kobaltcore / renconstruct

A utility script to automatically build Ren'Py applications for multiple platforms.
MIT License

Is it possible to notarize the Mac build on Windows, or GitLab CI? #5

Open SergioAlonsoJr opened 2 years ago

SergioAlonsoJr commented 2 years ago

I want to notarize the Mac version, but I don't own a Mac.

Is it possible to notarize the Mac build on Windows, or GitLab CI?

kobaltcore commented 2 years ago

Yes, this is possible, but a bit cumbersome. renconstruct actually ships with a notarization task that should be able to do this, but since Apple likes to change things rather frequently, this is not guaranteed to work in the future.

You can supply the relevant data for this via environment variables such as this in a GitHub Action:

- name: Build Project
  run: renconstruct -d -i "${{ github.workspace }}" -o "${{ github.workspace }}/../dist" -c "${{ github.workspace }}/config.yml"
  env:
    RC_APPLE_ID: ${{ secrets.RC_APPLE_ID }}
    RC_APPLE_PWD: ${{ secrets.RC_APPLE_PWD }}
    RC_SIGN_CERT: ${{ secrets.RC_SIGN_CERT }}
    RC_SIGN_CERT_PWD: ${{ secrets.RC_SIGN_CERT_PWD }}
    RC_SIGN_IDENTITY: ${{ secrets.RC_SIGN_IDENTITY }}

This requires the following:

This is unfortunately very cumbersome to obtain, especially if you do not own a Mac to prepare these things in the first place. Once they're all in place, signing on a macOS runner should be possible though.

SergioAlonsoJr commented 2 years ago

@kobaltcore, can these steps work?

  1. Rent a Mac and generate the necessary files
  2. Transfer these files to my Windows PC
  3. Run the notarization task on my Windows PC

If yes, I will do it.

kobaltcore commented 2 years ago

Unfortunately not quite. While the first step would work, the actual code signing and notarization will have to take place on a Mac as well.

It should, however, still be possible. The certificate can be generated without a Mac, I believe, by going through the Apple Developer Portal (which also allows you to download the necessary file). This can then be stored as a GitHub Actions Secret and used in a CI run. Since GHA supports macOS runners (only Intel atm, but still better than nothing), you should then be able to complete the notarization process via GHA, without having to own or rent a Mac yourself.

renconstruct actually ships with a notarization task built for this purpose; it will set up everything that's needed internally during the CI run. Fair warning though: I have not used that particular functionality in a while, so I'd have to re-check it to make sure it's still working.
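
Added example, not part of the thread or of renconstruct: a preflight check a CI job could run before the `renconstruct` step, using the five `RC_*` variable names from the `env:` block above. GitHub Actions substitutes an empty string for a secret that is undefined or not exposed to the run (for example on pull requests from forks), so the check fails fast and reports only variable names, never values. It assumes all five variables are required, which the thread does not state; the function names are hypothetical.

```sh
#!/bin/sh
# Added example: preflight for the RC_* signing variables named in the thread.
# Assumption: every variable below must be non-empty for signing to work.
RC_REQUIRED_VARS="RC_APPLE_ID RC_APPLE_PWD RC_SIGN_CERT RC_SIGN_CERT_PWD RC_SIGN_IDENTITY"

# rc_missing_vars: print the NAMES of unset or empty variables, space-separated.
# Values are never echoed, so nothing sensitive can reach the job log.
rc_missing_vars() {
  _rc_missing=""
  for _rc_name in $RC_REQUIRED_VARS; do
    # Indirect lookup; safe because names come only from the fixed list above.
    eval "_rc_val=\${$_rc_name:-}"
    [ -n "$_rc_val" ] || _rc_missing="${_rc_missing:+$_rc_missing }$_rc_name"
  done
  unset _rc_val
  printf '%s' "$_rc_missing"
}

# rc_preflight [OS_NAME]: 0 = ready, 1 = variables missing, 2 = not macOS.
# OS_NAME defaults to `uname -s`; it is a parameter so the check can be
# exercised on a non-Mac machine.
rc_preflight() {
  _rc_os="${1:-$(uname -s)}"
  if [ "$_rc_os" != "Darwin" ]; then
    echo "preflight: signing and notarization need a macOS runner (got $_rc_os)" >&2
    return 2
  fi
  _rc_list="$(rc_missing_vars)"
  if [ -n "$_rc_list" ]; then
    echo "preflight: empty or unset: $_rc_list" >&2
    return 1
  fi
  return 0
}
```

In a workflow, source this file and call `rc_preflight || exit 1` in the same `run:` step, before invoking `renconstruct`.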