# HG changeset patch
# User Chris Cannam
# Date 1571230206 -3600
# Node ID 9ca6872a5d0fe5d8fc0a699c20d35317963c1d82
# Parent 8036dd41f3aae7cca39f5b1e2471b964af2e0d6b
Rework deployment scripts with a separate package/notarize step
diff -r 8036dd41f3aa -r 9ca6872a5d0f deploy/osx/deploy-and-package.sh
--- /dev/null Thu Jan 01 00:00:00 1970 +0000
+++ b/deploy/osx/deploy-and-package.sh Wed Oct 16 13:50:06 2019 +0100
@@ -0,0 +1,74 @@
+#!/bin/bash
+
+set -eu
+
+app="Sonic Visualiser"
+
+version=`perl -p -e 's/^[^"]*"([^"]*)".*$/$1/' version.h`
+
+source="$app.app"
+volume="$app"-"$version"
+target="$volume"/"$app".app
+dmg="$app"-"$version".dmg
+
+if [ -d "$volume" ]; then
+ echo "Target directory $volume already exists, not overwriting"
+ exit 2
+fi
+
+if [ -f "$dmg" ]; then
+ echo "Target disc image $dmg already exists, not overwriting"
+ exit 2
+fi
+
+echo
+echo "(Re-)running deploy script..."
+
+deploy/osx/deploy.sh "$app" || exit 1
+
+echo
+echo "Making target tree."
+
+mkdir "$volume" || exit 1
+
+ln -s /Applications "$volume"/Applications
+cp README.md "$volume/README.txt"
+cp README.OSC "$volume/README-OSC.txt"
+cp COPYING "$volume/COPYING.txt"
+cp CHANGELOG "$volume/CHANGELOG.txt"
+cp CITATION "$volume/CITATION.txt"
+cp -rp "$source" "$target"
+
+# update file timestamps so as to make the build date apparent
+find "$volume" -exec touch \{\} \;
+
+echo "Done"
+
+echo
+echo "Code-signing volume..."
+
+deploy/osx/sign.sh "$volume" || exit 1
+
+echo "Done"
+
+echo
+echo "Making dmg..."
+
+rm -f "$dmg"
+
+hdiutil create -srcfolder "$volume" "$dmg" -volname "$volume" -fs HFS+ &&
+ rm -r "$volume"
+
+echo "Done"
+
+echo
+echo "Signing dmg..."
+
+codesign -s "Developer ID Application: Chris Cannam" -fv "$dmg"
+
+echo
+echo "Submitting dmg for notarization..."
+
+deploy/osx/notarize.sh "$dmg" || exit 1
+
+echo "Done"
diff -r 8036dd41f3aa -r 9ca6872a5d0f deploy/osx/deploy.sh
--- a/deploy/osx/deploy.sh Wed Oct 16 13:05:51 2019 +0100
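Review bot: `version` is read from version.h with `perl -p`, which prints every input line whether or not the substitution matched, so any extra line in that header (or a line with no quoted string) flows unchecked into `$volume` and `$dmg`, and later into `rm -r "$volume"`. A guard straight after the assignment, such as `case "$version" in ''|*[!0-9A-Za-z._-]*) echo "Unexpected version '$version'" >&2; exit 1;; esac`, would stop a malformed value before anything is created, signed or deleted. Further down, the left-hand side of `hdiutil create ... && rm -r "$volume"` is exempt from `set -e`, so a failed image build still prints "Done" and is presumably only caught when `codesign` cannot find the dmg. Adding `|| exit 1` to the `hdiutil create` step, as the other steps in this script do, would report the failure where it happens.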
+++ b/deploy/osx/deploy.sh Wed Oct 16 13:50:06 2019 +0100 @@ -3,20 +3,23 @@ set -e # Execute this from the top-level directory of the project (the one -# that contains the .app bundle). Supply the name of the .app bundle -# as argument (the target will use $app.app regardless, but we need -# to know the source) +# that contains the .app bundle). Supply the name of the application +# as argument. +# +# This now performs *only* the app deployment step - copying in +# libraries and setting up paths etc. It does not create a +# package. Use deploy-and-package.sh for that. -source="$1" -dmg="$2" -if [ -z "$source" ] || [ ! -d "$source" ] || [ -z "$dmg" ]; then - echo "Usage: $0 " - echo " e.g. $0 MyApplication.app MyApplication" - echo " Version number and .dmg will be appended automatically," - echo " but the .app name must include .app" +app="$1" +source="$app.app" + +if [ -z "$app" ] || [ ! -d "$source" ] || [ -n "$2" ]; then + echo "Usage: $0 " + echo " e.g. $0 MyApplication" + echo " The app bundle must exist in ./.app." + echo " Version number will be extracted from version.h." exit 2 fi -app=`basename "$source" .app` set -u @@ -54,6 +57,10 @@ cp piper-vamp-simple-server "$source"/Contents/MacOS/ echo +echo "Copying in lproj directories containing InfoPlist.strings translation files." +cp -r i18n/*.lproj "$source"/Contents/Resources/ + +echo echo "Writing version $bundleVersion in to bundle." echo "(This should be a three-part number: major.minor.point)" 
@@ -61,49 +68,3 @@ > "$source"/Contents/Info.plist echo "Done: check $source/Contents/Info.plist for sanity please" - -echo -echo "Copying in lproj directories containing InfoPlist.strings translation files." -cp -r i18n/*.lproj "$source"/Contents/Resources/ - -echo -echo "Making target tree." - -volume="$app"-"$version" -target="$volume"/"$app".app -dmg="$dmg"-"$version".dmg - -mkdir "$volume" || exit 1 - -ln -s /Applications "$volume"/Applications -cp README.md "$volume/README.txt" -cp README.OSC "$volume/README-OSC.txt" -cp COPYING "$volume/COPYING.txt" -cp CHANGELOG "$volume/CHANGELOG.txt" -cp CITATION "$volume/CITATION.txt" -cp -rp "$source" "$target" - -# update file timestamps so as to make the build date apparent -find "$volume" -exec touch \{\} \; - -echo "Done" - -echo -echo "Code-signing volume..." - -deploy/osx/sign.sh "$volume" || exit 1 - -echo "Done" - -echo -echo "Making dmg..." - -hdiutil create -srcfolder "$volume" "$dmg" -volname "$volume" -fs HFS+ && - rm -r "$volume" - -echo -echo "Signing dmg..." - -codesign -s "Developer ID Application: Chris Cannam" -fv "$dmg" - -echo "Done" diff -r 8036dd41f3aa -r 9ca6872a5d0f deploy/osx/notarize.sh --- a/deploy/osx/notarize.sh Wed Oct 16 13:05:51 2019 +0100 +++ b/deploy/osx/notarize.sh Wed Oct 16 13:50:06 2019 +0100 
@@ -1,36 +1,77 @@ #!/bin/bash -# This is just a scrapbook for the mo - -## Before this, we need to open Application Loader and log in to the -## right iTunes Connect account - -## Looks like the workflow has changed to using app-specific -## passwords, for 2FA reasons. See -## https://developer.apple.com/documentation/xcode/notarizing_your_app_before_distribution/customizing_the_notarization_workflow?language=objc - ## The following assumes we have generated an app password at ## appleid.apple.com and then stored it to keychain id "altool" using ## e.g. ## security add-generic-password -a "cannam+apple@all-day-breakfast.com" \ ## -w "generated-app-password" -s "altool" -## todo: script this +## NB to verify: +# spctl -a -v "/Applications/Application.app" -# xcrun altool --notarize-app -f "Sonic Visualiser-4.0-pre2.dmg" --primary-bundle-id org.sonicvisualiser.SonicVisualiser -u "cannam+apple@all-day-breakfast.com" -p @keychain:altool +user="cannam+apple@all-day-breakfast.com" +bundleid="org.sonicvisualiser.SonicVisualiser" -## That churns for a while and then dumps out a UUID +set -e -# xcrun altool --notarization-info UUID -u "cannam+apple@all-day-breakfast.com" -p @keychain:altool +dmg="$1" -## Returns "in progress" at first, then eventually a failure report -## with a URL that can be retrieved as JSON payload using wget. An -## email is also sent to the iTunes Connect account holder when it -## completes +if [ ! -f "$dmg" ] || [ -n "$2" ]; then + echo "Usage: $0 " + echo " e.g. $0 MyApplication-1.0.dmg" + exit 2 +fi -# xcrun stapler staple -v "Sonic Visualiser-3.2.dmg" +set -u -# spctl -a -v "/Applications/Sonic Visualiser.app" +echo +echo "Uploading for notarization..." 
+uuidfile=.notarization-uuid +rm -f "$uuidfile" +xcrun altool --notarize-app \ + -f "$dmg" \ + --primary-bundle-id "$bundleid" \ + -u "$user" \ + -p @keychain:altool 2>&1 | tee "$uuidfile" +uuid=$(cat "$uuidfile" | grep RequestUUID | awk '{ print $3; }') + +if [ -z "$uuid" ]; then + echo + echo "Failed (no UUID returned, check output)" + exit 1 +fi + +echo "Done, UUID is $uuid" + +echo +echo "Waiting and checking for completion..." + +while true ; do + sleep 30 + status=$(xcrun altool --notarization-info "$uuid" -u "$user" -p @keychain:altool 2>&1) + if echo "$status" | grep -q 'Package Approved' ; then + echo + echo "Approved! Status output is:" + echo "$status" + break + elif echo "$status" | grep -q 'in progress' ; then + echo + echo "Still in progress... Status output is:" + echo "$status" + echo "Waiting..." + else + echo + echo "Failure or unknown status in output:" + echo "$status" + exit 2 + fi +done + +echo +echo "Stapling to package..." + +xcrun stapler staple "$dmg" || exit 1 + diff -r 8036dd41f3aa -r 9ca6872a5d0f deploy/osx/sign.sh --- a/deploy/osx/sign.sh Wed Oct 16 13:05:51 2019 +0100 +++ b/deploy/osx/sign.sh Wed Oct 16 13:50:06 2019 +0100 @@ -23,8 +23,5 @@ done codesign -s "Developer ID Application: Chris Cannam" -fv --deep "$app/Contents/MacOS/Sonic Visualiser" codesign -s "Developer ID Application: Chris Cannam" -fv --deep "$app" -# codesign -s "Developer ID Application: Chris Cannam" -fv --deep \ -# --requirements '=designated => identifier "org.sonicvisualiser.SonicVisualiser" and ( (anchor apple generic and certificate leaf[field.1.2.840.113635.100.6.1.9] ) or (anchor apple generic and certificate 1[field.1.2.840.113635.100.6.2.6] and certificate leaf[field.1.2.840.113635.100.6.1.13] and certificate leaf[subject.OU] = "M2H8666U82"))' \ -# "$app" done
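Review bot: In the polling loop of notarize.sh, `status=$(xcrun altool --notarization-info ...)` runs under `set -e`, so if altool exits non-zero the script stops at the assignment and the "Failure or unknown status" branch never prints the output that would explain why. The loop also has no upper bound, so a request that stays "in progress" keeps the release job polling indefinitely. Separately, the upload step tees altool's full output into a fixed `.notarization-uuid` in the working directory and leaves it there; a `mktemp` file removed by an EXIT trap avoids the stale file. Because there is no `pipefail`, the empty-UUID check is the only thing that catches an altool failure behind `tee`, which deserves a comment at that check. The fence sketches a bounded loop that tolerates a failing status call; the attempt limit is a constructed example value.

```shell
uuidfile=$(mktemp) || exit 1
trap 'rm -f "$uuidfile"' EXIT
# … unchanged: altool --notarize-app upload piped to tee "$uuidfile", UUID extraction and empty-UUID check …

attempts=0
max_attempts=120   # constructed example: 120 x 30s = one hour
while true ; do
    sleep 30
    attempts=$((attempts + 1))
    # do not let set -e end the script here; the branches below print the output
    status=$(xcrun altool --notarization-info "$uuid" -u "$user" -p @keychain:altool 2>&1) || true
    # … unchanged: 'Package Approved' / 'in progress' / failure branches …
    if [ "$attempts" -ge "$max_attempts" ]; then
        echo "Timed out waiting for notarization of $uuid" >&2
        exit 2
    fi
done
```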