refactored notarization

Author: StephenHodgson

.github/workflows/validate.yml

@@ -19,6 +19,7 @@ jobs:
     env:
       VERSION: ''
       TEMPLATE_PATH: ''
+      EXPORT_OPTION: ''
       UNITY_PROJECT_PATH: ''
     runs-on: ${{ matrix.os }}
     strategy:
@@ -69,6 +70,15 @@ jobs:
               exit 1
             }
           echo "VERSION=$version" >> $env:GITHUB_ENV
+
+          # if the unity-version is 6000.x then set export option to app-store-connect otherwise set it to development
+          if ('${{ matrix.unity-version }}' -eq '6000.x') {
+            echo "EXPORT_OPTION=app-store-connect" >> $env:GITHUB_ENV
+          } elseif ('${{ matrix.unity-version }}' -eq '2022.3.x') {
+            echo "EXPORT_OPTION=development" >> $env:GITHUB_ENV
+          } else {
+            echo "EXPORT_OPTION=steam" >> $env:GITHUB_ENV
+          }
         shell: pwsh
       - uses: buildalon/activate-unity-license@v1
         with:
@@ -103,8 +113,8 @@ jobs:
           app-store-connect-key-id: ${{ secrets.APP_STORE_CONNECT_KEY_ID }}
           app-store-connect-issuer-id: ${{ secrets.APP_STORE_CONNECT_ISSUER_ID }}
           team-id: ${{ secrets.APPLE_TEAM_ID }}
-          export-option: app-store
-          upload: ${{ matrix.unity-version == '6000.x' }}
+          export-option: ${{ env.EXPORT_OPTION }}
+          notarize: ${{ matrix.unity-version != '6000.x' }}
       - name: print outputs
         if: always()
         run: |

dist/index.js

@@ -57691,9 +57691,9 @@ async function updateBetaBuildLocalization(betaBuildLocalization, whatsNew) {
 async function pollForValidBuild(project, maxRetries = 60, interval = 30) {
     var _a, _b, _c;
     (0, utilities_1.log)(`Polling build validation...`);
-    await new Promise(resolve => setTimeout(resolve, interval * 1000));
     let retries = 0;
     while (++retries < maxRetries) {
+        await new Promise(resolve => setTimeout(resolve, interval * 1000));
         core.info(`Polling for build... Attempt ${retries}/${maxRetries}`);
         let { preReleaseVersion, build } = await getLastPreReleaseVersionAndBuild(project);
         if (preReleaseVersion) {
@@ -57728,7 +57728,6 @@ async function pollForValidBuild(project, maxRetries = 60, interval = 30) {
         else {
             core.info(`Waiting for pre-release build ${project.versionString}...`);
         }
-        await new Promise(resolve => setTimeout(resolve, interval * 1000));
     }
     throw new Error('Timed out waiting for valid build!');
 }
@@ -58403,21 +58402,27 @@ async function ExportXcodeArchive(projectRef) {
     if (projectRef.platform === 'macOS') {
         if (!projectRef.isAppStoreUpload()) {
             const notarizeInput = core.getInput('notarize') || 'true';
+            projectRef.executablePath = await getFirstPathWithGlob(`${projectRef.exportPath}/**/*.app`);
             const notarize = notarizeInput === 'true';
             core.debug(`Notarize? ${notarize}`);
             if (notarize) {
-                projectRef.executablePath = await createMacOSInstallerPkg(projectRef);
-            }
-            else {
-                projectRef.executablePath = await getFileAtGlobPath(`${projectRef.exportPath}/**/*.app`);
+                await signMacOSAppBundle(projectRef);
+                if (projectRef.exportOption !== 'steam') {
+                    projectRef.executablePath = await createMacOSInstallerPkg(projectRef);
+                }
+                else {
+                    const zipPath = path.join(projectRef.exportPath, projectRef.executablePath.replace('.app', '.zip'));
+                    await (0, exec_1.exec)('ditto', ['-c', '-k', '--sequesterRsrc', '--keepParent', projectRef.executablePath, zipPath]);
+                    await notarizeArchive(projectRef, zipPath, projectRef.executablePath);
+                }
             }
         }
         else {
-            projectRef.executablePath = await getFileAtGlobPath(`${projectRef.exportPath}/**/*.pkg`);
+            projectRef.executablePath = await getFirstPathWithGlob(`${projectRef.exportPath}/**/*.pkg`);
         }
     }
     else {
-        projectRef.executablePath = await getFileAtGlobPath(`${projectRef.exportPath}/**/*.ipa`);
+        projectRef.executablePath = await getFirstPathWithGlob(`${projectRef.exportPath}/**/*.ipa`);
     }
     try {
         await fs.promises.access(projectRef.executablePath, fs.constants.R_OK);
@@ -58429,34 +58434,134 @@ async function ExportXcodeArchive(projectRef) {
     core.setOutput('executable', projectRef.executablePath);
     return projectRef;
 }
-async function getFileAtGlobPath(globPattern) {
+async function getFirstPathWithGlob(globPattern) {
     const globber = await glob.create(globPattern);
     const files = await globber.glob();
     if (files.length === 0) {
         throw new Error(`No file found at: ${globPattern}`);
     }
     return files[0];
 }
+async function signMacOSAppBundle(projectRef) {
+    const appPath = await getFirstPathWithGlob(`${projectRef.exportPath}/**/*.app`);
+    await fs.promises.access(appPath, fs.constants.R_OK);
+    const stat = await fs.promises.stat(appPath);
+    if (!stat.isDirectory()) {
+        throw new Error(`Not a valid app bundle: ${appPath}`);
+    }
+    const signAppBundlePath = __nccwpck_require__.ab + "sign-app-bundle.sh";
+    core.info(`Signing app bundle: ${appPath}`);
+    let codesignOutput = '';
+    const codesignExitCode = await (0, exec_1.exec)(__nccwpck_require__.ab + "sign-app-bundle.sh", [appPath, projectRef.entitlementsPath], {
+        listeners: {
+            stdout: (data) => {
+                codesignOutput += data.toString();
+            }
+        },
+        ignoreReturnCode: true
+    });
+    if (codesignExitCode !== 0) {
+        (0, utilities_1.log)(codesignOutput, 'error');
+        throw new Error(`Failed to code sign the app!`);
+    }
+    core.info(codesignOutput);
+}
 async function createMacOSInstallerPkg(projectRef) {
     core.info('Creating macOS installer pkg...');
     let output = '';
     const pkgPath = `${projectRef.exportPath}/${projectRef.projectName}.pkg`;
-    const appPath = await getFileAtGlobPath(`${projectRef.exportPath}/**/*.app`);
-    await (0, exec_1.exec)('productbuild', ['--component', appPath, '/Applications', pkgPath], {
+    const appPath = await getFirstPathWithGlob(`${projectRef.exportPath}/**/*.app`);
+    const productBuildExitCode = await (0, exec_1.exec)('xcrun', ['productbuild', '--component', appPath, '/Applications', pkgPath], {
         listeners: {
             stdout: (data) => {
                 output += data.toString();
             }
-        }
+        },
+        ignoreReturnCode: true
     });
+    if (productBuildExitCode !== 0) {
+        (0, utilities_1.log)(output, 'error');
+        throw new Error(`Failed to create the pkg!`);
+    }
     try {
         await fs.promises.access(pkgPath, fs.constants.R_OK);
     }
     catch (error) {
         throw new Error(`Failed to create the pkg at: ${pkgPath}!`);
     }
+    const signPkgPath = __nccwpck_require__.ab + "sign-app-pkg.sh";
+    core.info(`Signing pkg: ${pkgPath}`);
+    let codesignOutput = '';
+    const codesignExitCode = await (0, exec_1.exec)(__nccwpck_require__.ab + "sign-app-pkg.sh", [pkgPath], {
+        listeners: {
+            stdout: (data) => {
+                codesignOutput += data.toString();
+            }
+        },
+        ignoreReturnCode: true
+    });
+    if (codesignExitCode !== 0) {
+        (0, utilities_1.log)(codesignOutput, 'error');
+        throw new Error(`Failed to code sign the pkg!`);
+    }
     return pkgPath;
 }
+async function notarizeArchive(projectRef, archivePath, staplePath) {
+    const notarizeArgs = [
+        'notarytool',
+        'submit',
+        '--key', projectRef.credential.appStoreConnectKeyPath,
+        '--key-id', projectRef.credential.appStoreConnectKeyId,
+        '--issuer', projectRef.credential.appStoreConnectIssuerId,
+        '--team-id', projectRef.credential.teamId,
+        '--wait',
+        '--no-progress',
+        '--output-format', 'json',
+    ];
+    if (core.isDebug()) {
+        notarizeArgs.push('--verbose');
+    }
+    let notarizeOutput = '';
+    const notarizeExitCode = await (0, exec_1.exec)(xcrun, [...notarizeArgs, archivePath], {
+        listeners: {
+            stdout: (data) => {
+                notarizeOutput += data.toString();
+            }
+        },
+        ignoreReturnCode: true
+    });
+    if (notarizeExitCode !== 0) {
+        (0, utilities_1.log)(notarizeOutput, 'error');
+        throw new Error(`Failed to notarize the app!`);
+    }
+    core.debug(notarizeOutput);
+    const notaryResult = JSON.parse(notarizeOutput);
+    if (notaryResult.status !== 'Accepted') {
+        throw new Error(`Notarization failed! Status: ${notaryResult.status} | ${notaryResult.message}`);
+    }
+    const stapleArgs = [
+        'stapler',
+        'staple',
+        staplePath,
+    ];
+    if (core.isDebug()) {
+        stapleArgs.push('--verbose');
+    }
+    let stapleOutput = '';
+    const stapleExitCode = await (0, exec_1.exec)(xcrun, stapleArgs, {
+        listeners: {
+            stdout: (data) => {
+                stapleOutput += data.toString();
+            }
+        },
+        ignoreReturnCode: true
+    });
+    if (stapleExitCode !== 0) {
+        (0, utilities_1.log)(stapleOutput, 'error');
+        throw new Error(`Failed to staple the notarization ticket!`);
+    }
+    core.info(stapleOutput);
+}
 async function getExportOptions(projectRef) {
     const exportOptionPlistInput = core.getInput('export-option-plist');
     let exportOptionsPath = undefined;

dist/index.js.map

@@ -0,0 +1,31 @@
+#!/bin/bash
+# This script is used to sign macOS app bundles with a specified entitlements file.
+# Usage: ./signing.sh <path_to_app_bundle> <path_to_entitlements_path>
+# Example: ./signing.sh /path/to/MyApp.app /path/to/entitlements.plist
+
+APP_BUNDLE_PATH="$1"
+ENTITLEMENTS_PATH="$2"
+
+# remove any metadata from the app bundle
+xattr -cr "$APP_BUNDLE_PATH"
+
+# get the signing identity that matches Developer ID Application
+SIGNING_IDENTITY=$(security find-identity -p codesigning -v | grep "Developer ID Application" | awk -F'"' '{print $2}' | head -n 1)
+if [ -z "$SIGNING_IDENTITY" ]; then
+    echo "No 'Developer ID Application' signing identity found!"
+    exit 1
+fi
+
+# sign *.bundles and delete any existing *.meta files from them
+find "$APP_BUNDLE_PATH" -name "*.bundle" -exec find {} -name '*.meta' -delete \; -exec codesign --deep --force --verify --verbose --timestamp --options runtime --entitlements "$ENTITLEMENTS_PATH" --sign "$SIGNING_IDENTITY" {} \;
+
+# sign any *.dylibs
+find "$APP_BUNDLE_PATH" -name "*.dylib" -exec codesign --force --verify --verbose --timestamp --options runtime --entitlements "$ENTITLEMENTS_PATH" --sign "$SIGNING_IDENTITY" {} \;
+
+#sign the app bundle
+codesign --deep --force --verify --verbose --timestamp --options runtime --entitlements "$ENTITLEMENTS_PATH" --sign "$SIGNING_IDENTITY" "$APP_BUNDLE_PATH"
+
+# verify the app bundle
+if ! codesign --verify --verbose=2 "$APP_BUNDLE_PATH"; then
+    exit 1
+fi

dist/sign-app-bundle.sh

@@ -0,0 +1,25 @@
+#!/bin/bash
+# This script is meant to sign macOS .pkg files.
+# Usage: ./sign-app-pkg.sh <path_to_pkg>
+# Example: ./sign-app-pkg.sh /path/to/MyApp.pkg
+
+PKG_PATH="$1"
+
+# find the Developer ID Installer signing identity
+SIGNING_IDENTITY=$(security find-identity -v | grep "Developer ID Installer" | awk -F'"' '{print $2}' | head -n 1)
+if [ -z "$SIGNING_IDENTITY" ]; then
+    echo "No 'Developer ID Installer' signing identity found!"
+    exit 1
+fi
+
+productsign --sign "$SIGNING_IDENTITY" "$PKG_PATH" "${PKG_PATH%.pkg}-signed.pkg"
+
+# verify the signed package
+if ! pkgutil --check-signature "${PKG_PATH%.pkg}-signed.pkg"; then
+    exit 1
+fi
+
+# replace the original package with the signed one
+rm "$PKG_PATH"
+mv "${PKG_PATH%.pkg}-signed.pkg" "$PKG_PATH"
+echo "Package signed successfully!"

dist/sign-app-pkg.sh

@@ -246,9 +246,9 @@ async function updateBetaBuildLocalization(betaBuildLocalization: BetaBuildLocal
 
 async function pollForValidBuild(project: XcodeProject, maxRetries: number = 60, interval: number = 30): Promise<Build> {
     log(`Polling build validation...`);
-    await new Promise(resolve => setTimeout(resolve, interval * 1000));
     let retries = 0;
     while (++retries < maxRetries) {
+        await new Promise(resolve => setTimeout(resolve, interval * 1000));
         core.info(`Polling for build... Attempt ${retries}/${maxRetries}`);
         let { preReleaseVersion, build } = await getLastPreReleaseVersionAndBuild(project);
         if (preReleaseVersion) {
@@ -280,7 +280,6 @@ async function pollForValidBuild(project: XcodeProject, maxRetries: number = 60,
         } else {
             core.info(`Waiting for pre-release build ${project.versionString}...`);
         }
-        await new Promise(resolve => setTimeout(resolve, interval * 1000));
     }
     throw new Error('Timed out waiting for valid build!');
 }

src/AppStoreConnectClient.ts

@@ -0,0 +1,31 @@
+#!/bin/bash
+# This script is used to sign macOS app bundles with a specified entitlements file.
+# Usage: ./signing.sh <path_to_app_bundle> <path_to_entitlements_path>
+# Example: ./signing.sh /path/to/MyApp.app /path/to/entitlements.plist
+
+APP_BUNDLE_PATH="$1"
+ENTITLEMENTS_PATH="$2"
+
+# remove any metadata from the app bundle
+xattr -cr "$APP_BUNDLE_PATH"
+
+# get the signing identity that matches Developer ID Application
+SIGNING_IDENTITY=$(security find-identity -p codesigning -v | grep "Developer ID Application" | awk -F'"' '{print $2}' | head -n 1)
+if [ -z "$SIGNING_IDENTITY" ]; then
+    echo "No 'Developer ID Application' signing identity found!"
+    exit 1
+fi
+
+# sign *.bundles and delete any existing *.meta files from them
+find "$APP_BUNDLE_PATH" -name "*.bundle" -exec find {} -name '*.meta' -delete \; -exec codesign --deep --force --verify --verbose --timestamp --options runtime --entitlements "$ENTITLEMENTS_PATH" --sign "$SIGNING_IDENTITY" {} \;
+
+# sign any *.dylibs
+find "$APP_BUNDLE_PATH" -name "*.dylib" -exec codesign --force --verify --verbose --timestamp --options runtime --entitlements "$ENTITLEMENTS_PATH" --sign "$SIGNING_IDENTITY" {} \;
+
+#sign the app bundle
+codesign --deep --force --verify --verbose --timestamp --options runtime --entitlements "$ENTITLEMENTS_PATH" --sign "$SIGNING_IDENTITY" "$APP_BUNDLE_PATH"
+
+# verify the app bundle
+if ! codesign --verify --verbose=2 "$APP_BUNDLE_PATH"; then
+    exit 1
+fi

src/sign-app-bundle.sh

@@ -0,0 +1,25 @@
+#!/bin/bash
+# This script is meant to sign macOS .pkg files.
+# Usage: ./sign-app-pkg.sh <path_to_pkg>
+# Example: ./sign-app-pkg.sh /path/to/MyApp.pkg
+
+PKG_PATH="$1"
+
+# find the Developer ID Installer signing identity
+SIGNING_IDENTITY=$(security find-identity -v | grep "Developer ID Installer" | awk -F'"' '{print $2}' | head -n 1)
+if [ -z "$SIGNING_IDENTITY" ]; then
+    echo "No 'Developer ID Installer' signing identity found!"
+    exit 1
+fi
+
+productsign --sign "$SIGNING_IDENTITY" "$PKG_PATH" "${PKG_PATH%.pkg}-signed.pkg"
+
+# verify the signed package
+if ! pkgutil --check-signature "${PKG_PATH%.pkg}-signed.pkg"; then
+    exit 1
+fi
+
+# replace the original package with the signed one
+rm "$PKG_PATH"
+mv "${PKG_PATH%.pkg}-signed.pkg" "$PKG_PATH"
+echo "Package signed successfully!"