From c9a82dba96b9c025b9e1508b1d081eb582845548 Mon Sep 17 00:00:00 2001
From: Beq
Date: Wed, 27 Mar 2024 21:36:19 +0000
Subject: [PATCH 1/7] Migrate to notarytool
---
 indra/newview/installers/darwin/apple-notarize.sh | 15 +++++++--------
 1 file changed, 7 insertions(+), 8 deletions(-)
diff --git a/indra/newview/installers/darwin/apple-notarize.sh b/indra/newview/installers/darwin/apple-notarize.sh
index ce012d84ed..ca62b79e5c 100755
--- a/indra/newview/installers/darwin/apple-notarize.sh
+++ b/indra/newview/installers/darwin/apple-notarize.sh
@@ -11,11 +11,11 @@ if [[ -f "$CONFIG_FILE" ]]; then
 zip_file=${app_file/app/zip}
 ditto -c -k --keepParent "$app_file" "$zip_file"
 if [[ -f "$zip_file" ]]; then
- res=$(xcrun altool --notarize-app --primary-bundle-id "org.firestormviewer.firestorm" \
- --username $USERNAME \
- --password $PASSWORD \
- --asc-provider $ASC_PROVIDER \
- --file "$zip_file" 2>&1)
+ res=$(xcrun notarytool submit "$zip_file" \
+ --keychain-profile viewer.keychain-db \
+ --verbose \
+ --asc-provider $ASC_PROVIDER \
+ --wait 2>&1)
 echo $res
 requestUUID=$(echo $res | awk '/RequestUUID/ { print $NF; }')
@@ -23,9 +23,8 @@ if [[ -f "$CONFIG_FILE" ]]; then
 in_progress=1
 while [[ $in_progress -eq 1 ]]; do
 sleep 30
- res=$(xcrun altool --notarization-info "$requestUUID" \
- --username $USERNAME \
- --password $PASSWORD 2>&1)
+ res=$(xcrun notarytool info "$requestUUID" \
+ --keychain-profile viewer.keychain-db 2>&1)
 if [[ $res != *"in progress"* ]]; then
 in_progress=0
 fi
From 35b746d43c8648852a6f454374c26376d623e422 Mon Sep 17 00:00:00 2001
From: Beq
Date: Wed, 27 Mar 2024 23:50:08 +0000
Subject: [PATCH 2/7] ASC_PROVIDER not supported in notarytool
---
 indra/newview/installers/darwin/apple-notarize.sh | 1 -
 1 file changed, 1 deletion(-)
diff --git a/indra/newview/installers/darwin/apple-notarize.sh b/indra/newview/installers/darwin/apple-notarize.sh
index ca62b79e5c..c3732ce57c 100755
--- a/indra/newview/installers/darwin/apple-notarize.sh
+++ b/indra/newview/installers/darwin/apple-notarize.sh
@@ -14,7 +14,6 @@ if [[ -f "$CONFIG_FILE" ]]; then
 res=$(xcrun notarytool submit "$zip_file" \
 --keychain-profile viewer.keychain-db \
 --verbose \
- --asc-provider $ASC_PROVIDER \
 --wait 2>&1)
 echo $res
From edc8d6522e44f8261a1040a2c96bdc1899129a7a Mon Sep 17 00:00:00 2001
From: Beq
Date: Thu, 28 Mar 2024 11:02:26 +0000
Subject: [PATCH 3/7] Add full credentials to keychain for notarytool
---
 indra/newview/installers/darwin/apple-notarize.sh | 5 +++++
 1 file changed, 5 insertions(+)
diff --git a/indra/newview/installers/darwin/apple-notarize.sh b/indra/newview/installers/darwin/apple-notarize.sh
index c3732ce57c..156f40155b 100755
--- a/indra/newview/installers/darwin/apple-notarize.sh
+++ b/indra/newview/installers/darwin/apple-notarize.sh
@@ -11,6 +11,11 @@ if [[ -f "$CONFIG_FILE" ]]; then
 zip_file=${app_file/app/zip}
 ditto -c -k --keepParent "$app_file" "$zip_file"
 if [[ -f "$zip_file" ]]; then
+ res=$(xcrun notarytool store-credentials \
+ --keychain-profile viewer.keychain-db \
+ --username $USERNAME \
+ --password $PASSWORD 2>&1)
+ echo $res
 res=$(xcrun notarytool submit "$zip_file" \
 --keychain-profile viewer.keychain-db \
 --verbose \
From 2103a39f3dba0755f120d08c280159f64a22c049 Mon Sep 17 00:00:00 2001
From: Beq
Date: Thu, 28 Mar 2024 17:36:20 +0000
Subject: [PATCH 4/7] use apple-id
---
 indra/newview/installers/darwin/apple-notarize.sh | 5 +++--
 1 file changed, 3 insertions(+), 2 deletions(-)
diff --git a/indra/newview/installers/darwin/apple-notarize.sh b/indra/newview/installers/darwin/apple-notarize.sh
index 156f40155b..5466c65778 100755
--- a/indra/newview/installers/darwin/apple-notarize.sh
+++ b/indra/newview/installers/darwin/apple-notarize.sh
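Review bot: In the `store-credentials` call added by PATCH 3/7, `--username $USERNAME` and `--password $PASSWORD` are expanded unquoted and passed on the command line, so a value containing spaces or glob characters is split or expanded, and the secret is visible in the process arguments while notarytool runs. At minimum quote both (`--username "$USERNAME"`, `--password "$PASSWORD"`). The combined stdout/stderr is then written to the build log by `echo $res`, so it is worth confirming that the tool's output never repeats the credential, since a value decoded from an encoded CI secret is not necessarily masked in logs. The same unquoted `--password $PASSWORD` recurs in the `notarytool submit` call added in PATCH 6/7.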
@@ -12,8 +12,9 @@ if [[ -f "$CONFIG_FILE" ]]; then
 ditto -c -k --keepParent "$app_file" "$zip_file"
 if [[ -f "$zip_file" ]]; then
 res=$(xcrun notarytool store-credentials \
- --keychain-profile viewer.keychain-db \
- --username $USERNAME \
+ viewer.keychain-db \
+ --verbose \
+ --apple-id $USERNAME \
 --password $PASSWORD 2>&1)
 echo $res
 res=$(xcrun notarytool submit "$zip_file" \
From adf35472f5d74684e6b6ae212e066f6e45e59133 Mon Sep 17 00:00:00 2001
From: Beq
Date: Mon, 1 Apr 2024 22:44:32 +0100
Subject: [PATCH 5/7] remove conditional for a compiler we can no longer use.
---
 scripts/configure_firestorm.sh | 12 +++---------
 1 file changed, 3 insertions(+), 9 deletions(-)
diff --git a/scripts/configure_firestorm.sh b/scripts/configure_firestorm.sh
index 6b2111506a..f576225d03 100755
--- a/scripts/configure_firestorm.sh
+++ b/scripts/configure_firestorm.sh
@@ -620,15 +620,9 @@ if [ $WANTS_BUILD -eq $TRUE ] ; then
 make -j $JOBS | tee -a $LOG
 fi
 elif [ $TARGET_PLATFORM == "windows" ] ; then
- if [ "${AUTOBUILD_VSVER}" -ge 170 ] ; then
- msbuild.exe Firestorm.sln -p:Configuration=${BTYPE} -flp:LogFile="logs\\FirestormBuild_win-${AUTOBUILD_ADDRSIZE}.log" \
- -flp1:"errorsonly;LogFile=logs\\FirestormBuild_win-${AUTOBUILD_ADDRSIZE}.err" -p:Platform=${AUTOBUILD_WIN_VSPLATFORM} -t:Build -p:useenv=true \
- -verbosity:normal -toolsversion:Current -p:"VCBuildAdditionalOptions= /incremental"
- else
- msbuild.exe Firestorm.sln -p:Configuration=${BTYPE} -flp:LogFile="logs\\FirestormBuild_win-${AUTOBUILD_ADDRSIZE}.log" \
- -flp1:"errorsonly;LogFile=logs\\FirestormBuild_win-${AUTOBUILD_ADDRSIZE}.err" -p:Platform=${AUTOBUILD_WIN_VSPLATFORM} -t:Build -p:useenv=true \
- -verbosity:normal -toolsversion:15.0 -p:"VCBuildAdditionalOptions= /incremental"
- fi
+ msbuild.exe Firestorm.sln -p:Configuration=${BTYPE} -flp:LogFile="logs\\FirestormBuild_win-${AUTOBUILD_ADDRSIZE}.log" \
+ -flp1:"errorsonly;LogFile=logs\\FirestormBuild_win-${AUTOBUILD_ADDRSIZE}.err" -p:Platform=${AUTOBUILD_WIN_VSPLATFORM} -t:Build -p:useenv=true \
+ -verbosity:normal -toolsversion:Current -p:"VCBuildAdditionalOptions= /incremental"
 fi
 # Check the return code of the build command
 if [ $? -ne 0 ]; then
From 9abf29e9955b2ca039482ca2cb3fcffbe7375175 Mon Sep 17 00:00:00 2001
From: Beq
Date: Mon, 1 Apr 2024 22:45:17 +0100
Subject: [PATCH 6/7] A bunch more changes for notarising. fingers crossed.
---
 .github/workflows/build_viewer.yml | 2 +
 .../installers/darwin/apple-notarize.sh | 42 +++++--------------
 2 files changed, 13 insertions(+), 31 deletions(-)
diff --git a/.github/workflows/build_viewer.yml b/.github/workflows/build_viewer.yml
index bcacdc8789..803ec090c4 100644
--- a/.github/workflows/build_viewer.yml
+++ b/.github/workflows/build_viewer.yml
@@ -178,6 +178,8 @@ jobs:
 echo -n "$FS_CERT_PASS" >${build_secrets_checkout}/code-signing-osx/password.txt
 echo -n "$NOTARIZE_CREDS" | base64 --decode --output ${build_secrets_checkout}/code-signing-osx/notarize_creds.sh
 security create-keychain -p "$FS_KEYCHAIN_PASS" ~/Library/Keychains/viewer.keychain
+ # notarize tool uses a specific database keychain by default we need to override this to ours.
+ security default-keychain -s viewer.keychain
 security set-keychain-settings -lut 21600 ~/Library/Keychains/viewer.keychain
 security unlock-keychain -p "$FS_KEYCHAIN_PASS" ~/Library/Keychains/viewer.keychain
 security import ${build_secrets_checkout}/code-signing-osx/fs-cert.p12 -P "$FS_CERT_PASS" -A -t cert -f pkcs12 -k ~/Library/Keychains/viewer.keychain
diff --git a/indra/newview/installers/darwin/apple-notarize.sh b/indra/newview/installers/darwin/apple-notarize.sh
index 5466c65778..953ad5e093 100755
--- a/indra/newview/installers/darwin/apple-notarize.sh
+++ b/indra/newview/installers/darwin/apple-notarize.sh
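Review bot: `security default-keychain -s viewer.keychain` changes the default keychain for the whole user account, and nothing visible in this hunk restores it, so on a runner that is reused between jobs later builds would keep resolving the default keychain to the signing keychain. It also names the keychain by bare name while every neighbouring command uses `~/Library/Keychains/viewer.keychain`; using the full path here keeps the step unambiguous. If the workflow has a cleanup step, that is the place to reset the default keychain; the rest of the step lies outside the hunk.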
@@ -12,46 +12,26 @@ if [[ -f "$CONFIG_FILE" ]]; then
 ditto -c -k --keepParent "$app_file" "$zip_file"
 if [[ -f "$zip_file" ]]; then
 res=$(xcrun notarytool store-credentials \
- viewer.keychain-db \
+ viewer.profile \
 --verbose \
- --apple-id $USERNAME \
- --password $PASSWORD 2>&1)
 echo $res
 res=$(xcrun notarytool submit "$zip_file" \
- --keychain-profile viewer.keychain-db \
+ --apple-id $USERNAME \
+ --password $PASSWORD \
 --verbose \
 --wait 2>&1)
+ echo "Notarytool submit:"
 echo $res
- requestUUID=$(echo $res | awk '/RequestUUID/ { print $NF; }')
- if [[ -n $requestUUID ]]; then
- in_progress=1
- while [[ $in_progress -eq 1 ]]; do
- sleep 30
- res=$(xcrun notarytool info "$requestUUID" \
- --keychain-profile viewer.keychain-db 2>&1)
- if [[ $res != *"in progress"* ]]; then
- in_progress=0
- fi
- echo "."
- done
- # log results
- echo $res
+ [[ "$res" =~ 'id: '([^[:space:]]+) ]]
+ match=$?
- #remove temporary file
- rm "$zip_file"
-
- if [[ $res == *"success"* ]]; then
- xcrun stapler staple "$app_file"
- exit 0
- elif [[ $res == *"invalid"* ]]; then
- echo "Notarization error: failed to process the app file"
- exit 1
- else
- echo "Notarization error: unknown response status"
- fi
+ if [[ ! $match -eq 0 ]]; then
+ echo "Running Stapler"
+ xcrun stapler staple "$app_file"
+ exit 0
 else
- echo "Notarization error: couldn't get request UUID"
+ echo "Notarization error"
 exit 1
 fi
 else
From d3501a0cecd73cb3ada4336938f29664adc968ca Mon Sep 17 00:00:00 2001
From: Beq
Date: Tue, 2 Apr 2024 11:23:36 +0100
Subject: [PATCH 7/7] remove store-credentials as we should not need it now
---
 indra/newview/installers/darwin/apple-notarize.sh | 8 ++++----
 1 file changed, 4 insertions(+), 4 deletions(-)
diff --git a/indra/newview/installers/darwin/apple-notarize.sh b/indra/newview/installers/darwin/apple-notarize.sh
index 953ad5e093..b7006bf5cd 100755
--- a/indra/newview/installers/darwin/apple-notarize.sh
+++ b/indra/newview/installers/darwin/apple-notarize.sh
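Review bot: The success test is inverted: `match=$?` is 0 when the `id: ` regex matched, yet `if [[ ! $match -eq 0 ]]` runs the stapler and exits 0 only when it did not match, and prints "Notarization error" when it did. An `id:` in the output also shows only that a submission was created, not that it was accepted, so I would capture `submit_rc=$?` directly after the command substitution and test `if [[ $submit_rc -eq 0 && "$res" == *"status: Accepted"* ]]; then` (confirm the exact status wording against real notarytool output). The hunk drops `rm "$zip_file"` as well, so the temporary archive now stays on disk on both paths; `rm -f -- "$zip_file"` before the branch restores the cleanup. The enclosing `if [[ -f "$CONFIG_FILE" ]]` block starts and ends outside the hunk.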
@@ -11,10 +11,10 @@ if [[ -f "$CONFIG_FILE" ]]; then
 zip_file=${app_file/app/zip}
 ditto -c -k --keepParent "$app_file" "$zip_file"
 if [[ -f "$zip_file" ]]; then
- res=$(xcrun notarytool store-credentials \
- viewer.profile \
- --verbose \
- echo $res
+ # res=$(xcrun notarytool store-credentials \
+ # viewer.profile \
+ # --verbose 2>*1)
+ # echo $res
 res=$(xcrun notarytool submit "$zip_file" \
 --apple-id $USERNAME \
 --password $PASSWORD \
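Review bot: The `store-credentials` call is commented out rather than deleted, which leaves four dead lines in a script that handles signing credentials, and the commented text is not what was removed: it ends in `--verbose 2>*1)`, presumably meant as `2>&1`, so uncommenting it later would not restore working code. Since the commit message says the call is no longer needed, I would delete the lines and rely on history. The surrounding `if [[ -f "$zip_file" ]]` block continues past the end of the hunk.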