Merge f0e1ee342c985bc9fa42ef248d0c5543a6a87986 into 79b7e277f1f06f6b315e293b029423fe35e57431

2025-08-03 11:27:33 -04:00 · 2025-08-01 21:19:51 +02:00 · 2025-08-01 21:19:51 +02:00 · 59b618ae7a
commit 59b618ae7a
parent 79b7e277f1 f0e1ee342c
11 changed files with 90 additions and 22 deletions
--- a/.github/actions/package/macos/action.yml
+++ b/.github/actions/package/macos/action.yml
@ -64,15 +64,6 @@ runs:
        cd ${{ env.INSTALL_DIR }}
        chmod +x "PrismLauncher.app/Contents/MacOS/prismlauncher"

-        if [ -n '${{ inputs.apple-codesign-id }}' ]; then
-          APPLE_CODESIGN_ID='${{ inputs.apple-codesign-id }}'
-          ENTITLEMENTS_FILE='../program_info/App.entitlements'
-        else
-          APPLE_CODESIGN_ID='-'
-          ENTITLEMENTS_FILE='../program_info/AdhocSignedApp.entitlements'
-        fi
-
-        sudo codesign --sign "$APPLE_CODESIGN_ID" --deep --force --entitlements "$ENTITLEMENTS_FILE" --options runtime "PrismLauncher.app/Contents/MacOS/prismlauncher"
        mv "PrismLauncher.app" "Prism Launcher.app"

    - name: Notarize
--- a/.github/workflows/build.yml
+++ b/.github/workflows/build.yml
@ -165,6 +165,9 @@ jobs:

          ARTIFACT_NAME: ${{ matrix.artifact-name }}-Qt6
          BUILD_PLATFORM: official
+
+          APPLE_CODESIGN_IDENTITY: ${{ secrets.APPLE_CODESIGN_ID }}
+          APPLE_BUILD_FOR_NOTARIZATION: ${{ secrets.APPLE_NOTARIZE_PASSWORD && 'YES' || 'NO' }}
        run: |
          cmake --workflow --preset "$CMAKE_PRESET"

--- a/CMakeLists.txt
+++ b/CMakeLists.txt
@ -409,6 +409,9 @@ if(UNIX AND APPLE)
    set(MACOSX_SPARKLE_SHA256 "50612a06038abc931f16011d7903b8326a362c1074dabccb718404ce8e585f0b" CACHE STRING "SHA256 checksum for Sparkle release archive")
    set(MACOSX_SPARKLE_DIR "${CMAKE_BINARY_DIR}/frameworks/Sparkle")

+    set(MACOSX_CODESIGN_IDENTITY "-" CACHE STRING "The identity to use for codesigning (the name, not the secret)")
+    set(MACOSX_PREPARE_NOTARIZATION OFF CACHE BOOL "Whether to disable features incompatible with notarization (notably, do not request an entitlement that allows for attaching a debugger)")
+
    if(NOT MACOSX_SPARKLE_UPDATE_PUBLIC_KEY STREQUAL "" AND NOT MACOSX_SPARKLE_UPDATE_FEED_URL STREQUAL "")
        set(Launcher_ENABLE_UPDATER YES)
    endif()
--- a/cmake/macosPreset.json
+++ b/cmake/macosPreset.json
@ -13,7 +13,11 @@
 				"lhs": "${hostSystemName}",
 				"rhs": "Darwin"
 			},
-			"generator": "Ninja"
+			"generator": "Ninja",
+			"cacheVariables": {
+				"MACOSX_CODESIGN_IDENTITY": "$penv{APPLE_CODESIGN_IDENTITY}",
+				"MACOSX_PREPARE_NOTARIZATION": "$penv{APPLE_BUILD_FOR_NOTARIZATION}"
+			}
 		},
 		{
 			"name": "macos_universal_base",
--- a/launcher/CMakeLists.txt
+++ b/launcher/CMakeLists.txt
@ -1526,6 +1526,7 @@ if(WIN32 OR (UNIX AND APPLE))
            LIBEXEC_DIR ${LIBRARY_DEST_DIR}
            LIB_DIR ${LIBRARY_DEST_DIR}
            PLUGINS_DIR ${PLUGIN_DEST_DIR}
+            NO_APP_STORE_COMPLIANCE
            NO_OVERWRITE
            NO_TRANSLATIONS
            NO_COMPILER_RUNTIME
@ -1570,3 +1571,14 @@ if(WIN32 OR (UNIX AND APPLE))
        COMPONENT bundle
    )
 endif()
+
+if(UNIX AND APPLE)
+    # Need to fix code signing for the bundle
+    set(MACOSX_ENTITLEMENTS "${CMAKE_CURRENT_BINARY_DIR}/../program_info/App.entitlements")
+    configure_file(
+        "${CMAKE_CURRENT_SOURCE_DIR}/MacOSCodesign.cmake.in"
+        "${CMAKE_CURRENT_BINARY_DIR}/MacOSCodesign.cmake"
+        @ONLY
+    )
+    install(SCRIPT "${CMAKE_CURRENT_BINARY_DIR}/MacOSCodesign.cmake" COMPONENT Runtime)
+endif()
--- a/launcher/MacOSCodesign.cmake.in
+++ b/launcher/MacOSCodesign.cmake.in
@ -0,0 +1,8 @@
+execute_process(
+        COMMAND "@CMAKE_SOURCE_DIR@/program_info/macos_signature.sh" "@MACOSX_CODESIGN_IDENTITY@" "@MACOSX_ENTITLEMENTS@"
+        WORKING_DIRECTORY "@CMAKE_INSTALL_PREFIX@"
+        RESULT_VARIABLE CODESIGN_RESULT
+)
+if(NOT CODESIGN_RESULT EQUAL 0)
+    message(FATAL_ERROR "Failed to codesign the bundle")
+endif()
--- a/nix/unwrapped.nix
+++ b/nix/unwrapped.nix
@ -3,6 +3,7 @@
  stdenv,
  cmake,
  cmark,
+  darwin,
  apple-sdk_11,
  extra-cmake-modules,
  gamemode,
@ -74,6 +75,7 @@ stdenv.mkDerivation {
    extra-cmake-modules
    jdk17
    stripJavaArchivesHook
+    darwin.sigtool
  ];

  buildInputs =
--- a/program_info/AdhocSignedApp.entitlements
+++ b/program_info/AdhocSignedApp.entitlements
@ -1,12 +0,0 @@
-<?xml version="1.0" encoding="UTF-8"?>
-<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
-<plist version="1.0">
-<dict>
-    <key>com.apple.security.cs.disable-library-validation</key>
-    <true/>
-    <key>com.apple.security.device.audio-input</key>
-    <true/>
-    <key>com.apple.security.device.camera</key>
-    <true/>
-</dict>
-</plist>
--- a/program_info/App.entitlements.in
+++ b/program_info/App.entitlements.in
@ -2,6 +2,8 @@
 <!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
 <plist version="1.0">
 <dict>
+@Launcher_AdhocEntitlements@
+@Launcher_DebugEntitlements@
    <key>com.apple.security.device.audio-input</key>
    <true/>
    <key>com.apple.security.device.camera</key>
--- a/program_info/CMakeLists.txt
+++ b/program_info/CMakeLists.txt
@ -38,6 +38,22 @@ set(Launcher_Branding_LogoQRC "program_info/prismlauncher.qrc" PARENT_SCOPE)

 set(Launcher_Portable_File "program_info/portable.txt" PARENT_SCOPE)

+if(MACOSX_CODESIGN_IDENTITY STREQUAL "-")
+    string(CONCAT Launcher_AdhocEntitlements
+            "    <key>com.apple.security.cs.disable-library-validation</key>\n"
+            "    <true/>")
+else()
+    set(Launcher_AdhocEntitlements "")
+endif()
+if(CMAKE_BUILD_TYPE STREQUAL "Debug" AND NOT MACOSX_PREPARE_NOTARIZATION)
+    string(CONCAT Launcher_DebugEntitlements
+            "    <key>com.apple.security.get-task-allow</key>\n"
+            "    <true/>")
+else()
+    set(Launcher_DebugEntitlements "")
+endif()
+
+configure_file(App.entitlements.in App.entitlements)
 configure_file(${Launcher_AppID}.desktop.in ${Launcher_AppID}.desktop)
 configure_file(${Launcher_AppID}.metainfo.xml.in ${Launcher_AppID}.metainfo.xml)
 configure_file(prismlauncher.rc.in prismlauncher.rc @ONLY)
--- a/program_info/macos_signature.sh
+++ b/program_info/macos_signature.sh
@ -0,0 +1,39 @@
+#!/usr/bin/env sh
+
+# Run this script from the directory containing "PrismLauncher.app"
+
+CODE_SIGN_IDENTITY="${1:--}"
+MAIN_ENTITLEMENTS_FILE="${2:-../program_info/App.entitlements}"
+
+if [[ "$CODE_SIGN_IDENTITY" == "Developer ID Application"* ]]; then
+    CODE_SIGN_IDENTITY=("$CODE_SIGN_IDENTITY" --timestamp)
+fi
+
+################ FRAMEWORKS ################
+cd "PrismLauncher.app/Contents/Frameworks" || exit 1
+# See https://sparkle-project.org/documentation/sandboxing/
+codesign -f -s "${CODE_SIGN_IDENTITY[@]}" -o runtime Sparkle.framework/Versions/B/XPCServices/Installer.xpc
+# For Sparkle versions >= 2.6
+codesign -f -s "${CODE_SIGN_IDENTITY[@]}" -o runtime --preserve-metadata=entitlements Sparkle.framework/Versions/B/XPCServices/Downloader.xpc
+# For Sparkle versions < 2.6
+#codesign -f -s "${CODE_SIGN_IDENTITY[@]}" -o runtime --entitlements Entitlements/Downloader.entitlements Sparkle.framework/Versions/B/XPCServices/Downloader.xpc
+codesign -f -s "${CODE_SIGN_IDENTITY[@]}" -o runtime Sparkle.framework/Versions/B/Autoupdate
+codesign -f -s "${CODE_SIGN_IDENTITY[@]}" -o runtime Sparkle.framework/Versions/B/Updater.app
+
+codesign -f -s "${CODE_SIGN_IDENTITY[@]}" ./*.framework
+codesign -f -s "${CODE_SIGN_IDENTITY[@]}" ./*.dylib
+
+################ XPC SERVICES ################
+if cd "../XPCServices"; then
+    codesign -f -s "${CODE_SIGN_IDENTITY[@]}" -o runtime ./*.xpc
+fi
+
+################ PLUGINS ################
+cd "../PlugIns" || exit 1
+codesign -f -s "${CODE_SIGN_IDENTITY[@]}" */*.dylib
+cd "../MacOS" || exit 1
+codesign -f -s "${CODE_SIGN_IDENTITY[@]}" jars/*.jar
+
+################ APP ################
+cd "../../.." || exit 1
+codesign -f -s "${CODE_SIGN_IDENTITY[@]}" --entitlements "$MAIN_ENTITLEMENTS_FILE" -o runtime ./PrismLauncher.app