Updated mac workflow script

tmoroney · Dec 8, 2024 · 2394424 · 2394424
1 parent d4a78f2
commit 2394424
Show file tree

Hide file tree

Showing 2 changed files with 44 additions and 17 deletions.
diff --git a/.github/workflows/package-mac.yml b/.github/workflows/package-mac.yml
@@ -86,26 +86,53 @@ jobs:
         IDENTITY="Developer ID Application: ${{ secrets.APPLE_IDENTITY }}"
         ENTITLEMENTS="$(pwd)/Signing/entitlements.plist"
         APP_DIR="$(pwd)/AutoSubs-App/src-tauri/resources/Transcription-Server"
-
-        # Function to sign a single file
+        FRAMEWORK_DIR="$APP_DIR/_internal/Python.framework"
+        ACTUAL_BINARY="$FRAMEWORK_DIR/Versions/3.12/Python"
+    
+        # Function to sign a single file with entitlements
         sign_file() {
             local file="$1"
-            echo "Signing $file..."
+            echo "Signing $file with entitlements..."
             codesign --force --options runtime --timestamp --entitlements "$ENTITLEMENTS" --sign "$IDENTITY" "$file"
         }
-
-        export -f sign_file  # Export the function so it's available in subshells
-        export IDENTITY       # Export IDENTITY so it's available in subshells
-        export ENTITLEMENTS   # Export ENTITLEMENTS so it's available in subshells
-
-        # Sign the main executable
+
+        # Function to sign a file without entitlements (for testing framework issues)
+        sign_file_no_entitlements() {
+            local file="$1"
+            echo "Signing $file without entitlements..."
+            codesign --force --options runtime --timestamp --sign "$IDENTITY" "$file"
+        }
+
+        export -f sign_file
+        export -f sign_file_no_entitlements
+        export IDENTITY
+        export ENTITLEMENTS
+
+        # Sign the main executable (with entitlements)
         sign_file "$APP_DIR/transcription-server"
-
-        # Sign all embedded binaries and executables in the _internal directory
-        find "$APP_DIR/_internal" -type f \( -name "*.dylib" -o -name "*.so" -o -name "*.exe" -o -name "*.bin" -o -name "ffmpeg*" \) -exec bash -c 'sign_file "$0"' {} \;
-
-        # Sign any other executables in the main app directory
-        find "$APP_DIR" -type f -perm +111 -exec bash -c 'sign_file "$0"' {} \;
+
+        # Sign known-extension binaries in _internal (with entitlements)
+        find "$APP_DIR/_internal" -type f \( -name "*.dylib" -o -name "*.so" -o -name "*.exe" -o -name "*.bin" -o -name "ffmpeg*" \) \
+            -exec bash -c 'sign_file "$0"' {} \;
+
+        # Sign any executables in the main app directory with -perm -100
+        find "$APP_DIR" -type f -perm -100 -exec bash -c 'sign_file "$0"' {} \;
+
+        # If the Python framework exists, handle it explicitly
+        if [ -d "$FRAMEWORK_DIR" ]; then
+          echo "Clearing extended attributes from $FRAMEWORK_DIR..."
+          xattr -cr "$FRAMEWORK_DIR"
+
+          # Sign the actual Python binary inside the framework WITHOUT entitlements first
+          if [ -f "$ACTUAL_BINARY" ]; then
+            echo "Signing the actual Python binary at $ACTUAL_BINARY without entitlements..."
+            sign_file_no_entitlements "$ACTUAL_BINARY"
+          fi
+
+          # Now sign the entire framework WITHOUT entitlements, using --deep to ensure all nested code is signed
+          echo "Signing the entire framework at $FRAMEWORK_DIR without entitlements..."
+          codesign --force --deep --options runtime --timestamp --sign "$IDENTITY" "$FRAMEWORK_DIR"
+        fi
 
     - name: Install Dependencies
       run: |

diff --git a/Transcription-Server/Info.plist b/Transcription-Server/Info.plist
@@ -3,9 +3,9 @@
 <plist version="1.0">
 <dict>
     <key>CFBundleIdentifier</key>
-    <string>com.autosubs.transcription-server</string>
+    <string>com.tom-moroney.autosubs</string>
     <key>CFBundleName</key>
-    <string>Transcription Server</string>
+    <string>AutoSubs Transcription Server</string>
     <key>CFBundleVersion</key>
     <string>1.0</string>
     <key>CFBundleExecutable</key>