Adds signing and notarising of macOS installer (#168)

Author: StephenNneji

.github/workflows/build_installer.yml

@@ -60,22 +60,51 @@ jobs:
       - uses: actions/checkout@v4
       - uses: conda-incubator/setup-miniconda@v3
         with:
-            activate-environment: sscanss
-            environment-file: environment.yaml
-            auto-activate-base: false
-      - name: Make installer
+          activate-environment: sscanss
+          environment-file: environment.yaml
+          auto-activate-base: false
+      - name: Build executable
         shell: bash -el {0}
         run: |
           conda init bash
           conda activate sscanss
           python make.py --build-sscanss --build-editor
-          brew install create-dmg
+      - name: Build and Sign Installer
+        run: |
           cd installer/macos
-          chmod +x build_dmg.sh
-          ./build_dmg.sh
+          # create variables
+          KEYCHAIN_PATH=$RUNNER_TEMP/app-signing.keychain-db
+          
+          # create temporary keychain
+          security create-keychain -p "$KEYCHAIN_PASSWORD" $KEYCHAIN_PATH
+          security set-keychain-settings -lut 21600 $KEYCHAIN_PATH
+          security unlock-keychain -p "$KEYCHAIN_PASSWORD" $KEYCHAIN_PATH
+
+          # import certificate to keychain
+          echo -n $CODE_SIGNING_CERTIFICATE_BASE64 | base64 -d -o   ./dev_id_app_certificate.p12
+          security import dev_id_app_certificate.p12 -A -t cert -f pkcs12 -k $KEYCHAIN_PATH -P "$CODE_SIGNING_PASSWORD" -T /usr/bin/codesign
+          echo -n $PKG_SIGNING_CERTIFICATE_BASE64 | base64 -d -o  ./dev_id_install_certificate.p12
+          security import dev_id_install_certificate.p12 -A -t cert -f pkcs12 -k $KEYCHAIN_PATH -P "$PKG_SIGNING_PASSWORD" -T /usr/bin/codesign
+          security set-key-partition-list -S apple-tool:,apple: -k "$KEYCHAIN_PASSWORD" $KEYCHAIN_PATH
+          security list-keychain -d user -s $KEYCHAIN_PATH
+
+          echo -n $API_CONNECT_KEY | base64 -d -o  ./auth_key.p8
+          chmod 777 make.sh
+          ./make.sh $GITHUB_REF_NAME $DEV_TEAM_ID $API_CONNECT_ISSUER $API_CONNECT_KEY_ID
+        env:
+          CODE_SIGNING_CERTIFICATE_BASE64: ${{ secrets.CODE_SIGNING_CERTIFICATE_BASE64 }}
+          CODE_SIGNING_PASSWORD: ${{ secrets.CODE_SIGNING_PASSWORD }}
+          PKG_SIGNING_CERTIFICATE_BASE64: ${{ secrets.PKG_SIGNING_CERTIFICATE_BASE64 }}
+          PKG_SIGNING_PASSWORD: ${{ secrets.PKG_SIGNING_PASSWORD }}
+          API_CONNECT_KEY_ID: ${{ secrets.API_CONNECT_KEY_ID }}
+          API_CONNECT_KEY: ${{ secrets.API_CONNECT_KEY }}
+          API_CONNECT_ISSUER: ${{ secrets.API_CONNECT_ISSUER }}
+          DEV_TEAM_ID: ${{ secrets.DEV_TEAM_ID }}
+          KEYCHAIN_PASSWORD: ${{ secrets.KEYCHAIN_PASSWORD }}
+
       - name: Upload installer
         uses: actions/upload-artifact@v4
         with:
           name: macos installer
-          path: installer/macos/*.dmg
+          path: installer/macos/sscanss2.pkg
           if-no-files-found: error

docs/calibration.rst

@@ -113,7 +113,7 @@ Positioning Table Example
 This example will be showing calibration of positioning table. The table has z stage, rotation stage, y stage and
 x stage arranged in the given order. The measurements proceed similar to the previous example, starting at the z stage
 and ending at the x stage. The measured data is available in a  calibration file "table.txt" which can be found in the
-examples/calibration folder of the install directory (can also be download from the github repository).
+examples/calibration folder of the install directory (can also be download from the GitHub repository).
 The calibration file can be loaded and model generated in the calibration tool as described above.
 
 .. image:: images/calib_result_table.png

docs/introduction.rst

@@ -76,20 +76,21 @@ requirements (lower specification than minimum might still work but higher is ty
 Issues
 ******
 After a new version of SScanSS 2 has been released, feedback is necessary to improve performance if you experience
-any crashes or unexpected behaviours, do not hesitate to |issues| on the github.
+any crashes or unexpected behaviours, do not hesitate to |issues| on the GitHub.
 
 ****************
 Citing SScanSS 2
 ****************
 1. J.A. James, J. R. Santisteban, L. Edwards and M. R. Daymond, “A virtual laboratory for neutron and synchrotron
 strain scanning,” Physica B: Condensed Matter, vol. 350, no. 1-3, p. 743–746, 2004.
+
 2. Nneji Stephen, Buchanan Rob, Farooq Rabiya, Sharp Paul, Zavileiskii Timofei, & Cooper Joshaniel FK. (2024).
 SScanSS 2—a redesigned strain scanning simulation software (Version 2.2.0). |doi|.
 
 
 .. |github| raw:: html
 
-   <a href="https://github.com/ISISNeutronMuon/SScanSS-2/" target="_blank">github</a>
+   <a href="https://github.com/ISISNeutronMuon/SScanSS-2/" target="_blank">GitHub</a>
 
 .. |release| raw:: html
 

installer/macos/build_dmg.sh

@@ -0,0 +1,18 @@
+<?xml version="1.0" encoding="utf-8"?>
+<installer-gui-script minSpecVersion="2">
+    <title>SScanSS-2 @VERSION_NAME@</title>
+    <license file="LICENSE" mime-type="text/plain"/>
+    <pkg-ref id="com.sscanss2.pkg.sscanss"/>
+    <pkg-ref id="com.sscanss2.pkg.editor"/>
+    <options customize="allow" require-scripts="false" rootVolumeOnly="true" hostArchitectures="arm64,x86_64"/>
+    <choices-outline>
+        <line choice="com.sscanss2.pkg.sscanss"/>
+        <line choice="com.sscanss2.pkg.editor"/>
+    </choices-outline>
+    <choice id="com.sscanss2.pkg.sscanss" title="SScanSS 2" enabled="false" start_selected="true">
+        <pkg-ref id="com.sscanss2.pkg.sscanss" version="@VERSION@" onConclusion="none">sscanss.pkg</pkg-ref>
+    </choice>
+    <choice id="com.sscanss2.pkg.editor" title="Instrument Editor" start_selected="false">
+        <pkg-ref id="com.sscanss2.pkg.editor" version="@VERSION@" onConclusion="none">editor.pkg</pkg-ref>
+    </choice>
+    </installer-gui-script>

installer/macos/distribution.xml.in

@@ -0,0 +1,13 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
+<plist version="1.0">
+<dict>
+        <!-- These are required for binaries built by PyInstaller -->
+        <key>com.apple.security.cs.allow-jit</key>
+        <true/>
+        <key>com.apple.security.cs.allow-unsigned-executable-memory</key>
+        <true/>
+        <key>com.apple.security.cs.disable-library-validation</key>
+        <true/>
+</dict>
+</plist>

installer/macos/entitlements.plist

@@ -0,0 +1,29 @@
+#!/bin/bash
+
+SSCANSS_PATH="../bundle/app/sscanss.app"
+EDITOR_PATH="../bundle/editor.app"
+VER_NAME=$1
+VER=$VER_NAME
+DEV_TEAM_ID=$2
+API_CONNECT_ISSUER=$3
+API_CONNECT_KEY_ID=$4
+
+if [[ ${VER_NAME:0:1} == 'v' ]]; then
+    VER=${VER:1}
+fi
+
+# Sign code
+codesign -v --deep --force --options=runtime --entitlements ./entitlements.plist --sign ${DEV_TEAM_ID} --timestamp ${EDITOR_PATH}/Contents/Resources/*.dylib
+codesign -v --deep --force --options=runtime --entitlements ./entitlements.plist --sign ${DEV_TEAM_ID} --timestamp ${EDITOR_PATH}
+codesign -v --deep --force --options=runtime --entitlements ./entitlements.plist --sign ${DEV_TEAM_ID} --timestamp ${SSCANSS_PATH}/Contents/Resources/*.dylib
+codesign -v --deep --force --options=runtime --entitlements ./entitlements.plist --sign ${DEV_TEAM_ID} --timestamp ${SSCANSS_PATH}
+
+# Build Pkg
+sed -e "s/@VERSION_NAME@/${VER_NAME}/g" -e "s/@VERSION@/${VER}/g" distribution.xml.in > distribution.xml
+pkgbuild --root ${EDITOR_PATH} --identifier com.sscanss2.editor.pkg --version ${VER} --install-location "/Applications/sscanss-editor.app" editor.pkg
+pkgbuild --root ${SSCANSS_PATH} --identifier com.sscanss2.sscanss.pkg --version ${VER} --install-location "/Applications/sscanss.app" sscanss.pkg
+productbuild --sign ${DEV_TEAM_ID} --timestamp --distribution distribution.xml --resources . sscanss2.pkg
+
+# Notarise and staple
+xcrun notarytool submit --issuer ${API_CONNECT_ISSUER} --key-id ${API_CONNECT_KEY_ID} --key ./auth_key.p8 --wait sscanss2.pkg 
+xcrun stapler staple sscanss2.pkg

installer/macos/make.sh

@@ -115,7 +115,7 @@ def onImportFailed(self, exception):
 
 
 class InsertVolumeFromFile(QtGui.QUndoCommand):
-    """Creates command to load volume data from an nexus file or stack of TIFF files to the project
+    """Creates command to load volume data from a nexus file or stack of TIFF files to the project
 
     :param presenter: main window presenter instance
     :type presenter: MainWindowPresenter