native macOS codings agent orchestrator

Discover nested code during release re-signing

khoi 859df024 6d2e577f

+64 -27
+61
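--- a/.github/scripts/resign_exported_app.sh
+++ b/.github/scripts/resign_exported_app.sh
@@ -0,0 +1,61 @@
+#!/usr/bin/env bash
+set -euo pipefail
+
+: "${DEVELOPER_ID_IDENTITY_SHA:?}"
+
+export_root=${1:?}
+app_path=$(find "$export_root" -maxdepth 3 -name 'supacode.app' -print -quit)
+if [ -z "$app_path" ]; then
+echo "::error::supacode.app not found under $export_root"
+exit 1
+fi
+
+sign_path() {
+local path=$1
+local -a args=(-f -s "$DEVELOPER_ID_IDENTITY_SHA" -o runtime --timestamp -v)
+
+case "$path" in
+*.app|*.appex|*.xpc)
+args+=(--preserve-metadata=entitlements,requirements,flags)
+;;
+esac
+
+codesign "${args[@]}" "$path"
+}
+
+code_roots=(
+"$app_path/Contents/Frameworks"
+"$app_path/Contents/PlugIns"
+"$app_path/Contents/XPCServices"
+"$app_path/Contents/Library/LoginItems"
+)
+
+code_paths=()
+for root in "${code_roots[@]}"; do
+if [ ! -d "$root" ]; then
+continue
+fi
+
+while IFS= read -r -d '' path; do
+code_paths+=("$path")
+done < <(
+find "$root" \
+\( -type d \( -name '*.app' -o -name '*.appex' -o -name '*.framework' -o -name '*.xpc' \) \
+-o -type f \( -name '*.dylib' -o -perm -111 \) \) \
+-print0
+)
+done
+
+if [ "${#code_paths[@]}" -gt 0 ]; then
+while IFS=$'\t' read -r _ path; do
+sign_path "$path"
+done < <(
+for path in "${code_paths[@]}"; do
+slash_count=${path//[^\/]/}
+printf '%s\t%s\n' "${#slash_count}" "$path"
+done | sort -rn -k1,1
+)
+fi
+
+codesign -f -s "$DEVELOPER_ID_IDENTITY_SHA" -o runtime --timestamp --preserve-metadata=entitlements,requirements,flags -v "$app_path"
+codesign -vvv --deep --strict "$app_path"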
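Review bot: In `sign_path` the `--preserve-metadata=entitlements,requirements,flags` flags are added only for paths ending in `.app`, `.appex` or `.xpc`, but the `find` expression also returns each nested bundle's main executable (`-type f ... -perm -111`), and the depth sort signs that file before its enclosing bundle. If codesign keeps the bundle's signature in that executable, which appears to be the case, the first pass with `-f` and no preserve flags would discard the existing entitlements and leave nothing for the bundle pass to preserve; the workflow lines this script replaces kept entitlements on `Downloader.xpc` explicitly. This is worth confirming on a real export by running `codesign -d --entitlements -` on the nested XPC services before and after, then either skipping files under a matched bundle's `Contents/MacOS` or adding `--preserve-metadata=entitlements` to the base `args`. The script would also benefit from a header comment stating its one argument (the export root) and the required `DEVELOPER_ID_IDENTITY_SHA` variable.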
+1 -13
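--- a/.github/workflows/release-tip.yml
+++ b/.github/workflows/release-tip.yml
@@ -123,23 +123,11 @@
 run: |
 set -ex
 APP_PATH="$(find build/export -name "supacode.app" -maxdepth 3 -print -quit)"
-SPARKLE="$APP_PATH/Contents/Frameworks/Sparkle.framework/Versions/B"
-
-codesign -f -s "$DEVELOPER_ID_IDENTITY_SHA" -o runtime --timestamp -v "$SPARKLE/XPCServices/Installer.xpc"
-codesign -f -s "$DEVELOPER_ID_IDENTITY_SHA" -o runtime --timestamp --preserve-metadata=entitlements -v "$SPARKLE/XPCServices/Downloader.xpc"
-codesign -f -s "$DEVELOPER_ID_IDENTITY_SHA" -o runtime --timestamp -v "$SPARKLE/Updater.app"
-codesign -f -s "$DEVELOPER_ID_IDENTITY_SHA" -o runtime --timestamp -v "$SPARKLE/Autoupdate"
-codesign -f -s "$DEVELOPER_ID_IDENTITY_SHA" -o runtime --timestamp -v "$SPARKLE/Sparkle"
-codesign -f -s "$DEVELOPER_ID_IDENTITY_SHA" -o runtime --timestamp -v "$APP_PATH/Contents/Frameworks/Sparkle.framework"
-SENTRY_FRAMEWORK="$APP_PATH/Contents/Frameworks/Sentry.framework"
-codesign -f -s "$DEVELOPER_ID_IDENTITY_SHA" -o runtime --timestamp -v "$SENTRY_FRAMEWORK/Versions/A/Sentry"
-codesign -f -s "$DEVELOPER_ID_IDENTITY_SHA" -o runtime --timestamp -v "$SENTRY_FRAMEWORK"
-codesign -f -s "$DEVELOPER_ID_IDENTITY_SHA" -o runtime --timestamp --preserve-metadata=entitlements,requirements,flags -v "$APP_PATH"
+bash ./.github/scripts/resign_exported_app.sh build/export
 
 codesign -d --entitlements - "$APP_PATH/Contents/MacOS/supacode" 2>&1 | tee /tmp/supacode-entitlements.txt
 grep -q "com.apple.security.device.audio-input" /tmp/supacode-entitlements.txt
 
-codesign -vvv --deep --strict "$APP_PATH"
 - name: Store notarization credentials
 run: |
 echo "$APPLE_NOTARIZATION_KEY" > notarization_key.p8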
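Review bot: After the `bash ./.github/scripts/resign_exported_app.sh build/export` line, this step never asserts which identity signed the result. The only signature check left is the script's `codesign -vvv --deep --strict`, which validates the signature but does not compare it with an expected authority, while release.yml still greps for `Authority=Developer ID Application`. Since the script now signs whatever nested code it discovers, consider moving an identity check into the script so both workflows get it, for example a per-path `codesign -dv --verbose=4 "$path" 2>&1 | grep -F "Authority=Developer ID Application"`. The step's `- name:` line is outside the visible hunk.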
+2 -14
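--- a/.github/workflows/release.yml
+++ b/.github/workflows/release.yml
@@ -111,28 +111,16 @@
 </plist>
 EOF
 make export-archive
-- name: Re-sign Sparkle framework
+- name: Re-sign frameworks
 run: |
 set -ex
 APP_PATH="$(find build/export -name "supacode.app" -maxdepth 3 -print -quit)"
 SPARKLE="$APP_PATH/Contents/Frameworks/Sparkle.framework/Versions/B"
-
-echo "Using identity: $DEVELOPER_ID_IDENTITY"
-codesign -f -s "$DEVELOPER_ID_IDENTITY_SHA" -o runtime --timestamp -v "$SPARKLE/XPCServices/Installer.xpc"
-codesign -f -s "$DEVELOPER_ID_IDENTITY_SHA" -o runtime --timestamp --preserve-metadata=entitlements -v "$SPARKLE/XPCServices/Downloader.xpc"
-codesign -f -s "$DEVELOPER_ID_IDENTITY_SHA" -o runtime --timestamp -v "$SPARKLE/Updater.app"
-codesign -f -s "$DEVELOPER_ID_IDENTITY_SHA" -o runtime --timestamp -v "$SPARKLE/Autoupdate"
-codesign -f -s "$DEVELOPER_ID_IDENTITY_SHA" -o runtime --timestamp -v "$SPARKLE/Sparkle"
-codesign -f -s "$DEVELOPER_ID_IDENTITY_SHA" -o runtime --timestamp -v "$APP_PATH/Contents/Frameworks/Sparkle.framework"
-SENTRY_FRAMEWORK="$APP_PATH/Contents/Frameworks/Sentry.framework"
-codesign -f -s "$DEVELOPER_ID_IDENTITY_SHA" -o runtime --timestamp -v "$SENTRY_FRAMEWORK/Versions/A/Sentry"
-codesign -f -s "$DEVELOPER_ID_IDENTITY_SHA" -o runtime --timestamp -v "$SENTRY_FRAMEWORK"
-codesign -f -s "$DEVELOPER_ID_IDENTITY_SHA" -o runtime --timestamp --preserve-metadata=entitlements,requirements,flags -v "$APP_PATH"
+bash ./.github/scripts/resign_exported_app.sh build/export
 
 codesign -d --entitlements - "$APP_PATH/Contents/MacOS/supacode" 2>&1 | tee /tmp/supacode-entitlements.txt
 grep -q "com.apple.security.device.audio-input" /tmp/supacode-entitlements.txt
 
-codesign -vvv --deep --strict "$APP_PATH"
 codesign -dv --verbose=4 "$APP_PATH" 2>&1 | grep -E "Authority=Developer ID Application|Timestamp="
 codesign -dv --verbose=4 "$APP_PATH/Contents/MacOS/supacode" 2>&1 | grep -E "Authority=Developer ID Application|Timestamp="
 codesign -dv --verbose=4 "$SPARKLE/Updater.app/Contents/MacOS/Updater" 2>&1 | grep -E "Authority=Developer ID Application|Timestamp="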
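Review bot: The three `grep -E "Authority=Developer ID Application|Timestamp="` checks kept at the end of this step succeed when either alternative matches, so output carrying a `Timestamp=` line but a different authority would still pass. With signing now delegated to the discovery script, these greps are the step's only identity assertion and cover just the app, its main executable and Sparkle's Updater. Making both patterns mandatory would close the gap, e.g. `out=$(codesign -dv --verbose=4 "$APP_PATH" 2>&1)` followed by `grep -F "Authority=Developer ID Application" <<<"$out"` and `grep -F "Timestamp=" <<<"$out"`. The `run:` block begins above the hunk (the heredoc ending in `EOF` belongs to the previous step), so any further checks outside the visible lines are not covered by this note.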