Clean up SLIP39.app signing, work toward macOS App Store deploy

o SLIP39.app seems to be properly signed now
o Remove some vertical size from the SLIP39.app for smaller screens

Author: pjkundert

.gitignore

@@ -24,5 +24,5 @@ dist/
 .vagrant
 .pytest_cache/
 .cache/
-*.spec
 .eggs
+private_keys

GNUmakefile

@@ -3,8 +3,9 @@
 # 
 
 # Change to your own Apple Developer ID, if you want to code-sign the resultant .app
-DEVID		?= Developer ID Application: Perry Kundert (ZD8TVTCXDS)
-#DEVID		?= 3rd Party Mac Developer Application: Perry Kundert (ZD8TVTCXDS)
+TEAMID		?= ZD8TVTCXDS
+DEVID		?= Developer ID Application: Perry Kundert ($(TEAMID))
+PKGID		?= 3rd Party Mac Developer Installer: Perry Kundert ($(TEAMID))
 BUNDLEID	?= ca.kundert.perry.SLIP39
 
 # PY[3] is the target Python interpreter.  It must have pytest installed.
@@ -19,7 +20,7 @@ PY3TEST		= $(PY3) -m pytest $(PYTESTOPTS)
 
 .PHONY: all help test doctest analyze pylint build-check build install upload clean FORCE
 
-all:		help
+all:			help
 
 help:
 	@echo "GNUmakefile for cpppo.  Targets:"
@@ -48,38 +49,87 @@ build-check:
 	    || ( echo "\n*** Missing Python modules; run:\n\n        $(PY3) -m pip install --upgrade pip setuptools wheel build\n" \
 	        && false )
 
-build:		clean wheel app
+build:			clean wheel app
 
-wheel:		dist/slip39-$(VERSION)-py3-none-any.whl
+wheel:			dist/slip39-$(VERSION)-py3-none-any.whl
 
 dist/slip39-$(VERSION)-py3-none-any.whl: build-check FORCE
 	$(PY3) -m build
 	@ls -last dist
 
 # Install from wheel, including all optional extra dependencies
-install:	dist/slip39-$(VERSION)-py3-none-any.whl FORCE
+install:		dist/slip39-$(VERSION)-py3-none-any.whl FORCE
 	$(PY3) -m pip install --force-reinstall $<[gui,serial,json]
 
-# Generate, Sign and Zip the macOS SLIP39.app GUI package
-app:		dist/SLIP39.app-$(VERSION).zip
+
+app:			dist/SLIP39.app
+
+# Generate, Sign and Zip the macOS SLIP39.app GUI package for local/manual installation
+app-zip:		dist/SLIP39-$(VERSION).app.zip
+
+# Generate, Sign and Pacakage the macOS SLIP39.app GUI package for App Store
+app-pkg:		dist/SLIP39-$(VERSION).pkg
+
+#
+# Build a deployable macOS App
+#     See: https://gist.github.com/txoof/0636835d3cc65245c6288b2374799c43
+#     See: https://wiki.lazarus.freepascal.org/Code_Signing_for_macOS
+app-upload:	dist/SLIP39-$(VERSION).app.zip
+	xcrun altool --validate-app -f $< -t osx --apiKey 5H98J7LKPC --apiIssuer 5f3b4519-83ae-4e01-8d31-f7db26f68290 \
+	&& xcrun altool --upload-app -f $< -t osx --apiKey 5H98J7LKPC --apiIssuer 5f3b4519-83ae-4e01-8d31-f7db26f68290 \
+
+dist/SLIP39-$(VERSION).pkg: dist/SLIP39.app FORCE
+	grep -q "CFBundleVersion" "$</Contents/Info.plist" || sed -i "" -e 's:<dict>:<dict>\n\t<key>CFBundleVersion</key>\n\t<string>0.0.0</string>:' "$</Contents/Info.plist"
+	sed -i "" -e "s:0.0.0:$(VERSION):" "$</Contents/Info.plist"
+	codesign --deep --force --options=runtime --timestamp \
+	    --entitlements ./SLIP39.metatdata/entitlements.plist \
+	    --sign "$(DEVID)" \
+	    $<
+	codesign -dv -r- $<
+	codesign -vv $<
+	xcrun altool --validate-app -f $< -t osx --apiKey 5H98J7LKPC --apiIssuer 5f3b4519-83ae-4e01-8d31-f7db26f68290
+	pkgbuild --install-location /Applications --component $< $@
+
+dist/SLIP39-$(VERSION)-signed.pkg:  dist/SLIP39-$(VERSION).pkg
+	productsign --timestamp --sign "$(PKGID)" $< $@
+	spctl -vv --assess --type install $@
+
 
 #(cd dist; zip -r SLIP39.app-$(VERSION).zip SLIP39.app)
 # Create a ZIP archive suitable for notarization.
-dist/SLIP39.app-$(VERSION).zip: dist/SLIP39.app
+dist/SLIP39-$(VERSION).app.zip: dist/SLIP39.app FORCE
 	rm -f $@
-	/usr/bin/ditto -c -k --keepParent "$(PWD)/$<" "$(PWD)/$@"
+	# grep -q "CFBundleVersion" "$</Contents/Info.plist" || sed -i "" -e 's:<dict>:<dict>\n\t<key>CFBundleVersion</key>\n\t<string>0.0.0</string>:' "$</Contents/Info.plist"
+	# sed -i "" -e "s:0.0.0:$(VERSION):" "$</Contents/Info.plist"
+	# cat $</Contents/Info.plist
+	# codesign -dv -r- $<
+	# codesign -vv $<
+	# codesign --deep --force --options=runtime --timestamp \
+	#     --entitlements ./SLIP39.metadata/entitlements.plist \
+	#     --sign "$(DEVID)" \
+	#     $<
+	codesign -dv -r- $<
+	codesign -vv $<
+	/usr/bin/ditto -c -k --keepParent "$<" "$@"
 	@ls -last dist
 
-# Rebuild the gui; ensure we discard any partial/prior build and gui artifacts
-#	--codesign-identity "$(DEVID)"     # Nope; must change CFBundleShottVersionString before signing?  Also different team IDs?
-dist/SLIP39.app: SLIP39.py FORCE
+# Rebuild the gui App; ensure we discard any partial/prior build and gui artifacts
+# The --onefile approach doesn't seem to work, as we need to sign things after packaging.
+# We need to customize the SLIP39.spec file (eg. for version), so we do not target SLIP39.py
+# 
+dist/SLIP39.app: SLIP39.spec
 	rm -rf build $@*
-	pyinstaller --noconfirm --windowed --onefile \
+	grep "version='$(VERSION)'" $< || sed -i "" -e "s/version='[0-9.]*'/version='$(VERSION)'/" $<
+	pyinstaller $<
+
+# Only used for initial creation of SLIP39.spec.  
+SLIP39.spec: SLIP39.py
+	pyinstaller --noconfirm --windowed \
+	    --codesign-identity "$(DEVID)" \
 	    --osx-bundle-identifier "$(BUNDLEID)" \
-	    --collect-data shamir_mnemonic $<
-	sed -i "" -e "s/0.0.0/$(VERSION)/" "$@/Contents/Info.plist"
-	cat $@/Contents/Info.plist
-	codesign --force -s "$(DEVID)" $@
+	    --osx-entitlements-file ./SLIP39.metadata/entitlements.plist \
+	    --collect-data shamir_mnemonic \
+		$<
 
 # Support uploading a new version of slip32 to pypi.  Must:
 #   o advance __version__ number in slip32/version.py

SLIP39.metadata/entitlements.plist

@@ -0,0 +1,6 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
+<plist version="1.0">
+  <dict>
+  </dict>
+</plist>

SLIP39.spec

@@ -0,0 +1,54 @@
+# -*- mode: python ; coding: utf-8 -*-
+from PyInstaller.utils.hooks import collect_data_files
+
+datas = []
+datas += collect_data_files('shamir_mnemonic')
+
+
+block_cipher = None
+
+
+a = Analysis(['SLIP39.py'],
+             pathex=[],
+             binaries=[],
+             datas=datas,
+             hiddenimports=[],
+             hookspath=[],
+             hooksconfig={},
+             runtime_hooks=[],
+             excludes=[],
+             win_no_prefer_redirects=False,
+             win_private_assemblies=False,
+             cipher=block_cipher,
+             noarchive=False)
+pyz = PYZ(a.pure, a.zipped_data,
+             cipher=block_cipher)
+
+exe = EXE(pyz,
+          a.scripts, 
+          [],
+          exclude_binaries=True,
+          name='SLIP39',
+          debug=False,
+          bootloader_ignore_signals=False,
+          strip=False,
+          upx=True,
+          console=False,
+          disable_windowed_traceback=False,
+          target_arch=None,
+          codesign_identity='Developer ID Application: Perry Kundert (ZD8TVTCXDS)',
+          entitlements_file=None )
+coll = COLLECT(exe,
+               a.binaries,
+               a.zipfiles,
+               a.datas, 
+               strip=False,
+               upx=True,
+               upx_exclude=[],
+               name='SLIP39')
+app = BUNDLE(coll,
+             name='SLIP39.app',
+             icon='images/SLIP39.icns',
+             bundle_identifier='ca.kundert.perry.SLIP39',
+             version='6.2.0',
+             )

slip39/gui/main.py

@@ -76,18 +76,16 @@ def groups_layout( names, group_threshold, groups, passphrase=None ):
                     sg.Input( sg.user_settings_get_entry( "-target folder-", ""),
                                                         key='-TARGET-',         size=inputs,    **I_kwds ),  # noqa: E127
                     sg.FolderBrowse( **B_kwds ),
+                    sg.Text( "Card size: ",                                                     **T_kwds ),
+                ] + [
+                    sg.Radio( f"{cs}", "CS",            key=f"-CS-{cs}", default=(cs == CARD),  **B_kwds )
+                    for cs in CARD_SIZES
                 ],
                 [
                     sg.Text( "Seed Name(s): ",                                  size=prefix,    **T_kwds ),
                     sg.Input( f"{', '.join( names )}",  key='-NAMES-',          size=inputs,    **I_kwds ),
                     sg.Text( "(default is 'SLIP39...'; comma-separated)",                       **T_kwds ),
                 ],
-                [
-                    sg.Text( "Card size: ",                                     size=prefix,    **T_kwds ),
-                ] + [
-                    sg.Radio( f"{card}", "CS",          key=f"-CS-{card}", default=(card == CARD), **B_kwds )
-                    for card in CARD_SIZES
-                ],
             ],                                                  key='-OUTPUT-F-',               **F_kwds ),
         ],
     ] + [
@@ -163,6 +161,7 @@ def groups_layout( names, group_threshold, groups, passphrase=None ):
                         [
                             sg.Text( "Requires recovery of at least: ",         size=prefix,    **T_kwds ),
                             sg.Input( f"{group_threshold}", key='-THRESHOLD-',  size=inputs,    **I_kwds ),
+                            sg.Button( '+', **B_kwds ),
                             sg.Text( f"(of {len(groups)} SLIP-39 Recovery Groups)",
                                                         key='-RECOVERY-',                       **T_kwds ),  # noqa: E127
                         ],
@@ -172,25 +171,21 @@ def groups_layout( names, group_threshold, groups, passphrase=None ):
                                                         key='-PASSPHRASE-',     size=inputs,    **I_kwds ),  # noqa: E127
                             sg.Text( "(NOT Trezor compatible, and must be saved separately!!)", **T_kwds ),
                         ],
-                        [
-                            sg.Button( '+', **B_kwds ),
-                        ],
                         group_body,
                     ] ),
                 ],
             ],                                          key='-GROUPS-F-',                       **F_kwds ),
         ],
     ] + [
         [
+            sg.Button( 'Save', **B_kwds ),
+            sg.Button( 'Exit', **B_kwds ),
             sg.Frame( 'Summary', [
                 [
                     sg.Text(                            key='-SUMMARY-',                        **T_kwds ),
                 ]
             ],                                          key='-SUMMARY-F-',                      **F_kwds ),
         ],
-        [
-            sg.Button( 'Save', **B_kwds ), sg.Button( 'Exit', **B_kwds ),
-        ],
         [
             sg.Frame( 'Status', [
                 [
@@ -202,7 +197,7 @@ def groups_layout( names, group_threshold, groups, passphrase=None ):
         [
             sg.Frame( 'SLIP39 Mnemonics Output', [
                 [
-                    sg.Multiline( "",                   key='-MNEMONICS-',      size=(190,10),   font=font_small )
+                    sg.Multiline( "",                   key='-MNEMONICS-',      size=(190,6),   font=font_small )
                 ]
             ], **F_kwds ),
         ],
@@ -575,7 +570,7 @@ def app(
                 card		= next( c for c in CARD_SIZES if values[f"-CS-{c}"] )
                 details		= write_pdfs(
                     names	= details,
-                    card	= card,	
+                    card	= card,
                 )
             except Exception as exc:
                 status		= f"Error saving PDF(s): {exc}"
@@ -618,7 +613,7 @@ def main( argv=None ):
                      help="A group name[[<require>/]<size>] (default: <size> = 1, <require> = half of <size>, rounded up, eg. 'Frens(3/5)' )." )
     ap.add_argument( '-c', '--cryptocurrency', action='append',
                      default=[],
-                     help="A crypto name and optional derivation path ('../<range>/<range>' allowed); defaults:" \
+                     help="A crypto name and optional derivation path ('../<range>/<range>' allowed); defaults:"
                      f" {', '.join( f'{c}:{Account.path_default(c)}' for c in Account.CRYPTOCURRENCIES)}" )
     ap.add_argument( '--passphrase',
                      default=None,

slip39/version.py

@@ -1,2 +1,2 @@
-__version_info__		= ( 6, 1, 0 )
+__version_info__		= ( 6, 2, 0 )
 __version__			= '.'.join( map( str, __version_info__ ))