kotschak/qelectrotech-source-mirror
0
0
Fork 0
mirror of https://github.com/qelectrotech/qelectrotech-source-mirror.git synced 2026-05-15 07:09:58 +02:00
Code Issues Actions 1 Packages Projects Releases Wiki Activity

Update MacQetDeploy_arm64.sh

Browse Source
This commit is contained in:
Laurent Trinques
2026-05-14 11:45:11 +02:00
committed by GitHub
parent 56f5a09737
commit c0ba961fb3
1 changed files with 63 additions and 24 deletions
Download Patch File Download Diff File Expand all files Collapse all files

87
misc/MacQetDeploy_arm64.sh
View File

@@ -25,6 +25,7 @@ export DEVELOPER_DIR=/Applications/Xcode_14.01.app/Contents/Developer
APPNAME='qelectrotech' APPNAME='qelectrotech'
BUNDLE=$APPNAME.app BUNDLE=$APPNAME.app
APPBIN="$BUNDLE/Contents/MacOS/$APPNAME" APPBIN="$BUNDLE/Contents/MacOS/$APPNAME"
IDENTITY="Developer ID Application: Laurent TRINQUES (Y73WZ6WZ5X)"
# Script location # Script location
current_dir=$(dirname "$0") current_dir=$(dirname "$0")
@@ -222,15 +223,41 @@ if [ -d "${QET_LICENSES_DIR}" ]; then
cp -R -L ${QET_LICENSES_DIR} $BUNDLE/Contents/Resources/licenses cp -R -L ${QET_LICENSES_DIR} $BUNDLE/Contents/Resources/licenses
fi fi
### Sign the bundle ################################################# ### Sign the bundle (without --deep, component by component) ########
# --deep is deprecated and can produce invalid signatures on nested
# binaries. We sign frameworks and plugins first, then the bundle.
echo echo
echo "______________________________________________________________" echo "______________________________________________________________"
echo "Code signing bundle:" echo "Code signing bundle (component by component):"
codesign --force --deep --sign --timestamp \ # Sign frameworks
-s "Developer ID Application: Laurent TRINQUES (Y73WZ6WZ5X)" \ find "$BUNDLE/Contents/Frameworks" -name "*.framework" -prune | while read fw; do
--options=runtime $BUNDLE codesign --force --sign "$IDENTITY" --timestamp --options=runtime "$fw"
done
# Sign plugins (.dylib and .so)
find "$BUNDLE/Contents/PlugIns" \( -name "*.dylib" -o -name "*.so" \) | while read lib; do
codesign --force --sign "$IDENTITY" --timestamp --options=runtime "$lib"
done
# Sign remaining dylibs at bundle root level
find "$BUNDLE/Contents/MacOS" -name "*.dylib" | while read lib; do
codesign --force --sign "$IDENTITY" --timestamp --options=runtime "$lib"
done
# Sign the bundle itself last
codesign --force --sign "$IDENTITY" --timestamp --options=runtime "$BUNDLE"
# Verify signature before proceeding
echo
echo "Verifying bundle signature..."
codesign --verify --deep --strict --verbose=2 "$BUNDLE"
if [ $? -ne 0 ]; then
echo "ERROR: bundle signature verification failed, aborting."
exit 1
fi
echo "Bundle signature OK."
### Create zip for notarization only ################################ ### Create zip for notarization only ################################
# This ZIP is temporary — used only to submit to notarytool. # This ZIP is temporary — used only to submit to notarytool.
@@ -241,7 +268,7 @@ echo "______________________________________________________________"
echo "Create temporary zip for notarization:" echo "Create temporary zip for notarization:"
NOTARIZE_ZIP="/tmp/${APPNAME}-$VERSION-r$HEAD-arm64-notarize.zip" NOTARIZE_ZIP="/tmp/${APPNAME}-$VERSION-r$HEAD-arm64-notarize.zip"
/usr/bin/ditto -c -k --keepParent $BUNDLE "$NOTARIZE_ZIP" /usr/bin/ditto -c -k --keepParent "$BUNDLE" "$NOTARIZE_ZIP"
### Notarize ######################################################## ### Notarize ########################################################
@@ -252,6 +279,11 @@ if [[ $a == "Y" || $a == "y" ]]; then
echo "______________________________________________________________" echo "______________________________________________________________"
echo "Notarizing:" echo "Notarizing:"
xcrun notarytool submit "$NOTARIZE_ZIP" --keychain-profile "org.qelectrotech" --wait xcrun notarytool submit "$NOTARIZE_ZIP" --keychain-profile "org.qelectrotech" --wait
if [ $? -ne 0 ]; then
echo "ERROR: notarization failed. Check the log with:"
echo " xcrun notarytool log <submission-id> --keychain-profile org.qelectrotech"
exit 1
fi
else else
echo -e "\033[1;33mExit.\033[m" echo -e "\033[1;33mExit.\033[m"
fi fi
@@ -265,11 +297,10 @@ rm -f "$NOTARIZE_ZIP"
echo -e "\033[1;31mWould you like to staple the app \"${APPNAME}-${VERSION}-r${HEAD}\", n/Y?\033[m" echo -e "\033[1;31mWould you like to staple the app \"${APPNAME}-${VERSION}-r${HEAD}\", n/Y?\033[m"
read a read a
if [[ $a == "Y" || $a == "y" ]]; then if [[ $a == "Y" || $a == "y" ]]; then
xcrun stapler staple -v $BUNDLE xcrun stapler staple -v "$BUNDLE"
# Verify staple is correctly applied
echo "Verifying staple..." echo "Verifying staple..."
xcrun stapler validate -v $BUNDLE xcrun stapler validate -v "$BUNDLE"
spctl -a -vv $BUNDLE spctl -a -vv "$BUNDLE"
else else
echo -e "\033[1;33mExit.\033[m" echo -e "\033[1;33mExit.\033[m"
fi fi
@@ -277,9 +308,10 @@ fi
### Create final DMG ################################################ ### Create final DMG ################################################
# A DMG is used instead of a ZIP because it correctly preserves the # A DMG is used instead of a ZIP because it correctly preserves the
# Gatekeeper staple when downloaded via Chrome or any other browser. # Gatekeeper staple when downloaded via Chrome or any other browser.
# ZIP extraction via Archive Utility can strip extended attributes, #
# causing Gatekeeper to block the app with an "unverified developer" # We create the DMG directly in UDZO (compressed read-only) format
# warning. A signed and notarized DMG does not have this issue. # to avoid the UDRW -> UDZO conversion step, which can alter file
# signatures and cause notarization to fail.
echo echo
echo "______________________________________________________________" echo "______________________________________________________________"
@@ -287,25 +319,23 @@ echo "Create final DMG (Gatekeeper-compatible with Chrome and Safari):"
mkdir -p "build-aux/mac-osx" mkdir -p "build-aux/mac-osx"
# Create a temporary writable DMG from the stapled .app bundle # Create compressed read-only DMG directly from the stapled .app bundle
hdiutil create \ hdiutil create \
-volname "QElectroTech $VERSION" \ -volname "QElectroTech $VERSION" \
-srcfolder "$BUNDLE" \ -srcfolder "$BUNDLE" \
-ov \ -ov \
-format UDRW \
-fs HFS+ \
"/tmp/qet_tmp.dmg"
# Convert to compressed read-only DMG
hdiutil convert "/tmp/qet_tmp.dmg" \
-format UDZO \ -format UDZO \
-o "$DMG_PATH" -fs HFS+ \
"$DMG_PATH"
rm -f "/tmp/qet_tmp.dmg" if [ $? -ne 0 ]; then
echo "ERROR: hdiutil failed to create DMG."
exit 1
fi
# Sign the DMG itself # Sign the DMG itself
codesign \ codesign \
--sign "Developer ID Application: Laurent TRINQUES (Y73WZ6WZ5X)" \ --sign "$IDENTITY" \
--timestamp \ --timestamp \
"$DMG_PATH" "$DMG_PATH"
@@ -320,9 +350,18 @@ if [[ $a == "Y" || $a == "y" ]]; then
echo "______________________________________________________________" echo "______________________________________________________________"
echo "Notarizing DMG:" echo "Notarizing DMG:"
xcrun notarytool submit "$DMG_PATH" --keychain-profile "org.qelectrotech" --wait xcrun notarytool submit "$DMG_PATH" --keychain-profile "org.qelectrotech" --wait
if [ $? -ne 0 ]; then
echo "ERROR: DMG notarization failed. Check the log with:"
echo " xcrun notarytool log <submission-id> --keychain-profile org.qelectrotech"
exit 1
fi
echo "Stapling notarization ticket to DMG..." echo "Stapling notarization ticket to DMG..."
xcrun stapler staple "$DMG_PATH" xcrun stapler staple "$DMG_PATH"
if [ $? -ne 0 ]; then
echo "ERROR: stapling DMG failed."
exit 1
fi
echo "DMG notarized and stapled OK." echo "DMG notarized and stapled OK."
else else
echo -e "\033[1;33mExit.\033[m" echo -e "\033[1;33mExit.\033[m"
@@ -331,7 +370,7 @@ fi
### Clean up bundle ################################################# ### Clean up bundle #################################################
echo "Cleaning up bundle..." echo "Cleaning up bundle..."
rm -rf $BUNDLE rm -rf "$BUNDLE"
### The end ######################################################### ### The end #########################################################