v1.2.0: added utilities for macOS notarizing

2022-02-03 18:26:54 -05:00 · 2022-02-03 18:26:54 -05:00 · 6e6a97fddc
commit 6e6a97fddc
parent 5c8dbd69a4
4 changed files with 88 additions and 3 deletions
--- a/desktop/build.gradle
+++ b/desktop/build.gradle
@ -23,7 +23,7 @@ task debug(type: JavaExec) {

 task release(type: Jar) {
    //FIXME this is now needed as of gradle 7.0, due to our weird sourceSets setup. Should see if there's a better way to do this
-    setDuplicatesStrategy(DuplicatesStrategy.INCLUDE)
+    setDuplicatesStrategy(DuplicatesStrategy.EXCLUDE)
    from sourceSets.main.output
    dependsOn configurations.runtimeClasspath
    from { configurations.runtimeClasspath.findAll { it.name.endsWith('jar') }.collect { zipTree(it) } }
@ -93,7 +93,11 @@ runtime {
            javaHome = file("./build/jdks/mac/jdk-16.0.1+9/Contents/Home/").getAbsolutePath()
            jpackage {
                jpackageHome = file("./build/jdks/mac/jdk-16.0.1+9/Contents/Home/")
-                imageOptions = ["--icon", file("./src/main/assets/icons/mac.icns"), "--java-options", "-XstartOnFirstThread"]
+                imageOptions = ["--icon", file("./src/main/assets/icons/mac.icns"),
+                                "--java-options", "-XstartOnFirstThread",
+                                //append .apple because com.shatteredpixel.shatteredpixeldungeon was taken =(
+                                "--mac-package-identifier", appPackageName + ".apple",
+                                "--mac-package-name", "ShattererdPD"]

                installerType = "dmg"
                installerName = appName
--- a/desktop/macos-entitlements.plist
+++ b/desktop/macos-entitlements.plist
@ -0,0 +1,14 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
+<plist version="1.0">
+<dict>
+	<key>com.apple.security.cs.allow-jit</key>
+	<true/>
+	<key>com.apple.security.cs.allow-unsigned-executable-memory</key>
+	<true/>
+	<key>com.apple.security.cs.disable-library-validation</key>
+	<true/>
+	<key>com.apple.security.cs.allow-dyld-environment-variables</key>
+	<true/>
+</dict>
+</plist>
--- a/desktop/notarize.sh
+++ b/desktop/notarize.sh
@ -0,0 +1,67 @@
+#!/bin/sh
+
+# This shell script helps automate the process of notarizing
+# It is based on the guide found here: https://www.joelotter.com/2020/08/14/macos-java-notarization.html
+# requires xcode tools, script may take a minute or two to run as it uploads results to apple
+
+# usage is: "notarize.sh <path-to-.app> <path-to-entitlements-.plist> <certificate-name> <apple-id> <app-password>"
+# There is no input validation to check your arguments!
+APP="$1"
+PLIST=`PWD`"/$2" #need absolute path
+CERT="$3"
+USER="$4"
+PASS="$5"
+
+#first sign the naked dylib in /Contents/runtime/Contents/MacOS/libjli.dylib
+codesign --force --options runtime --timestamp --sign "$CERT" \
+	 		--entitlements "$PLIST" "${APP}/Contents/runtime/Contents/MacOS/libjli.dylib"
+
+#then iterate over each jar and sign all .dylib files within it
+# to do this we have to unzip each JAR, sign the files and re-zip =/
+# several commands are piped to dev/null to cut down on console spam
+pushd "${APP}"/Contents/app/ > /dev/null
+rm -rf jar/
+for JAR in *.jar; do
+
+	mkdir jar
+	mv "$JAR" jar/
+	pushd jar/ > /dev/null
+	unzip "${JAR}" > /dev/null
+	rm "${JAR}"
+
+	for LIB in `find . -name '*.dylib'`; do
+		codesign --force --options runtime --timestamp --sign "$CERT" \
+			--entitlements "$PLIST" "${LIB}"
+	done
+
+	zip -r "../${JAR}" * > /dev/null
+	popd > /dev/null
+	rm -rf jar/
+
+done
+popd > /dev/null
+
+#finally do one more deep sign on the whole .app
+codesign --deep --force --options runtime --timestamp --sign "$CERT" \
+			--entitlements "$PLIST" "${APP}"
+
+#zip it up and send it to apple!
+rm -rf "${APP}".zip
+zip -r "${APP}".zip "${APP}" > /dev/null
+
+echo "Uploading to apple, this may take a minute."
+
+xcrun altool -t osx -f "${APP}".zip \
+  --primary-bundle-id com.shatteredpixel.shatteredpixeldungeon.apple --notarize-app \
+  --username "$USER" \
+  --password "$PASS"
+
+rm -rf "${APP}".zip
+
+echo "Upload finished, if it worked, wait for an email and then run: xcrun stapler staple \"${APP}\""
+
+# If notarizing failed, you can run this command to get info:
+# xcrun altool --notarization-info <UUID that this script printed> \
+#  --username "$USER" \
+#  --password "$PASS"
+
--- a/ios/build.gradle
+++ b/ios/build.gradle
@ -25,7 +25,7 @@ task updateRoboVMProps(){
    //parse out just #.#.# from version name, this is an apple requirement
    props.setProperty ('appShortVersionName', (appVersionName =~ /\d+\.\d+\.\d+/)[0])

-    props.setProperty ('appMainclass', "com.shatteredpixel.shatteredpixeldungeon.ios.IOSLauncher")
+    props.setProperty ('appMainclass', appPackageName + ".ios.IOSLauncher")
    props.setProperty ('appExecutable', "IOSLauncher")

    file("robovm.properties").withWriter { props.store(it, "Dynamically generated, do not commit to version control!") }