diff --git a/.github/workflows/build_orca.yml b/.github/workflows/build_orca.yml
index 867a7b2954..54ff24e5d2 100644
--- a/.github/workflows/build_orca.yml
+++ b/.github/workflows/build_orca.yml
@@ -140,10 +140,108 @@ jobs:
 security import $CERTIFICATE_PATH -P $P12_PASSWORD -A -t cert -f pkcs12 -k $KEYCHAIN_PATH
 security list-keychain -d user -s $KEYCHAIN_PATH
 security set-key-partition-list -S apple-tool:,apple:,codesign: -s -k $P12_PASSWORD $KEYCHAIN_PATH
- codesign --deep --force --verbose --options runtime --timestamp --entitlements ${{ github.workspace }}/scripts/disable_validation.entitlements --sign "$CERTIFICATE_ID" "${{ github.workspace }}/build/universal/Snapmaker_Orca/Snapmaker Orca.app"
+
+ # Sign app with proper recursive signing (not using --deep)
+ APP_PATH="${{ github.workspace }}/build/universal/Snapmaker_Orca/Snapmaker Orca.app"
+ ENTITLEMENTS_PATH="${{ github.workspace }}/scripts/disable_validation.entitlements"
+
+ # Verify entitlements file exists
+ if [ ! -f "$ENTITLEMENTS_PATH" ]; then
+ echo "Error: Entitlements file not found: $ENTITLEMENTS_PATH"
+ exit 1
+ fi
+ echo "Using entitlements: $ENTITLEMENTS_PATH"
+
+ # Sign Frameworks (must succeed, no silent failures)
+ echo "Signing Frameworks..."
+ if [ -d "$APP_PATH/Contents/Frameworks" ]; then
+ find "$APP_PATH/Contents/Frameworks" -name "*.dylib" -o -name "*.framework" | while read -r item; do
+ if [ -f "$item" ] || [ -d "$item" ]; then
+ echo " Signing: $item"
+ codesign --force --verbose --options runtime --timestamp --sign "$CERTIFICATE_ID" "$item" || {
+ echo "Error: Failed to sign $item"
+ exit 1
+ }
+ fi
+ done
+ fi
+
+ # Sign MacOS executables (must succeed, no silent failures)
+ echo "Signing MacOS executables..."
+ if [ -d "$APP_PATH/Contents/MacOS" ]; then
+ find "$APP_PATH/Contents/MacOS" -type f -perm +111 | while read -r item; do
+ echo " Signing: $item"
+ codesign --force --verbose --options runtime --timestamp --sign "$CERTIFICATE_ID" "$item" || {
+ echo "Error: Failed to sign $item"
+ exit 1
+ }
+ done
+ fi
+
+ # Sign main app with entitlements
+ echo "Signing main app with entitlements..."
+ codesign --force --verbose --options runtime --timestamp --entitlements "$ENTITLEMENTS_PATH" --sign "$CERTIFICATE_ID" "$APP_PATH" || {
+ echo "Error: Failed to sign main app"
+ exit 1
+ }
+
+ # Verify signature
+ echo "Verifying signature..."
+ codesign --verify --verbose "$APP_PATH" || {
+ echo "Error: Signature verification failed"
+ exit 1
+ }
+
+ # Verify entitlements are embedded
+ echo "Verifying entitlements are embedded..."
+ EMBEDDED_ENTITLEMENTS=$(codesign -d --entitlements - "$APP_PATH" 2>&1)
+ if echo "$EMBEDDED_ENTITLEMENTS" | grep -q "com.apple.security.network.client"; then
+ echo "✓ Entitlements successfully embedded"
+ echo " Found network.client entitlement"
+ else
+ echo "✗ Error: Entitlements not embedded correctly"
+ echo " Embedded entitlements output:"
+ echo "$EMBEDDED_ENTITLEMENTS" | head -20
+ exit 1
+ fi
+
 # Sign Snapmaker_Orca_profile_validator.app if it exists
- if [ -f "${{ github.workspace }}/build/universal/Snapmaker_Orca/Snapmaker_Orca_profile_validator.app/Contents/MacOS/Snapmaker_Orca_profile_validator" ]; then
- codesign --deep --force --verbose --options runtime --timestamp --entitlements ${{ github.workspace }}/scripts/disable_validation.entitlements --sign "$CERTIFICATE_ID" ${{ github.workspace }}/build/universal/Snapmaker_Orca/Snapmaker_Orca_profile_validator.app
+ VALIDATOR_APP_PATH="${{ github.workspace }}/build/universal/Snapmaker_Orca/Snapmaker_Orca_profile_validator.app"
+ if [ -f "$VALIDATOR_APP_PATH/Contents/MacOS/Snapmaker_Orca_profile_validator" ]; then
+ echo "Signing Snapmaker_Orca_profile_validator.app..."
+
+ # Sign validator app components
+ if [ -d "$VALIDATOR_APP_PATH/Contents/Frameworks" ]; then
+ find "$VALIDATOR_APP_PATH/Contents/Frameworks" -name "*.dylib" -o -name "*.framework" | while read -r item; do
+ if [ -f "$item" ] || [ -d "$item" ]; then
+ codesign --force --verbose --options runtime --timestamp --sign "$CERTIFICATE_ID" "$item" || {
+ echo "Error: Failed to sign validator component $item"
+ exit 1
+ }
+ fi
+ done
+ fi
+
+ if [ -d "$VALIDATOR_APP_PATH/Contents/MacOS" ]; then
+ find "$VALIDATOR_APP_PATH/Contents/MacOS" -type f -perm +111 | while read -r item; do
+ codesign --force --verbose --options runtime --timestamp --sign "$CERTIFICATE_ID" "$item" || {
+ echo "Error: Failed to sign validator executable $item"
+ exit 1
+ }
+ done
+ fi
+
+ # Sign main validator app with entitlements
+ codesign --force --verbose --options runtime --timestamp --entitlements "$ENTITLEMENTS_PATH" --sign "$CERTIFICATE_ID" "$VALIDATOR_APP_PATH" || {
+ echo "Error: Failed to sign validator app"
+ exit 1
+ }
+
+ # Verify validator signature
+ codesign --verify --verbose "$VALIDATOR_APP_PATH" || {
+ echo "Error: Validator signature verification failed"
+ exit 1
+ }
 fi
 
 # Create main Snapmaker Orca DMG without the profile validator helper
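Review bot: The Frameworks loops (`find ... -name "*.dylib" -o -name "*.framework" | while read -r item`, here and again in the validator block) sign items in `find`'s pre-order, so a `.framework` bundle is signed before any `.dylib` nested inside it; re-signing the inner dylib afterwards alters what the bundle's seal covers, and nested code has to be signed inside-out. The later `codesign --verify --verbose "$APP_PATH"` only validates the outer bundle and would not surface such a broken nested signature, whereas `codesign --verify --deep --strict --verbose=2 "$APP_PATH"` (and the same for `$VALIDATOR_APP_PATH`) would fail the step here rather than leaving it to notarization or Gatekeeper. Note also that each `exit 1` inside a piped `while` loop only ends that loop's subshell; the step presumably stops because the pipeline's non-zero status is caught by the runner's `-e`, which is configured outside this hunk, so an explicit `|| exit 1` after each `done` would state that intent in the code. The enclosing `run:` block starts before this hunk.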
@@ -152,7 +250,15 @@ jobs:
 cp -R "${{ github.workspace }}/build/universal/Snapmaker_Orca/Snapmaker Orca.app" "${{ github.workspace }}/build/universal/Snapmaker_Orca_dmg/"
 ln -sfn /Applications ${{ github.workspace }}/build/universal/Snapmaker_Orca_dmg/Applications
 hdiutil create -volname "Snapmaker_Orca" -srcfolder ${{ github.workspace }}/build/universal/Snapmaker_Orca_dmg -ov -format UDZO "${{ github.workspace }}/Snapmaker_Orca_Mac_universal_${{ env.ver }}.dmg"
- codesign --deep --force --verbose --options runtime --timestamp --entitlements ${{ github.workspace }}/scripts/disable_validation.entitlements --sign "$CERTIFICATE_ID" "${{ github.workspace }}/Snapmaker_Orca_Mac_universal_${{ env.ver }}.dmg"
+ # Sign DMG (DMG files should NOT have entitlements, only signature)
+ codesign --force --verbose --options runtime --timestamp --sign "$CERTIFICATE_ID" "${{ github.workspace }}/Snapmaker_Orca_Mac_universal_${{ env.ver }}.dmg" || {
+ echo "Error: Failed to sign DMG"
+ exit 1
+ }
+ codesign --verify --verbose "${{ github.workspace }}/Snapmaker_Orca_Mac_universal_${{ env.ver }}.dmg" || {
+ echo "Error: DMG signature verification failed"
+ exit 1
+ }
 
 # Create separate Snapmaker_Orca_profile_validator DMG if the app exists
 if [ -f "${{ github.workspace }}/build/universal/Snapmaker_Orca/Snapmaker_Orca_profile_validator.app/Contents/MacOS/Snapmaker_Orca_profile_validator" ]; then
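Review bot: The DMG path `"${{ github.workspace }}/Snapmaker_Orca_Mac_universal_${{ env.ver }}.dmg"` is spelled out verbatim in the `hdiutil`, sign and verify lines, while the app-signing hunk above introduced `APP_PATH` for exactly this purpose; assigning `DMG_PATH="${{ github.workspace }}/Snapmaker_Orca_Mac_universal_${{ env.ver }}.dmg"` once and using `"$DMG_PATH"` in all three places would match that style and rule out the signed and verified files ever diverging. The validator DMG hunk below repeats its own path the same way. `--options runtime` is a hardened-runtime flag for executable code and presumably has no effect on a disk image; if that is confirmed, dropping it would make the line agree with its own comment that the DMG gets "only signature". The enclosing `run:` block starts before this hunk.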
@@ -161,7 +267,15 @@ jobs:
 cp -R ${{ github.workspace }}/build/universal/Snapmaker_Orca/Snapmaker_Orca_profile_validator.app ${{ github.workspace }}/build/universal/Snapmaker_Orca_profile_validator_dmg/
 ln -sfn /Applications ${{ github.workspace }}/build/universal/Snapmaker_Orca_profile_validator_dmg/Applications
 hdiutil create -volname "Snapmaker_Orca Profile Validator" -srcfolder ${{ github.workspace }}/build/universal/Snapmaker_Orca_profile_validator_dmg -ov -format UDZO "${{ github.workspace }}/Snapmaker_Orca_profile_validator_Mac_universal_${{ env.ver }}.dmg"
- codesign --deep --force --verbose --options runtime --timestamp --entitlements ${{ github.workspace }}/scripts/disable_validation.entitlements --sign "$CERTIFICATE_ID" "${{ github.workspace }}/Snapmaker_Orca_profile_validator_Mac_universal_${{ env.ver }}.dmg"
+ # Sign DMG (DMG files should NOT have entitlements, only signature)
+ codesign --force --verbose --options runtime --timestamp --sign "$CERTIFICATE_ID" "${{ github.workspace }}/Snapmaker_Orca_profile_validator_Mac_universal_${{ env.ver }}.dmg" || {
+ echo "Error: Failed to sign validator DMG"
+ exit 1
+ }
+ codesign --verify --verbose "${{ github.workspace }}/Snapmaker_Orca_profile_validator_Mac_universal_${{ env.ver }}.dmg" || {
+ echo "Error: Validator DMG signature verification failed"
+ exit 1
+ }
 fi
 
 # Notarize main DMG