11#! /bin/bash
2- set -eo pipefail
2+ set -euo pipefail
33
44CERTIFICATE_BASE64=" ${SIGNING_CERTIFICATE} "
55P12_PASSWORD=" ${CERTIFICATE_PASSWORD} "
@@ -10,10 +10,37 @@ DIST_DIR="${DIST_DIR:-dist}"
1010CERTIFICATE_PATH=" ./build_certificate.p12"
1111KEYCHAIN_PATH=" ./my-signing.keychain-db"
1212
13+ # Basic env validation to fail fast
14+ require_env () {
15+ local name=" $1 " " $2 "
16+ if [[ -z " $value " ; then
17+ echo " ❌ Missing required environment variable: $name " >&2
18+ exit 1
19+ fi
20+ }
21+
22+ require_env " SIGNING_CERTIFICATE" " ${CERTIFICATE_BASE64} "
23+ require_env " CERTIFICATE_PASSWORD" " ${P12_PASSWORD} "
24+ require_env " SIGNING_IDENTITY" " ${SIGNING_IDENTITY} "
25+ require_env " KEYCHAIN_PASSWORD" " ${KEYCHAIN_PASSWORD} "
26+ require_env " NOTARIZATION_APPLE_ID" " ${NOTARIZATION_APPLE_ID:- } "
27+ require_env " NOTARIZATION_APP_PASSWORD" " ${NOTARIZATION_APP_PASSWORD:- } "
28+ require_env " NOTARIZATION_TEAM_ID" " ${NOTARIZATION_TEAM_ID:- } "
29+
30+
31+ cleanup () {
32+ echo " 🧹 Cleaning up keychain and certificate..."
33+ # Attempt to delete the temporary keychain
34+ security delete-keychain " $KEYCHAIN_PATH " || true
35+ # Remove certificate file
36+ rm -f " $CERTIFICATE_PATH " || true
37+ }
38+ trap cleanup EXIT
39+
1340echo " 🔐 Setting up certificate and keychain..."
1441
15- # Decode the certificate
16- echo " $CERTIFICATE_BASE64 " | base64 --decode -o " $CERTIFICATE_PATH "
42+ # Decode the certificate (macOS-only)
43+ echo " $CERTIFICATE_BASE64 " | /usr/bin/ base64 -D > " $CERTIFICATE_PATH "
1744
1845# Create temporary keychain
1946security create-keychain -p " $KEYCHAIN_PASSWORD " " $KEYCHAIN_PATH "
@@ -22,16 +49,44 @@ security unlock-keychain -p "$KEYCHAIN_PASSWORD" "$KEYCHAIN_PATH"
2249
2350# Import certificate into keychain
2451security import " $CERTIFICATE_PATH " " $P12_PASSWORD " " $KEYCHAIN_PATH "
25- security set-key-partition-list -S apple-tool:,apple: -k " $KEYCHAIN_PASSWORD " " $KEYCHAIN_PATH "
26- security list-keychain -d user -s " $KEYCHAIN_PATH "
52+ security set-key-partition-list -S apple-tool:,apple: -s -k " $KEYCHAIN_PASSWORD " " $KEYCHAIN_PATH "
53+
54+ # Show available signing identities for visibility
55+ echo " 🔎 Available signing identities (codesigning):"
56+ security find-identity -v -p codesigning " $KEYCHAIN_PATH " || true
2757
2858# Find and sign all macOS binaries dynamically
2959echo " 🔎 Searching for macOS binaries in $DIST_DIR ..."
3060
31- find " $DIST_DIR " \( -name " phrase_macosx_*" ! -name " *.tar.gz" \) | while read -r binary; do
61+ find " $DIST_DIR " \( -name " phrase_macosx_*" ! -name " *.tar.gz" \) -print0 | while IFS= read -r -d ' ' ; do
3262 echo " 🔏 Signing $binary ..."
33- codesign --timestamp --options runtime --sign " $SIGNING_IDENTITY " " $binary "
34- codesign --verify --verbose=2 " $binary "
63+ codesign --timestamp --options runtime --keychain " $KEYCHAIN_PATH " " $SIGNING_IDENTITY " " $binary "
64+ codesign --verify --verbose=2 --keychain " $KEYCHAIN_PATH " " $binary "
65+ done
66+
67+ echo " ✅ All macOS binaries signed successfully."
68+
69+ # --- Zip artifacts for notarization ---
70+ echo " 📦 Zipping macOS binaries for notarization..."
71+ shopt -s nullglob
72+ for bin in " $DIST_DIR " * ; do
73+ [[ " $bin " == * .tar.gz ]] && continue
74+ zip_name=" ${bin} .zip"
75+ echo " Creating ${zip_name} "
76+ /usr/bin/zip -j -o " $zip_name " " $bin "
77+ done
78+
79+ # --- Notarization via Apple notarytool (Apple ID + app-specific password) ---
80+ echo " 📝 Notarizing zipped binaries with Apple Notary (Apple ID)..."
81+ for zip in " $DIST_DIR " * .zip; do
82+ [[ -e " $zip " || continue
83+ echo " Submitting $zip to Apple Notary..."
84+ xcrun notarytool submit " $zip "
85+ --apple-id " $NOTARIZATION_APPLE_ID "
86+ --password " $NOTARIZATION_APP_PASSWORD "
87+ --team-id " $NOTARIZATION_TEAM_ID "
88+ --wait
89+ echo " ℹ️ Notarization complete for $zip ."
3590done
3691
37- echo " ✅ All macOS binaries signed successfully ."
92+ echo " 🎉 Signing and notarization finished ."
0 commit comments