From af44dcef8ee2dc2fb724e4faf72cfaad3a29a722 Mon Sep 17 00:00:00 2001
From: Mykola Grymalyuk
Date: Tue, 21 May 2024 13:44:53 -0600
Subject: [PATCH] CI: Add Package Signing support
---
 .github/workflows/build-app-wxpython.yml | 45 +++++++++++++++++-------
 Build-Suite.command | 14 +-------
 ci_tooling/build_module/sign_notarize.py | 19 +++++++---
 3 files changed, 48 insertions(+), 30 deletions(-)
diff --git a/.github/workflows/build-app-wxpython.yml b/.github/workflows/build-app-wxpython.yml
index 439f4b916..0e93405c6 100644
--- a/.github/workflows/build-app-wxpython.yml
+++ b/.github/workflows/build-app-wxpython.yml
@@ -13,35 +13,56 @@ jobs: if: github.repository_owner == 'dortania' env: + # GitHub Information branch: ${{ github.ref }} commiturl: ${{ github.event.head_commit.url }}${{ github.event.release.html_url }} commitdate: ${{ github.event.head_commit.timestamp }}${{ github.event.release.published_at }} - MAC_CODESIGN_IDENTITY: ${{ secrets.MAC_CODESIGN_IDENTITY }} - MAC_CODESIGN_CERT: ${{ secrets.MAC_CODESIGN_CERT }} - MAC_NOTARIZATION_USERNAME: ${{ secrets.MAC_NOTARIZATION_USERNAME }} - MAC_NOTARIZATION_PASSWORD: ${{ secrets.MAC_NOTARIZATION_PASSWORD }} - MAC_NOTARIZATION_TEAM_ID: ${{ secrets.MAC_NOTARIZATION_TEAM_ID }} + + # Analytics ANALYTICS_KEY: ${{ secrets.ANALYTICS_KEY }} ANALYTICS_SITE: ${{ secrets.ANALYTICS_SITE }} + # App Signing + ORG_MAC_DEVELOPER_ID_APPLICATION_IDENTITY: ${{ secrets.ORG_MAC_DEVELOPER_ID_APPLICATION_IDENTITY }} + + # PKG Signing + ORG_MAC_DEVELOPER_ID_INSTALLER_IDENTITY: ${{ secrets.ORG_MAC_DEVELOPER_ID_INSTALLER_IDENTITY }} + + # Notarization + ORG_MAC_NOTARIZATION_TEAM_ID: ${{ secrets.ORG_MAC_NOTARIZATION_TEAM_ID }} + ORG_MAC_NOTARIZATION_APPLE_ID: ${{ secrets.ORG_MAC_NOTARIZATION_APPLE_ID }} + ORG_MAC_NOTARIZATION_PASSWORD: ${{ secrets.ORG_MAC_NOTARIZATION_PASSWORD }} + steps: - uses: actions/checkout@v4 - # - name: Import Certificate - # if: (!security find-certificate -c "${{ env.MAC_CODESIGN_IDENTITY }}") - # uses: apple-actions/import-codesign-certs@v2 + # - name: Import Application Signing Certificate + # uses: dhinakg/import-codesign-certs@master # with: - # p12-file-base64: ${{ secrets.MAC_CODESIGN_CERT }} - # p12-password: ${{ secrets.MAC_NOTARIZATION_PASSWORD }} + # p12-file-base64: ${{ secrets.ORG_MAC_DEVELOPER_ID_APPLICATION_CERT_P12_BASE64 }} + # p12-password: ${{ secrets.ORG_MAC_DEVELOPER_ID_APPLICATION_CERT_P12_PASSWORD }} + + # - name: Import Installer Signing Certificate + # uses: dhinakg/import-codesign-certs@master + # with: + # p12-file-base64: ${{ secrets.ORG_MAC_DEVELOPER_ID_INSTALLER_CERT_P12_BASE64 }} + # 
p12-password: ${{ secrets.ORG_MAC_DEVELOPER_ID_INSTALLER_CERT_P12_PASSWORD }} - name: Install Dependencies run: /Library/Frameworks/Python.framework/Versions/3.11/bin/python3 -m pip install -r requirements.txt + # - name: Force Universal2 charset for Python + # run: | + # /Library/Frameworks/Python.framework/Versions/3.11/bin/python3 -m pip uninstall -y charset_normalizer + # /Library/Frameworks/Python.framework/Versions/3.11/bin/python3 -m pip download --platform macosx_10_9_universal2 --only-binary=:all: charset-normalizer + # /Library/Frameworks/Python.framework/Versions/3.11/bin/python3 -m pip install charset_normalizer-*-macosx_10_9_universal2.whl + - name: Build Binary run: > /Library/Frameworks/Python.framework/Versions/3.11/bin/python3 Build-Suite.command - --application-signing-identity "${{ env.MAC_CODESIGN_IDENTITY }}" - --notarization-apple-id "${{ env.MAC_NOTARIZATION_USERNAME }}" --notarization-password "${{ env.MAC_NOTARIZATION_PASSWORD }}" --notarization-team-id "${{ env.MAC_NOTARIZATION_TEAM_ID }}" + --application-signing-identity "${{ env.ORG_MAC_DEVELOPER_ID_APPLICATION_IDENTITY }}" + --installer-signing-identity "${{ env.ORG_MAC_DEVELOPER_ID_INSTALLER_IDENTITY }}" + --notarization-apple-id "${{ env.ORG_MAC_NOTARIZATION_APPLE_ID }}" --notarization-password "${{ env.ORG_MAC_NOTARIZATION_PASSWORD }}" --notarization-team-id "${{ env.ORG_MAC_NOTARIZATION_TEAM_ID }}" --git-branch "${{ env.branch }}" --git-commit-url "${{ env.commiturl }}" --git-commit-date "${{ env.commitdate }}" --reset-dmg-cache --reset-pyinstaller-cache --analytics-key "${{ env.ANALYTICS_KEY }}" --analytics-endpoint "${{ env.ANALYTICS_SITE }}" diff --git a/Build-Suite.command b/Build-Suite.command index 539bbcf4f..d14c85de9 100644 --- a/Build-Suite.command +++ b/Build-Suite.command 
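Review bot: The Build Binary step passes `--notarization-password "${{ env.ORG_MAC_NOTARIZATION_PASSWORD }}"` (alongside the Apple ID and team ID) to Build-Suite.command on the command line, so the notarization credential is visible to any process on the runner through the argument list and can surface in a traceback or debug log; the removed `MAC_NOTARIZATION_PASSWORD` argument had the same shape, but the new lines keep the pattern. Since the value is already exported under `env:`, Build-Suite.command could read `ORG_MAC_NOTARIZATION_PASSWORD` from the environment when the flag is absent, leaving only the non-secret signing identities on the command line. The commented-out certificate-import steps reference `dhinakg/import-codesign-certs@master`; if they are enabled later, pin the action to a commit SHA, since it receives the raw .p12 and its password. The `run: >` block appears to end with the hunk, but the job's remaining steps are outside it.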
@@ -24,38 +24,26 @@ def main() -> None:
     parser = argparse.ArgumentParser(description="Build OpenCore Legacy Patcher Suite")
-    # Code Signing Parameters
-    # - Application Signing Identity
-    # - Installer Signing Identity
+    # Signing Parameters
     parser.add_argument("--application-signing-identity", type=str, help="Application Signing Identity")
     parser.add_argument("--installer-signing-identity", type=str, help="Installer Signing Identity")
     # Notarization Parameters
-    # - Notarization Apple ID
-    # - Notarization Password
-    # - Notarization Team ID
     parser.add_argument("--notarization-apple-id", type=str, help="Notarization Apple ID", default=None)
     parser.add_argument("--notarization-password", type=str, help="Notarization Password", default=None)
     parser.add_argument("--notarization-team-id", type=str, help="Notarization Team ID", default=None)
     # GitHub Actions CI/CD Parameters
-    # - Git Branch
-    # - Git Commit
-    # - Git Commit Date
     parser.add_argument("--git-branch", type=str, help="Git Branch", default=None)
     parser.add_argument("--git-commit-url", type=str, help="Git Commit URL", default=None)
     parser.add_argument("--git-commit-date", type=str, help="Git Commit Date", default=None)
     # Local Build Parameters
-    # - Reset payloads.dmg
-    # - Clean PyInstaller Cache
     parser.add_argument("--reset-dmg-cache", action="store_true", help="Redownload PatcherSupportPkg.dmg and regenerate payloads.dmg", default=False)
     parser.add_argument("--reset-pyinstaller-cache", action="store_true", help="Clean PyInstaller Cache", default=False)
     # Analytics Parameters
-    # - Key
-    # - Site
     parser.add_argument("--analytics-key", type=str, help="Analytics Key", default=None)
     parser.add_argument("--analytics-endpoint", type=str, help="Analytics Endpoint", default=None)
diff --git a/ci_tooling/build_module/sign_notarize.py b/ci_tooling/build_module/sign_notarize.py
index b0ce51ea0..198cbaf6d 100644
--- a/ci_tooling/build_module/sign_notarize.py
+++ b/ci_tooling/build_module/sign_notarize.py
@@ -1,7 +1,10 @@
 import mac_signing_buddy
+import macos_pkg_builder
 from pathlib import Path
+import macos_pkg_builder.utilities.signing
+
 class SignAndNotarize:
@@ -26,11 +29,17 @@ class SignAndNotarize:
             return
         print(f"Signing {self._path.name}")
-        mac_signing_buddy.Sign(
-            identity=self._signing_identity,
-            file=self._path,
-            **({"entitlements": self._entitlements} if self._entitlements else {}),
-        ).sign()
+        if self._path.name.endswith(".pkg"):
+            macos_pkg_builder.utilities.signing.SignPackage(
+                identity=self._signing_identity,
+                pkg=self._path,
+            ).sign()
+        else:
+            mac_signing_buddy.Sign(
+                identity=self._signing_identity,
+                file=self._path,
+                **({"entitlements": self._entitlements} if self._entitlements else {}),
+            ).sign()
         print(f"Notarizing {self._path.name}")
         mac_signing_buddy.Notarize(
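Review bot: The added `import macos_pkg_builder` is redundant once `import macos_pkg_builder.utilities.signing` is present, because importing the submodule also binds the top-level package name, and the submodule import is placed below the stdlib `from pathlib import Path` while the other third-party import sits above it. Keep a single `import macos_pkg_builder.utilities.signing` grouped with `import mac_signing_buddy` after the stdlib block.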
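Review bot: The new `.pkg` branch signs with the same `self._signing_identity` the application branch uses, yet an installer package has to be signed with a Developer ID Installer identity rather than the Developer ID Application one — the workflow adds a separate `--installer-signing-identity` for exactly this, so presumably the caller builds a second instance with that identity, but nothing in this class records or checks it. A class docstring line stating that the identity must match the artifact type, or a guard before `SignPackage` along the lines of `if "Developer ID Installer" not in self._signing_identity: raise ValueError("installer identity required for .pkg")`, would catch a swapped identity before a failed notarization. Two smaller points: `self._entitlements` is silently ignored for packages, which deserves a comment such as `# entitlements apply to bundles/binaries only; a package is signed as a whole`, and `self._path.name.endswith(".pkg")` could be `self._path.suffix == ".pkg"` to match the `pathlib` usage in the file. The enclosing method starts before the hunk and its `Notarize` call continues past it.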