build: Add a workflow for signing the app bundle with a set of entitlements

2022-03-18 19:28:01 -06:00 · 2022-03-18 19:28:01 -06:00 · c877bfe886
parent cc3d4f7638
commit c877bfe886
2 changed files with 20 additions and 0 deletions
--- a/.github/workflows/release_nightly.yml
+++ b/.github/workflows/release_nightly.yml
@ -204,6 +204,21 @@ jobs:
          mkdir package/Ruffle.app/Contents/Resources
          xcrun actool --compile package/Ruffle.app/Contents/Resources desktop/assets/Assets.xcassets --minimum-deployment-target 10.0 --platform macosx --warnings --errors --notices --include-all-app-icons
      - name: Sign bundle
        continue-on-error: true
        env:
          APPLE_DEVELOPER_KEY: ${{ secrets.APPLE_DEVELOPER_KEY }}
          APPLE_DEVELOPER_KEY_PASSWORD: ${{ secrets.APPLE_DEVELOPER_KEY_PASSWORD }}
        run: |
          echo $APPLE_DEVELOPER_KEY | base64 -decode > certificate.p12
          security create-keychain -p correct-horse-battery-staple build.keychain
          security default-keychain -s build.keychain
          security unlock-keychain -p correct-horse-battery-staple build.keychain
          security import certificate.p12 -k build.keychain -P $APPLE_DEVELOPER_KEY_PASSWORD -T /usr/bin/codesign
          security set-key-partition-list -S apple-tool:,apple:,codesign: -s -k correct-horse-battery-staple build.keychain
          codesign -s ${{ secrets.APPLE_DEVELOPER_IDENTITY }} -f --entitlements desktop/assets/macOSEntitlements.plist package/Ruffle.app
          codesign --verify -vvvv package/Ruffle.app
      - name: Package macOS
        run: |
          # We must enter the package/ directory in order to create a flat tarball (i.e. without a directory in it).
--- a/desktop/assets/macOSEntitlements.plist
+++ b/desktop/assets/macOSEntitlements.plist
@ -0,0 +1,5 @@
 <?xml version="1.0" encoding="utf-8"?>
 <plist version="1.0">
    <dict>
    </dict>
 </plist>