501 lines
16 KiB
Bash
Executable File
501 lines
16 KiB
Bash
Executable File
#!/bin/bash
|
|
set -e
|
|
|
|
# Load environment variables from .env file
|
|
if [ -f .env ]; then
|
|
export $(grep -v '^#' .env | xargs)
|
|
fi
|
|
|
|
# Validate required code signing and notarization credentials
|
|
echo "🔐 Validating credentials..."
|
|
MISSING_CREDS=()
|
|
|
|
if [ -z "$DEVELOPER_ID_APPLICATION" ]; then
|
|
MISSING_CREDS+=("DEVELOPER_ID_APPLICATION")
|
|
fi
|
|
|
|
if [ -z "$NOTARY_KEYCHAIN_PROFILE" ]; then
|
|
MISSING_CREDS+=("NOTARY_KEYCHAIN_PROFILE")
|
|
fi
|
|
|
|
if [ -z "$APPLE_TEAM_ID" ]; then
|
|
MISSING_CREDS+=("APPLE_TEAM_ID")
|
|
fi
|
|
|
|
if [ ${#MISSING_CREDS[@]} -gt 0 ]; then
|
|
echo "❌ ERROR: Missing required credentials in .env file:"
|
|
for cred in "${MISSING_CREDS[@]}"; do
|
|
echo " - $cred"
|
|
done
|
|
echo ""
|
|
echo "Required environment variables:"
|
|
echo " DEVELOPER_ID_APPLICATION='Developer ID Application: Your Name (TEAM_ID)'"
|
|
echo " APPLE_TEAM_ID='XXXXXXXXXX'"
|
|
echo " NOTARY_KEYCHAIN_PROFILE='notary-profile'"
|
|
echo ""
|
|
echo "Setup instructions:"
|
|
echo " 1. Find your Developer ID certificate:"
|
|
echo " security find-identity -v -p codesigning"
|
|
echo ""
|
|
echo " 2. Store notarization credentials in keychain (one-time setup):"
|
|
echo " xcrun notarytool store-credentials \"notary-profile\" \\"
|
|
echo " --apple-id \"your@email.com\" \\"
|
|
echo " --team-id \"TEAM_ID\""
|
|
echo ""
|
|
echo " You'll be prompted for an app-specific password."
|
|
echo " Generate one at: https://appleid.apple.com/account/manage"
|
|
echo ""
|
|
echo " 3. Set NOTARY_KEYCHAIN_PROFILE='notary-profile' in .env"
|
|
exit 1
|
|
fi
|
|
|
|
# Verify keychain profile exists
|
|
echo "🔍 Verifying keychain profile..."
|
|
if ! xcrun notarytool history --keychain-profile "$NOTARY_KEYCHAIN_PROFILE" &>/dev/null; then
|
|
echo "❌ ERROR: Keychain profile '$NOTARY_KEYCHAIN_PROFILE' not found or invalid"
|
|
echo ""
|
|
echo "Create the profile with:"
|
|
echo " xcrun notarytool store-credentials \"$NOTARY_KEYCHAIN_PROFILE\" \\"
|
|
echo " --apple-id \"your@email.com\" \\"
|
|
echo " --team-id \"$APPLE_TEAM_ID\""
|
|
exit 1
|
|
fi
|
|
|
|
echo "✅ All credentials validated"
|
|
|
|
# Extract version from Xcode project (Release configuration)
|
|
PROJECT_FILE="Gaze.xcodeproj/project.pbxproj"
|
|
VERSION=$(grep -A 1 "MARKETING_VERSION" "$PROJECT_FILE" | grep -o '[0-9]\+\.[0-9]\+\.[0-9]\+' | head -1)
|
|
BUILD_NUMBER=$(grep -A 1 "CURRENT_PROJECT_VERSION" "$PROJECT_FILE" | grep -o '[0-9]\+' | head -1)
|
|
|
|
# Fallback to manual values if extraction fails
|
|
if [ -z "$VERSION" ]; then
|
|
echo "⚠️ Could not extract MARKETING_VERSION from project, using fallback"
|
|
VERSION="0.2.0"
|
|
fi
|
|
|
|
if [ -z "$BUILD_NUMBER" ]; then
|
|
echo "⚠️ Could not extract CURRENT_PROJECT_VERSION from project, using fallback"
|
|
BUILD_NUMBER="1"
|
|
fi
|
|
|
|
echo "📦 Building Gaze v${VERSION} (build ${BUILD_NUMBER}) for distribution"
|
|
|
|
RELEASES_DIR="./releases"
|
|
ARCHIVE_PATH="./build/Gaze.xcarchive"
|
|
EXPORT_PATH="./build/export"
|
|
APPCAST_OUTPUT="${RELEASES_DIR}/appcast.xml"
|
|
FEED_URL="https://freno.me/api/Gaze/appcast.xml"
|
|
DOWNLOAD_URL_PREFIX="https://freno.me/api/downloads/"
|
|
DMG_NAME="Gaze-${VERSION}.dmg"
|
|
|
|
# Find Sparkle generate_appcast tool
|
|
SPARKLE_BIN=$(find ~/Library/Developer/Xcode/DerivedData/Gaze-* -path "*/artifacts/sparkle/Sparkle/bin" -type d 2>/dev/null | head -1)
|
|
if [ -z "$SPARKLE_BIN" ]; then
|
|
echo "⚠️ Warning: Sparkle bin directory not found"
|
|
echo "Appcast generation will be skipped"
|
|
SPARKLE_BIN=""
|
|
fi
|
|
|
|
# Create build and releases directories
|
|
mkdir -p "$RELEASES_DIR"
|
|
mkdir -p "$(dirname "$ARCHIVE_PATH")"
|
|
|
|
# Clean previous builds
|
|
echo ""
|
|
echo "🧹 Cleaning previous builds..."
|
|
rm -rf "$ARCHIVE_PATH"
|
|
rm -rf "$EXPORT_PATH"
|
|
rm -f "$DMG_NAME"
|
|
|
|
# Step 1: Archive the application
|
|
echo ""
|
|
echo "📦 Creating archive..."
|
|
xcodebuild archive \
|
|
-project Gaze.xcodeproj \
|
|
-scheme Gaze \
|
|
-configuration Release \
|
|
-archivePath "$ARCHIVE_PATH" \
|
|
CODE_SIGN_IDENTITY="$DEVELOPER_ID_APPLICATION" \
|
|
CODE_SIGN_STYLE=Manual \
|
|
DEVELOPMENT_TEAM="$APPLE_TEAM_ID" \
|
|
| xcpretty || xcodebuild archive \
|
|
-project Gaze.xcodeproj \
|
|
-scheme Gaze \
|
|
-configuration Release \
|
|
-archivePath "$ARCHIVE_PATH" \
|
|
CODE_SIGN_IDENTITY="$DEVELOPER_ID_APPLICATION" \
|
|
CODE_SIGN_STYLE=Manual \
|
|
DEVELOPMENT_TEAM="$APPLE_TEAM_ID"
|
|
|
|
if [ ! -d "$ARCHIVE_PATH" ]; then
|
|
echo "❌ ERROR: Archive creation failed"
|
|
exit 1
|
|
fi
|
|
|
|
echo "✅ Archive created successfully"
|
|
|
|
# Step 2: Create exportOptions.plist
|
|
echo ""
|
|
echo "📝 Creating export options..."
|
|
cat > /tmp/exportOptions.plist <<EOF
|
|
<?xml version="1.0" encoding="UTF-8"?>
|
|
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
|
|
<plist version="1.0">
|
|
<dict>
|
|
<key>method</key>
|
|
<string>developer-id</string>
|
|
<key>signingStyle</key>
|
|
<string>manual</string>
|
|
<key>teamID</key>
|
|
<string>$APPLE_TEAM_ID</string>
|
|
<key>signingCertificate</key>
|
|
<string>Developer ID Application</string>
|
|
<key>stripSwiftSymbols</key>
|
|
<true/>
|
|
<key>uploadSymbols</key>
|
|
<true/>
|
|
</dict>
|
|
</plist>
|
|
EOF
|
|
|
|
# Step 3: Export the archive
|
|
echo ""
|
|
echo "📤 Exporting signed application..."
|
|
xcodebuild -exportArchive \
|
|
-archivePath "$ARCHIVE_PATH" \
|
|
-exportPath "$EXPORT_PATH" \
|
|
-exportOptionsPlist /tmp/exportOptions.plist \
|
|
| xcpretty || xcodebuild -exportArchive \
|
|
-archivePath "$ARCHIVE_PATH" \
|
|
-exportPath "$EXPORT_PATH" \
|
|
-exportOptionsPlist /tmp/exportOptions.plist
|
|
|
|
if [ ! -d "$EXPORT_PATH/Gaze.app" ]; then
|
|
echo "❌ ERROR: Export failed - Gaze.app not found"
|
|
exit 1
|
|
fi
|
|
|
|
echo "✅ Application exported and signed"
|
|
|
|
# Step 4: Verify code signature
|
|
echo ""
|
|
echo "🔍 Verifying code signature..."
|
|
codesign --verify --deep --strict --verbose=2 "$EXPORT_PATH/Gaze.app"
|
|
if [ $? -eq 0 ]; then
|
|
echo "✅ Code signature valid"
|
|
else
|
|
echo "❌ ERROR: Code signature verification failed"
|
|
exit 1
|
|
fi
|
|
|
|
# Show signature details
|
|
echo ""
|
|
echo "📋 Signature details:"
|
|
codesign -dv --verbose=4 "$EXPORT_PATH/Gaze.app" 2>&1 | grep -E "Authority|TeamIdentifier|Identifier"
|
|
|
|
# Step 5: Create ZIP archive for notarization
|
|
echo ""
|
|
echo "📦 Creating ZIP archive for notarization..."
|
|
APP_ZIP="/tmp/Gaze-notarize.zip"
|
|
rm -f "$APP_ZIP"
|
|
ditto -c -k --keepParent "$EXPORT_PATH/Gaze.app" "$APP_ZIP"
|
|
|
|
if [ ! -f "$APP_ZIP" ]; then
|
|
echo "❌ ERROR: Failed to create ZIP archive"
|
|
exit 1
|
|
fi
|
|
|
|
echo "✅ ZIP archive created"
|
|
|
|
# Step 6: Notarize the application
|
|
echo ""
|
|
echo "🔐 Submitting application for notarization..."
|
|
NOTARIZE_OUTPUT=$(xcrun notarytool submit "$APP_ZIP" \
|
|
--keychain-profile "$NOTARY_KEYCHAIN_PROFILE" \
|
|
--wait \
|
|
--timeout 30m 2>&1)
|
|
|
|
echo "$NOTARIZE_OUTPUT"
|
|
|
|
if echo "$NOTARIZE_OUTPUT" | grep -q "status: Accepted"; then
|
|
echo "✅ Application notarization accepted"
|
|
|
|
# Extract submission ID for logging
|
|
SUBMISSION_ID=$(echo "$NOTARIZE_OUTPUT" | grep "id:" | head -1 | awk '{print $2}')
|
|
echo " Submission ID: $SUBMISSION_ID"
|
|
else
|
|
echo "❌ ERROR: Application notarization failed"
|
|
echo ""
|
|
echo "Notarization output:"
|
|
echo "$NOTARIZE_OUTPUT"
|
|
exit 1
|
|
fi
|
|
|
|
# Clean up temporary ZIP
|
|
rm -f "$APP_ZIP"
|
|
|
|
# Step 7: Staple notarization ticket to app
|
|
echo ""
|
|
echo "📎 Stapling notarization ticket to application..."
|
|
xcrun stapler staple "$EXPORT_PATH/Gaze.app"
|
|
if [ $? -eq 0 ]; then
|
|
echo "✅ Notarization ticket stapled to application"
|
|
else
|
|
echo "❌ ERROR: Failed to staple notarization ticket"
|
|
exit 1
|
|
fi
|
|
|
|
# Step 8: Verify with Gatekeeper
|
|
echo ""
|
|
echo "🔍 Verifying Gatekeeper acceptance..."
|
|
spctl --assess --type execute --verbose=4 "$EXPORT_PATH/Gaze.app" 2>&1
|
|
if [ $? -eq 0 ]; then
|
|
echo "✅ Application passes Gatekeeper verification"
|
|
else
|
|
echo "⚠️ Warning: Gatekeeper assessment returned non-zero status"
|
|
echo " This may be expected for some configurations"
|
|
fi
|
|
|
|
# Step 9: Create DMG from notarized app
|
|
echo ""
|
|
echo "💿 Creating DMG..."
|
|
create-dmg \
|
|
--volname "Gaze Installer" \
|
|
--eula "./LICENSE" \
|
|
--window-pos 200 120 \
|
|
--window-size 600 400 \
|
|
--icon-size 100 \
|
|
--background "./dmg_background.png" \
|
|
--icon "Gaze.app" 160 200 \
|
|
--app-drop-link 440 200 \
|
|
"$DMG_NAME" \
|
|
"$EXPORT_PATH/Gaze.app"
|
|
|
|
if [ ! -f "$DMG_NAME" ]; then
|
|
echo "❌ ERROR: DMG creation failed"
|
|
exit 1
|
|
fi
|
|
|
|
echo "✅ DMG created successfully"
|
|
|
|
# Step 10: Sign the DMG
|
|
echo ""
|
|
echo "🔏 Signing DMG..."
|
|
codesign --sign "$DEVELOPER_ID_APPLICATION" \
|
|
--timestamp \
|
|
--options runtime \
|
|
--force \
|
|
"$DMG_NAME"
|
|
|
|
if [ $? -eq 0 ]; then
|
|
echo "✅ DMG signed successfully"
|
|
else
|
|
echo "❌ ERROR: DMG signing failed"
|
|
exit 1
|
|
fi
|
|
|
|
# Verify DMG signature
|
|
codesign --verify --deep --strict --verbose=2 "$DMG_NAME"
|
|
if [ $? -eq 0 ]; then
|
|
echo "✅ DMG signature valid"
|
|
else
|
|
echo "❌ ERROR: DMG signature verification failed"
|
|
exit 1
|
|
fi
|
|
|
|
# Step 11: Notarize the DMG
|
|
echo ""
|
|
echo "🔐 Submitting DMG for notarization..."
|
|
DMG_NOTARIZE_OUTPUT=$(xcrun notarytool submit "$DMG_NAME" \
|
|
--keychain-profile "$NOTARY_KEYCHAIN_PROFILE" \
|
|
--wait \
|
|
--timeout 30m 2>&1)
|
|
|
|
echo "$DMG_NOTARIZE_OUTPUT"
|
|
|
|
if echo "$DMG_NOTARIZE_OUTPUT" | grep -q "status: Accepted"; then
|
|
echo "✅ DMG notarization accepted"
|
|
|
|
# Extract submission ID for logging
|
|
DMG_SUBMISSION_ID=$(echo "$DMG_NOTARIZE_OUTPUT" | grep "id:" | head -1 | awk '{print $2}')
|
|
echo " Submission ID: $DMG_SUBMISSION_ID"
|
|
else
|
|
echo "❌ ERROR: DMG notarization failed"
|
|
echo ""
|
|
echo "Notarization output:"
|
|
echo "$DMG_NOTARIZE_OUTPUT"
|
|
exit 1
|
|
fi
|
|
|
|
# Step 12: Staple notarization ticket to DMG
|
|
echo ""
|
|
echo "📎 Stapling notarization ticket to DMG..."
|
|
xcrun stapler staple "$DMG_NAME"
|
|
if [ $? -eq 0 ]; then
|
|
echo "✅ Notarization ticket stapled to DMG"
|
|
else
|
|
echo "❌ ERROR: Failed to staple notarization ticket to DMG"
|
|
exit 1
|
|
fi
|
|
|
|
# Step 13: Final verification
|
|
echo ""
|
|
echo "🔍 Final DMG verification..."
|
|
spctl --assess --type open --context context:primary-signature --verbose=4 "$DMG_NAME" 2>&1
|
|
if [ $? -eq 0 ]; then
|
|
echo "✅ DMG passes all Gatekeeper checks"
|
|
else
|
|
echo "⚠️ Warning: Gatekeeper assessment returned non-zero status"
|
|
echo " This may be expected for disk images"
|
|
fi
|
|
|
|
# Copy DMG to releases directory
|
|
echo "Moving DMG to releases directory..."
|
|
mv "$DMG_NAME" "$RELEASES_DIR/"
|
|
|
|
# Generate appcast if Sparkle tools are available
|
|
if [ -n "$SPARKLE_BIN" ] && [ -d "$SPARKLE_BIN" ]; then
|
|
echo ""
|
|
echo "Generating appcast..."
|
|
|
|
# Check for private key (Keychain or file)
|
|
PRIVATE_KEY_FILE="$HOME/sparkle_private_key_backup.pem"
|
|
KEY_OPTION=""
|
|
|
|
if [ -f "$PRIVATE_KEY_FILE" ]; then
|
|
echo "Using private key from: $PRIVATE_KEY_FILE"
|
|
KEY_OPTION="--ed-key-file $PRIVATE_KEY_FILE"
|
|
else
|
|
echo "Using private key from Keychain (account: ed25519)"
|
|
KEY_OPTION="--account ed25519"
|
|
fi
|
|
|
|
# Generate appcast with download URL prefix and key
|
|
"$SPARKLE_BIN/generate_appcast" \
|
|
--download-url-prefix "$DOWNLOAD_URL_PREFIX" \
|
|
$KEY_OPTION \
|
|
"$RELEASES_DIR"
|
|
|
|
# Verify appcast was generated
|
|
if [ -f "$APPCAST_OUTPUT" ]; then
|
|
echo "✅ Appcast generated successfully"
|
|
echo "📋 Appcast location: $APPCAST_OUTPUT"
|
|
|
|
# Check for signature - if missing, add it manually
|
|
if grep -q "edSignature" "$APPCAST_OUTPUT"; then
|
|
echo "✅ EdDSA signature verified in appcast"
|
|
else
|
|
echo "⚠️ No signature found, generating manually with sign_update..."
|
|
|
|
# Get signature for the DMG
|
|
SIGNATURE_OUTPUT=$("$SPARKLE_BIN/sign_update" "$RELEASES_DIR/$DMG_NAME" 2>&1)
|
|
|
|
if echo "$SIGNATURE_OUTPUT" | grep -q "edSignature"; then
|
|
# Extract the signature
|
|
ED_SIGNATURE=$(echo "$SIGNATURE_OUTPUT" | grep -o 'sparkle:edSignature="[^"]*"' | sed 's/sparkle:edSignature="\([^"]*\)"/\1/')
|
|
FILE_LENGTH=$(echo "$SIGNATURE_OUTPUT" | grep -o 'length="[^"]*"' | sed 's/length="\([^"]*\)"/\1/')
|
|
|
|
echo "✅ Generated signature: ${ED_SIGNATURE:0:20}..."
|
|
|
|
# Add signature to appcast XML
|
|
# Find the enclosure line and add sparkle:edSignature attribute
|
|
sed -i '' "s|<enclosure url=\"${DOWNLOAD_URL_PREFIX}$DMG_NAME\" length=\"[0-9]*\"|<enclosure url=\"${DOWNLOAD_URL_PREFIX}$DMG_NAME\" sparkle:edSignature=\"$ED_SIGNATURE\" length=\"$FILE_LENGTH\"|g" "$APPCAST_OUTPUT"
|
|
|
|
# Verify signature was added
|
|
if grep -q "edSignature" "$APPCAST_OUTPUT"; then
|
|
echo "✅ EdDSA signature added to appcast"
|
|
else
|
|
echo "❌ ERROR: Failed to add signature to appcast!"
|
|
exit 1
|
|
fi
|
|
else
|
|
echo "❌ ERROR: Failed to generate signature with sign_update"
|
|
echo "Output: $SIGNATURE_OUTPUT"
|
|
exit 1
|
|
fi
|
|
fi
|
|
else
|
|
echo "❌ Failed to generate appcast"
|
|
exit 1
|
|
fi
|
|
else
|
|
echo ""
|
|
echo "⚠️ Skipping appcast generation (Sparkle tools not found)"
|
|
echo "To generate appcast manually, run:"
|
|
echo " ./generate_appcast --ed-key-file ~/sparkle_private_key_backup.pem --download-url-prefix '$DOWNLOAD_URL_PREFIX' '$RELEASES_DIR'"
|
|
fi
|
|
|
|
# Upload to AWS S3 if environment variables are set
|
|
if [ -n "$AWS_ACCESS_KEY_ID" ] && [ -n "$AWS_SECRET_ACCESS_KEY" ] && [ -n "$AWS_BUCKET_NAME" ] && [ -n "$AWS_REGION" ]; then
|
|
echo ""
|
|
echo "Uploading to S3 bucket: $AWS_BUCKET_NAME..."
|
|
|
|
# Export AWS credentials for aws-cli
|
|
export AWS_ACCESS_KEY_ID="$AWS_ACCESS_KEY_ID"
|
|
export AWS_SECRET_ACCESS_KEY="$AWS_SECRET_ACCESS_KEY"
|
|
export AWS_DEFAULT_REGION="$AWS_REGION"
|
|
|
|
# Upload all DMG files in releases directory
|
|
echo "Uploading DMG files..."
|
|
for dmg_file in "$RELEASES_DIR"/*.dmg; do
|
|
if [ -f "$dmg_file" ]; then
|
|
dmg_basename=$(basename "$dmg_file")
|
|
echo " Uploading $dmg_basename..."
|
|
aws s3 cp "$dmg_file" "s3://$AWS_BUCKET_NAME/downloads/$dmg_basename" --region "$AWS_REGION"
|
|
fi
|
|
done
|
|
|
|
# Upload all delta files in releases directory
|
|
echo "Uploading delta files..."
|
|
for delta_file in "$RELEASES_DIR"/*.delta; do
|
|
if [ -f "$delta_file" ]; then
|
|
delta_basename=$(basename "$delta_file")
|
|
echo " Uploading $delta_basename..."
|
|
aws s3 cp "$delta_file" "s3://$AWS_BUCKET_NAME/downloads/$delta_basename" --region "$AWS_REGION"
|
|
fi
|
|
done
|
|
|
|
# Upload appcast if it exists
|
|
if [ -f "$APPCAST_OUTPUT" ]; then
|
|
echo "Uploading appcast..."
|
|
aws s3 cp "$APPCAST_OUTPUT" "s3://$AWS_BUCKET_NAME/api/Gaze/appcast.xml" --region "$AWS_REGION"
|
|
echo "✅ Appcast uploaded to S3"
|
|
fi
|
|
|
|
echo "✅ Upload complete!"
|
|
echo " DMG files: s3://$AWS_BUCKET_NAME/downloads/*.dmg"
|
|
echo " Delta files: s3://$AWS_BUCKET_NAME/downloads/*.delta"
|
|
echo " Appcast: s3://$AWS_BUCKET_NAME/api/Gaze/appcast.xml"
|
|
else
|
|
echo ""
|
|
echo "⚠️ Skipping S3 upload - AWS credentials not found in .env"
|
|
fi
|
|
|
|
echo ""
|
|
echo "━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━"
|
|
echo "✅ Release build complete and notarized!"
|
|
echo ""
|
|
echo "Release artifacts:"
|
|
echo " 📦 DMG: $RELEASES_DIR/$DMG_NAME"
|
|
if [ -f "$APPCAST_OUTPUT" ]; then
|
|
echo " 📋 Appcast: $APPCAST_OUTPUT"
|
|
fi
|
|
echo " 🏗️ Archive: $ARCHIVE_PATH"
|
|
echo " 📁 Export: $EXPORT_PATH/Gaze.app"
|
|
echo ""
|
|
echo "Verification:"
|
|
echo " ✅ Application code signed with Developer ID"
|
|
echo " ✅ Application notarized by Apple"
|
|
echo " ✅ DMG signed with Developer ID"
|
|
echo " ✅ DMG notarized by Apple"
|
|
echo " ✅ Gatekeeper approved"
|
|
echo ""
|
|
echo "Next steps:"
|
|
echo " 1. Upload DMG to: ${DOWNLOAD_URL_PREFIX}$DMG_NAME"
|
|
echo " 2. Upload appcast to: $FEED_URL"
|
|
echo " 3. Verify appcast is accessible and valid"
|
|
echo " 4. Test installation on clean macOS system"
|
|
echo " 5. Test update from previous version"
|
|
echo "━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━"
|