macOS release fixes part 2

This commit is contained in:
Dennis Fokin 2022-11-10 15:17:30 +01:00
parent 0503297d2f
commit eb16a3d123
No known key found for this signature in database
GPG Key ID: 870B88256690D8BC
2 changed files with 24 additions and 29 deletions


@ -67,6 +67,9 @@ jobs:
mv build/macos/Build/Products/Release/"Yubico Authenticator.app" deploy mv build/macos/Build/Products/Release/"Yubico Authenticator.app" deploy
mv create-dmg.sh deploy mv create-dmg.sh deploy
mv resources/icons/dmg-background.png deploy mv resources/icons/dmg-background.png deploy
mv macos/helper.entitlements deploy
mv macos/helper-sandbox.entitlements deploy
mv macos/Runner/Release.entitlements deploy
- name: Upload artifact - name: Upload artifact
uses: actions/upload-artifact@v3 uses: actions/upload-artifact@v3
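Review bot: `uses: actions/upload-artifact@v3` in the unchanged context closing this hunk pins the action only to a floating major tag; since this step uploads the exact bundle and entitlements that get signed and notarized downstream, pin it to a full commit SHA (keeping the tag in a trailing comment) so a retagged upstream action cannot change what lands in the release artifact. The added `mv macos/helper.entitlements deploy`, `mv macos/helper-sandbox.entitlements deploy` and `mv macos/Runner/Release.entitlements deploy` lines are consistent with the documentation change in this commit, which now references `helper.entitlements`, `helper-sandbox.entitlements` and `Release.entitlements` by bare name from the deploy directory; `cp` instead of `mv` would leave the checkout intact for any later step in the job, but that is a nit.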


@ -18,20 +18,26 @@ it. For Notarization to work, we must enable "hardened runtime" by setting the
The following commands can be done to re-sign the files using the Yubico The following commands can be done to re-sign the files using the Yubico
signing key: signing key:
# Sign the main binary, with the entitlements: # Sign the main binaries, with the entitlements:
codesign -f --timestamp --options runtime --entitlements macos/helper.entitlements --sign 'Application' build/macos/helper/authenticator-helper codesign -f --timestamp --options runtime --entitlements helper.entitlements --sign 'Application' Yubico\ Authenticator.app/Contents/Resources/helper/authenticator-helper
codesign -f --timestamp --options runtime --entitlements helper.entitlements --sign 'Application' Yubico\ Authenticator.app/Contents/Resources/helper-arm64/authenticator-helper
# Sign the dylib and so files, without entitlements: # Sign the dylib and so files, without entitlements:
codesign -f --timestamp --options runtime --sign 'Application' $(find build/macos/helper/ -name "*.dylib" -o -name "*.so") codesign -f --timestamp --options runtime --sign 'Application' $(find Yubico\ Authenticator.app/Contents/Resources/helper/ -name "*.dylib" -o -name "*.so")
codesign -f --timestamp --options runtime --sign 'Application' $(find Yubico\ Authenticator.app/Contents/Resources/helper-arm64/ -name "*.dylib" -o -name "*.so")
# Sign the Python binary (if it exists), without entitlements: # Sign the Python binary (if it exists), without entitlements:
codesign -f --timestamp --options runtime --sign 'Application' build/macos/helper/Python codesign -f --timestamp --options runtime --sign 'Application' Yubico\ Authenticator.app/Contents/Resources/helper/Python
codesign -f --timestamp --options runtime --sign 'Application' Yubico\ Authenticator.app/Contents/Resources/helper-arm64/Python
==== Signing the GUI ==== Signing the GUI
After signing the Helper, make a release build of the GUI and then re-sign it After signing the Helper, make a release build of the GUI and then re-sign it
with the Yubico key: with the Yubico key:
codesign --timestamp --options runtime --sign 'Application' --entitlements macos/Runner/Release.entitlements --deep "build/macos/Build/Products/Release/Yubico Authenticator.app" codesign --timestamp --options runtime --sign 'Application' --entitlements Release.entitlements --deep "Yubico Authenticator.app"
The app should now be properly signed, and needs to be Notarized. Create a zip file with the .app, and: The app should now be properly signed, and needs to be Notarized. Create a zip file with the .app, and:
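Review bot: the unquoted `$(find Yubico\ Authenticator.app/Contents/Resources/helper/ -name "*.dylib" -o -name "*.so")` substitutions on the two dylib/so lines break on this bundle's own path: the command substitution output is word-split, so every `Yubico Authenticator.app/Contents/Resources/helper/x.dylib` becomes the two arguments `Yubico` and `Authenticator.app/Contents/Resources/helper/x.dylib`, and codesign will fail on both (the old `build/macos/helper/` path had no space, which is why the previous form worked). Let find run codesign itself, e.g. `find "Yubico Authenticator.app/Contents/Resources/helper/" \( -name "*.dylib" -o -name "*.so" \) -exec codesign -f --timestamp --options runtime --sign 'Application' {} +`, or use `-print0 | xargs -0`; the parentheses become mandatory once `-exec` is present, because without them `-o` binds only the second `-name` and the .dylib matches would never be signed. Separately, the helper lines now pass `--entitlements helper.entitlements` and the GUI line `--entitlements Release.entitlements` as bare relative paths, so the section should state that every command is run from the deploy directory the workflow populates.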
@ -45,30 +51,14 @@ To check if notarization is complete:
When the notarization is complete, and successful, the original .app bundle (not the .zip archive) needs to be stapled. When the notarization is complete, and successful, the original .app bundle (not the .zip archive) needs to be stapled.
xcrun stapler staple -v "build/macos/Build/Products/Release/Yubico Authenticator.app" xcrun stapler staple -v "Yubico Authenticator.app"
Create the installer with productbuild.
productbuild --sign 'Installer' --component "build/macos/Build/Products/Release/Yubico Authenticator.app" /Applications/ output-file-xyz.pkg
Then notarize and staple (when ready) the .pkg as well:
xcrun altool -t osx -f output-file-xyz.pkg --primary-bundle-id com.yubico.authenticator --notarize-app -u $APPLE_ID -p $PASSWORD
xcrun altool --notarization-info $APP_GUID -u $APPLE_ID -p $PASSWORD
xcrun stapler staple -v <pkg file>
Finally, we're done! The .pkg is ready for distribution.
Everything has now been signed and we can create a dmg.
==== Creating a dmg ==== Creating a dmg
Repeat all the steps from above until (and including) notarization of the .zip. Create a directory called `source_folder` and move the .app to it.
Afterwards create a directory containing the .app and the following shortcut: Install `create-dmg` by running `brew install create-dmg`.
Run the `create-dmg.sh` script.
ln -s /Applications/ Applications
Open Disk Utility. Press File > New image > Image from Folder.
Choose the folder you just created.
=== Signing for the App Store === Signing for the App Store
All binaries must have sandbox enabled for the Apple App Store, but the Helper All binaries must have sandbox enabled for the Apple App Store, but the Helper
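Review bot: the new dmg flow in this hunk drops the notarize-and-staple step without a replacement for the disk image itself. The removed lines notarized and stapled the .pkg (`xcrun altool -t osx -f output-file-xyz.pkg ... --notarize-app`, `xcrun stapler staple -v <pkg file>`), while the added lines end at `Run the `create-dmg.sh` script.` with nothing said about signing, notarizing or stapling the resulting .dmg. Because the .app inside is stapled, Gatekeeper accepts the app once it is copied out, but the document should either add a codesign, notarize and staple step for the .dmg or state explicitly that the stapled .app is the only notarized artifact, so a release engineer does not ship an unstapled image by accident. It would also help to say where `create-dmg.sh` expects `source_folder` (the script is moved into the deploy directory by the workflow change in this commit) and whether it creates the `/Applications` shortcut that the removed `ln -s /Applications/ Applications` step made by hand.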
@ -80,14 +70,16 @@ different code signing key than the standalone distribution.
==== Signing the Yubico Authenticator Helper ==== Signing the Yubico Authenticator Helper
Follow the same steps as for "standalone", with the exception of signing the `authenticator-helper` binary: Follow the same steps as for "standalone", with the exception of signing the `authenticator-helper` binary:
# Sign the main binary, with sandbox enabled, without hardened runtime: # Sign the main binaries, with sandbox enabled, without hardened runtime:
codesign -f --timestamp --entitlements macos/helper-sandbox.entitlements --sign 'Application' build/macos/helper/authenticator-helper codesign -f --timestamp --entitlements helper-sandbox.entitlements --sign 'Application' Yubico\ Authenticator.app/Contents/Resources/helper/authenticator-helper
codesign -f --timestamp --entitlements helper-sandbox.entitlements --sign 'Application' Yubico\ Authenticator.app/Contents/Resources/helper-arm64/authenticator-helper
NOTE: This sandboxed Helper will not run on its own, it has to be run as a NOTE: This sandboxed Helper will not run on its own, it has to be run as a
subprocess to the main application. subprocess to the main application.
Once you have the signed .app, (no Notarization required) build the package for AppStore submission: Once you have the signed .app, (no Notarization required) build the package for AppStore submission:
productbuild --sign 'Installer' --component build/macos/Build/Products/Release/flutter_rpc_test.app /Applications/ output-appstore.pkg productbuild --sign 'Installer' --component "Yubico Authenticator.app" /Applications/ output-appstore.pkg
Use the Transporter app to upload the package to Apple. Use the Transporter app to upload the package to Apple.
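Review bot: the App Store commands in this hunk use the same identity strings (`--sign 'Application'`, `--sign 'Installer'`) as the standalone section, yet the hunk header states that the App Store build uses a "different code signing key than the standalone distribution". A reader with both the Developer ID and the App Store distribution certificates in the keychain cannot tell from the text which one each placeholder must resolve to, and a substring that matches both makes codesign reject the identity as ambiguous. Suggest spelling out the certificate each placeholder stands for in this section (or using distinct placeholder names), and adding to "Follow the same steps as for 'standalone'" that the two `helper-sandbox.entitlements` lines replace, rather than follow, the hardened-runtime `--entitlements helper.entitlements` lines above, since `codesign -f` simply overwrites whichever signature was applied last.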