From ea78f8d83ed8ca0cbda130f774881ec7d3ad2a1f Mon Sep 17 00:00:00 2001 From: halprin Date: Sat, 22 Feb 2025 17:04:16 -0700 Subject: [PATCH 01/19] Code sign the macOS binaries that go into d3-osx.hog --- scripts/CMakeLists.txt | 5 +++++ 1 file changed, 5 insertions(+) diff --git a/scripts/CMakeLists.txt b/scripts/CMakeLists.txt index 039a64243..33b4fbaaf 100644 --- a/scripts/CMakeLists.txt +++ b/scripts/CMakeLists.txt @@ -87,6 +87,11 @@ foreach(SCRIPT ${SCRIPTS}) set_target_properties(${SCRIPT} PROPERTIES CXX_VISIBILITY_PRESET "hidden") if(CMAKE_SYSTEM_NAME STREQUAL "Darwin") set_target_properties(${SCRIPT} PROPERTIES SUFFIX ".dylib") + if(DEFINED CODESIGN_IDENTITY AND NOT "${CODESIGN_IDENTITY}" STREQUAL "") + message(STATUS "Code signing ${SCRIPT}") + add_custom_command(TARGET ${SCRIPT} POST_BUILD + COMMAND codesign --verbose --sign "${CODESIGN_IDENTITY}" --force --timestamp --deep -o runtime $) + endif() endif() endforeach() From 918343eb8394d19e3f4cbada914ff121000dff13 Mon Sep 17 00:00:00 2001 From: halprin Date: Sat, 22 Feb 2025 17:30:21 -0700 Subject: [PATCH 02/19] Code sign the netcon clients for macOS --- netcon/descent3onlineclient/CMakeLists.txt | 5 +++++ netcon/lanclient/CMakeLists.txt | 5 +++++ netcon/mtclient/CMakeLists.txt | 5 +++++ 3 files changed, 15 insertions(+) diff --git a/netcon/descent3onlineclient/CMakeLists.txt b/netcon/descent3onlineclient/CMakeLists.txt index d6262a7dd..b3697a6e9 100644 --- a/netcon/descent3onlineclient/CMakeLists.txt +++ b/netcon/descent3onlineclient/CMakeLists.txt 
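Review bot: The POST_BUILD `codesign` call added inside the Darwin branch passes `--deep`, and the `add_custom_command` has no `VERBATIM`. Each target here is a single `.dylib`, so `--deep` has no nested code to cover, and Apple's signing guidance advises against using it when signing. Without `VERBATIM`, the quoting of an identity that contains spaces or parentheses is left to platform-dependent escaping. I would drop `--deep` and end the command with `VERBATIM`. The same five lines are added for `Descent3_Online_TCP_IP`, `Direct_TCP_IP` and `Parallax_Online` in PATCH 02 and are carried into `macos_sign` in PATCH 15; the final argument shows on this page as a bare `$`, which looks like a generator expression lost in extraction, so the full line is not quoted here.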
@@ -27,6 +27,11 @@ target_link_libraries(Descent3_Online_TCP_IP PRIVATE target_include_directories(Descent3_Online_TCP_IP PRIVATE ${SDL3_INCLUDE_DIRS}) if(CMAKE_SYSTEM_NAME STREQUAL "Darwin") set_target_properties(Descent3_Online_TCP_IP PROPERTIES SUFFIX ".dylib") + if(DEFINED CODESIGN_IDENTITY AND NOT "${CODESIGN_IDENTITY}" STREQUAL "") + message(STATUS "Code signing Descent3_Online_TCP_IP") + add_custom_command(TARGET Descent3_Online_TCP_IP POST_BUILD + COMMAND codesign --verbose --sign "${CODESIGN_IDENTITY}" --force --timestamp --deep -o runtime $) + endif() endif() include(HogMaker) diff --git a/netcon/lanclient/CMakeLists.txt b/netcon/lanclient/CMakeLists.txt index 82ca3da64..4881a16e0 100644 --- a/netcon/lanclient/CMakeLists.txt +++ b/netcon/lanclient/CMakeLists.txt @@ -19,6 +19,11 @@ target_link_libraries(Direct_TCP_IP PRIVATE target_include_directories(Direct_TCP_IP PRIVATE ${SDL3_INCLUDE_DIRS}) if(CMAKE_SYSTEM_NAME STREQUAL "Darwin") set_target_properties(Direct_TCP_IP PROPERTIES SUFFIX ".dylib") + if(DEFINED CODESIGN_IDENTITY AND NOT "${CODESIGN_IDENTITY}" STREQUAL "") + message(STATUS "Code signing Direct_TCP_IP") + add_custom_command(TARGET Direct_TCP_IP POST_BUILD + COMMAND codesign --verbose --sign "${CODESIGN_IDENTITY}" --force --timestamp --deep -o runtime $) + endif() endif() include(HogMaker) diff --git a/netcon/mtclient/CMakeLists.txt b/netcon/mtclient/CMakeLists.txt index a1480164e..b82e7853e 100644 --- a/netcon/mtclient/CMakeLists.txt +++ b/netcon/mtclient/CMakeLists.txt 
@@ -29,6 +29,11 @@ target_link_libraries(Parallax_Online PRIVATE target_include_directories(Parallax_Online PRIVATE ${SDL3_INCLUDE_DIRS}) if(CMAKE_SYSTEM_NAME STREQUAL "Darwin") set_target_properties(Parallax_Online PROPERTIES SUFFIX ".dylib") + if(DEFINED CODESIGN_IDENTITY AND NOT "${CODESIGN_IDENTITY}" STREQUAL "") + message(STATUS "Code signing Parallax_Online") + add_custom_command(TARGET Parallax_Online POST_BUILD + COMMAND codesign --verbose --sign "${CODESIGN_IDENTITY}" --force --timestamp --deep -o runtime $) + endif() endif() include(HogMaker) From 5cbeb9a7641774d5de4721683140aaf3340938dd Mon Sep 17 00:00:00 2001 From: halprin Date: Sat, 22 Feb 2025 18:49:35 -0700 Subject: [PATCH 03/19] Update Build GitHub Action to support macOS signing, package, and notarization --- .github/workflows/build.yml | 22 +++++++++++++++++++++- 1 file changed, 21 insertions(+), 1 deletion(-) diff --git a/.github/workflows/build.yml b/.github/workflows/build.yml index 5523bcc77..1ebdff09e 100644 --- a/.github/workflows/build.yml +++ b/.github/workflows/build.yml 
@@ -103,12 +103,19 @@ jobs: cp ./arm64-osx.cmake ./community/universal-osx.cmake sed -i '' 's/^set(VCPKG_OSX_ARCHITECTURES.*$/set(VCPKG_OSX_ARCHITECTURES "arm64;x86_64")/' ./community/universal-osx.cmake + - name: Import macOS code signing certificate + if: ${{ matrix.os.preset == 'mac' }} + uses: apple-actions/import-codesign-certs@v3 + with: + p12-file-base64: ${{ secrets.MACOS_SIGNING_CERTIFICATE_P12 }} + p12-password: ${{ secrets.MACOS_SIGNING_CERTIFICATE_P12_PASSWORD }} + - name: Configure CMake if: ${{ matrix.os.preset != 'linux-cross-arm64' }} env: CC: ${{ matrix.os.cc }} CXX: ${{ matrix.os.cxx }} - run: cmake --preset ${{ matrix.os.preset }} -DBUILD_TESTING=ON -DENABLE_LOGGER=ON -DFORCE_PORTABLE_INSTALL=ON -DBUILD_EDITOR=ON -DUSE_EXTERNAL_PLOG=ON + run: cmake --preset ${{ matrix.os.preset }} -DCODESIGN_IDENTITY=${{ secrets.SIGNING_IDENTITY }} -DBUILD_TESTING=ON -DENABLE_LOGGER=ON -DFORCE_PORTABLE_INSTALL=ON -DBUILD_EDITOR=ON -DUSE_EXTERNAL_PLOG=ON - name: Build ${{ matrix.build_type }} run: cmake --build --preset ${{ matrix.os.preset }} --config ${{ matrix.build_type }} --verbose 
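Review bot: In the `Configure CMake` step, `-DCODESIGN_IDENTITY=${{ secrets.SIGNING_IDENTITY }}` is pasted into the `run:` script unquoted, so the secret's text is parsed by the shell instead of being passed as one argument. A signing identity commonly contains spaces and parentheses, which would split the argument or fail to parse (inferred; the value is not visible here). Put it in the step's `env:` as `CODESIGN_IDENTITY: ${{ secrets.SIGNING_IDENTITY }}` and write `-DCODESIGN_IDENTITY="$CODESIGN_IDENTITY"` in `run:`. If this step also runs under a non-POSIX shell on some matrix entry, the variable syntax needs adapting there. PATCH 04 renames the secret but keeps the same unquoted expansion.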
@@ -121,6 +128,19 @@ jobs: # There no cmake install presets so install in traditional way run: cmake --install builds/${{ matrix.os.preset }}/ --config ${{ matrix.build_type }} + - name: Sign, package, and notarize for macOS + if: ${{ matrix.os.preset == 'mac' }} + uses: halprin/macos-sign-package-notarize@053b57360594c2f0ca9fb85fe3ad75fcc6bd9596 + with: + path-to-binaries: builds/${{ matrix.os.preset }}/installed/Descent3.app builds/${{ matrix.os.preset }}/installed/netgames/anarchy.d3m builds/${{ matrix.os.preset }}/installed/netgames/co-op.d3m builds/${{ matrix.os.preset }}/installed/netgames/ctf.d3m builds/${{ matrix.os.preset }}/installed/netgames/entropy.d3m builds/${{ matrix.os.preset }}/installed/netgames/hoard.d3m builds/${{ matrix.os.preset }}/installed/netgames/hyper-anarchy.d3m builds/${{ matrix.os.preset }}/installed/netgames/monsterball.d3m builds/${{ matrix.os.preset }}/installed/netgames/robo-anarchy.d3m builds/${{ matrix.os.preset }}/installed/netgames/team\ anarchy.d3m + signing-identity: ${{ secrets.MACOS_SIGNING_IDENTITY }} + app-store-connect-key: ${{ secrets.MACOS_APP_STORE_CONNECT_KEY }} + app-store-connect-key-id: ${{ secrets.MACOS_APP_STORE_CONNECT_KEY_ID }} + app-store-connect-issuer-id: ${{ secrets.MACOS_APP_STORE_CONNECT_ISSUER_ID }} + archive-files: builds/${{ matrix.os.preset }}/installed/* + archive-disk-name: Descent 3 + archive-file-path: builds/${{ matrix.os.preset }}/installed//Descent3-${{ matrix.build_type }}-${{ matrix.os.name }}.dmg + - name: Upload Artifacts uses: actions/upload-artifact@v4 with: From b98276015a948512bbb9753cbe9a358760478863 Mon Sep 17 00:00:00 2001 From: halprin Date: Sat, 22 Feb 2025 18:50:27 -0700 Subject: [PATCH 04/19] Update secret name --- .github/workflows/build.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/workflows/build.yml b/.github/workflows/build.yml index 1ebdff09e..c1548dafd 100644 --- a/.github/workflows/build.yml +++ b/.github/workflows/build.yml 
@@ -115,7 +115,7 @@ jobs: env: CC: ${{ matrix.os.cc }} CXX: ${{ matrix.os.cxx }} - run: cmake --preset ${{ matrix.os.preset }} -DCODESIGN_IDENTITY=${{ secrets.SIGNING_IDENTITY }} -DBUILD_TESTING=ON -DENABLE_LOGGER=ON -DFORCE_PORTABLE_INSTALL=ON -DBUILD_EDITOR=ON -DUSE_EXTERNAL_PLOG=ON + run: cmake --preset ${{ matrix.os.preset }} -DCODESIGN_IDENTITY=${{ secrets.MACOS_SIGNING_IDENTITY }} -DBUILD_TESTING=ON -DENABLE_LOGGER=ON -DFORCE_PORTABLE_INSTALL=ON -DBUILD_EDITOR=ON -DUSE_EXTERNAL_PLOG=ON - name: Build ${{ matrix.build_type }} run: cmake --build --preset ${{ matrix.os.preset }} --config ${{ matrix.build_type }} --verbose From fb34cc251d699b81e46509176812a4ea8ce63d6f Mon Sep 17 00:00:00 2001 From: halprin Date: Sat, 22 Feb 2025 19:41:59 -0700 Subject: [PATCH 05/19] try using glob syntax to sign everything in netgames --- .github/workflows/build.yml | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/.github/workflows/build.yml b/.github/workflows/build.yml index c1548dafd..76a73d6bc 100644 --- a/.github/workflows/build.yml +++ b/.github/workflows/build.yml 
@@ -130,16 +130,16 @@ jobs: - name: Sign, package, and notarize for macOS if: ${{ matrix.os.preset == 'mac' }} - uses: halprin/macos-sign-package-notarize@053b57360594c2f0ca9fb85fe3ad75fcc6bd9596 + uses: halprin/macos-sign-package-notarize@v2 with: - path-to-binaries: builds/${{ matrix.os.preset }}/installed/Descent3.app builds/${{ matrix.os.preset }}/installed/netgames/anarchy.d3m builds/${{ matrix.os.preset }}/installed/netgames/co-op.d3m builds/${{ matrix.os.preset }}/installed/netgames/ctf.d3m builds/${{ matrix.os.preset }}/installed/netgames/entropy.d3m builds/${{ matrix.os.preset }}/installed/netgames/hoard.d3m builds/${{ matrix.os.preset }}/installed/netgames/hyper-anarchy.d3m builds/${{ matrix.os.preset }}/installed/netgames/monsterball.d3m builds/${{ matrix.os.preset }}/installed/netgames/robo-anarchy.d3m builds/${{ matrix.os.preset }}/installed/netgames/team\ anarchy.d3m + path-to-binaries: builds/${{ matrix.os.preset }}/installed/Descent3.app builds/${{ matrix.os.preset }}/installed/netgames/* signing-identity: ${{ secrets.MACOS_SIGNING_IDENTITY }} app-store-connect-key: ${{ secrets.MACOS_APP_STORE_CONNECT_KEY }} app-store-connect-key-id: ${{ secrets.MACOS_APP_STORE_CONNECT_KEY_ID }} app-store-connect-issuer-id: ${{ secrets.MACOS_APP_STORE_CONNECT_ISSUER_ID }} archive-files: builds/${{ matrix.os.preset }}/installed/* archive-disk-name: Descent 3 - archive-file-path: builds/${{ matrix.os.preset }}/installed//Descent3-${{ matrix.build_type }}-${{ matrix.os.name }}.dmg + archive-file-path: builds/${{ matrix.os.preset }}/installed/Descent3-${{ matrix.build_type }}-${{ matrix.os.name }}.dmg - name: Upload Artifacts uses: actions/upload-artifact@v4 From b4827b410d8239fb126317059f4148cd6d307082 Mon Sep 17 00:00:00 2001 
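Review bot: The `uses:` line of the sign/notarize step moves from a full commit SHA to the movable tag `halprin/macos-sign-package-notarize@v2`, and this step is handed the signing identity and the App Store Connect key. A tag can be re-pointed after review, so whatever it resolves to at run time executes with those secrets. Keep the pin and record the version beside it, e.g. `uses: halprin/macos-sign-package-notarize@<full-commit-sha-of-v2> # v2`. The same applies to `apple-actions/import-codesign-certs@v3` in PATCH 03, which receives the P12 and its password, and to the two `DescentDevelopers/...@v1` references introduced in PATCH 11.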
From: halprin Date: Sat, 22 Feb 2025 19:46:42 -0700 Subject: [PATCH 06/19] Clean the installed folder after making disk image and move disk image into installed folder --- .github/workflows/build.yml | 8 +++++++- 1 file changed, 7 insertions(+), 1 deletion(-) diff --git a/.github/workflows/build.yml b/.github/workflows/build.yml index 76a73d6bc..35752ccac 100644 --- a/.github/workflows/build.yml +++ b/.github/workflows/build.yml @@ -139,7 +139,13 @@ jobs: app-store-connect-issuer-id: ${{ secrets.MACOS_APP_STORE_CONNECT_ISSUER_ID }} archive-files: builds/${{ matrix.os.preset }}/installed/* archive-disk-name: Descent 3 - archive-file-path: builds/${{ matrix.os.preset }}/installed/Descent3-${{ matrix.build_type }}-${{ matrix.os.name }}.dmg + archive-file-path: builds/${{ matrix.os.preset }}/Descent3-${{ matrix.build_type }}-${{ matrix.os.name }}.dmg + + - name: Swap macOS DMG disk image into installed folder + if: ${{ matrix.os.preset == 'mac' }} + run: | + rm -rf builds/${{ matrix.os.preset }}/installed/* + mv builds/${{ matrix.os.preset }}/Descent3-${{ matrix.build_type }}-${{ matrix.os.name }}.dmg builds/${{ matrix.os.preset }}/installed/ - name: Upload Artifacts uses: actions/upload-artifact@v4 From c509705c741ccc6f7c6d57b8c2f3ff7613c06034 Mon Sep 17 00:00:00 2001 From: halprin Date: Sat, 22 Feb 2025 20:04:59 -0700 Subject: [PATCH 07/19] Remove all references to the macOS binary not being signed in USAGE.md readme --- USAGE.md | 7 +------ 1 file changed, 1 insertion(+), 6 deletions(-) diff --git a/USAGE.md b/USAGE.md index 5d600356d..2e05307aa 100644 --- a/USAGE.md +++ b/USAGE.md 
@@ -63,12 +63,7 @@ conflicts. - On Linux, `cd` to `D3-open-source` and run `./Descent3`. Wayland users may need to set environment variable `SDL_VIDEODRIVER=wayland` before launching the game. - - On macOS, the `.app` bundle is currently not signed, so your operating - system will not let you run it by double-clicking it. To remediate that, - open your terminal and `cd` to `D3-open-source`. Run - `xattr -c ./Descent3.app`, `xattr -c ./netgames/*`, - `chmod +x ./Descent3.app/Contents/MacOS/Descent3`, and then run the game - using `./Descent3.app/Contents/MacOS/Descent3` + - On macOS, open the terminal, `cd` to `D3-open-source`, and run `./Descent3.app/Contents/MacOS/Descent3`. ## Troubleshooting From bfdf9f8eca628b7df429e8b2791a8adbd4cbf9f5 Mon Sep 17 00:00:00 2001 From: halprin Date: Sun, 23 Feb 2025 16:41:53 -0700 Subject: [PATCH 08/19] Split the PR workflow from the main build workflow to be explicit --- .github/workflows/build.yml | 34 +++++++++++++++++++++------------- .github/workflows/cd.yml | 23 +++++++++++++++++++++++ .github/workflows/ci.yml | 17 +++++++++++++++++ 3 files changed, 61 insertions(+), 13 deletions(-) create mode 100644 .github/workflows/cd.yml create mode 100644 .github/workflows/ci.yml diff --git a/.github/workflows/build.yml b/.github/workflows/build.yml index 35752ccac..f8335f2bb 100644 --- a/.github/workflows/build.yml +++ b/.github/workflows/build.yml @@ -1,16 +1,21 @@ name: Descent 3 Build on: - workflow_dispatch: - push: - branches: [ "main" ] - paths-ignore: - - '**/*.md' - pull_request: - branches: [ "main" ] - paths-ignore: - - '**/README.md' - - '**/LICENSE' + workflow_call: + secrets: + MACOS_SIGNING_IDENTITY: + required: false + MACOS_SIGNING_CERTIFICATE_P12: + required: false + MACOS_SIGNING_CERTIFICATE_P12_PASSWORD: + required: false + MACOS_APP_STORE_CONNECT_KEY: + required: false + MACOS_APP_STORE_CONNECT_KEY_ID: + required: false + MACOS_APP_STORE_CONNECT_ISSUER_ID: + required: false + jobs: build: 
@@ -50,6 +55,9 @@ jobs: runs-on: ${{ matrix.os.runner }} + env: + MACOS_SIGNING: ${{ secrets.MACOS_SIGNING_IDENTITY != '' }} + steps: - uses: actions/checkout@v4 with: @@ -104,7 +112,7 @@ jobs: sed -i '' 's/^set(VCPKG_OSX_ARCHITECTURES.*$/set(VCPKG_OSX_ARCHITECTURES "arm64;x86_64")/' ./community/universal-osx.cmake - name: Import macOS code signing certificate - if: ${{ matrix.os.preset == 'mac' }} + if: ${{ matrix.os.preset == 'mac' && env.MACOS_SIGNING == 'true' }} uses: apple-actions/import-codesign-certs@v3 with: p12-file-base64: ${{ secrets.MACOS_SIGNING_CERTIFICATE_P12 }} @@ -129,7 +137,7 @@ jobs: run: cmake --install builds/${{ matrix.os.preset }}/ --config ${{ matrix.build_type }} - name: Sign, package, and notarize for macOS - if: ${{ matrix.os.preset == 'mac' }} + if: ${{ matrix.os.preset == 'mac' && env.MACOS_SIGNING == 'true' }} uses: halprin/macos-sign-package-notarize@v2 with: path-to-binaries: builds/${{ matrix.os.preset }}/installed/Descent3.app builds/${{ matrix.os.preset }}/installed/netgames/* @@ -142,7 +150,7 @@ jobs: archive-file-path: builds/${{ matrix.os.preset }}/Descent3-${{ matrix.build_type }}-${{ matrix.os.name }}.dmg - name: Swap macOS DMG disk image into installed folder - if: ${{ matrix.os.preset == 'mac' }} + if: ${{ matrix.os.preset == 'mac' && env.MACOS_SIGNING == 'true' }} run: | rm -rf builds/${{ matrix.os.preset }}/installed/* mv builds/${{ matrix.os.preset }}/Descent3-${{ matrix.build_type }}-${{ matrix.os.name }}.dmg builds/${{ matrix.os.preset }}/installed/ diff --git a/.github/workflows/cd.yml b/.github/workflows/cd.yml new file mode 100644 index 000000000..8cf1b61bd --- /dev/null +++ b/.github/workflows/cd.yml 
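Review bot: `MACOS_SIGNING` in the new job-level `env:` is computed from `MACOS_SIGNING_IDENTITY` alone, while the steps it gates also read the P12, its password and the three App Store Connect secrets, all of which are declared `required: false`. A caller that supplies only the identity would enter the import and notarize steps with empty inputs and presumably fail there instead of falling back to an unsigned build. Either extend the expression, e.g. `${{ secrets.MACOS_SIGNING_IDENTITY != '' && secrets.MACOS_SIGNING_CERTIFICATE_P12 != '' && secrets.MACOS_APP_STORE_CONNECT_KEY != '' }}`, or add a comment above it saying that the identity secret stands for the whole set. The rename to `MACOS_AND_CODE_SIGNING` in PATCH 17 keeps the single-secret test.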
@@ -0,0 +1,23 @@ +name: Continuous Delivery + + +on: + push: + branches: + - main + paths-ignore: + - '**/*.md' + + +jobs: + + build: + name: Build for main branch + uses: ./.github/workflows/build.yml + secrets: + MACOS_SIGNING_IDENTITY: ${{ secrets.MACOS_SIGNING_IDENTITY }} + MACOS_SIGNING_CERTIFICATE_P12: ${{ secrets.MACOS_SIGNING_CERTIFICATE_P12 }} + MACOS_SIGNING_CERTIFICATE_P12_PASSWORD: ${{ secrets.MACOS_SIGNING_CERTIFICATE_P12_PASSWORD }} + MACOS_APP_STORE_CONNECT_KEY: ${{ secrets.MACOS_APP_STORE_CONNECT_KEY }} + MACOS_APP_STORE_CONNECT_KEY_ID: ${{ secrets.MACOS_APP_STORE_CONNECT_KEY_ID }} + MACOS_APP_STORE_CONNECT_ISSUER_ID: ${{ secrets.MACOS_APP_STORE_CONNECT_ISSUER_ID }} diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml new file mode 100644 index 000000000..5461c948a --- /dev/null +++ b/.github/workflows/ci.yml @@ -0,0 +1,17 @@ +name: Continuous Integration + + +on: + pull_request: + branches: + - main + paths-ignore: + - '**/README.md' + - '**/LICENSE' + + +jobs: + + build: + name: Build for PR + uses: ./.github/workflows/build.yml \ No newline at end of file From b893489ccc0acba438e56ce7c75230189dcd84b5 Mon Sep 17 00:00:00 2001 From: halprin Date: Sun, 23 Feb 2025 16:57:03 -0700 Subject: [PATCH 09/19] Test passing in secrets into PR --- .github/workflows/ci.yml | 9 ++++++++- 1 file changed, 8 insertions(+), 1 deletion(-) diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml index 5461c948a..5cb4f452b 100644 --- a/.github/workflows/ci.yml +++ b/.github/workflows/ci.yml 
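Review bot: The `on:` block of `cd.yml` lists only `push`, so the `workflow_dispatch` trigger that `build.yml` had before this commit is not carried over to either new caller, and a signed build can no longer be started by hand. If manual runs are still wanted, add `workflow_dispatch:` under `on:` in `cd.yml`. A short comment at the top of `cd.yml`, such as `# Only this workflow forwards the signing and notarization secrets to build.yml`, would also help later editors keep `ci.yml` free of them.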
@@ -14,4 +14,11 @@ jobs: build: name: Build for PR - uses: ./.github/workflows/build.yml \ No newline at end of file + uses: ./.github/workflows/build.yml + secrets: + MACOS_SIGNING_IDENTITY: ${{ secrets.MACOS_SIGNING_IDENTITY }} + MACOS_SIGNING_CERTIFICATE_P12: ${{ secrets.MACOS_SIGNING_CERTIFICATE_P12 }} + MACOS_SIGNING_CERTIFICATE_P12_PASSWORD: ${{ secrets.MACOS_SIGNING_CERTIFICATE_P12_PASSWORD }} + MACOS_APP_STORE_CONNECT_KEY: ${{ secrets.MACOS_APP_STORE_CONNECT_KEY }} + MACOS_APP_STORE_CONNECT_KEY_ID: ${{ secrets.MACOS_APP_STORE_CONNECT_KEY_ID }} + MACOS_APP_STORE_CONNECT_ISSUER_ID: ${{ secrets.MACOS_APP_STORE_CONNECT_ISSUER_ID }} \ No newline at end of file From be9e6fa6385cd12128f783f0cdfe106a24939ec8 Mon Sep 17 00:00:00 2001 From: halprin Date: Sun, 23 Feb 2025 17:06:46 -0700 Subject: [PATCH 10/19] Remove test of putting secrets into PR workflow --- .github/workflows/build.yml | 2 ++ .github/workflows/ci.yml | 8 +------- 2 files changed, 3 insertions(+), 7 deletions(-) diff --git a/.github/workflows/build.yml b/.github/workflows/build.yml index f8335f2bb..d0cf41b34 100644 --- a/.github/workflows/build.yml +++ b/.github/workflows/build.yml @@ -1,5 +1,6 @@ name: Descent 3 Build + on: workflow_call: secrets: @@ -18,6 +19,7 @@ on: jobs: + build: name: ${{ matrix.os.name }}, ${{ matrix.build_type }} strategy: diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml index 5cb4f452b..73fa2edac 100644 --- a/.github/workflows/ci.yml +++ b/.github/workflows/ci.yml 
@@ -15,10 +15,4 @@ jobs: build: name: Build for PR uses: ./.github/workflows/build.yml - secrets: - MACOS_SIGNING_IDENTITY: ${{ secrets.MACOS_SIGNING_IDENTITY }} - MACOS_SIGNING_CERTIFICATE_P12: ${{ secrets.MACOS_SIGNING_CERTIFICATE_P12 }} - MACOS_SIGNING_CERTIFICATE_P12_PASSWORD: ${{ secrets.MACOS_SIGNING_CERTIFICATE_P12_PASSWORD }} - MACOS_APP_STORE_CONNECT_KEY: ${{ secrets.MACOS_APP_STORE_CONNECT_KEY }} - MACOS_APP_STORE_CONNECT_KEY_ID: ${{ secrets.MACOS_APP_STORE_CONNECT_KEY_ID }} - MACOS_APP_STORE_CONNECT_ISSUER_ID: ${{ secrets.MACOS_APP_STORE_CONNECT_ISSUER_ID }} \ No newline at end of file + # explicitly not passing secrets into the build From 301380c2f5da44444ccf3776e92cb5112b31e93f Mon Sep 17 00:00:00 2001 From: halprin Date: Tue, 25 Feb 2025 20:40:59 -0700 Subject: [PATCH 11/19] Try DescentDevelopers version of GitHub Actions --- .github/workflows/build.yml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/.github/workflows/build.yml b/.github/workflows/build.yml index d0cf41b34..0a2c2fa95 100644 --- a/.github/workflows/build.yml +++ b/.github/workflows/build.yml @@ -115,7 +115,7 @@ jobs: - name: Import macOS code signing certificate if: ${{ matrix.os.preset == 'mac' && env.MACOS_SIGNING == 'true' }} - uses: apple-actions/import-codesign-certs@v3 + uses: DescentDevelopers/import-codesign-certs@v1 with: p12-file-base64: ${{ secrets.MACOS_SIGNING_CERTIFICATE_P12 }} p12-password: ${{ secrets.MACOS_SIGNING_CERTIFICATE_P12_PASSWORD }} @@ -140,7 +140,7 @@ jobs: - name: Sign, package, and notarize for macOS if: ${{ matrix.os.preset == 'mac' && env.MACOS_SIGNING == 'true' }} - uses: halprin/macos-sign-package-notarize@v2 + uses: DescentDevelopers/macos-sign-package-notarize@v1 with: path-to-binaries: builds/${{ matrix.os.preset }}/installed/Descent3.app builds/${{ matrix.os.preset }}/installed/netgames/* signing-identity: ${{ secrets.MACOS_SIGNING_IDENTITY }} From 7dd02a440ba34e933eba3644e2ed5db08238e8d5 Mon Sep 17 00:00:00 2001 
From: halprin Date: Tue, 25 Feb 2025 20:42:17 -0700 Subject: [PATCH 12/19] test fake secret to test --- .github/workflows/ci.yml | 2 ++ 1 file changed, 2 insertions(+) diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml index 73fa2edac..61e2307a8 100644 --- a/.github/workflows/ci.yml +++ b/.github/workflows/ci.yml @@ -15,4 +15,6 @@ jobs: build: name: Build for PR uses: ./.github/workflows/build.yml + secrets: + MACOS_SIGNING_IDENTITY: "asdf" # explicitly not passing secrets into the build From 6da8ddd29d8a5c61e92e710f5f1e4a3f60346a0d Mon Sep 17 00:00:00 2001 From: halprin Date: Tue, 25 Feb 2025 20:45:54 -0700 Subject: [PATCH 13/19] Remove fake secret, test was successful --- .github/workflows/ci.yml | 2 -- 1 file changed, 2 deletions(-) diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml index 61e2307a8..73fa2edac 100644 --- a/.github/workflows/ci.yml +++ b/.github/workflows/ci.yml @@ -15,6 +15,4 @@ jobs: build: name: Build for PR uses: ./.github/workflows/build.yml - secrets: - MACOS_SIGNING_IDENTITY: "asdf" # explicitly not passing secrets into the build From c1a84a3defd236be82ee948be5bcdbf5980e3021 Mon Sep 17 00:00:00 2001 From: halprin Date: Tue, 25 Feb 2025 21:11:09 -0700 Subject: [PATCH 14/19] Set CODESIGN_IDENTITY in the top level CMakeLists.txt --- BUILD.md | 1 + CMakeLists.txt | 2 ++ 2 files changed, 3 insertions(+) diff --git a/BUILD.md b/BUILD.md index ef4d0132a..335332e3b 100644 --- a/BUILD.md +++ b/BUILD.md 
@@ -205,3 +205,4 @@ cmake --preset linux -DENABLE_LOGGER=ON | `FORCE_PORTABLE_INSTALL` | Install all files into local directory defined by `CMAKE_INSTALL_PREFIX`. | `ON` | | `OFF` | | `USE_VCPKG` | Explicitly control whether or not to use vcpkg for dependency resolution. `ON` requires the environment variable `VCPKG_ROOT` to be set. | Determined by the existence of `VCPKG_ROOT` in the environment: If it exists, vcpkg is used. | +| `CODESIGN_IDENTITY` | Sets the macOS code signing identity. If set to something besides the empty string `""`, then the dynamic libraries put into the hog files will be signed using this identity. | The empty string, `""`. | diff --git a/CMakeLists.txt b/CMakeLists.txt index 59a0bafc3..ab3406d3f 100644 --- a/CMakeLists.txt +++ b/CMakeLists.txt @@ -5,6 +5,8 @@ if(NOT CMAKE_BUILD_TYPE AND NOT DEFINED ENV{CMAKE_BUILD_TYPE}) set(CMAKE_BUILD_TYPE "Debug" CACHE STRING "default build type") endif() +set(CODESIGN_IDENTITY "" CACHE STRING "Sets the macOS code signing identity. If set to something besides the empty string "", then the dynamic libraries put into the hog files will be signed using this identity.") + # toolchain setup for vcpkg must be done before the 'project' call set(USE_VCPKG "DEFAULT" CACHE STRING "Use vcpkg for dependency management. DEFAULT defers to existence of $VCPKG_ROOT environment variable.") set_property(CACHE USE_VCPKG PROPERTY STRINGS "DEFAULT" "ON" "OFF") From e1e8da49b891f9e3a0b5fa9fe7aaa1fa47bc351e Mon Sep 17 00:00:00 2001 From: halprin Date: Wed, 26 Feb 2025 14:44:00 -0700 Subject: [PATCH 15/19] Create macos_sign CMake function --- CMakeLists.txt | 9 ++++++++- netcon/descent3onlineclient/CMakeLists.txt | 6 +----- netcon/lanclient/CMakeLists.txt | 6 +----- netcon/mtclient/CMakeLists.txt | 6 +----- scripts/CMakeLists.txt | 6 +----- 5 files changed, 12 insertions(+), 21 deletions(-) diff --git a/CMakeLists.txt b/CMakeLists.txt index ab3406d3f..43737294c 100644 --- a/CMakeLists.txt +++ b/CMakeLists.txt 
@@ -5,7 +5,14 @@ if(NOT CMAKE_BUILD_TYPE AND NOT DEFINED ENV{CMAKE_BUILD_TYPE}) set(CMAKE_BUILD_TYPE "Debug" CACHE STRING "default build type") endif() -set(CODESIGN_IDENTITY "" CACHE STRING "Sets the macOS code signing identity. If set to something besides the empty string "", then the dynamic libraries put into the hog files will be signed using this identity.") +set(CODESIGN_IDENTITY "" CACHE STRING "Sets the macOS code signing identity. If set to something besides the empty string, then the dynamic libraries put into the hog files will be signed using this identity.") +function (macos_sign target) + if(DEFINED CODESIGN_IDENTITY AND NOT "${CODESIGN_IDENTITY}" STREQUAL "") + message(STATUS "Code signing ${target}") + add_custom_command(TARGET ${target} POST_BUILD + COMMAND codesign --verbose --sign "${CODESIGN_IDENTITY}" --force --timestamp --deep -o runtime $) + endif() +endfunction() # toolchain setup for vcpkg must be done before the 'project' call set(USE_VCPKG "DEFAULT" CACHE STRING "Use vcpkg for dependency management. DEFAULT defers to existence of $VCPKG_ROOT environment variable.") diff --git a/netcon/descent3onlineclient/CMakeLists.txt b/netcon/descent3onlineclient/CMakeLists.txt index b3697a6e9..7f81572ba 100644 --- a/netcon/descent3onlineclient/CMakeLists.txt +++ b/netcon/descent3onlineclient/CMakeLists.txt @@ -27,11 +27,7 @@ target_link_libraries(Descent3_Online_TCP_IP PRIVATE target_include_directories(Descent3_Online_TCP_IP PRIVATE ${SDL3_INCLUDE_DIRS}) if(CMAKE_SYSTEM_NAME STREQUAL "Darwin") set_target_properties(Descent3_Online_TCP_IP PROPERTIES SUFFIX ".dylib") - if(DEFINED CODESIGN_IDENTITY AND NOT "${CODESIGN_IDENTITY}" STREQUAL "") - message(STATUS "Code signing Descent3_Online_TCP_IP") - add_custom_command(TARGET Descent3_Online_TCP_IP POST_BUILD - COMMAND codesign --verbose --sign "${CODESIGN_IDENTITY}" --force --timestamp --deep -o runtime $) - endif() + macos_sign(Descent3_Online_TCP_IP) endif() include(HogMaker) 
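Review bot: `macos_sign` has no header comment, and its `message(STATUS "Code signing ${target}")` runs at configure time although the signing itself is a POST_BUILD command, so the log line reads as if the target had already been signed. I would add a comment block above the function that names the `target` argument, states that nothing is added when `CODESIGN_IDENTITY` is empty, and notes that the callers in this commit guard the call with their own Darwin check. The message could be reworded to `message(STATUS "Will code sign ${target} after build")`.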
diff --git a/netcon/lanclient/CMakeLists.txt b/netcon/lanclient/CMakeLists.txt index 4881a16e0..799d60214 100644 --- a/netcon/lanclient/CMakeLists.txt +++ b/netcon/lanclient/CMakeLists.txt @@ -19,11 +19,7 @@ target_link_libraries(Direct_TCP_IP PRIVATE target_include_directories(Direct_TCP_IP PRIVATE ${SDL3_INCLUDE_DIRS}) if(CMAKE_SYSTEM_NAME STREQUAL "Darwin") set_target_properties(Direct_TCP_IP PROPERTIES SUFFIX ".dylib") - if(DEFINED CODESIGN_IDENTITY AND NOT "${CODESIGN_IDENTITY}" STREQUAL "") - message(STATUS "Code signing Direct_TCP_IP") - add_custom_command(TARGET Direct_TCP_IP POST_BUILD - COMMAND codesign --verbose --sign "${CODESIGN_IDENTITY}" --force --timestamp --deep -o runtime $) - endif() + macos_sign(Direct_TCP_IP) endif() include(HogMaker) diff --git a/netcon/mtclient/CMakeLists.txt b/netcon/mtclient/CMakeLists.txt index b82e7853e..72c04a41b 100644 --- a/netcon/mtclient/CMakeLists.txt +++ b/netcon/mtclient/CMakeLists.txt @@ -29,11 +29,7 @@ target_link_libraries(Parallax_Online PRIVATE target_include_directories(Parallax_Online PRIVATE ${SDL3_INCLUDE_DIRS}) if(CMAKE_SYSTEM_NAME STREQUAL "Darwin") set_target_properties(Parallax_Online PROPERTIES SUFFIX ".dylib") - if(DEFINED CODESIGN_IDENTITY AND NOT "${CODESIGN_IDENTITY}" STREQUAL "") - message(STATUS "Code signing Parallax_Online") - add_custom_command(TARGET Parallax_Online POST_BUILD - COMMAND codesign --verbose --sign "${CODESIGN_IDENTITY}" --force --timestamp --deep -o runtime $) - endif() + macos_sign(Parallax_Online) endif() include(HogMaker) diff --git a/scripts/CMakeLists.txt b/scripts/CMakeLists.txt index 33b4fbaaf..d836ce5d1 100644 --- a/scripts/CMakeLists.txt +++ b/scripts/CMakeLists.txt 
@@ -87,11 +87,7 @@ foreach(SCRIPT ${SCRIPTS}) set_target_properties(${SCRIPT} PROPERTIES CXX_VISIBILITY_PRESET "hidden") if(CMAKE_SYSTEM_NAME STREQUAL "Darwin") set_target_properties(${SCRIPT} PROPERTIES SUFFIX ".dylib") - if(DEFINED CODESIGN_IDENTITY AND NOT "${CODESIGN_IDENTITY}" STREQUAL "") - message(STATUS "Code signing ${SCRIPT}") - add_custom_command(TARGET ${SCRIPT} POST_BUILD - COMMAND codesign --verbose --sign "${CODESIGN_IDENTITY}" --force --timestamp --deep -o runtime $) - endif() + macos_sign(${SCRIPT}) endif() endforeach() From 3a4ac891398ceaf16f042328d6965c0103254f17 Mon Sep 17 00:00:00 2001 From: halprin Date: Wed, 26 Feb 2025 14:47:06 -0700 Subject: [PATCH 16/19] Update BUILD.md wih the new description of CODESIGN_IDENTITY --- BUILD.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/BUILD.md b/BUILD.md index 335332e3b..4166207ef 100644 --- a/BUILD.md +++ b/BUILD.md @@ -205,4 +205,4 @@ cmake --preset linux -DENABLE_LOGGER=ON | `FORCE_PORTABLE_INSTALL` | Install all files into local directory defined by `CMAKE_INSTALL_PREFIX`. | `ON` | | `OFF` | | `USE_VCPKG` | Explicitly control whether or not to use vcpkg for dependency resolution. `ON` requires the environment variable `VCPKG_ROOT` to be set. | Determined by the existence of `VCPKG_ROOT` in the environment: If it exists, vcpkg is used. | -| `CODESIGN_IDENTITY` | Sets the macOS code signing identity. If set to something besides the empty string `""`, then the dynamic libraries put into the hog files will be signed using this identity. | The empty string, `""`. | +| `CODESIGN_IDENTITY` | Sets the macOS code signing identity. If set to something besides the empty string, then the dynamic libraries put into the hog files will be signed using this identity. | The empty string, `""`. | From 8d00e9ffed19939f6cd47bf4e4ff2073015226cf Mon Sep 17 00:00:00 2001 
From: halprin Date: Wed, 26 Feb 2025 16:11:48 -0700 Subject: [PATCH 17/19] Test using a combined variable --- .github/workflows/build.yml | 8 ++++---- .github/workflows/ci.yml | 2 ++ 2 files changed, 6 insertions(+), 4 deletions(-) diff --git a/.github/workflows/build.yml b/.github/workflows/build.yml index 0a2c2fa95..144a614fd 100644 --- a/.github/workflows/build.yml +++ b/.github/workflows/build.yml @@ -58,7 +58,7 @@ jobs: runs-on: ${{ matrix.os.runner }} env: - MACOS_SIGNING: ${{ secrets.MACOS_SIGNING_IDENTITY != '' }} + MACOS_AND_CODE_SIGNING: ${{ matrix.os.preset == 'mac' && secrets.MACOS_SIGNING_IDENTITY != '' }} steps: - uses: actions/checkout@v4 @@ -114,7 +114,7 @@ jobs: sed -i '' 's/^set(VCPKG_OSX_ARCHITECTURES.*$/set(VCPKG_OSX_ARCHITECTURES "arm64;x86_64")/' ./community/universal-osx.cmake - name: Import macOS code signing certificate - if: ${{ matrix.os.preset == 'mac' && env.MACOS_SIGNING == 'true' }} + if: ${{ env.MACOS_AND_CODE_SIGNING == 'true' }} uses: DescentDevelopers/import-codesign-certs@v1 with: p12-file-base64: ${{ secrets.MACOS_SIGNING_CERTIFICATE_P12 }} @@ -139,7 +139,7 @@ jobs: run: cmake --install builds/${{ matrix.os.preset }}/ --config ${{ matrix.build_type }} - name: Sign, package, and notarize for macOS - if: ${{ matrix.os.preset == 'mac' && env.MACOS_SIGNING == 'true' }} + if: ${{ env.MACOS_AND_CODE_SIGNING == 'true' }} uses: DescentDevelopers/macos-sign-package-notarize@v1 with: path-to-binaries: builds/${{ matrix.os.preset }}/installed/Descent3.app builds/${{ matrix.os.preset }}/installed/netgames/* 
@@ -152,7 +152,7 @@ jobs: archive-file-path: builds/${{ matrix.os.preset }}/Descent3-${{ matrix.build_type }}-${{ matrix.os.name }}.dmg - name: Swap macOS DMG disk image into installed folder - if: ${{ matrix.os.preset == 'mac' && env.MACOS_SIGNING == 'true' }} + if: ${{ env.MACOS_AND_CODE_SIGNING == 'true' }} run: | rm -rf builds/${{ matrix.os.preset }}/installed/* mv builds/${{ matrix.os.preset }}/Descent3-${{ matrix.build_type }}-${{ matrix.os.name }}.dmg builds/${{ matrix.os.preset }}/installed/ diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml index 73fa2edac..61e2307a8 100644 --- a/.github/workflows/ci.yml +++ b/.github/workflows/ci.yml @@ -15,4 +15,6 @@ jobs: build: name: Build for PR uses: ./.github/workflows/build.yml + secrets: + MACOS_SIGNING_IDENTITY: "asdf" # explicitly not passing secrets into the build From c4b20fecf6ada7110f44afff71fdc0f876a33cc2 Mon Sep 17 00:00:00 2001 From: halprin Date: Wed, 26 Feb 2025 16:13:26 -0700 Subject: [PATCH 18/19] Remove test secret --- .github/workflows/ci.yml | 2 -- 1 file changed, 2 deletions(-) diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml index 61e2307a8..73fa2edac 100644 --- a/.github/workflows/ci.yml +++ b/.github/workflows/ci.yml @@ -15,6 +15,4 @@ jobs: build: name: Build for PR uses: ./.github/workflows/build.yml - secrets: - MACOS_SIGNING_IDENTITY: "asdf" # explicitly not passing secrets into the build From 52724da09a50dfaa076b5b6de6c259544d93fb78 Mon Sep 17 00:00:00 2001 From: halprin Date: Wed, 26 Feb 2025 16:15:36 -0700 Subject: [PATCH 19/19] Indent only two spaces --- .github/workflows/build.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/workflows/build.yml b/.github/workflows/build.yml index 144a614fd..6f33ff4b3 100644 --- a/.github/workflows/build.yml +++ b/.github/workflows/build.yml 
@@ -58,7 +58,7 @@ jobs: runs-on: ${{ matrix.os.runner }} env: - MACOS_AND_CODE_SIGNING: ${{ matrix.os.preset == 'mac' && secrets.MACOS_SIGNING_IDENTITY != '' }} + MACOS_AND_CODE_SIGNING: ${{ matrix.os.preset == 'mac' && secrets.MACOS_SIGNING_IDENTITY != '' }} steps: - uses: actions/checkout@v4