+        "mac",
+    ], profiles = [
+        "release",
+    ] } },
+    { name = "package-windows", condition = { platforms = [
+        "windows",
+    ] } },
 ]
 
 [tasks.package-all]
 clear = true
 run_task = [
-    { name = ["package-windows", "build-mac-universal", "copy-all"], condition = { platforms = ["mac"] } },
+    { name = [
+        "package-windows",
+        "build-mac-universal",
+        "sign-mac-universal",     # Add signing step for universal binary
+        "extend-package-members",
+        "copy-all",
+    ], condition = { platforms = ["mac"] } },
 ]
 
 [tasks.copy-all]
@@ -205,7 +256,12 @@ private = true
 # env = { "PACKAGE_DIR" = "${WORKSPACE_TARGET_DIR}/${PROFILE_DIR}/${MAX_PACKAGE_NAME}" }
 env = { "PACKAGE_DIR" = "${CARGO_MAKE_WORKING_DIRECTORY}/${MAX_PACKAGE_NAME}" }
 run_task = [
-    { name = ["extend-package-members", "copy-all-packages"], condition = { platforms = ["mac"] } },
+    { name = [
+        "extend-package-members",
+        "copy-all-packages",
+    ], condition = { platforms = [
+        "mac",
+    ] } },
 ]
 
 [tasks.copy-all-packages]
@@ -252,13 +308,30 @@ cp -r "${PROFILE_EXTERNAL_PATH}" "${EXTERNAL_INSTALL_DIR}"
 
 [tasks.install-universal.mac]
 clear = true
-dependencies = ["build-mac-universal", "extend-package-members", "install-package-members",]
+dependencies = [
+    "build-mac-universal",
+    "sign-mac-universal",      # Add signing step
+    "extend-package-members",
+    "install-package-members",
+]
 script_runner = "@shell"
 script = '''
 mkdir -p "${EXTERNAL_INSTALL_DIR}"
 cp -r "${PROFILE_EXTERNAL_PATH}" "${EXTERNAL_INSTALL_DIR}"
 '''
 
+[tasks.install]
+clear = true
+run_task = [
+    { name = "install.windows", condition = { platforms = [
+        "windows",
+    ] } },
+    { name = "install-universal.mac", condition = { platforms = [
+        "mac",
+    ] } },
+]
+
+
 [tasks.install-package-members.mac]
 condition = { files_exist = ["${PACKAGE_MEMBERS_DIR}/"] }
 script_runner = "@shell"
@@ -274,5 +347,3 @@ script = '''
 cp "${CARGO_MAKE_WORKING_DIRECTORY}/README.md" "${PACKAGE_MEMBERS_DIR}/readme.md"
 cp "${CARGO_MAKE_WORKING_DIRECTORY}/LICENSE" "${PACKAGE_MEMBERS_DIR}/license.md"
 '''
-
-
diff --git a/justfile b/justfile
@@ -1,7 +1,44 @@
+set dotenv-load
+
+replace-package:
+  rm -rf ~/Documents/Max\ 8/Packages/petunia
+  cp -r {{justfile_directory()}}/petunia ~/Documents/Max\ 8/Packages/petunia
+
 install:
    cargo make --profile release install
-package:
-   cargo make --profile release package
 package-all:
    cargo make --profile release package-all
-
+
+# Environment variables needed for notarization
+APPLE_ID := env_var('APPLE_ID')
+APP_PASSWORD := env_var('APP_PASSWORD')
+TEAM_ID := env_var('TEAM_ID')
+
+notarize:
+    #!/usr/bin/env bash
+    set -euo pipefail
+    cd {{justfile_directory()}}/petunia/externals
+    rm -f rytm.zip
+    zip -r rytm.zip rytm.mxo
+    rm -f rytm_notarization.log
+    xcrun notarytool submit rytm.zip \
+        --apple-id "{{APPLE_ID}}" \
+        --password "{{APP_PASSWORD}}" \
+        --team-id "{{TEAM_ID}}" \
+        --wait \
+        --output-format json \
+        > rytm_notarization.log
+
+    STATUS=$(cat rytm_notarization.log | grep -o '"status":"[^"]*"' | cut -d'"' -f4)
+    if [ "$STATUS" = "Accepted" ]; then
+        echo "✅ Notarization succeeded"
+    else
+        echo "❌ Notarization failed with status: $STATUS"
+        cat rytm_notarization.log
+        exit 1
+    fi
+
+    cd {{justfile_directory()}}
+
+    xcrun stapler staple petunia/externals/rytm.mxo
+    xcrun stapler validate petunia/externals/rytm.mxo