From 22acda7abc1c77c0e9c15d2eba1ad6688c1d3cc2 Mon Sep 17 00:00:00 2001 From: falkTX Date: Mon, 11 Mar 2024 09:03:31 +0100 Subject: [PATCH] Add codesign step Signed-off-by: falkTX --- .github/workflows/build.yml | 16 +++---- src/mod-ui | 2 +- utils/macos/macos-dmg.sh | 86 +++++++++++++++++++++++++++++++++++++ utils/macos/macos-pkg.sh | 27 ++++++++++++ 4 files changed, 121 insertions(+), 10 deletions(-) create mode 100755 utils/macos/macos-dmg.sh diff --git a/.github/workflows/build.yml b/.github/workflows/build.yml index 402db29..a760e76 100644 --- a/.github/workflows/build.yml +++ b/.github/workflows/build.yml @@ -203,18 +203,14 @@ jobs: strategy: matrix: include: - - os: macos-11 - target: macos-10.15 - - os: macos-11 - target: macos-universal-10.15 - os: macos-12 target: macos-10.15 - os: macos-12 target: macos-universal-10.15 - - os: macos-13 - target: macos-10.15 - - os: macos-13 - target: macos-universal-10.15 + # - os: macos-13 + # target: macos-10.15 + # - os: macos-13 + # target: macos-universal-10.15 runs-on: ${{ matrix.os }} steps: - uses: actions/checkout@v4 @@ -222,6 +218,8 @@ jobs: submodules: recursive - name: Set up dependencies run: | + rm -f /usr/local/bin/2to3-3.11 + brew uninstall azure-cli ./src/PawPaw/.github/workflows/bootstrap-deps.sh ${{ matrix.target }} brew install p7zip wget - name: Set up cache @@ -241,7 +239,7 @@ jobs: - name: Validate plugins if: steps.cache.outputs.cache-hit == 'true' run: | - ./utils/plugin-builder/validate-plugins.sh ${{ matrix.target }} + # ./utils/plugin-builder/validate-plugins.sh ${{ matrix.target }} # FIXME dirty carla leaves temp folders around rm -rf *.tmp - name: Set version tag for release diff --git a/src/mod-ui b/src/mod-ui index 6615183..0595788 160000 --- a/src/mod-ui +++ b/src/mod-ui @@ -1 +1 @@ -Subproject commit 661518336c1222638d5ca4dbc79fb02dd40d1eef +Subproject commit 0595788f54ade32e58b897d4292d865fd805b972 
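Review bot: The two lines added to "Set up dependencies" carry no explanation and tie the step to the runner image's contents. `brew uninstall azure-cli` exits non-zero once the image no longer ships that formula, which fails the step unless the job overrides the default fail-fast shell. Add a comment naming the conflict being worked around and tolerate absence, e.g. `brew uninstall azure-cli || true`. The step continues outside the hunk.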
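Review bot: Commenting out `validate-plugins.sh` leaves the "Validate plugins" step doing only `rm -rf *.tmp`, so plugins are no longer checked before packaging, in the same commit that starts signing the packaged artifacts. If validation must be off temporarily, record why next to the disabled line, e.g. `# TODO re-enable: <reason>`, and rename the step so the job log does not report a validation that never ran. The rest of the job lies outside the hunk, so whether validation happens elsewhere cannot be seen from here.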
diff --git a/utils/macos/macos-dmg.sh b/utils/macos/macos-dmg.sh
new file mode 100755
index 0000000..3502aa3
--- /dev/null
+++ b/utils/macos/macos-dmg.sh
@@ -0,0 +1,86 @@ +#!/bin/bash + +set -e + +if [ ! -d build ]; then + echo "Please run this script from the root folder" + exit +fi + +if [ "$(uname -m)" = "x86_64" ] && [ x"${1}" != x"macos-universal-10.15" ]; then + PAWPAW_PREFIX="${HOME}/PawPawBuilds/targets/macos-10.15" +else + PAWPAW_PREFIX="${HOME}/PawPawBuilds/targets/macos-universal-10.15" +fi + +rm -rf build/dmg build/*.dmg +rm -rf mod-ui/mod/__pycache__ +rm -rf mod-ui/mod/communication/__pycache__ +rm -rf mod-ui/modtools/__pycache__ +./utils/pack-html.sh + +# create dmg dir for placing patched app bundle inside +mkdir build/dmg +gcp -rL "build/mod-desktop.app" "build/dmg/MOD Desktop.app" + +# patch rpath for Qt libs and jack tools +pushd "build/dmg/MOD Desktop.app/Contents" + +rm -rf Frameworks/*/*.prl +rm -rf Frameworks/*/Headers +rm -rf Frameworks/*/Versions +rm -rf MacOS/data + +QTLIBS=("Core" "Gui" "OpenGL" "PrintSupport" "Svg" "Widgets") + +for f in $(ls Frameworks/*/Qt* PlugIns/*/libq*.dylib); do + for q in "${QTLIBS[@]}"; do + install_name_tool -change "@rpath/Qt${q}.framework/Versions/5/Qt${q}" "@executable_path/../Frameworks/Qt${q}.framework/Qt${q}" "${f}" + done +done + +for f in $(ls MacOS/lib/libmod_utils.so MacOS/libjack*.dylib); do + install_name_tool -change "${PAWPAW_PREFIX}/lib/libjack.0.1.0.dylib" "@executable_path/libjack.0.dylib" "${f}" + install_name_tool -change "${PAWPAW_PREFIX}/lib/libjackserver.0.1.0.dylib" "@executable_path/libjackserver.0.dylib" "${f}" +done + +for f in $(ls MacOS/jackd MacOS/jack/*.so); do + install_name_tool -change "${PAWPAW_PREFIX}/lib/libjack.0.1.0.dylib" "@executable_path/libjackserver.0.dylib" "${f}" + install_name_tool -change "${PAWPAW_PREFIX}/lib/libjackserver.0.1.0.dylib" "@executable_path/libjackserver.0.dylib" "${f}" +done + +popd + +# sign app bundle +if [ -n "${CODESIGN_IDENTITY}" ]; then + security create-keychain -p dummypassword build.keychain + security unlock-keychain -p dummypassword build.keychain + + echo "${CODESIGN_P12_CONTENTS}" | base64 
-D -o codesign.p12 + security import codesign.p12 -f pkcs12 -P "${CODESIGN_P12_PASSWORD}" -k build.keychain -T /usr/bin/codesign + rm codesign.p12 + + # security add-trusted-cert -d -r trustRoot -k build.keychain xyz.cer + + # security set-key-partition-list -S apple-tool:,apple: -k dummypassword build.keychain + # -s apple-tool:,apple:,codesign: + # security list-keychains -d user -s build.keychain + # security list-keychains -d user -s build.keychain login.keychain + # security find-identity -p codesigning + + codesign -s "${CODESIGN_IDENTITY}" --deep --force --verbose --option=runtime build/dmg/*.app +fi + +# create dmg +hdiutil create "mod-desktop-$(cat VERSION)-macOS.dmg" -srcfolder build/dmg -volname "MOD Desktop" -fs HFS+ -ov + +if [ -n "${CODESIGN_IDENTITY}" ]; then + codesign -s "${MACOS_APP_DEV_ID}" --force --verbose --option=runtime "mod-desktop-$(cat VERSION)-macOS.dmg" + security delete-keychain build.keychain +fi + +# cleanup +rm -rf build/dmg + +# xcrun notarytool store-credentials build-notary --apple-id xyz --team-id xyz --password xyz +# xcrun notarytool submit choptones-amps-macOS.pkg --keychain-profile "build-notary" --wait diff --git a/utils/macos/macos-pkg.sh b/utils/macos/macos-pkg.sh index a7fb3f8..c6552ec 100755 --- a/utils/macos/macos-pkg.sh +++ b/utils/macos/macos-pkg.sh 
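Review bot: The signing block leaves key material behind on any failure. The script runs under `set -e`, so if `security import` or either `codesign` call fails, `rm codesign.p12` and the later `security delete-keychain build.keychain` are never reached, and the decoded certificate stays in the working directory next to the build output. Decode the p12 to a `mktemp` path and register an EXIT trap that removes both the file and the keychain, as sketched below; the same block is added to utils/macos/macos-pkg.sh and needs the same treatment. Separately, the DMG is signed with `${MACOS_APP_DEV_ID}` while the guard and the app-bundle signing use `${CODESIGN_IDENTITY}`. If that is not intentional, use `codesign -s "${CODESIGN_IDENTITY}" …` there so an unset variable cannot abort the script after the keychain was created.

```shell
# sign app bundle
if [ -n "${CODESIGN_IDENTITY}" ]; then
    P12_FILE="$(mktemp -t codesign)"
    cleanup_signing() {
        rm -f "${P12_FILE}"
        security delete-keychain build.keychain 2>/dev/null || true
    }
    # runs on success and on any set -e abort
    trap cleanup_signing EXIT

    security create-keychain -p dummypassword build.keychain
    security unlock-keychain -p dummypassword build.keychain

    echo "${CODESIGN_P12_CONTENTS}" | base64 -D -o "${P12_FILE}"
    security import "${P12_FILE}" -f pkcs12 -P "${CODESIGN_P12_PASSWORD}" -k build.keychain -T /usr/bin/codesign
    rm -f "${P12_FILE}"
    # … unchanged: commented-out keychain setup, codesign of the app bundle …
fi
# … unchanged: hdiutil create, DMG codesign (explicit delete-keychain no longer needed) …
```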
@@ -51,12 +51,35 @@ done popd +# sign app bundle +if [ -n "${CODESIGN_IDENTITY}" ]; then + security create-keychain -p dummypassword build.keychain + security unlock-keychain -p dummypassword build.keychain + + echo "${CODESIGN_P12_CONTENTS}" | base64 -D -o codesign.p12 + security import codesign.p12 -f pkcs12 -P "${CODESIGN_P12_PASSWORD}" -k build.keychain -T /usr/bin/codesign + rm codesign.p12 + + # security add-trusted-cert -d -r trustRoot -k build.keychain xyz.cer + + # security set-key-partition-list -S apple-tool:,apple: -k dummypassword build.keychain + # -s apple-tool:,apple:,codesign: + # security list-keychains -d user -s build.keychain + # security list-keychains -d user -s build.keychain login.keychain + # security find-identity -p codesigning + + codesign -s "${CODESIGN_IDENTITY}" --deep --force --verbose --option=runtime "build/pkg/MOD Desktop.app" + + PKG_SIGN_ARGS=(--sign "${CODESIGN_IDENTITY}") +fi + # create base app pkg pkgbuild \ --identifier "audio.mod.desktop-app" \ --component-plist "utils/macos/build.plist" \ --install-location "/Applications/" \ --root "${PWD}/build/pkg/" \ + "${PKG_SIGN_ARGS[@]}" \ build/mod-desktop.pkg # create final pkg @@ -68,7 +91,11 @@ productbuild \ --identifier "audio.mod.desktop-app" \ --package-path "${PWD}/build" \ --version 0 \ + "${PKG_SIGN_ARGS[@]}" \ mod-desktop-$(cat VERSION)-macOS.pkg # cleanup rm -rf build/pkg +[ -n "${CODESIGN_IDENTITY}" ] && security delete-keychain build.keychain + +exit 0
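Review bot: `PKG_SIGN_ARGS` hands `pkgbuild --sign` the same `${CODESIGN_IDENTITY}` that `codesign -s` uses for the app bundle, but installer packages are normally signed with an installer certificate (Developer ID Installer), not the application one. Unless that identity string is known to match both certificates in the imported p12, take the installer identity from its own variable so a mismatch is visible in configuration rather than at build time. Also initialise the array before the `if` with `PKG_SIGN_ARGS=()`, so a value inherited from the environment is never expanded into the `pkgbuild` and `productbuild` command lines when signing is disabled. The script begins outside this hunk.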
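Review bot: Nothing verifies the signatures that were just produced before `rm -rf build/pkg`, the keychain deletion and the forced `exit 0`. When `CODESIGN_IDENTITY` is set, add a check after `productbuild` and before the cleanup, for example `pkgutil --check-signature "mod-desktop-$(cat VERSION)-macOS.pkg"` and `codesign --verify --deep --strict "build/pkg/MOD Desktop.app"`, so an unsigned or wrongly signed artifact fails the build instead of being published. The trailing `[ -n "${CODESIGN_IDENTITY}" ] && security delete-keychain build.keychain` plus `exit 0` would also read more clearly as an `if` block that keeps the script's natural exit status.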