Open rozyczko opened 3 years ago
This can be directly taken from SasView.
The GH yml file contains this:
```yaml
- name: Sign executable and create dmg
  if: ${{ matrix.os == 'macos-latest' }}
  env:
    MACOS_CERTIFICATE: ${{ secrets.MACOS_CERTIFICATE }}
    MACOS_CERTIFICATE_PWD: ${{ secrets.MACOS_CERTIFICATE_PWD }}
  run: |
    echo $MACOS_CERTIFICATE | base64 --decode > certificate.p12
    security create-keychain -p DloaAcYP build.keychain
    security default-keychain -s build.keychain
    security unlock-keychain -p DloaAcYP build.keychain
    security import certificate.p12 -k build.keychain -P $MACOS_CERTIFICATE_PWD -T /usr/bin/codesign
    security set-key-partition-list -S apple-tool:,apple:,codesign: -s -k DloaAcYP build.keychain
    cd installers/dist
    python ../../build_tools/code_sign_osx.py
    codesign --verify --options=runtime --entitlements ../../build_tools/entitlements.plist --timestamp --deep --verbose=4 --force --sign "Developer ID Application: European Spallation Source Eric (W2AG9MPZ43)" SasView5.app
    hdiutil create SasView5.dmg -srcfolder SasView5.app -ov -format UDZO
    codesign -s "Developer ID Application: European Spallation Source Eric (W2AG9MPZ43)" SasView5.dmg
```
and code_sign_osx.py is here: https://github.com/SasView/sasview/blob/gh_osx/build_tools/code_sign_osx.py
Updated (?) version of the file: https://github.com/SasView/sasview/blob/main/build_tools/code_sign_osx.py
It seems to be signing all the .so's and .dylib's though - is this what we need?
and then one can open it anyway via Settings / Security & Privacy
Now, the following steps are implemented:
One still needs to select Allow apps downloaded from: App Store and identified developers in the Settings / Security & Privacy
Then, the only message you get is:
Extension of #25 to cover macos
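On the question above of whether every .so and .dylib needs signing: notarization requires every Mach-O executable in the bundle to be signed, so it helps to inventory them by file header instead of by extension. The following is an added example, not SasView's code_sign_osx.py (whose contents are not shown in this thread); it lists Mach-O files deepest first, the order in which nested code is signed before its container, and the sample bundle and its file names are constructed.

```python
import os
import struct
import tempfile

# First four bytes of a Mach-O file as they appear on disk.
THIN = {b"\xfe\xed\xfa\xce", b"\xce\xfa\xed\xfe",   # 32-bit, either byte order
        b"\xfe\xed\xfa\xcf", b"\xcf\xfa\xed\xfe"}   # 64-bit, either byte order
FAT = {b"\xca\xfe\xba\xbe", b"\xca\xfe\xba\xbf"}    # universal (fat) binaries

def is_macho(path):
    """Classify by header rather than by a .so/.dylib extension."""
    with open(path, "rb") as fh:
        head = fh.read(8)
    if head[:4] in THIN:
        return True
    if len(head) == 8 and head[:4] in FAT:
        # Java .class files share 0xcafebabe; their next field is the class
        # version (45 or higher), a fat header holds a small slice count.
        return struct.unpack(">I", head[4:])[0] < 45
    return False

def signing_order(bundle):
    """Mach-O files under bundle, most deeply nested first."""
    found = []
    for root, _dirs, files in os.walk(bundle):
        for name in files:
            path = os.path.join(root, name)
            if not os.path.islink(path) and is_macho(path):
                found.append(os.path.relpath(path, bundle))
    return sorted(found, key=lambda p: (-p.count(os.sep), p))

# Constructed sample bundle: stub headers only, not real binaries.
SAMPLE = {
    "Contents/MacOS/app": b"\xcf\xfa\xed\xfe" + bytes(28),
    "Contents/Resources/lib/_ext.so": b"\xcf\xfa\xed\xfe" + bytes(28),
    "Contents/Resources/lib/helper": b"\xca\xfe\xba\xbe\x00\x00\x00\x02",
    "Contents/Resources/lib/Main.class": b"\xca\xfe\xba\xbe\x00\x00\x00\x34",
    "Contents/Resources/notes.so": b"plain text with a misleading name",
}

def demo():
    with tempfile.TemporaryDirectory() as tmp:
        for rel, data in SAMPLE.items():
            path = os.path.join(tmp, *rel.split("/"))
            os.makedirs(os.path.dirname(path), exist_ok=True)
            with open(path, "wb") as fh:
                fh.write(data)
        return signing_order(tmp)

if __name__ == "__main__":
    print("\n".join(demo()))
```

The extensionless `helper` is picked up and the text file named `notes.so` is not, which is the gap an extension-based filter leaves.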