package signing again

Author: ttscoff

.gitignore

@@ -13,3 +13,4 @@ package
 .gitsecret/keys/random_seed
 !*.secret
 gather
+tag_message.txt

.gitsecret/paths/mapping.cfg

@@ -1 +1 @@
-buildnotes.md:f40b30c2fcc3dd898720f3b4a5fe36b5f48bbdbc8322639cbe2e5c5ecb639993
+buildnotes.md:5cc23a769ac033f097cd36898a616de8fa6e8648146265d1afa666a7a392cd1f

CHANGELOG.md

@@ -1,3 +1,9 @@
+## 2.1.11
+
+#### FIXED
+
+- PKG signing
+
 ## 2.1.10
 
 ## 2.1.9

README.md

@@ -3,7 +3,7 @@
 ![Howzit banner image](https://cdn3.brettterpstra.com/uploads/2022/08/gatherheader-rb.webp)
 
 
-Current version: 2.1.10
+Current version: 2.1.11
 
 This project is the successor to read2text, which was a Python based tool that used Arc90 Readability and html2text to convert web URLs to Markdown documents, ready to store in your notes. It takes its name from another of my similar projects that I've since retired. It was this, but with a GUI, and this is infinitely more scriptable and is designed to nestle into your favorite tools and projects.
 

Sources/gather/gather.swift

@@ -5,7 +5,7 @@ import Foundation
 import HTML2Text
 import Readability
 import Yams
-var VERSION = "2.1.10"
+var VERSION = "2.1.11"
 
 var acceptedAnswerOnly = false
 var disableReadability = false

scripts/package.sh

@@ -38,59 +38,83 @@ notarizefile() { # $1: path to file to notarize, $2: identifier
 	filepath=${1:?"need a filepath"}
 	identifier=${2:?"need an identifier"}
 
-	# upload file
+	# upload file and wait for completion
 	echo "## uploading $filepath for notarization"
-	requestUUID=$(xcrun notarytool submit --wait \
+	SUBMIT_OUTPUT=$(xcrun notarytool submit --wait \
 		--keychain-profile "$dev_keychain_label" \
-		"$filepath" 2>&1 |
-		awk '/  id:/ { print $NF; }' | tail -n 1)
+		"$filepath" 2>&1)
 
-	echo "Notarization RequestUUID: $requestUUID"
+	echo "$SUBMIT_OUTPUT"
+
+	# Extract the request UUID
+	requestUUID=$(echo "$SUBMIT_OUTPUT" | awk '/  id:/ { print $NF; }' | tail -n 1)
 
 	if [[ $requestUUID == "" ]]; then
-		echo "could not upload for notarization"
-		exit 1
+		echo "## Error: could not get notarization request UUID"
+		return 1
 	fi
 
-	# # wait for status to be not "in progress" any more
-	# request_status="In Progress"
-
-	# while [[ "$request_status" == "In Progress" ]]; do
-	#     echo -n "waiting... "
-	#     sleep 10
-	#     request_status=$(requeststatus "$requestUUID")
-	#     echo "$request_status"
-	# done
+	echo "Notarization RequestUUID: $requestUUID"
 
-	# print status information
-	xcrun notarytool info \
+	# Get detailed status
+	echo "## Checking notarization status..."
+	STATUS_OUTPUT=$(xcrun notarytool info \
 		--keychain-profile "$dev_keychain_label" \
-		"$requestUUID"
-	echo
+		"$requestUUID" 2>&1)
 
-	# if [[ $request_status != "success" ]]; then
-	#     echo "## could not notarize $filepath"
-	#     exit 1
-	# fi
+	echo "$STATUS_OUTPUT"
 
+	# Extract status
+	request_status=$(echo "$STATUS_OUTPUT" | awk -F ': ' '/status:/ { print $2; }' | head -1 | tr -d ' ')
+
+	if [[ "$request_status" == "Accepted" ]]; then
+		echo "## ✓ Notarization succeeded!"
+		return 0
+	else
+		echo "## ✗ Notarization failed with status: $request_status"
+		echo "## Getting notarization logs..."
+		xcrun notarytool log \
+			--keychain-profile "$dev_keychain_label" \
+			"$requestUUID" 2>&1 | head -50
+		return 1
+	fi
 }
 
 # Build the binary
 xcrun swift build -c release --arch arm64 --arch x86_64
 bindir=$(xcrun swift build -c release --arch arm64 --arch x86_64 --show-bin-path)
 
 # Determine signing identity for binary (allow override via environment variable)
-# Default to 3rd Party Mac Developer Application (for Mac App Store) or Developer ID Application (for direct distribution)
-APP_SIGNING_IDENTITY="${APP_SIGNING_IDENTITY:-3rd Party Mac Developer Application: Brett Terpstra (47TRS7H4BH)}"
+# Try Developer ID Application first (for notarization), fall back to 3rd Party Mac Developer Application
+if [ -z "$APP_SIGNING_IDENTITY" ]; then
+	# Try Developer ID Application first
+	if security find-identity -v -p codesigning | grep -q "Developer ID Application: Brett Terpstra (47TRS7H4BH)"; then
+		APP_SIGNING_IDENTITY="Developer ID Application: Brett Terpstra (47TRS7H4BH)"
+	else
+		# Fall back to 3rd Party Mac Developer Application
+		APP_SIGNING_IDENTITY="3rd Party Mac Developer Application: Brett Terpstra (47TRS7H4BH)"
+	fi
+fi
 
 # Initialize notarization flag - will be set based on PKG signing success
 SKIP_NOTARIZATION=true
 
 # Check if the identity exists, if not use ad-hoc signing
 if security find-identity -v -p codesigning | grep -q "$APP_SIGNING_IDENTITY"; then
 	echo "## Signing binary with: $APP_SIGNING_IDENTITY"
-	codesign --force --verbose --sign "$APP_SIGNING_IDENTITY" -o runtime --timestamp $bindir/$executable
-	codesign --verify -vvvv $bindir/$executable
+	if codesign --force --verbose --sign "$APP_SIGNING_IDENTITY" -o runtime --timestamp $bindir/$executable 2>&1; then
+		codesign --verify -vvvv $bindir/$executable
+		# Check if we're using Developer ID Application (required for notarization)
+		if [[ "$APP_SIGNING_IDENTITY" == *"Developer ID Application"* ]]; then
+			echo "## ✓ Binary signed with Developer ID Application (ready for notarization)"
+		else
+			echo "## Note: Using 3rd Party certificate - notarization will be skipped"
+		fi
+	else
+		echo "## Warning: Failed to sign with '$APP_SIGNING_IDENTITY', trying ad-hoc signing"
+		codesign --force --verbose --sign "-" $bindir/$executable
+		codesign --verify -vvvv $bindir/$executable
+	fi
 else
 	echo "## Warning: Identity '$APP_SIGNING_IDENTITY' not found, using ad-hoc signing for binary"
 	codesign --force --verbose --sign "-" $bindir/$executable
@@ -117,7 +141,13 @@ if [ -n "$INSTALLER_SIGNATURE" ] && [ "$INSTALLER_SIGNATURE" != "-" ]; then
 		"$pkgpath" 2>&1; then
 		echo "## ✓ PKG signed successfully"
 		# PKG is signed with Developer ID Installer, can be notarized
-		SKIP_NOTARIZATION=false
+		# BUT: Binary must also be signed with Developer ID Application for notarization to succeed
+		if [[ "$APP_SIGNING_IDENTITY" == *"Developer ID Application"* ]]; then
+			SKIP_NOTARIZATION=false
+		else
+			echo "## Note: Binary not signed with Developer ID Application - notarization will be skipped"
+			SKIP_NOTARIZATION=true
+		fi
 	else
 		PKG_BUILD_EXIT=$?
 		echo "## Warning: Failed to sign with '$INSTALLER_SIGNATURE' (exit code: $PKG_BUILD_EXIT), building unsigned pkg"
@@ -143,11 +173,20 @@ if [ "$SKIP_NOTARIZATION" = "false" ]; then
 	# upload for notarization
 	echo "Path: $pkgpath"
 	echo "Identifier $identifier"
-	notarizefile "$pkgpath" "$identifier"
-
-	# staple result
-	echo "## Stapling $pkgpath"
-	xcrun stapler staple "$pkgpath"
+	if notarizefile "$pkgpath" "$identifier"; then
+		# Only staple if notarization succeeded
+		echo "## Stapling $pkgpath"
+		xcrun stapler staple "$pkgpath"
+		if [ $? -eq 0 ]; then
+			echo "## ✓ Package stapled successfully"
+		else
+			echo "## Warning: Stapling failed"
+		fi
+	else
+		echo "## Error: Notarization failed, skipping stapling"
+		echo "## The PKG is signed but not notarized. You may need to fix signing issues."
+		exit 1
+	fi
 else
 	echo "## Skipping notarization (ad-hoc or unsigned build)"
 fi