juli/OrcaSlicer
1
1
Fork 0
mirror of https://github.com/OrcaSlicer/OrcaSlicer.git synced 2026-06-11 14:33:04 +00:00
Code Issues Packages Projects Releases Wiki Activity

feature signs app and don't signs dmg.

Browse Source
This commit is contained in:
alves
2026-01-28 18:52:41 +08:00
parent 4b2f5c158e
commit 1044e770b6
1 changed files with 119 additions and 5 deletions
Download Patch File Download Diff File Expand all files Collapse all files

124
.github/workflows/build_orca.yml vendored
View File

@@ -140,10 +140,108 @@ jobs:
security import $CERTIFICATE_PATH -P $P12_PASSWORD -A -t cert -f pkcs12 -k $KEYCHAIN_PATH
security list-keychain -d user -s $KEYCHAIN_PATH
security set-key-partition-list -S apple-tool:,apple:,codesign: -s -k $P12_PASSWORD $KEYCHAIN_PATH
codesign --deep --force --verbose --options runtime --timestamp --entitlements ${{ github.workspace }}/scripts/disable_validation.entitlements --sign "$CERTIFICATE_ID" "${{ github.workspace }}/build/universal/Snapmaker_Orca/Snapmaker Orca.app"
# Sign app with proper recursive signing (not using --deep)
APP_PATH="${{ github.workspace }}/build/universal/Snapmaker_Orca/Snapmaker Orca.app"
ENTITLEMENTS_PATH="${{ github.workspace }}/scripts/disable_validation.entitlements"
# Verify entitlements file exists
if [ ! -f "$ENTITLEMENTS_PATH" ]; then
echo "Error: Entitlements file not found: $ENTITLEMENTS_PATH"
exit 1
fi
echo "Using entitlements: $ENTITLEMENTS_PATH"
# Sign Frameworks (must succeed, no silent failures)
echo "Signing Frameworks..."
if [ -d "$APP_PATH/Contents/Frameworks" ]; then
find "$APP_PATH/Contents/Frameworks" -name "*.dylib" -o -name "*.framework" | while read -r item; do
if [ -f "$item" ] || [ -d "$item" ]; then
echo " Signing: $item"
codesign --force --verbose --options runtime --timestamp --sign "$CERTIFICATE_ID" "$item" || {
echo "Error: Failed to sign $item"
exit 1
}
fi
done
fi
# Sign MacOS executables (must succeed, no silent failures)
echo "Signing MacOS executables..."
if [ -d "$APP_PATH/Contents/MacOS" ]; then
find "$APP_PATH/Contents/MacOS" -type f -perm +111 | while read -r item; do
echo " Signing: $item"
codesign --force --verbose --options runtime --timestamp --sign "$CERTIFICATE_ID" "$item" || {
echo "Error: Failed to sign $item"
exit 1
}
done
fi
# Sign main app with entitlements
echo "Signing main app with entitlements..."
codesign --force --verbose --options runtime --timestamp --entitlements "$ENTITLEMENTS_PATH" --sign "$CERTIFICATE_ID" "$APP_PATH" || {
echo "Error: Failed to sign main app"
exit 1
}
# Verify signature
echo "Verifying signature..."
codesign --verify --verbose "$APP_PATH" || {
echo "Error: Signature verification failed"
exit 1
}
# Verify entitlements are embedded
echo "Verifying entitlements are embedded..."
EMBEDDED_ENTITLEMENTS=$(codesign -d --entitlements - "$APP_PATH" 2>&1)
if echo "$EMBEDDED_ENTITLEMENTS" | grep -q "com.apple.security.network.client"; then
echo "✓ Entitlements successfully embedded"
echo " Found network.client entitlement"
else
echo "✗ Error: Entitlements not embedded correctly"
echo " Embedded entitlements output:"
echo "$EMBEDDED_ENTITLEMENTS" | head -20
exit 1
fi
# Sign Snapmaker_Orca_profile_validator.app if it exists
if [ -f "${{ github.workspace }}/build/universal/Snapmaker_Orca/Snapmaker_Orca_profile_validator.app/Contents/MacOS/Snapmaker_Orca_profile_validator" ]; then
codesign --deep --force --verbose --options runtime --timestamp --entitlements ${{ github.workspace }}/scripts/disable_validation.entitlements --sign "$CERTIFICATE_ID" ${{ github.workspace }}/build/universal/Snapmaker_Orca/Snapmaker_Orca_profile_validator.app
VALIDATOR_APP_PATH="${{ github.workspace }}/build/universal/Snapmaker_Orca/Snapmaker_Orca_profile_validator.app"
if [ -f "$VALIDATOR_APP_PATH/Contents/MacOS/Snapmaker_Orca_profile_validator" ]; then
echo "Signing Snapmaker_Orca_profile_validator.app..."
# Sign validator app components
if [ -d "$VALIDATOR_APP_PATH/Contents/Frameworks" ]; then
find "$VALIDATOR_APP_PATH/Contents/Frameworks" -name "*.dylib" -o -name "*.framework" | while read -r item; do
if [ -f "$item" ] || [ -d "$item" ]; then
codesign --force --verbose --options runtime --timestamp --sign "$CERTIFICATE_ID" "$item" || {
echo "Error: Failed to sign validator component $item"
exit 1
}
fi
done
fi
if [ -d "$VALIDATOR_APP_PATH/Contents/MacOS" ]; then
find "$VALIDATOR_APP_PATH/Contents/MacOS" -type f -perm +111 | while read -r item; do
codesign --force --verbose --options runtime --timestamp --sign "$CERTIFICATE_ID" "$item" || {
echo "Error: Failed to sign validator executable $item"
exit 1
}
done
fi
# Sign main validator app with entitlements
codesign --force --verbose --options runtime --timestamp --entitlements "$ENTITLEMENTS_PATH" --sign "$CERTIFICATE_ID" "$VALIDATOR_APP_PATH" || {
echo "Error: Failed to sign validator app"
exit 1
}
# Verify validator signature
codesign --verify --verbose "$VALIDATOR_APP_PATH" || {
echo "Error: Validator signature verification failed"
exit 1
}
fi
# Create main Snapmaker Orca DMG without the profile validator helper
@@ -152,7 +250,15 @@ jobs:
cp -R "${{ github.workspace }}/build/universal/Snapmaker_Orca/Snapmaker Orca.app" "${{ github.workspace }}/build/universal/Snapmaker_Orca_dmg/"
ln -sfn /Applications ${{ github.workspace }}/build/universal/Snapmaker_Orca_dmg/Applications
hdiutil create -volname "Snapmaker_Orca" -srcfolder ${{ github.workspace }}/build/universal/Snapmaker_Orca_dmg -ov -format UDZO "${{ github.workspace }}/Snapmaker_Orca_Mac_universal_${{ env.ver }}.dmg"
codesign --deep --force --verbose --options runtime --timestamp --entitlements ${{ github.workspace }}/scripts/disable_validation.entitlements --sign "$CERTIFICATE_ID" "${{ github.workspace }}/Snapmaker_Orca_Mac_universal_${{ env.ver }}.dmg"
# Sign DMG (DMG files should NOT have entitlements, only signature)
codesign --force --verbose --options runtime --timestamp --sign "$CERTIFICATE_ID" "${{ github.workspace }}/Snapmaker_Orca_Mac_universal_${{ env.ver }}.dmg" || {
echo "Error: Failed to sign DMG"
exit 1
}
codesign --verify --verbose "${{ github.workspace }}/Snapmaker_Orca_Mac_universal_${{ env.ver }}.dmg" || {
echo "Error: DMG signature verification failed"
exit 1
}
# Create separate Snapmaker_Orca_profile_validator DMG if the app exists
if [ -f "${{ github.workspace }}/build/universal/Snapmaker_Orca/Snapmaker_Orca_profile_validator.app/Contents/MacOS/Snapmaker_Orca_profile_validator" ]; then
@@ -161,7 +267,15 @@ jobs:
cp -R ${{ github.workspace }}/build/universal/Snapmaker_Orca/Snapmaker_Orca_profile_validator.app ${{ github.workspace }}/build/universal/Snapmaker_Orca_profile_validator_dmg/
ln -sfn /Applications ${{ github.workspace }}/build/universal/Snapmaker_Orca_profile_validator_dmg/Applications
hdiutil create -volname "Snapmaker_Orca Profile Validator" -srcfolder ${{ github.workspace }}/build/universal/Snapmaker_Orca_profile_validator_dmg -ov -format UDZO "${{ github.workspace }}/Snapmaker_Orca_profile_validator_Mac_universal_${{ env.ver }}.dmg"
codesign --deep --force --verbose --options runtime --timestamp --entitlements ${{ github.workspace }}/scripts/disable_validation.entitlements --sign "$CERTIFICATE_ID" "${{ github.workspace }}/Snapmaker_Orca_profile_validator_Mac_universal_${{ env.ver }}.dmg"
# Sign DMG (DMG files should NOT have entitlements, only signature)
codesign --force --verbose --options runtime --timestamp --sign "$CERTIFICATE_ID" "${{ github.workspace }}/Snapmaker_Orca_profile_validator_Mac_universal_${{ env.ver }}.dmg" || {
echo "Error: Failed to sign validator DMG"
exit 1
}
codesign --verify --verbose "${{ github.workspace }}/Snapmaker_Orca_profile_validator_Mac_universal_${{ env.ver }}.dmg" || {
echo "Error: Validator DMG signature verification failed"
exit 1
}
fi
# Notarize main DMG