From 7913d4ac04223d71fdb820beeea1c8ef4db7e186 Mon Sep 17 00:00:00 2001
From: Yuriy Puchkov
Date: Thu, 21 Jan 2021 13:43:44 +0200
Subject: [PATCH] MacOS - code signing
(cherry picked from commit 97ca4890ee6813900b17aed84444bffba2f1f079)
---
 .github/workflows/MacOS-pack.yml | 42 ++++++++++++---
 cmake/modules/MacOSXBundleInfo.plist.in | 2 +-
 packaging/macos/create_keychain.sh | 33 ++++++++++++
 packaging/macos/siqn_qtapp.sh | 72 +++++++++++++++++++++++++
 4 files changed, 140 insertions(+), 9 deletions(-)
 create mode 100755 packaging/macos/create_keychain.sh
 create mode 100755 packaging/macos/siqn_qtapp.sh
diff --git a/.github/workflows/MacOS-pack.yml b/.github/workflows/MacOS-pack.yml
index e63f6bd5..e9160ccf 100644
--- a/.github/workflows/MacOS-pack.yml
+++ b/.github/workflows/MacOS-pack.yml
@@ -22,6 +22,25 @@ jobs:
 name: macOS Catalina 10.15
 runs-on: macos-10.15
 
+ env:
+ APP_NAME: flameshot
+ DIR_BULD: build
+ DIR_PKG: build/src
+ HELPERS_SCRIPTS_PATH: ../../packaging/macos
+ # Apple developer identity, example: "Developer ID Application: (code)"
+ # Note: no signing and notarization will be be proceed if this variable is not set
+ APPLE_DEV_IDENTITY: ${{ secrets.APPLE_DEV_IDENTITY }}
+ # Apple ID user
+ APPLE_DEV_USER: ${{ secrets.APPLE_DEV_USER }}
+ # Apple ID user password
+ APPLE_DEV_PASS: ${{ secrets.APPLE_DEV_PASS }}
+ # Apple certificate with private and public keys in base64 format
+ APPLE_DEVELOPER_ID_APPLICATION_CERT_DATA: ${{ secrets.APPLE_DEVELOPER_ID_APPLICATION_CERT_DATA }}
+ # Apple certificate password
+ APPLE_DEVELOPER_ID_APPLICATION_CERT_PASS: ${{ secrets.APPLE_DEVELOPER_ID_APPLICATION_CERT_PASS }}
+ # Any temporary password for keychain, which will be created on github actions CI
+ APPLE_TEMP_CI_KEYCHAIN_PASS: ${{ secrets.APPLE_TEMP_CI_KEYCHAIN_PASS }}
+
 steps:
 - name: Checkout Source code
 uses: actions/checkout@v1
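Review bot: Declaring all six secrets in the job-level `env` hands every one of them to every step of the job, including `actions/checkout@v1` and the later upload step that never read them, which is a wider exposure than the two steps that actually sign; step-level `env:` on the keychain and signing steps limits the values to where they are consumed. `DIR_BULD` looks like a typo for `DIR_BUILD` and is propagated to the Configure and Compile steps in the next hunk, so it is worth fixing before other scripts depend on it. The comment above `APPLE_DEV_IDENTITY` reads `no signing and notarization will be be proceed`; suggest `# Note: when this is unset the package is built but neither signed nor notarized`.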
@@ -31,25 +50,32 @@ jobs:
 
 - name: Configure
 run: |
- mkdir build
+ mkdir -p "${DIR_BULD}"
 cd build
 rm -rf ./src/flameshot.dmg ./src/flameshot.app/
 cmake .. -DQt5_DIR=$(brew --prefix qt5)/lib/cmake/Qt5
 
 - name: Compile
 run: |
- cd build
+ cd "${DIR_BULD}"
 make
 
+ - name: Create key-chain and import certificate
+ run: |
+ cd "${DIR_PKG}"
+ ${HELPERS_SCRIPTS_PATH}/create_keychain.sh flameshot
+
 - name: Build dmg package
 run: |
- cd build/src
- /usr/local/opt/qt5/bin/macdeployqt flameshot.app -dmg
+ cd "${DIR_PKG}"
+ ${HELPERS_SCRIPTS_PATH}/siqn_qtapp.sh flameshot
 
- - name: Update dmg package links
- run: |
- cd build/src
- ../../packaging/macos/update_package.sh
+# /usr/local/opt/qt5/bin/macdeployqt flameshot.app -dmg
+
+# - name: Update dmg package links
+# run: |
+# cd build/src
+# ../../packaging/macos/update_package.sh
 
 - name: Upload dmg package
 shell: bash
diff --git a/cmake/modules/MacOSXBundleInfo.plist.in b/cmake/modules/MacOSXBundleInfo.plist.in
index 8072a17c..4e895a8e 100644
--- a/cmake/modules/MacOSXBundleInfo.plist.in
+++ b/cmake/modules/MacOSXBundleInfo.plist.in
@@ -11,7 +11,7 @@
 CFBundleIconFile
 flameshot
 CFBundleIdentifier
- https://flameshot.org/
+ https://github.com/namecheap/flameshot/releases/latest
 CFBundleInfoDictionaryVersion
 6.0
 CFBundleName
diff --git a/packaging/macos/create_keychain.sh b/packaging/macos/create_keychain.sh
new file mode 100755
index 00000000..24eeb9ca
--- /dev/null
+++ b/packaging/macos/create_keychain.sh
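Review bot: The two new steps call `create_keychain.sh flameshot` and `siqn_qtapp.sh flameshot` with a positional argument that neither script reads — both take `APP_NAME` from the environment, as their header comments state — while `APP_NAME: flameshot` already exists in the job env, so the literal is a second copy that can drift. Dropping the argument, or passing `"${APP_NAME}"`, removes the duplication; for the same reason the Configure step's `cd build` should become `cd "${DIR_BULD}"` like the `mkdir -p` line two lines above it, otherwise changing the variable breaks the step. The commented-out `macdeployqt` and `Update dmg package links` lines are dead text in a workflow file and are better deleted, since git history already keeps them.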
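Review bot: The new `CFBundleIdentifier` value is a URL, which Apple's bundle-identifier rules do not allow (only alphanumerics, hyphens and periods, conventionally reverse-DNS), and it does not match the `org.namecheap.flameshot` identifier that siqn_qtapp.sh passes as `--primary-bundle-id`; `codesign` derives the signature's identifier from this key, so the two should agree once signing is introduced. The previous value was already a URL, so this line does not make things worse, but a single reverse-DNS id such as `org.namecheap.flameshot` set here and reused by the script would avoid a mismatch between the signed bundle and the notarization request.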
@@ -0,0 +1,33 @@
+#!/bin/bash
+# Inspired by
+# https://localazy.com/blog/how-to-automatically-sign-macos-apps-using-github-actions
+
+TEMP_CI_CERT_FILENAME="temp_ci_appleDistribution.p12"
+
+# Get the following variables from MacOS-pack.yaml:
+# APP_NAME
+# APPLE_DEV_IDENTITY
+# APPLE_DEVELOPER_ID_APPLICATION_CERT_PASS
+# APPLE_DEVELOPER_ID_APPLICATION_CERT_DATA
+# APPLE_TEMP_CI_KEYCHAIN_PASS
+
+# For the Community (if no Apple Developer ID available)
+if [[ "${APPLE_DEV_IDENTITY}" == "" ]]; then
+ echo "WARNING: No credentials for signing found"
+ echo "WARNING: Cannot create keychain for signing"
+ echo "WARNING: dmg package won't be signed and notarized"
+ exit 0
+fi
+
+# create keychain
+security create-keychain -p "${APPLE_TEMP_CI_KEYCHAIN_PASS}" build.keychain
+security default-keychain -s build.keychain
+security unlock-keychain -p "${APPLE_TEMP_CI_KEYCHAIN_PASS}" build.keychain
+
+# import certificate
+[ -r "${TEMP_CI_CERT_FILENAME}" ] && rm ${TEMP_CI_CERT_FILENAME}
+echo "${APPLE_DEVELOPER_ID_APPLICATION_CERT_DATA}" | base64 --decode > "${TEMP_CI_CERT_FILENAME}"
+security import "${TEMP_CI_CERT_FILENAME}" -P "${APPLE_DEVELOPER_ID_APPLICATION_CERT_PASS}" -k build.keychain -T /usr/bin/codesign
+[ -r "${TEMP_CI_CERT_FILENAME}" ] && rm ${TEMP_CI_CERT_FILENAME}
+security find-identity -v
+security set-key-partition-list -S apple-tool:,apple:,codesign: -s -k "${APPLE_TEMP_CI_KEYCHAIN_PASS}" build.keychain
diff --git a/packaging/macos/siqn_qtapp.sh b/packaging/macos/siqn_qtapp.sh
new file mode 100755
index 00000000..bcd36874
--- /dev/null
+++ b/packaging/macos/siqn_qtapp.sh
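Review bot: Nothing in the script fails the step when `base64 --decode` or `security import` rejects the certificate data or password, because there is no `set -e` and no exit status is checked; the job then continues and the problem only surfaces later as an unrelated `codesign` error in siqn_qtapp.sh. Adding `set -euo pipefail` after the shebang is enough for the `security` calls (the `[ -r … ] && rm …` guards survive errexit, though the `rm` operand should be quoted as `rm "${TEMP_CI_CERT_FILENAME}"`). The decoded `.p12` is written into the current directory (build/src per the workflow) and `build.keychain` is made the default keychain and never removed; a GitHub-hosted runner discards that with the VM, but a self-hosted runner would keep the signing key and the changed default keychain, so a cleanup step running `security delete-keychain build.keychain` with `if: always()` is worth adding.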
@@ -0,0 +1,72 @@
+#!/bin/bash
+# Inspired by
+# https://localazy.com/blog/how-to-automatically-sign-macos-apps-using-github-actions
+# https://forum.qt.io/topic/96652/how-to-notarize-qt-application-on-macos/18
+
+# Get the following variables from the MacOS-pack.yaml:
+# APP_NAME
+# APPLE_DEV_IDENTITY
+# APPLE_DEV_USER
+# APPLE_DEV_PASS
+
+# For the Community (if no Apple Developer ID available)
+if [[ "${APPLE_DEV_IDENTITY}" == "" ]]; then
+ echo "WARNING: No credentials for signing found"
+ echo "WARNING: dmg package won't be signed and notarized"
+ echo "--> Start packaging process"
+ "$(brew --prefix qt5)/bin/macdeployqt" "${APP_NAME}.app" -dmg
+ echo "--> Update dmg package links"
+ "./${HELPERS_SCRIPTS_PATH}/update_package.sh"
+ exit 0
+fi
+
+echo "--> Start application signing process"
+codesign --sign "${APPLE_DEV_IDENTITY}" --verbose --deep ${APP_NAME}.app
+
+echo "--> Start packaging process"
+"$(brew --prefix qt5)/bin/macdeployqt" "${APP_NAME}.app" -dmg -sign-for-notarization="${APPLE_DEV_IDENTITY}"
+
+echo "--> Update dmg package links"
+"./${HELPERS_SCRIPTS_PATH}/update_package.sh"
+
+echo "--> Start dmg signing process"
+codesign --sign "${APPLE_DEV_IDENTITY}" --verbose --deep "${APP_NAME}.dmg"
+
+echo "--> Start Notarization process"
+response=$(xcrun altool -t osx -f "${APP_NAME}.dmg" --primary-bundle-id "org.namecheap.${APP_NAME}" --notarize-app -u "${APPLE_DEV_USER}" -p "${APPLE_DEV_PASS}")
+requestUUID=$(echo "${response}" | tr ' ' '\n' | tail -1)
+
+while true; do
+ echo "--> Checking notarization status"
+ statusCheckResponse=$(xcrun altool --notarization-info "${requestUUID}" -u "${APPLE_DEV_USER}" -p "${APPLE_DEV_PASS}")
+
+ isSuccess=$(echo "${statusCheckResponse}" | grep "success")
+ isFailure=$(echo "${statusCheckResponse}" | grep "invalid")
+
+ if [[ "${isSuccess}" != "" ]]; then
+ echo "Notarization done!"
+ xcrun stapler staple "${APP_NAME}.dmg"
+ EXIT_CODE=$?
+ if [ ${EXIT_CODE} -ne 0 ]; then
+ echo "Stapler failed!"
+ exit ${EXIT_CODE}
+ fi
+ echo "Stapler done!"
+ break
+ fi
+ if [[ "${isFailure}" != "" ]]; then
+ echo "${statusCheckResponse}"
+ echo "Notarization failed"
+ exit 1
+ fi
+
+ echo "Notarization not finished yet, sleep 2m then check again..."
+ for num in {1..12}
+ do
+ sleep 10
+ echo "Elapsed: ${num}0 sec"
+ done
+done
+
+echo "--> Start verify signing process"
+codesign -dv --verbose=4 "${APP_NAME}.dmg"
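Review bot: The polling loop has no upper bound and the `requestUUID` parse is never validated, so when the `altool --notarize-app` upload fails (wrong Apple ID credentials, network error, rejected dmg) `tail -1` yields the last word of the error text and `while true` keeps querying a bogus UUID until the job's own timeout, because neither `success` nor `invalid` will ever match. Checking for an empty UUID and capping the number of status checks fixes that; `set -euo pipefail` at the top would additionally stop a failed `codesign` or `macdeployqt` from silently handing an unsigned dmg to notarization, but then the two `grep` assignments need `|| true` or a no-match would abort the loop. `altool` accepts `-p @env:APPLE_DEV_PASS`, which keeps the Apple ID password out of the process list and any `set -x` log. The earlier `codesign --sign "${APPLE_DEV_IDENTITY}" --verbose --deep ${APP_NAME}.app` line also leaves the bundle path unquoted, unlike the dmg line below it.
```shell
set -euo pipefail
# … unchanged: header comments, community (unsigned) branch, codesign/macdeployqt/update_package steps …

echo "--> Start Notarization process"
response=$(xcrun altool -t osx -f "${APP_NAME}.dmg" --primary-bundle-id "org.namecheap.${APP_NAME}" --notarize-app -u "${APPLE_DEV_USER}" -p "@env:APPLE_DEV_PASS")
requestUUID=$(echo "${response}" | sed -n 's/.*RequestUUID = //p')
if [[ -z "${requestUUID}" ]]; then
  echo "${response}"
  echo "Notarization upload failed: no RequestUUID in altool output"
  exit 1
fi

MAX_STATUS_CHECKS=30   # 30 checks x 2 min sleep = 1 h before giving up
checks=0
while true; do
  if (( ++checks > MAX_STATUS_CHECKS )); then
    echo "Notarization still pending after ${MAX_STATUS_CHECKS} checks, giving up"
    exit 1
  fi
  echo "--> Checking notarization status"
  statusCheckResponse=$(xcrun altool --notarization-info "${requestUUID}" -u "${APPLE_DEV_USER}" -p "@env:APPLE_DEV_PASS")

  # '|| true' keeps a no-match grep from tripping errexit
  isSuccess=$(echo "${statusCheckResponse}" | grep "success" || true)
  isFailure=$(echo "${statusCheckResponse}" | grep "invalid" || true)
  # … unchanged: staple-and-break on success, exit 1 on invalid, 2-minute sleep …
done
```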