Merge pull request #911 from mwiencek/codesigning

macOS codesigning

.gitignore

@@ -1,5 +1,7 @@
+appledev.p12
 build
 build.cfg
+dist
 .pydevproject
 .project
 .idea

scripts/package-osx.sh

@@ -12,15 +12,37 @@ python3 setup.py build_locales
 pip3 install pyinstaller
 pyinstaller picard.spec
 
+codesign=0
+
+if [ -n "$encrypted_be5fb2212036_key" ] && [ -n "$encrypted_be5fb2212036_iv" ]; then
+    openssl aes-256-cbc -K "$encrypted_be5fb2212036_key" -iv "$encrypted_be5fb2212036_iv" -in scripts/appledev.p12.enc -out scripts/appledev.p12 -d
+fi
+
+if [ -f scripts/appledev.p12 ] && [ -n "$appledev_p12_password" ]; then
+    security create-keychain -p picard picard.keychain
+    security unlock-keychain -p picard picard.keychain
+    security list-keychains -d user -s picard.keychain
+    security default-keychain -s picard.keychain
+    # The line below may become necessary when building on Sierra.
+    # See https://stackoverflow.com/q/39868578
+    # security set-key-partition-list -S apple-tool:,apple:,codesign: -s -k picard picard.keychain
+    security import scripts/appledev.p12 -k picard.keychain -P "$appledev_p12_password" -T /usr/bin/codesign
+    security find-identity -p codesigning # For debugging
+    codesign=1
+fi
+
 cd dist
 ditto -rsrc --arch x86_64 'MusicBrainz Picard.app' 'MusicBrainz Picard.tmp'
 rm -r 'MusicBrainz Picard.app'
 mv 'MusicBrainz Picard.tmp' 'MusicBrainz Picard.app'
-hdiutil create -volname "MusicBrainz Picard $VERSION" -srcfolder 'MusicBrainz Picard.app' -ov -format UDBZ "MusicBrainz Picard $VERSION.dmg"
+[ "$codesign" = '1' ] && codesign --keychain picard.keychain --verify --verbose --deep --sign 'Developer ID Application: MetaBrainz Foundation Inc.' 'MusicBrainz Picard.app'
+dmg="MusicBrainz Picard $VERSION.dmg"
+hdiutil create -volname "MusicBrainz Picard $VERSION" -srcfolder 'MusicBrainz Picard.app' -ov -format UDBZ "$dmg"
+[ "$codesign" = '1' ] && codesign --keychain picard.keychain --verify --verbose --sign 'Developer ID Application: MetaBrainz Foundation Inc.' "$dmg"
 if [ -n "$UPLOAD_OSX" ]
 then
-    curl --upload-file "MusicBrainz Picard $VERSION.dmg" https://transfer.sh/
+    curl --upload-file "$dmg" https://transfer.sh/
     # Required for a newline between the outputs
     echo -e "\n"
-    md5 -r "MusicBrainz Picard $VERSION.dmg"
-fi
+    md5 -r "$dmg"
+fi

scripts/setup-osx.sh

@@ -1,11 +1,10 @@
 #!/usr/bin/env bash
 brew update
-brew tap samj1912/core
-brew tap-pin samj1912/core
-brew install python3
-brew link python3 --force
 brew install gettext
 brew link gettext --force
+wget "https://www.python.org/ftp/python/3.6.6/python-3.6.6-macosx10.9.pkg"
+sudo installer -pkg python-3.6.6-macosx10.9.pkg -target /
+sudo python3 -m ensurepip
 wget "ftp://ftp.musicbrainz.org/pub/musicbrainz/libdiscid/libdiscid-$DISCID_VERSION.tar.gz"
 tar -xf "libdiscid-$DISCID_VERSION.tar.gz"
 cd "libdiscid-$DISCID_VERSION"
@@ -18,4 +17,4 @@ tar -xf "chromaprint-fpcalc-$FPCALC_VERSION-macos-x86_64.tar.gz"
 cp "chromaprint-fpcalc-$FPCALC_VERSION-macos-x86_64/fpcalc" .
 pip3 install --upgrade pip setuptools wheel
 pip3 install virtualenv
-virtualenv -p python3 .
+python3 -m virtualenv -p python3 .