do some checks

Author: StephenHodgson

dist/index.js

@@ -57464,7 +57464,7 @@ exports.UnauthorizedError = void 0;
 exports.GetAppId = GetAppId;
 exports.GetLatestBundleVersion = GetLatestBundleVersion;
 exports.UpdateTestDetails = UpdateTestDetails;
-exports.ListCertificates = ListCertificates;
+exports.GetCertificate = GetCertificate;
 const app_store_connect_api_1 = __nccwpck_require__(9073);
 const utilities_1 = __nccwpck_require__(5739);
 const core = __nccwpck_require__(2186);
@@ -57749,13 +57749,14 @@ async function UpdateTestDetails(project, whatsNew) {
 function normalizeVersion(version) {
     return version.split('.').map(part => parseInt(part, 10).toString()).join('.');
 }
-async function ListCertificates(project, certificateType) {
+async function GetCertificate(project, certificateType = null) {
     await getOrCreateClient(project);
-    const certificateQuery = {
-        query: {
-            "filter[certificateType]": certificateType,
-        }
-    };
+    const certificateQuery = {};
+    if (certificateType) {
+        certificateQuery.query = {
+            'filter[certificateType]': [certificateType],
+        };
+    }
     (0, utilities_1.log)(`GET /certificates?${JSON.stringify(certificateQuery.query)}`);
     const { data: response, error: responseError } = await appStoreConnectClient.api.CertificatesService.certificatesGetCollection(certificateQuery);
     if (responseError) {
@@ -57764,10 +57765,17 @@ async function ListCertificates(project, certificateType) {
     }
     const responseJson = JSON.stringify(response, null, 2);
     if (!response || !response.data || response.data.length === 0) {
-        throw new Error(`No certificates found! ${responseJson}`);
+        return null;
     }
     (0, utilities_1.log)(responseJson);
-    return response.data;
+    const validCerts = response.data.filter(certificate => {
+        if (!certificate.attributes) {
+            return false;
+        }
+        const isExpired = new Date(certificate.attributes.expirationDate) < new Date();
+        return certificate.attributes.activated && !isExpired;
+    });
+    return validCerts.length === 0 ? null : validCerts[0];
 }
 
 
@@ -57782,6 +57790,7 @@ Object.defineProperty(exports, "__esModule", ({ value: true }));
 exports.AppleCredential = void 0;
 exports.ImportCredentials = ImportCredentials;
 exports.RemoveCredentials = RemoveCredentials;
+exports.ImportCertificate = ImportCertificate;
 const core = __nccwpck_require__(2186);
 const exec = __nccwpck_require__(1514);
 const uuid = __nccwpck_require__(5840);
@@ -57933,6 +57942,15 @@ async function RemoveCredentials() {
         core.error(`Failed to remove app store connect key!\n${error.stack}`);
     }
 }
+async function ImportCertificate(certificate) {
+    const tempCredential = core.getState('tempCredential');
+    if (!tempCredential) {
+        throw new Error('Missing tempCredential state');
+    }
+    const keychainPath = `${temp}/${tempCredential}.keychain-db`;
+    const certificatePath = `${temp}/${certificate.attributes.name}.cer`;
+    core.info('Importing certificate...');
+}
 
 
 /***/ }),
@@ -58017,6 +58035,7 @@ Object.defineProperty(exports, "__esModule", ({ value: true }));
 exports.GetProjectDetails = GetProjectDetails;
 exports.ArchiveXcodeProject = ArchiveXcodeProject;
 exports.ExportXcodeArchive = ExportXcodeArchive;
+exports.isAppBundleNotarized = isAppBundleNotarized;
 exports.ValidateApp = ValidateApp;
 exports.UploadApp = UploadApp;
 const XcodeProject_1 = __nccwpck_require__(1981);
@@ -58427,17 +58446,18 @@ async function ExportXcodeArchive(projectRef) {
         if (!projectRef.isAppStoreUpload()) {
             const notarizeInput = core.getInput('notarize') || 'true';
             projectRef.executablePath = await getFirstPathWithGlob(`${projectRef.exportPath}/**/*.app`);
-            const notarize = notarizeInput === 'true';
-            core.debug(`Notarize? ${notarize}`);
-            if (notarize) {
+            if (notarizeInput === 'true') {
                 await signMacOSAppBundle(projectRef);
                 if (!projectRef.isSteamBuild) {
                     projectRef.executablePath = await createMacOSInstallerPkg(projectRef);
                 }
                 else {
-                    const zipPath = path.join(projectRef.exportPath, projectRef.executablePath.replace('.app', '.zip'));
-                    await (0, exec_1.exec)('ditto', ['-c', '-k', '--sequesterRsrc', '--keepParent', projectRef.executablePath, zipPath]);
-                    await notarizeArchive(projectRef, zipPath, projectRef.executablePath);
+                    const isNotarized = await isAppBundleNotarized(projectRef.executablePath);
+                    if (!isNotarized) {
+                        const zipPath = path.join(projectRef.exportPath, projectRef.executablePath.replace('.app', '.zip'));
+                        await (0, exec_1.exec)('ditto', ['-c', '-k', '--sequesterRsrc', '--keepParent', projectRef.executablePath, zipPath]);
+                        await notarizeArchive(projectRef, zipPath, projectRef.executablePath);
+                    }
                 }
             }
         }
@@ -58458,6 +58478,16 @@ async function ExportXcodeArchive(projectRef) {
     core.setOutput('executable', projectRef.executablePath);
     return projectRef;
 }
+async function isAppBundleNotarized(appPath) {
+    let output = '';
+    const exitCode = await (0, exec_1.exec)('stapler', ['validate', appPath], {
+        listeners: {
+            stdout: (data) => { output += data.toString(); }
+        },
+        ignoreReturnCode: true
+    });
+    return exitCode === 0 && output.includes('The validate action worked!');
+}
 async function getFirstPathWithGlob(globPattern) {
     const globber = await glob.create(globPattern);
     const files = await globber.glob();
@@ -58474,7 +58504,6 @@ async function signMacOSAppBundle(projectRef) {
         throw new Error(`Not a valid app bundle: ${appPath}`);
     }
     const signAppBundlePath = __nccwpck_require__.ab + "sign-app-bundle.sh";
-    core.info(`Signing app bundle: ${appPath}`);
     let codesignOutput = '';
     const codesignExitCode = await (0, exec_1.exec)('sh', [__nccwpck_require__.ab + "sign-app-bundle.sh", appPath, projectRef.entitlementsPath], {
         listeners: {
@@ -58485,10 +58514,8 @@ async function signMacOSAppBundle(projectRef) {
         ignoreReturnCode: true
     });
     if (codesignExitCode !== 0) {
-        (0, utilities_1.log)(codesignOutput, 'error');
         throw new Error(`Failed to code sign the app!`);
     }
-    core.info(codesignOutput);
 }
 async function createMacOSInstallerPkg(projectRef) {
     core.info('Creating macOS installer pkg...');
@@ -58513,6 +58540,11 @@ async function createMacOSInstallerPkg(projectRef) {
     catch (error) {
         throw new Error(`Failed to create the pkg at: ${pkgPath}!`);
     }
+    const developerIdInstallerCert = await (0, AppStoreConnectClient_1.GetCertificate)(projectRef, 'MAC_INSTALLER_DISTRIBUTION');
+    core.info(`Found Developer ID Installer certificate: [${developerIdInstallerCert.id}] ${developerIdInstallerCert.attributes.name}`);
+    const certPath = path.join(process.env.RUNNER_TEMP, 'developer_id_installer.cer');
+    await fs.promises.writeFile(certPath, developerIdInstallerCert.attributes.certificateContent);
+    core.info(`Saved Developer ID Installer certificate to: ${certPath}`);
     const signPkgPath = __nccwpck_require__.ab + "sign-app-pkg.sh";
     core.info(`Signing pkg: ${pkgPath}`);
     let codesignOutput = '';

dist/index.js.map

@@ -304,19 +304,17 @@ function normalizeVersion(version: string): string {
     return version.split('.').map(part => parseInt(part, 10).toString()).join('.');
 }
 
-/*
-* List all the certificates for the given certificate type.
-* @param project The Xcode project.
-* @param certificateType The type of certificate to list.
+/**
 * https://developer.apple.com/documentation/appstoreconnectapi/list_and_download_certificates
 */
-export async function ListCertificates(project: XcodeProject, certificateType: Array<('APPLE_PAY' | 'APPLE_PAY_MERCHANT_IDENTITY' | 'APPLE_PAY_PSP_IDENTITY' | 'APPLE_PAY_RSA' | 'DEVELOPER_ID_KEXT' | 'DEVELOPER_ID_KEXT_G2' | 'DEVELOPER_ID_APPLICATION' | 'DEVELOPER_ID_APPLICATION_G2' | 'DEVELOPMENT' | 'DISTRIBUTION' | 'IDENTITY_ACCESS' | 'IOS_DEVELOPMENT' | 'IOS_DISTRIBUTION' | 'MAC_APP_DISTRIBUTION' | 'MAC_INSTALLER_DISTRIBUTION' | 'MAC_APP_DEVELOPMENT' | 'PASS_TYPE_ID' | 'PASS_TYPE_ID_WITH_NFC')>): Promise<Certificate[]> {
+export async function GetCertificate(project: XcodeProject, certificateType: 'APPLE_PAY' | 'APPLE_PAY_MERCHANT_IDENTITY' | 'APPLE_PAY_PSP_IDENTITY' | 'APPLE_PAY_RSA' | 'DEVELOPER_ID_KEXT' | 'DEVELOPER_ID_KEXT_G2' | 'DEVELOPER_ID_APPLICATION' | 'DEVELOPER_ID_APPLICATION_G2' | 'DEVELOPMENT' | 'DISTRIBUTION' | 'IDENTITY_ACCESS' | 'IOS_DEVELOPMENT' | 'IOS_DISTRIBUTION' | 'MAC_APP_DISTRIBUTION' | 'MAC_INSTALLER_DISTRIBUTION' | 'MAC_APP_DEVELOPMENT' | 'PASS_TYPE_ID' | 'PASS_TYPE_ID_WITH_NFC' = null): Promise<Certificate> {
     await getOrCreateClient(project);
-    const certificateQuery: CertificatesGetCollectionData = {
-        query: {
-            "filter[certificateType]": certificateType,
+    const certificateQuery: CertificatesGetCollectionData = {};
+    if (certificateType) {
+        certificateQuery.query = {
+            'filter[certificateType]': [certificateType],
         }
-    };
+    }
     log(`GET /certificates?${JSON.stringify(certificateQuery.query)}`);
     const { data: response, error: responseError } = await appStoreConnectClient.api.CertificatesService.certificatesGetCollection(certificateQuery);
     if (responseError) {
@@ -325,8 +323,13 @@ export async function ListCertificates(project: XcodeProject, certificateType: A
     }
     const responseJson = JSON.stringify(response, null, 2);
     if (!response || !response.data || response.data.length === 0) {
-        throw new Error(`No certificates found! ${responseJson}`);
+        return null;
     }
     log(responseJson);
-    return response.data;
+    const validCerts = response.data.filter(certificate => {
+        if (!certificate.attributes) { return false; }
+        const isExpired = new Date(certificate.attributes.expirationDate) < new Date();
+        return certificate.attributes.activated && !isExpired;
+    });
+    return validCerts.length === 0 ? null : validCerts[0];
 }

src/AppStoreConnectClient.ts

@@ -2,6 +2,7 @@ import core = require('@actions/core');
 import exec = require('@actions/exec');
 import uuid = require('uuid');
 import fs = require('fs');
+import { Certificate } from '@rage-against-the-pixel/app-store-connect-api/dist/app_store_connect_api';
 
 const security = '/usr/bin/security';
 const temp = process.env['RUNNER_TEMP'] || '.';
@@ -180,3 +181,18 @@ export async function RemoveCredentials(): Promise<void> {
         core.error(`Failed to remove app store connect key!\n${error.stack}`);
     }
 }
+
+/**
+ * Imports the specified certificate from app store connect into the keychain created by the action in ImportCredentials.
+ * @param certificate
+ * @returns void
+ */
+export async function ImportCertificate(certificate: Certificate): Promise<void> {
+    const tempCredential = core.getState('tempCredential');
+    if (!tempCredential) {
+        throw new Error('Missing tempCredential state');
+    }
+    const keychainPath = `${temp}/${tempCredential}.keychain-db`;
+    const certificatePath = `${temp}/${certificate.attributes.name}.cer`;
+    core.info('Importing certificate...');
+}

src/AppleCredential.ts

@@ -11,7 +11,8 @@ import {
     GetLatestBundleVersion,
     UpdateTestDetails,
     UnauthorizedError,
-    GetAppId
+    GetAppId,
+    GetCertificate
 } from './AppStoreConnectClient';
 import { log } from './utilities';
 import core = require('@actions/core');
@@ -428,16 +429,17 @@ export async function ExportXcodeArchive(projectRef: XcodeProject): Promise<Xcod
         if (!projectRef.isAppStoreUpload()) {
             const notarizeInput = core.getInput('notarize') || 'true'
             projectRef.executablePath = await getFirstPathWithGlob(`${projectRef.exportPath}/**/*.app`);
-            const notarize = notarizeInput === 'true';
-            core.debug(`Notarize? ${notarize}`);
-            if (notarize) {
+            if (notarizeInput === 'true') {
                 await signMacOSAppBundle(projectRef);
                 if (!projectRef.isSteamBuild) {
                     projectRef.executablePath = await createMacOSInstallerPkg(projectRef);
                 } else {
-                    const zipPath = path.join(projectRef.exportPath, projectRef.executablePath.replace('.app', '.zip'));
-                    await exec('ditto', ['-c', '-k', '--sequesterRsrc', '--keepParent', projectRef.executablePath, zipPath]);
-                    await notarizeArchive(projectRef, zipPath, projectRef.executablePath);
+                    const isNotarized = await isAppBundleNotarized(projectRef.executablePath);
+                    if (!isNotarized) {
+                        const zipPath = path.join(projectRef.exportPath, projectRef.executablePath.replace('.app', '.zip'));
+                        await exec('ditto', ['-c', '-k', '--sequesterRsrc', '--keepParent', projectRef.executablePath, zipPath]);
+                        await notarizeArchive(projectRef, zipPath, projectRef.executablePath);
+                    }
                 }
             }
         }
@@ -457,6 +459,17 @@ export async function ExportXcodeArchive(projectRef: XcodeProject): Promise<Xcod
     return projectRef;
 }
 
+export async function isAppBundleNotarized(appPath: string): Promise<boolean> {
+    let output = '';
+    const exitCode = await exec('stapler', ['validate', appPath], {
+        listeners: {
+            stdout: (data: Buffer) => { output += data.toString(); }
+        },
+        ignoreReturnCode: true
+    });
+    return exitCode === 0 && output.includes('The validate action worked!');
+}
+
 async function getFirstPathWithGlob(globPattern: string): Promise<string> {
     const globber = await glob.create(globPattern);
     const files = await globber.glob();
@@ -473,24 +486,19 @@ async function signMacOSAppBundle(projectRef: XcodeProject): Promise<void> {
     if (!stat.isDirectory()) {
         throw new Error(`Not a valid app bundle: ${appPath}`);
     }
-    // sign the app bundle using ./sign-app-bundle.sh
     const signAppBundlePath = path.join(__dirname, 'sign-app-bundle.sh');
-    core.info(`Signing app bundle: ${appPath}`);
     let codesignOutput = '';
     const codesignExitCode = await exec('sh', [signAppBundlePath, appPath, projectRef.entitlementsPath], {
         listeners: {
             stdout: (data: Buffer) => {
                 codesignOutput += data.toString();
             }
         },
-        // silent: !core.isDebug(),
         ignoreReturnCode: true
     });
     if (codesignExitCode !== 0) {
-        log(codesignOutput, 'error');
         throw new Error(`Failed to code sign the app!`);
     }
-    core.info(codesignOutput);
 }
 
 async function createMacOSInstallerPkg(projectRef: XcodeProject): Promise<string> {
@@ -515,6 +523,13 @@ async function createMacOSInstallerPkg(projectRef: XcodeProject): Promise<string
     } catch (error) {
         throw new Error(`Failed to create the pkg at: ${pkgPath}!`);
     }
+    // TODO get Developer ID Installer signing certificate from app store connect API
+    const developerIdInstallerCert = await GetCertificate(projectRef, 'MAC_INSTALLER_DISTRIBUTION');
+    core.info(`Found Developer ID Installer certificate: [${developerIdInstallerCert.id}] ${developerIdInstallerCert.attributes.name}`);
+    // save certificate contents to runner.temp directory
+    const certPath = path.join(process.env.RUNNER_TEMP, 'developer_id_installer.cer');
+    await fs.promises.writeFile(certPath, developerIdInstallerCert.attributes.certificateContent);
+    core.info(`Saved Developer ID Installer certificate to: ${certPath}`);
     // sign the .pkg using ./sign-app-pkg.sh
     const signPkgPath = path.join(__dirname, 'sign-app-pkg.sh');
     core.info(`Signing pkg: ${pkgPath}`);