Update package-mac.spec #34
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
name: Package AutoSubs for MacOS | |
on: | |
pull_request: | |
branches: | |
- main | |
push: | |
branches: | |
- main | |
jobs: | |
build: | |
runs-on: macos-14 | |
steps: | |
- name: Checkout AutoSubs Repo Code | |
uses: actions/checkout@v4 | |
- name: Setup Node | |
uses: actions/setup-node@v4 | |
with: | |
node-version: 23 | |
- name: Set up Python | |
uses: actions/setup-python@v5 | |
with: | |
python-version: '3.12.7' | |
- name: Import Apple Certificates | |
env: | |
APP_CERTIFICATE_BASE64: ${{ secrets.APPLE_SIGNING_CERTIFICATE }} | |
APP_CERTIFICATE_PASSWORD: ${{ secrets.APPLE_CERTIFICATE_PASSWORD }} | |
INSTALLER_CERTIFICATE_BASE64: ${{ secrets.APPLE_INSTALLER_CERTIFICATE }} | |
INSTALLER_CERTIFICATE_PASSWORD: ${{ secrets.APPLE_CERTIFICATE_PASSWORD }} | |
KEYCHAIN_PASSWORD: ${{ secrets.KEYCHAIN_PASSWORD }} | |
APPLE_NOTARIZE_KEY: ${{ secrets.APPLE_NOTARIZE_KEY }} | |
APPLE_NOTARIZE_ID: ${{ secrets.APPLE_NOTARIZE_ID }} | |
APPLE_ISSUER: ${{ secrets.APPLE_ISSUER }} | |
run: | | |
# Define paths | |
APP_CERT_PATH=$RUNNER_TEMP/app_certificate.p12 | |
INSTALLER_CERT_PATH=$RUNNER_TEMP/installer_certificate.p12 | |
KEYCHAIN_PATH=$RUNNER_TEMP/app-signing.keychain-db | |
# Decode and save certificates | |
echo "$APP_CERTIFICATE_BASE64" | base64 --decode > $APP_CERT_PATH | |
echo "$INSTALLER_CERTIFICATE_BASE64" | base64 --decode > $INSTALLER_CERT_PATH | |
# Create and configure temporary keychain | |
security create-keychain -p "$KEYCHAIN_PASSWORD" $KEYCHAIN_PATH | |
security set-keychain-settings -lut 21600 $KEYCHAIN_PATH | |
security unlock-keychain -p "$KEYCHAIN_PASSWORD" $KEYCHAIN_PATH | |
security list-keychains -s $KEYCHAIN_PATH | |
# Import Application certificate | |
security import $APP_CERT_PATH -P "$APP_CERTIFICATE_PASSWORD" -A -t cert -f pkcs12 -k $KEYCHAIN_PATH | |
security set-key-partition-list -S apple-tool:,apple: -s -k "$KEYCHAIN_PASSWORD" $KEYCHAIN_PATH | |
# Import Installer certificate | |
security import $INSTALLER_CERT_PATH -P "$INSTALLER_CERTIFICATE_PASSWORD" -A -t cert -f pkcs12 -k $KEYCHAIN_PATH | |
security set-key-partition-list -S apple-tool:,apple: -s -k "$KEYCHAIN_PASSWORD" $KEYCHAIN_PATH | |
# Import Notarization credentials | |
echo "$APPLE_NOTARIZE_KEY" | base64 --decode > Notarization_AuthKey.p8 | |
xcrun notarytool store-credentials "AC_PASSWORD" \ | |
--key "Notarization_AuthKey.p8" \ | |
--key-id "$APPLE_NOTARIZE_ID" \ | |
--issuer "$APPLE_ISSUER" | |
- name: Package Python Server | |
run: | | |
cd Transcription-Server | |
python3 -m venv venv | |
source venv/bin/activate | |
pip install -r requirements-mac.txt | |
pyinstaller package-mac.spec --noconfirm | |
deactivate | |
- name: Move Python Server to resources folder | |
run: | | |
mv "Transcription-Server/dist/Transcription-Server" "AutoSubs-App/src-tauri/resources" | |
- name: Code Sign Python Server | |
run: | | |
# Define variables | |
IDENTITY="Developer ID Application: ${{ secrets.APPLE_IDENTITY }}" | |
ENTITLEMENTS="$(pwd)/Signing/entitlements.plist" | |
APP_DIR="$(pwd)/AutoSubs-App/src-tauri/resources/Transcription-Server" | |
FRAMEWORK_DIR="$APP_DIR/_internal/Python.framework" | |
ACTUAL_BINARY="$FRAMEWORK_DIR/Versions/3.12/Python" | |
# Function to sign a single file with entitlements | |
sign_file() { | |
local file="$1" | |
echo "Signing $file with entitlements..." | |
codesign --force --options runtime --timestamp --entitlements "$ENTITLEMENTS" --sign "$IDENTITY" "$file" | |
} | |
# Function to sign a file without entitlements (for testing framework issues) | |
sign_file_no_entitlements() { | |
local file="$1" | |
echo "Signing $file without entitlements..." | |
codesign --force --options runtime --timestamp --sign "$IDENTITY" "$file" | |
} | |
export -f sign_file | |
export -f sign_file_no_entitlements | |
export IDENTITY | |
export ENTITLEMENTS | |
# Sign the main executable (with entitlements) | |
sign_file "$APP_DIR/transcription-server" | |
# Sign known-extension binaries in _internal (with entitlements) | |
find "$APP_DIR/_internal" -type f \( -name "*.dylib" -o -name "*.so" -o -name "*.exe" -o -name "*.bin" -o -name "ffmpeg*" \) \ | |
-exec bash -c 'sign_file "$0"' {} \; | |
# Sign any executables in the main app directory with -perm -100 | |
find "$APP_DIR" -type f -perm -100 -exec bash -c 'sign_file "$0"' {} \; | |
# If the Python framework exists, handle it explicitly | |
if [ -d "$FRAMEWORK_DIR" ]; then | |
echo "Clearing extended attributes from $FRAMEWORK_DIR..." | |
xattr -cr "$FRAMEWORK_DIR" | |
# Sign the actual Python binary inside the framework WITHOUT entitlements first | |
if [ -f "$ACTUAL_BINARY" ]; then | |
echo "Signing the actual Python binary at $ACTUAL_BINARY without entitlements..." | |
sign_file_no_entitlements "$ACTUAL_BINARY" | |
fi | |
# Now sign the entire framework WITHOUT entitlements, using --deep to ensure all nested code is signed | |
echo "Signing the entire framework at $FRAMEWORK_DIR without entitlements..." | |
codesign --force --deep --options runtime --timestamp --sign "$IDENTITY" "$FRAMEWORK_DIR" | |
fi | |
- name: Install Dependencies | |
run: | | |
cd AutoSubs-App | |
npm install | |
- name: Bundle Tauri App | |
run: | | |
cd AutoSubs-App | |
export APPLE_SIGNING_IDENTITY="Developer ID Application: ${{ secrets.APPLE_IDENTITY }}" | |
npm run tauri build | |
- name: Create Mac Package | |
run: | | |
# Create the package directory | |
mkdir Mac-Package/Payload | |
# Copy the app to the package | |
cp -r AutoSubs-App/src-tauri/target/release/bundle/macos/AutoSubs.app Mac-Package/Payload | |
- name: Create PKG Installer | |
run: | | |
# Give permissions to the scripts | |
chmod +x Mac-Package/Scripts/* | |
# Create the package | |
pkgbuild --identifier com.tom-moroney.autosubs \ | |
--version 2.0 \ | |
--install-location "/Applications" \ | |
--root Mac-Package/Payload \ | |
--scripts Mac-Package/Scripts \ | |
AutoSubs-unsigned.pkg | |
- name: Sign PKG Installer | |
run: | | |
productsign --sign "Developer ID Installer: ${{ secrets.APPLE_IDENTITY }}" \ | |
--timestamp \ | |
"AutoSubs-unsigned.pkg" \ | |
"AutoSubs-Mac-ARM.pkg" | |
- name: Notarize PKG Installer | |
run: | | |
# Submit for notarization | |
xcrun notarytool submit "AutoSubs-Mac-ARM.pkg" \ | |
--keychain-profile "AC_PASSWORD" \ | |
--wait | |
# Staple the ticket to the installer | |
xcrun stapler staple "AutoSubs-Mac-ARM.pkg" | |
- name: Get Latest Release Tag | |
id: get_latest_release | |
env: | |
GH_TOKEN: ${{ secrets.GH_TOKEN }} | |
run: | | |
latest_tag=$(gh release list --limit 1 --json tagName --jq '.[0].tagName') | |
echo "LATEST_TAG=$latest_tag" >> $GITHUB_ENV | |
- name: Upload Asset to Release | |
uses: softprops/action-gh-release@v2 | |
with: | |
tag_name: ${{ env.LATEST_TAG }} | |
files: AutoSubs-Mac-ARM.pkg | |
token: ${{ secrets.GH_TOKEN }} |