From 8d8e8c186cfc4c4737666830b0801c1c471d5065 Mon Sep 17 00:00:00 2001
From: Philipp Wolfer
Date: Mon, 2 Nov 2020 08:21:56 +0100
Subject: [PATCH 1/5] Create separate builds for macOS 10.12+ and 10.14+
---
 .github/workflows/package.yml | 9 ++++++---
 requirements-macos.txt => requirements-macos-10.12.txt | 0
 requirements-macos-10.14.txt | 7 +++++++
 scripts/package/macos-package-app.sh | 6 +++---
 4 files changed, 16 insertions(+), 6 deletions(-)
 rename requirements-macos.txt => requirements-macos-10.12.txt (100%)
 create mode 100644 requirements-macos-10.14.txt
diff --git a/.github/workflows/package.yml b/.github/workflows/package.yml
index dab788552..b3fe5d1d9 100644
--- a/.github/workflows/package.yml
+++ b/.github/workflows/package.yml
@@ -24,11 +24,14 @@ on:
 jobs:
 package-macos:
 runs-on: macos-10.15
+ strategy:
+ matrix:
+ macos-deployment-version: [10.12, 10.14]
 env:
 DISCID_VERSION: 0.6.2
 FPCALC_VERSION: 1.5.0
 PYTHON_VERSION: 3.7.6
- MACOSX_DEPLOYMENT_TARGET: 10.12
+ MACOSX_DEPLOYMENT_TARGET: ${{ matrix.macos-deployment-version }}
 steps:
 - uses: actions/checkout@v2
 with:
@@ -57,7 +60,7 @@ jobs:
 run: |
 python3 -m pip install --upgrade pip setuptools wheel
 pip3 install -r requirements-build.txt
- pip3 install -r requirements-macos.txt
+ pip3 install -r requirements-macos-${MACOSX_DEPLOYMENT_TARGET}.txt
 - name: Run tests
 run: |
 python3 setup.py test
@@ -86,7 +89,7 @@ jobs:
 - name: Archive production artifacts
 uses: actions/upload-artifact@v1
 with:
- name: macos-app
+ name: macos-app-${{ matrix.macos-deployment-version }}
 path: artifacts/
 package-windows:
diff --git a/requirements-macos.txt b/requirements-macos-10.12.txt
similarity index 100%
rename from requirements-macos.txt
rename to requirements-macos-10.12.txt
diff --git a/requirements-macos-10.14.txt b/requirements-macos-10.14.txt
new file mode 100644
index 000000000..c92cd4385
--- /dev/null
+++ b/requirements-macos-10.14.txt
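Review bot: In `.github/workflows/package.yml` the matrix values in `macos-deployment-version: [10.12, 10.14]` are unquoted, so YAML reads them as floats rather than version strings. These two happen to survive the round trip, but a later entry such as 10.10 would render as 10.1 and then feed both `MACOSX_DEPLOYMENT_TARGET` and the `requirements-macos-${MACOSX_DEPLOYMENT_TARGET}.txt` path built in the `@@ -57,7 +60,7 @@` hunk. Quoting keeps the value textual: `macos-deployment-version: ['10.12', '10.14']`.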
@@ -0,0 +1,7 @@
+python-dateutil==2.8.1
+discid==1.2.0
+markdown==3.2.2
+mutagen==1.45.1
+pyobjc-core==6.2.2
+pyobjc-framework-Cocoa==6.2.2
+PyQt5==5.15.2
diff --git a/scripts/package/macos-package-app.sh b/scripts/package/macos-package-app.sh
index ff564b730..ea2198262 100755
--- a/scripts/package/macos-package-app.sh
+++ b/scripts/package/macos-package-app.sh
@@ -76,10 +76,10 @@ LIBDISCID_REGEX="libdiscid [0-9]+\.[0-9]+\.[0-9]+"
 "MusicBrainz Picard.app/Contents/MacOS/fpcalc" -version
 # Package app bundle into DMG image
-if [ -n "$TRAVIS_OSX_IMAGE" ]; then
- DMG="MusicBrainz-Picard-${VERSION}_macOS-$MACOS_VERSION_MAJOR.$MACOS_VERSION_MINOR.dmg"
+if [ -n "$MACOSX_DEPLOYMENT_TARGET" ]; then
+ DMG="MusicBrainz-Picard-${VERSION}-macOS-${MACOSX_DEPLOYMENT_TARGET}.dmg"
 else
- DMG="MusicBrainz-Picard-$VERSION.dmg"
+ DMG="MusicBrainz-Picard-${VERSION}.dmg"
 fi
 mkdir staging
 mv "MusicBrainz Picard.app" staging/
From 09aa1b7467fda2b9540d21a456b50e1090ebd6f1 Mon Sep 17 00:00:00 2001
From: Philipp Wolfer
Date: Fri, 18 Dec 2020 09:22:31 +0100
Subject: [PATCH 2/5] macos: verify notarization and code signature
---
 scripts/package/macos-package-app.sh | 22 ++++++++++++----------
 1 file changed, 12 insertions(+), 10 deletions(-)
diff --git a/scripts/package/macos-package-app.sh b/scripts/package/macos-package-app.sh
index ea2198262..0b08a7c0e 100755
--- a/scripts/package/macos-package-app.sh
+++ b/scripts/package/macos-package-app.sh
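Review bot: Every entry in the new `requirements-macos-10.14.txt` is pinned by version only, so the package index is still trusted for the actual file contents that end up inside the signed and notarized bundle. pip can check each download against a recorded digest when every requirement carries a `--hash=sha256:<digest>` option (placeholder, to be generated from the vetted files) and the install step runs with `--require-hashes`. In that mode pip also refuses unlisted transitive dependencies, so the file would have to enumerate them. The renamed `requirements-macos-10.12.txt` would need the same treatment to keep the two matrix builds consistent.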
@@ -47,33 +47,35 @@ fi
 cd dist
 # Create app bundle
-ditto -rsrc --arch x86_64 'MusicBrainz Picard.app' 'MusicBrainz Picard.tmp'
-rm -r 'MusicBrainz Picard.app'
-mv 'MusicBrainz Picard.tmp' 'MusicBrainz Picard.app'
+APP_BUNDLE="MusicBrainz Picard.app"
+ditto -rsrc --arch x86_64 "$APP_BUNDLE" "$APP_BUNDLE.tmp"
+rm -r "$APP_BUNDLE"
+mv "$APP_BUNDLE.tmp" "$APP_BUNDLE"
 if [ "$CODESIGN" = '1' ]; then
 # Enable hardened runtime if app will get notarized
 if [ "$NOTARIZE" = "1" ]; then
- codesign --verify --verbose --deep \
+ codesign --verbose --deep \
 --options runtime \
 --entitlements ../scripts/package/entitlements.plist \
 --keychain "$KEYCHAIN_PATH" --sign "$CERTIFICATE_NAME" \
- "MusicBrainz Picard.app"
- ../scripts/package/macos-notarize-app.sh "MusicBrainz Picard.app"
+ "$APP_BUNDLE"
+ ../scripts/package/macos-notarize-app.sh "$APP_BUNDLE"
+ codesign --verbose --deep --verbose --strict=all --check-notarization "$APP_BUNDLE"
 else
 codesign --verify --verbose --deep \
 --keychain "$KEYCHAIN_PATH" --sign "$CERTIFICATE_NAME" \
- "MusicBrainz Picard.app"
+ "$APP_BUNDLE"
 fi
 fi
 # Verify Picard executable works and required dependencies are bundled
-VERSIONS=$("MusicBrainz Picard.app/Contents/MacOS/picard-run" --long-version)
+VERSIONS=$("$APP_BUNDLE/Contents/MacOS/picard-run" --long-version)
 echo "$VERSIONS"
 ASTRCMP_REGEX="astrcmp C"
 [[ $VERSIONS =~ $ASTRCMP_REGEX ]] || (echo "Failed: Build does not include astrcmp C" && false)
 LIBDISCID_REGEX="libdiscid [0-9]+\.[0-9]+\.[0-9]+"
 [[ $VERSIONS =~ $LIBDISCID_REGEX ]] || (echo "Failed: Build does not include libdiscid" && false)
-"MusicBrainz Picard.app/Contents/MacOS/fpcalc" -version
+"$APP_BUNDLE/Contents/MacOS/fpcalc" -version
 # Package app bundle into DMG image
 if [ -n "$MACOSX_DEPLOYMENT_TARGET" ]; then
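Review bot: The new check `codesign --verbose --deep --verbose --strict=all --check-notarization "$APP_BUNDLE"` never names the verify operation and passes `--verbose` twice, so it presumably relies on codesign falling back to verification when no other operation is given. Spelling it out makes the intent reviewable: `codesign --verify --deep --strict=all --check-notarization --verbose "$APP_BUNDLE"`. The `else` branch still combines `--verify` with `--sign` and gets no verification step after signing, so the signature of a sign-only build is never checked. Whether a failed verification stops the build depends on the script's error handling (for example `set -e`), which is outside this hunk.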
@@ -82,7 +84,7 @@ else
 DMG="MusicBrainz-Picard-${VERSION}.dmg"
 fi
 mkdir staging
-mv "MusicBrainz Picard.app" staging/
+mv "$APP_BUNDLE" staging/
 # Offer a link to /Applications for easy installation
 ln -s /Applications staging/Applications
 hdiutil create -volname "MusicBrainz Picard $VERSION" \
From 293c2c730f0f258fbcdfe9da9b6108585ffd8cdd Mon Sep 17 00:00:00 2001
From: Philipp Wolfer
Date: Fri, 18 Dec 2020 09:26:00 +0100
Subject: [PATCH 3/5] macos: build with Python 3.9.1
---
 .github/workflows/package.yml | 2 +-
 requirements-build.txt | 2 +-
 scripts/package/macos-package-app.sh | 4 ++--
 3 files changed, 4 insertions(+), 4 deletions(-)
diff --git a/.github/workflows/package.yml b/.github/workflows/package.yml
index b3fe5d1d9..1b88157d6 100644
--- a/.github/workflows/package.yml
+++ b/.github/workflows/package.yml
@@ -30,7 +30,7 @@ jobs:
 env:
 DISCID_VERSION: 0.6.2
 FPCALC_VERSION: 1.5.0
- PYTHON_VERSION: 3.7.6
+ PYTHON_VERSION: 3.9.1
 MACOSX_DEPLOYMENT_TARGET: ${{ matrix.macos-deployment-version }}
 steps:
 - uses: actions/checkout@v2
diff --git a/requirements-build.txt b/requirements-build.txt
index 2b71063cb..dc6d59ef0 100644
--- a/requirements-build.txt
+++ b/requirements-build.txt
@@ -1,3 +1,3 @@
 Babel==2.6
-PyInstaller==4.0
+PyInstaller==4.1
 setuptools<45.0.0
diff --git a/scripts/package/macos-package-app.sh b/scripts/package/macos-package-app.sh
index 0b08a7c0e..cfa0c00f9 100755
--- a/scripts/package/macos-package-app.sh
+++ b/scripts/package/macos-package-app.sh
@@ -54,7 +54,7 @@ mv "$APP_BUNDLE.tmp" "$APP_BUNDLE"
 if [ "$CODESIGN" = '1' ]; then
 # Enable hardened runtime if app will get notarized
 if [ "$NOTARIZE" = "1" ]; then
- codesign --verbose --deep \
+ codesign --verbose --deep --force \
 --options runtime \
 --entitlements ../scripts/package/entitlements.plist \
 --keychain "$KEYCHAIN_PATH" --sign "$CERTIFICATE_NAME" \
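Review bot: The new `--force` on the signing call in the `@@ -54,7 +54,7 @@` hunk has no comment saying why existing signatures must be replaced; the same applies to the `else` branch in the `@@ -62,7 +62,7 @@` hunk. Combined with `--deep` it re-signs every nested binary in the bundle and discards whatever signature those files carried, which is worth stating for whoever audits the release process later. A comment above the call would do, e.g. `# --force: replace signatures already present on bundled binaries` (reason inferred from the commit's switch to Python 3.9.1; please confirm). The enclosing `if [ "$NOTARIZE" = "1" ]` block continues past the end of the hunk.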
@@ -62,7 +62,7 @@ if [ "$CODESIGN" = '1' ]; then
 ../scripts/package/macos-notarize-app.sh "$APP_BUNDLE"
 codesign --verbose --deep --verbose --strict=all --check-notarization "$APP_BUNDLE"
 else
- codesign --verify --verbose --deep \
+ codesign --verify --verbose --deep --force \
 --keychain "$KEYCHAIN_PATH" --sign "$CERTIFICATE_NAME" \
 "$APP_BUNDLE"
 fi
From 3c50b3ea4e4b183d7f62eaeb94c9369dbc21747f Mon Sep 17 00:00:00 2001
From: Philipp Wolfer
Date: Sat, 26 Dec 2020 16:41:54 +0100
Subject: [PATCH 4/5] More verbose output in macOS build script
---
 scripts/package/macos-package-app.sh | 8 +++++---
 1 file changed, 5 insertions(+), 3 deletions(-)
diff --git a/scripts/package/macos-package-app.sh b/scripts/package/macos-package-app.sh
index cfa0c00f9..0e424dd76 100755
--- a/scripts/package/macos-package-app.sh
+++ b/scripts/package/macos-package-app.sh
@@ -12,6 +12,7 @@ MACOS_VERSION_MAJOR=${MACOS_VERSION_MAJOR%.*}
 MACOS_VERSION_MINOR=${MACOS_VERSION#*.}
 MACOS_VERSION_MINOR=${MACOS_VERSION_MINOR%.*}
+echo "Building Picard..."
 rm -rf dist build locale
 python3 setup.py clean
 python3 setup.py build
@@ -26,6 +27,7 @@ CERTIFICATE_NAME="MetaBrainz Foundation Inc."
 CERTIFICATE_FILE=scripts/package/appledev.p12
 if [ -f $CERTIFICATE_FILE ] && [ -n "$CODESIGN_MACOS_P12_PASSWORD" ]; then
+ echo "Preparing code signing certificate..."
 security create-keychain -p $KEYCHAIN_PASSWORD $KEYCHAIN_PATH
 security unlock-keychain -p $KEYCHAIN_PASSWORD $KEYCHAIN_PATH
 security set-keychain-settings $KEYCHAIN_PATH # Ensure keychain stays unlocked
@@ -46,7 +48,7 @@ fi
 cd dist
-# Create app bundle
+echo "Create and sign app bundle..."
 APP_BUNDLE="MusicBrainz Picard.app"
 ditto -rsrc --arch x86_64 "$APP_BUNDLE" "$APP_BUNDLE.tmp"
 rm -r "$APP_BUNDLE"
@@ -68,7 +70,7 @@ if [ "$CODESIGN" = '1' ]; then
 fi
 fi
-# Verify Picard executable works and required dependencies are bundled
+echo "Verify Picard executable works and required dependencies are bundled..."
 VERSIONS=$("$APP_BUNDLE/Contents/MacOS/picard-run" --long-version)
 echo "$VERSIONS"
 ASTRCMP_REGEX="astrcmp C"
@@ -77,7 +79,7 @@ LIBDISCID_REGEX="libdiscid [0-9]+\.[0-9]+\.[0-9]+"
 [[ $VERSIONS =~ $LIBDISCID_REGEX ]] || (echo "Failed: Build does not include libdiscid" && false)
 "$APP_BUNDLE/Contents/MacOS/fpcalc" -version
-# Package app bundle into DMG image
+echo "Package app bundle into DMG image..."
 if [ -n "$MACOSX_DEPLOYMENT_TARGET" ]; then
 DMG="MusicBrainz-Picard-${VERSION}-macOS-${MACOSX_DEPLOYMENT_TARGET}.dmg"
 else
From 19bafa299902abcd251ae31c380a57d31dcb41a2 Mon Sep 17 00:00:00 2001
From: Philipp Wolfer
Date: Sat, 26 Dec 2020 16:53:41 +0100
Subject: [PATCH 5/5] macOS: Only test package after build if it was codesigned
Without code signing this will likely fail due to signature errors
---
 scripts/package/macos-package-app.sh | 19 +++++++++++--------
 1 file changed, 11 insertions(+), 8 deletions(-)
diff --git a/scripts/package/macos-package-app.sh b/scripts/package/macos-package-app.sh
index 0e424dd76..9e5e62d5b 100755
--- a/scripts/package/macos-package-app.sh
+++ b/scripts/package/macos-package-app.sh
@@ -70,14 +70,17 @@ if [ "$CODESIGN" = '1' ]; then
 fi
 fi
-echo "Verify Picard executable works and required dependencies are bundled..."
-VERSIONS=$("$APP_BUNDLE/Contents/MacOS/picard-run" --long-version)
-echo "$VERSIONS"
-ASTRCMP_REGEX="astrcmp C"
-[[ $VERSIONS =~ $ASTRCMP_REGEX ]] || (echo "Failed: Build does not include astrcmp C" && false)
-LIBDISCID_REGEX="libdiscid [0-9]+\.[0-9]+\.[0-9]+"
-[[ $VERSIONS =~ $LIBDISCID_REGEX ]] || (echo "Failed: Build does not include libdiscid" && false)
-"$APP_BUNDLE/Contents/MacOS/fpcalc" -version
+# Only test the app if it was codesigned, otherwise execution likely fails
+if [ "$CODESIGN" = '1' ]; then
+ echo "Verify Picard executable works and required dependencies are bundled..."
+ VERSIONS=$("$APP_BUNDLE/Contents/MacOS/picard-run" --long-version)
+ echo "$VERSIONS"
+ ASTRCMP_REGEX="astrcmp C"
+ [[ $VERSIONS =~ $ASTRCMP_REGEX ]] || (echo "Failed: Build does not include astrcmp C" && false)
+ LIBDISCID_REGEX="libdiscid [0-9]+\.[0-9]+\.[0-9]+"
+ [[ $VERSIONS =~ $LIBDISCID_REGEX ]] || (echo "Failed: Build does not include libdiscid" && false)
+ "$APP_BUNDLE/Contents/MacOS/fpcalc" -version
+fi
 echo "Package app bundle into DMG image..."
 if [ -n "$MACOSX_DEPLOYMENT_TARGET" ]; then
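Review bot: When `CODESIGN` is not `1` the bundle now goes straight to DMG packaging with no smoke test and no log line saying so, which makes an untested artifact indistinguishable from a tested one in the build output. An `else` branch before the new `fi` would record the skip: `else` followed by `echo "Skipping app test: bundle is not code signed"`. The `|| (echo "Failed: ..." && false)` checks only abort the build if the script runs with errexit, which is set (or not) outside this hunk.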