CI: Add Package Signing support

.github/workflows/build-app-wxpython.yml

@@ -13,35 +13,56 @@ jobs:
     if: github.repository_owner == 'dortania'
 
     env:
+      # GitHub Information
       branch: ${{ github.ref }}
       commiturl: ${{ github.event.head_commit.url }}${{ github.event.release.html_url }}
       commitdate: ${{ github.event.head_commit.timestamp }}${{ github.event.release.published_at }}
-      MAC_CODESIGN_IDENTITY: ${{ secrets.MAC_CODESIGN_IDENTITY }}
+
-      MAC_CODESIGN_CERT: ${{ secrets.MAC_CODESIGN_CERT }}
+      # Analytics
-      MAC_NOTARIZATION_USERNAME: ${{ secrets.MAC_NOTARIZATION_USERNAME }}
-      MAC_NOTARIZATION_PASSWORD: ${{ secrets.MAC_NOTARIZATION_PASSWORD }}
-      MAC_NOTARIZATION_TEAM_ID: ${{ secrets.MAC_NOTARIZATION_TEAM_ID }}
       ANALYTICS_KEY: ${{ secrets.ANALYTICS_KEY }}
       ANALYTICS_SITE: ${{ secrets.ANALYTICS_SITE }}
 
+      # App Signing
+      ORG_MAC_DEVELOPER_ID_APPLICATION_IDENTITY: ${{ secrets.ORG_MAC_DEVELOPER_ID_APPLICATION_IDENTITY }}
+
+      # PKG Signing
+      ORG_MAC_DEVELOPER_ID_INSTALLER_IDENTITY: ${{ secrets.ORG_MAC_DEVELOPER_ID_INSTALLER_IDENTITY }}
+
+      # Notarization
+      ORG_MAC_NOTARIZATION_TEAM_ID: ${{ secrets.ORG_MAC_NOTARIZATION_TEAM_ID }}
+      ORG_MAC_NOTARIZATION_APPLE_ID: ${{ secrets.ORG_MAC_NOTARIZATION_APPLE_ID }}
+      ORG_MAC_NOTARIZATION_PASSWORD: ${{ secrets.ORG_MAC_NOTARIZATION_PASSWORD }}
+
     steps:
       - uses: actions/checkout@v4
 
-      # - name: Import Certificate
+      # - name: Import Application Signing Certificate
-      #   if: (!security find-certificate -c "${{ env.MAC_CODESIGN_IDENTITY }}")
+      #   uses: dhinakg/import-codesign-certs@master
-      #   uses: apple-actions/import-codesign-certs@v2
       #   with:
-      #     p12-file-base64: ${{ secrets.MAC_CODESIGN_CERT }}
+      #     p12-file-base64: ${{ secrets.ORG_MAC_DEVELOPER_ID_APPLICATION_CERT_P12_BASE64 }}
-      #     p12-password: ${{ secrets.MAC_NOTARIZATION_PASSWORD }}
+      #     p12-password: ${{ secrets.ORG_MAC_DEVELOPER_ID_APPLICATION_CERT_P12_PASSWORD }}
+
+      # - name: Import Installer Signing Certificate
+      #   uses: dhinakg/import-codesign-certs@master
+      #   with:
+      #     p12-file-base64: ${{ secrets.ORG_MAC_DEVELOPER_ID_INSTALLER_CERT_P12_BASE64 }}
+      #     p12-password: ${{ secrets.ORG_MAC_DEVELOPER_ID_INSTALLER_CERT_P12_PASSWORD }}
 
       - name: Install Dependencies
         run: /Library/Frameworks/Python.framework/Versions/3.11/bin/python3 -m pip install -r requirements.txt
 
+      # - name: Force Universal2 charset for Python
+      #   run: |
+      #     /Library/Frameworks/Python.framework/Versions/3.11/bin/python3 -m pip uninstall -y charset_normalizer
+      #     /Library/Frameworks/Python.framework/Versions/3.11/bin/python3 -m pip download --platform macosx_10_9_universal2 --only-binary=:all: charset-normalizer
+      #     /Library/Frameworks/Python.framework/Versions/3.11/bin/python3 -m pip install charset_normalizer-*-macosx_10_9_universal2.whl
+
       - name: Build Binary
         run: >
           /Library/Frameworks/Python.framework/Versions/3.11/bin/python3 Build-Suite.command
-          --application-signing-identity "${{ env.MAC_CODESIGN_IDENTITY }}"
+          --application-signing-identity "${{ env.ORG_MAC_DEVELOPER_ID_APPLICATION_IDENTITY }}"
-          --notarization-apple-id "${{ env.MAC_NOTARIZATION_USERNAME }}" --notarization-password "${{ env.MAC_NOTARIZATION_PASSWORD }}" --notarization-team-id "${{ env.MAC_NOTARIZATION_TEAM_ID }}"
+          --installer-signing-identity "${{ env.ORG_MAC_DEVELOPER_ID_INSTALLER_IDENTITY }}"
+          --notarization-apple-id "${{ env.ORG_MAC_NOTARIZATION_APPLE_ID }}" --notarization-password "${{ env.ORG_MAC_NOTARIZATION_PASSWORD }}" --notarization-team-id "${{ env.ORG_MAC_NOTARIZATION_TEAM_ID }}"
           --git-branch "${{ env.branch }}" --git-commit-url "${{ env.commiturl }}" --git-commit-date "${{ env.commitdate }}"
           --reset-dmg-cache --reset-pyinstaller-cache
           --analytics-key "${{ env.ANALYTICS_KEY }}" --analytics-endpoint "${{ env.ANALYTICS_SITE }}"

Build-Suite.command

@@ -24,38 +24,26 @@ def main() -> None:
 
     parser = argparse.ArgumentParser(description="Build OpenCore Legacy Patcher Suite")
 
-    # Code Signing Parameters
+    # Signing Parameters
-    # - Application Signing Identity
-    # - Installer Signing Identity
     parser.add_argument("--application-signing-identity", type=str, help="Application Signing Identity")
     parser.add_argument("--installer-signing-identity", type=str, help="Installer Signing Identity")
 
 
     # Notarization Parameters
-    # - Notarization Apple ID
-    # - Notarization Password
-    # - Notarization Team ID
     parser.add_argument("--notarization-apple-id", type=str, help="Notarization Apple ID", default=None)
     parser.add_argument("--notarization-password", type=str, help="Notarization Password", default=None)
     parser.add_argument("--notarization-team-id", type=str, help="Notarization Team ID", default=None)
 
     # GitHub Actions CI/CD Parameters
-    # - Git Branch
-    # - Git Commit
-    # - Git Commit Date
     parser.add_argument("--git-branch", type=str, help="Git Branch", default=None)
     parser.add_argument("--git-commit-url", type=str, help="Git Commit URL", default=None)
     parser.add_argument("--git-commit-date", type=str, help="Git Commit Date", default=None)
 
     # Local Build Parameters
-    # - Reset payloads.dmg
-    # - Clean PyInstaller Cache
     parser.add_argument("--reset-dmg-cache", action="store_true", help="Redownload PatcherSupportPkg.dmg and regenerate payloads.dmg", default=False)
     parser.add_argument("--reset-pyinstaller-cache", action="store_true", help="Clean PyInstaller Cache", default=False)
 
     # Analytics Parameters
-    # - Key
-    # - Site
     parser.add_argument("--analytics-key", type=str, help="Analytics Key", default=None)
     parser.add_argument("--analytics-endpoint", type=str, help="Analytics Endpoint", default=None)
 

ci_tooling/build_module/sign_notarize.py

@@ -1,7 +1,10 @@
 import mac_signing_buddy
+import macos_pkg_builder
 
 from pathlib import Path
 
+import macos_pkg_builder.utilities.signing
+
 
 class SignAndNotarize:
 
@@ -26,6 +29,12 @@ class SignAndNotarize:
             return
 
         print(f"Signing {self._path.name}")
+        if self._path.name.endswith(".pkg"):
+            macos_pkg_builder.utilities.signing.SignPackage(
+                identity=self._signing_identity,
+                pkg=self._path,
+            ).sign()
+        else:
             mac_signing_buddy.Sign(
                 identity=self._signing_identity,
                 file=self._path,