openframeworks / apothecary

This is the OpenFrameworks library apothecary. It mixes formulas and potions to build and update the C/C++ lib dependencies.

Apple Distribution/Developer Signing Certs added to Apothecary (for XCFramework Signed) #369

Open danoli3 opened 5 months ago

danoli3 commented 5 months ago

Looks like we need Apple Developer / Distribution Signing @ofTheo

https://developer.apple.com/documentation/xcode/creating-a-multi-platform-binary-framework-bundle

[Image: Screenshot 2024-03-22 at 2 56 26 pm]

This is only required when using a Multiplatform Target, it seems; however, best to get this sorted now!

Current PR xcframeworks: no issues. Best we set this up though! Here are some guides:

Changes can be made once added to Apothecary. Refer to Project Generator - https://github.com/openframeworks/projectGenerator/tree/master/scripts

Or guide: https://localazy.com/blog/how-to-automatically-sign-macos-apps-using-github-actions

Then add to actions workflow when needed:

  env:
          GA_CI_SECRET: ${{ secrets.CI_SECRET }}
          CERTIFICATE_OSX_APPLICATION: ${{ secrets.CERTIFICATE_OSX_APPLICATION }}
          CERTIFICATE_PASSWORD: ${{ secrets.CERTIFICATE_PASSWORD }}
          GA_APPLE_USERNAME: ${{ secrets.GA_APPLE_USERNAME }}
          GA_APPLE_PASS: ${{ secrets.GA_APPLE_PASS }}
          GA_NOTARIZE_PROVIDER: ${{ secrets.GA_NOTARIZE_PROVIDER }}

I would recommend making a new signing cert for Distribution and Developer so we can test both for these binaries. Again, this is just to validate to developers that we built it here, it's signed from here, and to our best ability is the most secure it can be :)

danoli3 commented 5 months ago

Currently all the static binaries within the framework are signed via:

XCFRAMEWORK_PATH="${LIBS_DIR_REAL}/${1}/lib/${TYPE}/$1.xcframework"
# Loop over each .a file found within the xcframework
find "$XCFRAMEWORK_PATH" -type f -name "*.a" | while read -r lib_a; do
    echo "Securing $lib_a..."
    lipo -info "$lib_a"
    # "--sign -" is ad-hoc signing (no certificate identity);
    # "|| true" means a signing failure does not stop the build
    xcrun codesign --sign - "$lib_a" || true
    . "$SECURE_SCRIPT"
    secure "$lib_a" "$VERSION" "$DEFINES"
done

This method is mostly okay; however, this is the error in the Super Mega Multiplatform Workplace project I'm building for macOS:

[Image: Screenshot 2024-03-22 at 3 15 19 pm]

danoli3 commented 5 months ago

[Image: Screenshot 2024-03-22 at 3 17 21 pm]
[Image: Screenshot 2024-03-22 at 3 17 31 pm]

And these errors do go away once accepting unsigned xcframework.

danoli3 commented 5 months ago

Also, just for sanity, again: this does not occur in any of the current Xcode projects, just the new one.
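
An added example, not part of the thread or of Apothecary's own scripts: one way to sign the `.xcframework` bundle itself with a certificate identity instead of ad-hoc signing each `.a`, assuming the certificate from `CERTIFICATE_OSX_APPLICATION` has already been imported into a keychain on the macOS runner. The function names `pick_identity` and `sign_xcframework` and the sample identity listing are constructed for illustration.

```shell
#!/bin/sh
# Constructed sample of `security find-identity -v -p codesigning` output
# (hashes and names are made up), so the parser can be tried off macOS.
SAMPLE_IDENTITIES='  1) 0123456789ABCDEF0123456789ABCDEF01234567 "Apple Development: Example Dev (AAAAAAAAAA)"
  2) 89ABCDEF0123456789ABCDEF0123456789ABCDEF "Apple Distribution: Example Org (BBBBBBBBBB)"
     2 valid identities found'

# pick_identity KIND   (identity listing on stdin)
# Prints the SHA-1 of the first identity whose name starts with KIND,
# or "-" (ad-hoc) when no such identity is present.
pick_identity() {
    awk -v kind="$1" '
        # identity lines look like:  N) <40 hex digits> "<name>"
        $2 ~ /^[0-9A-F]+$/ && length($2) == 40 {
            name = $0
            sub(/^[^"]*"/, "", name)          # drop everything up to the name
            if (index(name, kind) == 1) { print $2; found = 1; exit }
        }
        END { if (!found) print "-" }'
}

# sign_xcframework PATH IDENTITY
# Signs the bundle, then prints the resulting signature so the CI log shows
# which authority (or "adhoc") ended up on the artifact.
sign_xcframework() {
    if [ "$2" = "-" ]; then
        echo "warning: no certificate identity found; ad-hoc signing $1" >&2
        codesign --force --sign - "$1"
    else
        codesign --force --timestamp --sign "$2" "$1"
    fi && codesign -dvv "$1"
}

# Runs only on a macOS runner with XCFRAMEWORK_PATH set, as in the loop above.
if [ -n "${XCFRAMEWORK_PATH:-}" ] && command -v codesign >/dev/null 2>&1; then
    id=$(security find-identity -v -p codesigning | pick_identity "Apple Distribution")
    sign_xcframework "$XCFRAMEWORK_PATH" "$id"
fi
```

Unlike the `|| true` in the current loop, a failed `codesign` here makes `sign_xcframework` return non-zero, so the workflow step fails instead of shipping an unsigned bundle.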