Rework macOS signing for Alchemy app layout and libs

Author: RyeMutt

sign-pkg-mac/action.yaml

@@ -1,6 +1,6 @@
 name: sign-pkg-mac
 description:
-  Sign and package the macOS Linden viewer.
+  Sign and package the macOS Alchemy viewer.
 
 inputs:
   imagename:
@@ -39,7 +39,7 @@ inputs:
     description: "setting for all steps"
     type: string
     required: false
-    default: "Second Life"
+    default: "Alchemy"
 
 runs:
   using: composite
@@ -161,6 +161,7 @@ runs:
     - name: Package the sparseimage as .dmg
       shell: bash
       run: |
+        barkbarkbarkbark
         set -x
         mkdir -p .installer
         installer=".installer/${{ inputs.imagename }}.dmg"

sign-pkg-mac/sign.sh

@@ -12,9 +12,6 @@
 mydir="$(dirname "$0")"
 app_path="$1"
 
-# shellcheck disable=SC1091
-. "$mydir/retry_loop"
-
 gotall=true
 for var in app_path cert_base64 cert_name cert_pass note_user note_pass note_team
 do
@@ -32,7 +29,6 @@ set -x -e
 # ****************************************************************************
 # The following is derived from
 # https://federicoterzi.com/blog/automatic-code-signing-and-notarization-for-macos-apps-using-github-actions/
-# shellcheck disable=SC2154
 base64 --decode > certificate.p12 <<< "$cert_base64"
 
 # We need to create a new keychain, otherwise using the certificate will prompt
@@ -47,54 +43,94 @@ sleep 1
 security create-keychain -p "$keychain_pass" viewer.keychain
 security default-keychain -s viewer.keychain
 security unlock-keychain -p "$keychain_pass" viewer.keychain
-# shellcheck disable=SC2154
-security import certificate.p12 -k viewer.keychain -P "$cert_pass" \
-         -T /usr/bin/codesign
-security set-key-partition-list -S 'apple-tool:,apple:,codesign:' -s \
-         -k "$keychain_pass" viewer.keychain
+security import certificate.p12 -k viewer.keychain -P "$cert_pass" -T /usr/bin/codesign
+security set-key-partition-list -S 'apple-tool:,apple:,codesign:' -s -k "$keychain_pass" viewer.keychain
 rm certificate.p12
 
-# ****************************************************************************
-#   sign executables
-# ****************************************************************************
-# arrange to retry signing, since empirically this is a
-# low-reliability operation
-retries=3
-signwait=15
-function signloop() {
-    # save +x / -x state and suppress
-    xtrace="$(set +o | grep xtrace)"
-    set +x
-    # shellcheck disable=SC2064
-    trap "$xtrace" RETURN
-
-    local exe
-    # we pass the executable to sign as the last argument
-    # shellcheck disable=SC1083
-    eval exe=\${$#}
-    exe="$(basename "$exe")"
-    retry_loop "$exe signing" $retries $signwait /usr/bin/codesign "$@"
-}
+# We sign from the inside out
+
+# Plugin bundle
+plugin_path="$app_path/Contents/Resources/SLPlugin.app"
+plugin_contents="$plugin_path/Contents"
+
+# VLC plugin
+for signee in \
+    "$plugin_contents"/Frameworks/libvlccore.dylib \
+    "$plugin_contents"/Frameworks/libvlccore.9.dylib \
+    "$plugin_contents"/Frameworks/libvlc.dylib \
+    "$plugin_contents"/Frameworks/libvlc.5.dylib \
+    "$plugin_contents"/Frameworks/plugins/*.dylib \
+    "$plugin_contents"/Frameworks/plugins/*.dat \
+    "$plugin_contents"/Frameworks/media_plugin_libvlc.dylib
+do
+    codesign --verbose --force --timestamp --keychain viewer.keychain \
+             --sign "$cert_name" "$signee"
+done
+
+# CEF plugin
+for signee in \
+    "$plugin_contents/Frameworks/Chromium Embedded Framework.framework/Libraries"/*.dylib \
+    "$plugin_contents/Frameworks/Chromium Embedded Framework.framework/Resources"/*.bin \
+    "$plugin_contents/Frameworks/Chromium Embedded Framework.framework" \
+    "$plugin_contents"/Frameworks/media_plugin_cef.dylib
+do
+    codesign --verbose --force --timestamp --keychain viewer.keychain \
+             --sign "$cert_name" "$signee"
+done
+
+# DullahanHelper and SLPlugin
+for signee in \
+    "$plugin_contents/Frameworks"/DullahanHelper*.app \
+    "$plugin_path"
+do
+    codesign --verbose --force \
+             --entitlements "$mydir/installer/slplugin.entitlements" \
+             --options runtime --keychain viewer.keychain \
+             --sign "$cert_name" "$signee"
+done
 
+# Resources
 resources="$app_path/Contents/Resources"
-# plain signing
+
+# SLVoice Libs
+for signee in \
+    "$resources"/libortp.dylib \
+    "$resources"/libvivoxsdk.dylib
+do
+    codesign --verbose --force --timestamp --keychain viewer.keychain \
+             --sign "$cert_name" "$signee"
+done
+
+# SLVoice binary
 for signee in \
-    "$resources"/*.dylib \
-    "$resources"/llplugin/*.dylib \
-    "$app_path/Contents/Frameworks/Chromium Embedded Framework.framework/Libraries"/*.dylib
+    "$resources/SLVoice"
 do
-    # shellcheck disable=SC2154
-    signloop --force --timestamp --keychain viewer.keychain \
+    codesign --verbose --force \
+             --entitlements "$mydir/installer/slplugin.entitlements" \
+             --options runtime --keychain viewer.keychain \
              --sign "$cert_name" "$signee"
 done
-# deep signing
+
+# App Frameworks
+frameworks="$app_path/Contents/Frameworks"
+for signee in \
+    "$frameworks"/libopenal.dylib \
+    "$frameworks"/libalut.dylib \
+    "$frameworks"/libfmod.dylib \
+    "$frameworks"/libdiscord_partner_sdk.dylib \
+    "$frameworks"/libndofdev.dylib \
+    "$frameworks"/libSDL3.dylib \
+    "$frameworks"/libllwebrtc.dylib
+do
+    codesign --verbose --force --timestamp --keychain viewer.keychain \
+             --sign "$cert_name" "$signee"
+done
+
+# App Signing
 for signee in \
-    "$resources/updater/SLVersionChecker" \
-    "$resources/SLPlugin.app/Contents/MacOS/SLPlugin" \
-    "$resources/SLVoice" \
     "$app_path"
 do
-    signloop --verbose --deep --force \
+    codesign --verbose --force \
              --entitlements "$mydir/installer/slplugin.entitlements" \
              --options runtime --keychain viewer.keychain \
              --sign "$cert_name" "$signee"
@@ -160,3 +196,5 @@ set -e
 # available.
 echo "Attach staple"
 xcrun stapler staple "$app_path"
+
+spctl -a -texec -vvvv "$app_path"