Sign binaries in JAR files #571
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
name: Specify 6 CI | |
on: [push] | |
jobs: | |
build: | |
name: Build and Package Specify 6 | |
runs-on: ubuntu-latest | |
steps: | |
- uses: actions/checkout@v2 | |
- name: Unbase64 code signing certs | |
run: | | |
echo $MAC_PKCS12 | base64 -d > packaging/expdevidapp.p12 | |
echo $WIN_PKCS12 | base64 -d > packaging/certwithroot.pfx | |
env: | |
WIN_PKCS12: ${{ secrets.WIN_PKCS12 }} | |
MAC_PKCS12: ${{ secrets.MAC_PKCS12_V2 }} | |
- name: Set up JDK 1.8 | |
uses: actions/setup-java@v1 | |
with: | |
java-version: 1.8 | |
- name: Compile Specify 6 | |
run: ant -noinput -buildfile build.xml compile-nonmac | |
- name: Compile Specify 6 for Mac | |
run: ant -noinput -buildfile build.xml compile-mac | |
- name: Get Install4j from cache | |
id: cache-install4j | |
uses: actions/cache@v1 | |
with: | |
path: install4j8.0.11 | |
key: install4j8.0.11-cache | |
- name: Download Install4j | |
if: steps.cache-install4j.outputs.cache-hit != 'true' | |
run: | | |
wget https://download-gcdn.ej-technologies.com/install4j/install4j_unix_8_0_11.tar.gz | |
tar -zxvf install4j_unix_8_0_11.tar.gz | |
- name: Set Install4j license | |
run: install4j8.0.11/bin/install4jc --license=$INSTALL4J_LICENSE | |
env: | |
INSTALL4J_LICENSE: ${{ secrets.INSTALL4J8_LICENSE }} | |
- name: Package Specify 6 | |
run: > | |
ant -noinput -buildfile build.xml -Dinstall4j.dir=./install4j8.0.11 | |
-Dwin-keystore-password=$WIN_KEYSTORE_PASSWORD -Dmac-keystore-password=$MAC_KEYSTORE_PASSWORD | |
-Dwin.pkcs12=certwithroot.pfx -Dmac.pkcs12=expdevidapp.p12 -Dcode.signing=true | |
package-all | |
env: | |
WIN_KEYSTORE_PASSWORD: ${{ secrets.WIN_KEYSTORE_PASSWORD }} | |
MAC_KEYSTORE_PASSWORD: ${{ secrets.MAC_KEYSTORE_PASSWORD_V2 }} | |
- name: Upload Specify_windows_64.exe as artifact | |
uses: actions/upload-artifact@v1 | |
with: | |
name: Specify_windows_64 | |
path: packages/Specify_windows_64.exe | |
- name: Upload Specify_unix_64.sh as artifact | |
uses: actions/upload-artifact@v1 | |
with: | |
name: Specify_unix_64 | |
path: packages/Specify_unix_64.sh | |
- name: Upload Specify_macos.dmg as artifact | |
uses: actions/upload-artifact@v1 | |
with: | |
name: Specify_macos | |
path: packages/Specify_macos.dmg | |
- name: Upload updates.xml as artifact | |
uses: actions/upload-artifact@v1 | |
with: | |
name: updates.xml | |
path: packages/updates.xml | |
notarize: | |
name: Notarize the Specify 6 Mac package | |
needs: build | |
runs-on: macos-latest | |
steps: | |
- name: Download Specify_macos artifact | |
uses: actions/download-artifact@v1 | |
with: | |
name: Specify_macos | |
- name: Sign binaries in JAR files | |
run: | | |
# For libgluegen-rt.jnilib | |
mkdir -p temp_gluegen | |
cd temp_gluegen | |
unzip ../Specify_macos/Specify\ Installer.app/Contents/Resources/app/0.dat/wwlibs/gluegen-rt-natives-macosx-universal.jar | |
codesign --force --options runtime --sign "Developer ID Application: $APPLE_TEAM_ID" --timestamp libgluegen-rt.jnilib | |
zip -u ../Specify_macos/Specify\ Installer.app/Contents/Resources/app/0.dat/wwlibs/gluegen-rt-natives-macosx-universal.jar libgluegen-rt.jnilib | |
cd .. | |
rm -rf temp_gluegen | |
# For mac-universal.lib | |
mkdir -p temp_sqlitejdbc | |
cd temp_sqlitejdbc | |
unzip ../Specify_macos/Specify\ Installer.app/Contents/Resources/app/0.dat/libs/sqlitejdbc.jar | |
codesign --force --options runtime --sign "Developer ID Application: $APPLE_TEAM_ID" --timestamp mac-universal.lib | |
zip -u ../Specify_macos/Specify\ Installer.app/Contents/Resources/app/0.dat/libs/sqlitejdbc.jar mac-universal.lib | |
cd .. | |
rm -rf temp_sqlitejdbc | |
env: | |
APPLE_TEAM_ID: ${{ secrets.APPLE_TEAM_ID }} | |
- name: Re-sign the application | |
run: | | |
codesign --force --options runtime --sign "Developer ID Application: $APPLE_TEAM_ID" --timestamp Specify_macos/Specify\ Installer.app | |
env: | |
APPLE_TEAM_ID: ${{ secrets.APPLE_TEAM_ID }} | |
- name: Create new DMG | |
run: | | |
hdiutil create -volname "Specify Installer" -srcfolder Specify_macos/Specify\ Installer.app -ov -format UDZO Specify_macos_signed.dmg | |
- name: Notarize the Mac package | |
run: | | |
SUBMISSION_ID=$(xcrun notarytool submit Specify_macos_signed.dmg \ | |
--apple-id "beach@ku.edu" \ | |
--password "$AC_PASSWORD" \ | |
--team-id "$APPLE_TEAM_ID" \ | |
--output-format json | jq -r '.id') | |
echo "Submission ID: $SUBMISSION_ID" | |
xcrun notarytool wait "$SUBMISSION_ID" \ | |
--apple-id "beach@ku.edu" \ | |
--password "$AC_PASSWORD" \ | |
--team-id "$APPLE_TEAM_ID" | |
NOTARIZATION_STATUS=$(xcrun notarytool info "$SUBMISSION_ID" \ | |
--apple-id "beach@ku.edu" \ | |
--password "$AC_PASSWORD" \ | |
--team-id "$APPLE_TEAM_ID" \ | |
--output-format json | jq -r '.status') | |
if [ "$NOTARIZATION_STATUS" != "Accepted" ]; then | |
echo "Notarization failed. Fetching logs..." | |
xcrun notarytool log "$SUBMISSION_ID" \ | |
--apple-id "beach@ku.edu" \ | |
--password "$AC_PASSWORD" \ | |
--team-id "$APPLE_TEAM_ID" | |
exit 1 | |
fi | |
env: | |
AC_PASSWORD: ${{ secrets.AC_PASSWORD }} | |
APPLE_TEAM_ID: ${{ secrets.APPLE_TEAM_ID }} | |
- name: Staple the notarization ticket to the installer | |
run: xcrun stapler staple Specify_macos_signed.dmg | |
- name: Upload the stapled Specify_macos.dmg as artifact | |
uses: actions/upload-artifact@v1 | |
with: | |
name: Specify_macos_with_ticket | |
path: Specify_macos_signed.dmg | |
release: | |
name: Create a Specify 6 release | |
needs: [build, notarize] | |
if: startsWith(github.ref, 'refs/tags/') | |
runs-on: ubuntu-latest | |
steps: | |
- name: Download Specify_windows_64 artifact | |
uses: actions/download-artifact@v1 | |
with: | |
name: Specify_windows_64 | |
- name: Download Specify_unix_64 artifact | |
uses: actions/download-artifact@v1 | |
with: | |
name: Specify_unix_64 | |
- name: Download Specify_macos_with_ticket artifact | |
uses: actions/download-artifact@v1 | |
with: | |
name: Specify_macos_with_ticket | |
- name: Download updates.xml artifact | |
uses: actions/download-artifact@v1 | |
with: | |
name: updates.xml | |
- name: Create release | |
uses: softprops/action-gh-release@v1 | |
with: | |
draft: true | |
prerelease: true | |
files: | | |
Specify_windows_64/* | |
Specify_unix_64/* | |
Specify_macos_with_ticket/* | |
updates.xml/* | |
env: | |
GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} |