Skip to content

Sign binaries in JAR files #571

Sign binaries in JAR files

Sign binaries in JAR files #571

Workflow file for this run

name: Specify 6 CI
on: [push]
jobs:
build:
name: Build and Package Specify 6
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@v2
- name: Unbase64 code signing certs
run: |
echo $MAC_PKCS12 | base64 -d > packaging/expdevidapp.p12
echo $WIN_PKCS12 | base64 -d > packaging/certwithroot.pfx
env:
WIN_PKCS12: ${{ secrets.WIN_PKCS12 }}
MAC_PKCS12: ${{ secrets.MAC_PKCS12_V2 }}
- name: Set up JDK 1.8
uses: actions/setup-java@v1
with:
java-version: 1.8
- name: Compile Specify 6
run: ant -noinput -buildfile build.xml compile-nonmac
- name: Compile Specify 6 for Mac
run: ant -noinput -buildfile build.xml compile-mac
- name: Get Install4j from cache
id: cache-install4j
uses: actions/cache@v1
with:
path: install4j8.0.11
key: install4j8.0.11-cache
- name: Download Install4j
if: steps.cache-install4j.outputs.cache-hit != 'true'
run: |
wget https://download-gcdn.ej-technologies.com/install4j/install4j_unix_8_0_11.tar.gz
tar -zxvf install4j_unix_8_0_11.tar.gz
- name: Set Install4j license
run: install4j8.0.11/bin/install4jc --license=$INSTALL4J_LICENSE
env:
INSTALL4J_LICENSE: ${{ secrets.INSTALL4J8_LICENSE }}
- name: Package Specify 6
run: >
ant -noinput -buildfile build.xml -Dinstall4j.dir=./install4j8.0.11
-Dwin-keystore-password=$WIN_KEYSTORE_PASSWORD -Dmac-keystore-password=$MAC_KEYSTORE_PASSWORD
-Dwin.pkcs12=certwithroot.pfx -Dmac.pkcs12=expdevidapp.p12 -Dcode.signing=true
package-all
env:
WIN_KEYSTORE_PASSWORD: ${{ secrets.WIN_KEYSTORE_PASSWORD }}
MAC_KEYSTORE_PASSWORD: ${{ secrets.MAC_KEYSTORE_PASSWORD_V2 }}
- name: Upload Specify_windows_64.exe as artifact
uses: actions/upload-artifact@v1
with:
name: Specify_windows_64
path: packages/Specify_windows_64.exe
- name: Upload Specify_unix_64.sh as artifact
uses: actions/upload-artifact@v1
with:
name: Specify_unix_64
path: packages/Specify_unix_64.sh
- name: Upload Specify_macos.dmg as artifact
uses: actions/upload-artifact@v1
with:
name: Specify_macos
path: packages/Specify_macos.dmg
- name: Upload updates.xml as artifact
uses: actions/upload-artifact@v1
with:
name: updates.xml
path: packages/updates.xml
notarize:
name: Notarize the Specify 6 Mac package
needs: build
runs-on: macos-latest
steps:
- name: Download Specify_macos artifact
uses: actions/download-artifact@v1
with:
name: Specify_macos
- name: Sign binaries in JAR files
run: |
# For libgluegen-rt.jnilib
mkdir -p temp_gluegen
cd temp_gluegen
unzip ../Specify_macos/Specify\ Installer.app/Contents/Resources/app/0.dat/wwlibs/gluegen-rt-natives-macosx-universal.jar
codesign --force --options runtime --sign "Developer ID Application: $APPLE_TEAM_ID" --timestamp libgluegen-rt.jnilib
zip -u ../Specify_macos/Specify\ Installer.app/Contents/Resources/app/0.dat/wwlibs/gluegen-rt-natives-macosx-universal.jar libgluegen-rt.jnilib
cd ..
rm -rf temp_gluegen
# For mac-universal.lib
mkdir -p temp_sqlitejdbc
cd temp_sqlitejdbc
unzip ../Specify_macos/Specify\ Installer.app/Contents/Resources/app/0.dat/libs/sqlitejdbc.jar
codesign --force --options runtime --sign "Developer ID Application: $APPLE_TEAM_ID" --timestamp mac-universal.lib
zip -u ../Specify_macos/Specify\ Installer.app/Contents/Resources/app/0.dat/libs/sqlitejdbc.jar mac-universal.lib
cd ..
rm -rf temp_sqlitejdbc
env:
APPLE_TEAM_ID: ${{ secrets.APPLE_TEAM_ID }}
- name: Re-sign the application
run: |
codesign --force --options runtime --sign "Developer ID Application: $APPLE_TEAM_ID" --timestamp Specify_macos/Specify\ Installer.app
env:
APPLE_TEAM_ID: ${{ secrets.APPLE_TEAM_ID }}
- name: Create new DMG
run: |
hdiutil create -volname "Specify Installer" -srcfolder Specify_macos/Specify\ Installer.app -ov -format UDZO Specify_macos_signed.dmg
- name: Notarize the Mac package
run: |
SUBMISSION_ID=$(xcrun notarytool submit Specify_macos_signed.dmg \
--apple-id "beach@ku.edu" \
--password "$AC_PASSWORD" \
--team-id "$APPLE_TEAM_ID" \
--output-format json | jq -r '.id')
echo "Submission ID: $SUBMISSION_ID"
xcrun notarytool wait "$SUBMISSION_ID" \
--apple-id "beach@ku.edu" \
--password "$AC_PASSWORD" \
--team-id "$APPLE_TEAM_ID"
NOTARIZATION_STATUS=$(xcrun notarytool info "$SUBMISSION_ID" \
--apple-id "beach@ku.edu" \
--password "$AC_PASSWORD" \
--team-id "$APPLE_TEAM_ID" \
--output-format json | jq -r '.status')
if [ "$NOTARIZATION_STATUS" != "Accepted" ]; then
echo "Notarization failed. Fetching logs..."
xcrun notarytool log "$SUBMISSION_ID" \
--apple-id "beach@ku.edu" \
--password "$AC_PASSWORD" \
--team-id "$APPLE_TEAM_ID"
exit 1
fi
env:
AC_PASSWORD: ${{ secrets.AC_PASSWORD }}
APPLE_TEAM_ID: ${{ secrets.APPLE_TEAM_ID }}
- name: Staple the notarization ticket to the installer
run: xcrun stapler staple Specify_macos_signed.dmg
- name: Upload the stapled Specify_macos.dmg as artifact
uses: actions/upload-artifact@v1
with:
name: Specify_macos_with_ticket
path: Specify_macos_signed.dmg
release:
name: Create a Specify 6 release
needs: [build, notarize]
if: startsWith(github.ref, 'refs/tags/')
runs-on: ubuntu-latest
steps:
- name: Download Specify_windows_64 artifact
uses: actions/download-artifact@v1
with:
name: Specify_windows_64
- name: Download Specify_unix_64 artifact
uses: actions/download-artifact@v1
with:
name: Specify_unix_64
- name: Download Specify_macos_with_ticket artifact
uses: actions/download-artifact@v1
with:
name: Specify_macos_with_ticket
- name: Download updates.xml artifact
uses: actions/download-artifact@v1
with:
name: updates.xml
- name: Create release
uses: softprops/action-gh-release@v1
with:
draft: true
prerelease: true
files: |
Specify_windows_64/*
Specify_unix_64/*
Specify_macos_with_ticket/*
updates.xml/*
env:
GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}