Merge pull request #581 from saalfeldlab/fix/build

This PR fixes a few major issues:
- the previous update from paintera 1.13.0 to 1.13.1 include version bumps of a few dependencies. Unfortunately the onnxruntime dependency for windows was built against a different version of VC++ redist, and this was failing to load the dll at runtime. This effectively stopped SAM from working. This version builds against `zulu-fx` instead of `liberica-fx` which seems to have build against a compatible VC++ on windows
- fix an issue with the splash screen not showing on first startup
- introduce self-signed mac installers. It's not an official developer application signature, so it will still warn the user, but it will allow the application to be run 
- add `macos-14`  installer, and plan to install the most recent 2 versions here on out

Author: cmhulbert

.github/workflows/build-installers.yml

@@ -8,16 +8,11 @@ on:
   pull_request:
     branches: [master]
 
-env:
-  DEV_IDENTITY: BXPZTQZ35S # Your Apple Dev identity, something like BXPZTQZ35S
-  PRIMARY_BUNDLE_ID: org.janelia.saalfeldlab.Paintera # Unique to your app, often the launcher class
-
 jobs:
   build:
     strategy:
       matrix:
-        # currently macos-14 is M1 and macos-13 is intel
-        os: [ubuntu-22.04, ubuntu-24.04, windows-latest, macos-latest, macos-15-intel]
+        os: [ubuntu-22.04, ubuntu-24.04, windows-latest, macos-14, macos-15, macos-15-intel]
     runs-on: ${{ matrix.os }}
     steps:
       - name: Checkout
@@ -29,38 +24,60 @@ jobs:
           echo "VERSION=$short_version" >> $GITHUB_ENV
       - name: Download Wix
         uses: i3h/download-release-asset@v1
-        if: matrix.os == 'windows-latest'
+        if: runner.os == 'Windows'
         with:
           owner: wixtoolset
           repo: wix3
           tag: wix3112rtm
           file: wix311-binaries.zip
       - name: Decompress Wix
         uses: DuckSoft/extract-7z-action@v1.0
-        if: matrix.os == 'windows-latest'
+        if: runner.os == 'Windows'
         with:
           pathSource: wix311-binaries.zip
           pathTarget: ./target/wix
       - name: Add Wix to Path
         run: echo "$HOME/target/wix" >> $GITHUB_PATH
-        if: matrix.os == 'windows-latest'
-      - uses: actions/checkout@v6
+        if: runner.os == 'Windows'
       - name: Set up JDK
         uses: actions/setup-java@v5
         with:
           java-version: 25
-          distribution: 'liberica'
+          distribution: 'zulu'
           java-package: jdk+fx
           cache: 'maven'
       - name: "Build with Maven"
-        if: matrix.os != 'macos-13' && matrix.os != 'macos-14'
-        run: mvn -B clean install -DskipTests -Pbuild-installer "-Dmatrix.os=${{ matrix.os }}" --file pom.xml
-      - name: "Build with Maven (macOS No Signing)"
+        if: runner.os != 'MacOS'
+        run: mvn -B clean install -DskipTests -Pbuild-installer "-Dmatrix.os=${{ matrix.os }}" --file pom.xml --no-transfer-progress
+      - name: "Setup MacOS Signing"
+        if: runner.os == 'MacOS'
         env:
-          MACOS_CERTIFICATE: ${{ secrets.MACOS_CERTIFICATE }}
-          MACOS_CERTIFICATE_PWD: ${{ secrets.MACOS_CERTIFICATE_PWD }}
-        if: ${{ env.MACOS_CERTIFICATE == null && (matrix.os == 'macos-13' || matrix.os == 'macos-14') }}
-        run: mvn -B clean install -DskipTests -Pbuild-installer -Djavafx.platform=mac "-Dmatrix.os=${{ matrix.os }}" --file pom.xml
+          BUILD_CERTIFICATE_BASE64: ${{ secrets.BUILD_CERTIFICATE_BASE64 }}
+          P12_PASSWORD: ${{ secrets.P12_PASSWORD }}
+        run: |
+          # Create variables
+          CERTIFICATE_PATH=$RUNNER_TEMP/build_certificate.p12
+          KEYCHAIN_PATH=$RUNNER_TEMP/app-signing.keychain-db
+          KEYCHAIN_PASSWORD="temp-keychain-password"
+          
+          # Import certificate and create keychain
+          echo -n "$BUILD_CERTIFICATE_BASE64" | base64 --decode --output $CERTIFICATE_PATH
+          security create-keychain -p "$KEYCHAIN_PASSWORD" $KEYCHAIN_PATH
+          security set-keychain-settings -lut 21600 $KEYCHAIN_PATH
+          security unlock-keychain -p "$KEYCHAIN_PASSWORD" $KEYCHAIN_PATH
+          
+          # Import certificate to keychain
+          security import $CERTIFICATE_PATH -P "$P12_PASSWORD" -A -t cert -f pkcs12 -k $KEYCHAIN_PATH
+          security set-key-partition-list -S apple-tool:,apple:,codesign: -s -k "$KEYCHAIN_PASSWORD" $KEYCHAIN_PATH
+          security list-keychain -d user -s $KEYCHAIN_PATH
+      - name: "Build with Maven"
+        if: runner.os == 'MacOS'
+        run: mvn -B clean install -DskipTests -Pbuild-installer -Pmacos-sign -Djavafx.platform=mac "-Dmatrix.os=${{ matrix.os }}" --file pom.xml --no-transfer-progress
+      - name: "Verify Signature"
+        if: runner.os == 'MacOS'
+        run: |
+          codesign -dv --verbose=2 target/installer-work/image/Paintera.app 2>&1
+          codesign -dv --verbose=2 target/installer-work/image/Paintera.app 2>&1 | grep -q "Authority=Developer ID Application: PainteraSelfSignedCert" || (echo "ERROR: App is not signed with expected certificate" && exit 1)
 
       - name: Upload Installers
         uses: actions/upload-artifact@v4

.github/workflows/publish-installers.yml

@@ -10,12 +10,6 @@ on:
       - "prerelease-*"
   workflow_dispatch:
 
-
-
-env:
-  DEV_IDENTITY: BXPZTQZ35S # Your Apple Dev identity, something like BXPZTQZ35S
-  PRIMARY_BUNDLE_ID: org.janelia.saalfeldlab.Paintera # Unique to your app, often the launcher class
-
 jobs:
   build_installers:
     name: Build Installers
@@ -58,8 +52,9 @@ jobs:
           mv Paintera-windows-latest-*/*.msi Paintera-${{ env.VERSION }}-Windows.msi
           mv Paintera-ubuntu-22.04-*/*.deb Paintera-${{ env.VERSION }}-ubuntu-22.04_x86_64.deb
           mv Paintera-ubuntu-24.04-*/*.deb Paintera-${{ env.VERSION }}-ubuntu-24.04_x86_64.deb
-          mv Paintera-macos-*-intel-*/*.dmg Paintera-${{ env.VERSION }}-MacOS-Intel.dmg
-          mv Paintera-macos-latest-*/*.dmg Paintera-${{ env.VERSION }}-MacOS-AppleSilicon.dmg
+          mv Paintera-macos-15-intel-*/*.dmg Paintera-${{ env.VERSION }}-MacOS-15-Intel.dmg
+          mv Paintera-macos-14-*/*.dmg Paintera-${{ env.VERSION }}-MacOS-14-AppleSilicon.dmg
+          mv Paintera-macos-15-*/*.dmg Paintera-${{ env.VERSION }}-MacOS-15-AppleSilicon.dmg
       - name: Create Release
         uses: softprops/action-gh-release@v2
         with:
@@ -71,5 +66,6 @@ jobs:
             Paintera-${{ env.VERSION }}-Windows.msi
             Paintera-${{ env.VERSION }}-ubuntu-22.04_x86_64.deb
             Paintera-${{ env.VERSION }}-ubuntu-24.04_x86_64.deb
-            Paintera-${{ env.VERSION }}-MacOS-Intel.dmg
-            Paintera-${{ env.VERSION }}-MacOS-AppleSilicon.dmg
+            Paintera-${{ env.VERSION }}-MacOS-15-Intel.dmg
+            Paintera-${{ env.VERSION }}-MacOS-14-AppleSilicon.dmg
+            Paintera-${{ env.VERSION }}-MacOS-15-AppleSilicon.dmg

pom.xml

@@ -33,8 +33,14 @@
 		<!--package properties -->
 		<package-name>org.janelia.saalfeldlab.paintera</package-name>
 		<main-class>org.janelia.saalfeldlab.paintera.Paintera</main-class>
+		<preloader-class>org.janelia.saalfeldlab.paintera.ui.PainteraSplashScreen</preloader-class>
 		<license.licenseName>GNU General Public License v2.0</license.licenseName>
 		<license.copyrightOwners>Philipp Hanslovsky, Stephan Saalfeld</license.copyrightOwners>
+		<!--macos signing default (empty unless -Pmacos-sign)-->
+		<macos.sign/>
+		<macos.sign.identity/>
+		<macos.sign.prefix/>
+		<macos.sign.entitlements/>
 
 		<!-- NB: Deploy releases to the SciJava Maven repository. -->
 		<releaseProfiles>sign,deploy-to-scijava</releaseProfiles>
@@ -757,6 +763,7 @@
 						<configuration>
 							<mainClass>${main-class}</mainClass>
 							<options>
+								<option>-Djavafx.preloader=org.janelia.saalfeldlab.paintera.ui.PainteraSplashScreen</option>
 								<option>--add-opens=javafx.base/javafx.util=ALL-UNNAMED</option>
 								<option>--add-opens=javafx.base/javafx.event=ALL-UNNAMED</option>
 								<option>--add-opens=javafx.base/javafx.beans.property=ALL-UNNAMED</option>
@@ -952,7 +959,7 @@
 										<arg>--no-header-files</arg>
 										<arg>--strip-debug</arg>
 										<arg>--no-man-pages</arg>
-										<arg>--compress=2</arg>
+										<arg>--compress=zip-6</arg>
 									</args>
 								</configuration>
 							</execution>
@@ -991,16 +998,16 @@
 		These properties are then use to build the directory paths to the platform specific resources.
 		It would be great if Maven automatically added the os family as a property by default
 		 -->
-
 		<profile>
 			<id>macos-sign</id>
 			<activation>
 				<activeByDefault>false</activeByDefault>
 			</activation>
 			<properties>
 				<macos.sign>--mac-sign</macos.sign>
-				<!-- You will have to replace this with your own dev information from your Apple identity -->
-				<macos.sign.identity>--mac-signing-key-user-name "Company Name, Inc. (BXPXTXC35S)"</macos.sign.identity>
+				<macos.sign.identity>--mac-signing-key-user-name "PainteraSelfSignedCert"</macos.sign.identity>
+				<macos.sign.prefix>--mac-package-signing-prefix "org.janelia.saalfeldlab.paintera."</macos.sign.prefix>
+				<macos.sign.entitlements>--mac-entitlements "${project.build.directory}/packaging/${os.detected.name}/entitlements.plist"</macos.sign.entitlements>
 			</properties>
 		</profile>
 

src/main/java/org/janelia/saalfeldlab/paintera/serialization/SourceInfoSerializer.java

@@ -11,8 +11,8 @@
 import gnu.trove.set.hash.TIntHashSet;
 import net.imglib2.exception.IncompatibleTypeException;
 import org.janelia.saalfeldlab.paintera.Paintera;
-import org.janelia.saalfeldlab.paintera.SplashScreenUpdateNotification;
-import org.janelia.saalfeldlab.paintera.SplashScreenUpdateNumItemsNotification;
+import org.janelia.saalfeldlab.paintera.ui.SplashScreenUpdateNotification;
+import org.janelia.saalfeldlab.paintera.ui.SplashScreenUpdateNumItemsNotification;
 import org.janelia.saalfeldlab.paintera.serialization.sourcestate.SourceStateSerialization;
 import org.janelia.saalfeldlab.paintera.state.SourceInfo;
 import org.janelia.saalfeldlab.paintera.state.SourceState;

src/main/kotlin/org/janelia/saalfeldlab/paintera/Paintera.kt

@@ -33,6 +33,10 @@ import org.janelia.saalfeldlab.paintera.Paintera.Companion.paintableRunnables
 import org.janelia.saalfeldlab.paintera.config.ScreenScalesConfig
 import org.janelia.saalfeldlab.paintera.data.mask.MaskedSource
 import org.janelia.saalfeldlab.paintera.state.label.ConnectomicsLabelState
+import org.janelia.saalfeldlab.paintera.ui.PainteraSplashScreen
+import org.janelia.saalfeldlab.paintera.ui.SplashScreenFinishPreloader
+import org.janelia.saalfeldlab.paintera.ui.SplashScreenUpdateNotification
+import org.janelia.saalfeldlab.paintera.ui.SplashScreenUpdateNumItemsNotification
 import org.janelia.saalfeldlab.paintera.ui.dialogs.PainteraAlerts
 import org.janelia.saalfeldlab.paintera.util.debug.DebugModeProperty
 import org.janelia.saalfeldlab.paintera.util.logging.LogUtils

src/main/kotlin/org/janelia/saalfeldlab/paintera/ui/PainteraSplashScreen.kt

@@ -1,4 +1,4 @@
-package org.janelia.saalfeldlab.paintera
+package org.janelia.saalfeldlab.paintera.ui
 
 import javafx.animation.*
 import javafx.application.Preloader

src/packaging/mvn-jpackage.properties

@@ -4,8 +4,6 @@ app.version=${parsedVersion.majorVersion}.${parsedVersion.minorVersion}.${parsed
 
 
 windows.upgrade.uuid=f918b6f9-8685-4b50-9fbd-9be7a1209249
-macos.sign=
-macos.sign.identity=
 
 jvm.modules=javafx.base,\
   javafx.controls,\
@@ -19,6 +17,7 @@ jvm.modules=javafx.base,\
   java.sql
 
 jpackage.java-options=-XX:MaxRAMPercentage=75 \
+  -Djavafx.preloader=${preloader-class} \
   --add-opens=javafx.base/javafx.util=ALL-UNNAMED \
   --add-opens=javafx.base/javafx.event=ALL-UNNAMED \
   --add-opens=javafx.base/javafx.beans.property=ALL-UNNAMED \

src/packaging/osx/entitlements.plist

@@ -0,0 +1,18 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
+<plist version="1.0">
+<dict>
+    <!-- this is needed until we have a proper apple developer ID -->
+    <key>com.apple.security.cs.disable-library-validation</key>
+    <true/>
+
+    <key>com.apple.security.cs.allow-jit</key>
+    <true/>
+
+    <key>com.apple.security.cs.allow-unsigned-executable-memory</key>
+    <true/>
+
+    <key>com.apple.security.cs.allow-dyld-environment-variables</key>
+    <true/>
+</dict>
+</plist>

src/packaging/osx/jpackage.txt

@@ -7,6 +7,7 @@
 --runtime-image "${project.build.directory}/jvm-image"
 --temp "${project.build.directory}/installer-work"
 --java-options "${jpackage.java-options}"
-
 ${macos.sign}
 ${macos.sign.identity}
+${macos.sign.prefix}
+${macos.sign.entitlements}