Xcode Notarization

Github Action to notarize macOS applications or packages. It does this by submitting your built .app, .pkg or .dmg file to Apple's notarization service. It also will poll the notarization service until it times out of receives a success response.

Note: This action is a fork from devbotsxyz/xcode-notarize with higher retries and timeout values.

Basic Usage

- name: "Notarize Release Build"
  uses: GuillaumeFalourd/xcode-notarize@v1
  with:
    product-path: "path/to/file.app" # or .pkg or .dmg
    appstore-connect-username: ${{ secrets.NOTARIZATION_USERNAME }}
    appstore-connect-password: ${{ secrets.NOTARIZATION_PASSWORD }}

Note that notarization is not the final step. After Apple has notarized your application, you also want to staple a notarization ticket to your product. This can be done with the Xcode Staple action.

Action Inputs

Field	Mandatory	Default Value	Observation
product-path	YES	N/A	Path to the product to notarize. e.g: `path/to/product`
appstore-connect-username	NO	N/A	The AppStore Connect username.
appstore-connect-password	NO	N/A	The AppStore Connect password.
appstore-connect-api-key	NO	N/A	The AppStore Connect API Key.
appstore-connect-api-issuer	NO	N/A	The AppStore Connect API Issuer.
primary-bundle-id	NO	N/A	Unique identifier that identifies this product notarization. Defaults to the bundle identifier of the app you are uploading.
verbose	NO	false	Verbose to detail action steps.

Related Actions

Xcode Staple - Staple a Notarization Ticket to your product.

Full example

StackOverflow Reference

Example of what you need to perform the full operation to generate, sign and notarize a PKG on Github Actions (the concept would be similar for APP or DMG).

Premisses

Email/Username Apple Id Developer account (AppStore)
Password Apple Id Developer account (AppStore)
Developer Id Installer:
- name
- .cer base64
- .key base64
- .key password (if encrypted key, otherwise remove -passin pass:${{ secrets.KEY_PASSWORD }})
Developer Id Application:
- name
- .cer base64
- .key base64
- .key password (if encrypted key, otherwise remove -passin pass:${{ secrets.KEY_PASSWORD }})

Workflow

jobs:
  [...] # Job generating macos-bin-files from the project

  pkg:
    needs: [...]
    runs-on: macos-latest
    steps:
      - name: Checkout
        uses: actions/checkout@v2

      - name: Download macos bin file
        uses: actions/download-artifact@v2
        with:
          name: macos-bin-files
          path: dist/
      - name:
        run: | 
          ----- Create certificate files from secrets base64 -----
          echo ${{ secrets.DEVELOPER_ID_INSTALLER_CER_BASE64 }} | base64 --decode > certificate_installer.cer
          echo ${{ secrets.DEVELOPER_ID_INSTALLER_KEY_BASE64 }} | base64 --decode > certificate_installer.key
          echo ${{ secrets.DEVELOPER_ID_APPLICATION_CER_BASE64 }} | base64 --decode > certificate_application.cer
          echo ${{ secrets.DEVELOPER_ID_APPLICATION_KEY_BASE64 }} | base64 --decode > certificate_application.key

          ----- Create p12 file -----
          openssl pkcs12 -export -name zup -in certificate_installer.cer -inkey certificate_installer.key -passin pass:${{ secrets.KEY_PASSWORD }} -out certificate_installer.p12 -passout pass:${{ secrets.P12_PASSWORD }}
          openssl pkcs12 -export -name zup -in certificate_application.cer -inkey certificate_application.key -passin pass:${{ secrets.KEY_PASSWORD }} -out certificate_application.p12 -passout pass:${{ secrets.P12_PASSWORD }}

          ----- Configure Keychain -----
          KEYCHAIN_PATH=$RUNNER_TEMP/app-signing.keychain-db
          security create-keychain -p "${{ secrets.KEYCHAIN_PASSWORD }}" $KEYCHAIN_PATH
          security set-keychain-settings -lut 21600 $KEYCHAIN_PATH
          security unlock-keychain -p "${{ secrets.KEYCHAIN_PASSWORD }}" $KEYCHAIN_PATH

          ----- Import certificates on Keychain -----
          security import certificate_installer.p12 -P "${{ secrets.P12_PASSWORD }}" -A -t cert -f pkcs12 -k $KEYCHAIN_PATH
          security import certificate_application.p12 -P "${{ secrets.P12_PASSWORD }}" -A -t cert -f pkcs12 -k $KEYCHAIN_PATH
          security list-keychain -d user -s $KEYCHAIN_PATH

          ----- Codesign files with script -----
          use a script to sign each file from the artifact (ref: https://gist.github.com/GuillaumeFalourd/4efc73f1a6014b791c0ef223a023520a)

          ----- Generate PKG from codesigned files -----
          use a macos installer script (ref: https://github.com/KosalaHerath/macos-installer-builder/tree/master/macOS-x64)

          ----- Sign PKG file -----
          productsign --sign "${{ secrets.DEVELOPER_ID_INSTALLER_NAME }}" $INPUT_FILE_PATH $OUTPUT_FILE_PATH

          - name: "Notarize Release Build PKG"
            uses: devbotsxyz/xcode-notarize@v1 
            with:
              product-path: $PATH_TO_PKG
              appstore-connect-username: ${{ secrets.APPLE_ACCOUNT_USERNAME }}
              appstore-connect-password: ${{ secrets.APPLE_ACCOUNT_PASSWORD }}
              primary-bundle-id: 'BUNDLE_ID'

          - name: "Staple Release Build"
            uses: devbotsxyz/xcode-staple@v1
            with:
              product-path: $PATH_TO_PKG

  [...] # Job distributing or publising package

License and Contributions

This Action is licensed under the MIT license. Contributions are very much welcome and encouraged but we would like to ask to file an issue before submitting pull requests.

guillaumefalourd / xcode-notarize Goto Github PK

xcode-notarize's Introduction

Xcode Notarization

Basic Usage

Action Inputs

Related Actions

Full example

Premisses

Workflow

License and Contributions

xcode-notarize's People

Contributors

Stargazers

Watchers

Forkers

Recommend Projects

React

Vue.js

Typescript

TensorFlow

Django

Laravel

D3

Recommend Topics

javascript

web

server

Machine learning

Visualization

Game

Recommend Org

Facebook

Microsoft

Google

Alibaba

D3

Tencent