From 3a8efde4ce3830f9fb8cb6277059264986c407b1 Mon Sep 17 00:00:00 2001
From: Tom Moroney
Date: Sun, 8 Dec 2024 02:25:36 +0000
Subject: [PATCH] Update package-mac.yml
---
 .github/workflows/package-mac.yml | 64 +++++++++-----------------------
 1 file changed, 18 insertions(+), 46 deletions(-)
diff --git a/.github/workflows/package-mac.yml b/.github/workflows/package-mac.yml
index d0c80f4..f47501c 100644
--- a/.github/workflows/package-mac.yml
+++ b/.github/workflows/package-mac.yml
@@ -76,64 +76,36 @@ jobs: pyinstaller package-server.spec --noconfirm deactivate + - name: Move Python Server to resources folder + run: | + mv "Transcription-Server/dist/Transcription-Server" "AutoSubs-App/src-tauri/resources" + - name: Code Sign Python Server run: | # Define variables IDENTITY="Developer ID Application: ${{ secrets.APPLE_IDENTITY }}" ENTITLEMENTS="$(pwd)/Signing/entitlements.plist" - APP_DIR="$(pwd)/Transcription-Server/dist/Transcription-Server" - FRAMEWORK_DIR="$APP_DIR/_internal/Python.framework" - ACTUAL_BINARY="$APP_DIR/_internal/Python.framework/Versions/3.12/Python" - - # Function to sign a single file with entitlements + APP_DIR="$(pwd)/AutoSubs-App/src-tauri/resources/Transcription-Server" + + # Function to sign a single file sign_file() { local file="$1" - echo "Signing $file with entitlements..." + echo "Signing $file..." codesign --force --options runtime --timestamp --entitlements "$ENTITLEMENTS" --sign "$IDENTITY" "$file" } - - # Function to sign a file without entitlements (for testing framework issues) - sign_file_no_entitlements() { - local file="$1" - echo "Signing $file without entitlements..." 
- codesign --force --options runtime --timestamp --sign "$IDENTITY" "$file" - } - - export -f sign_file - export -f sign_file_no_entitlements - export IDENTITY - export ENTITLEMENTS - + + export -f sign_file # Export the function so it's available in subshells + export IDENTITY # Export IDENTITY so it's available in subshells + export ENTITLEMENTS # Export ENTITLEMENTS so it's available in subshells + # Sign the main executable sign_file "$APP_DIR/transcription-server" - - # Sign known-extension binaries in _internal - find "$APP_DIR/_internal" -type f \( -name "*.dylib" -o -name "*.so" -o -name "*.exe" -o -name "*.bin" -o -name "ffmpeg*" \) \ - -exec bash -c 'sign_file "$0"' {} \; - - # Clear extended attributes on the framework to avoid conflicts - if [ -d "$FRAMEWORK_DIR" ]; then - echo "Clearing extended attributes from $FRAMEWORK_DIR..." - xattr -cr "$FRAMEWORK_DIR" - - # If the actual binary exists, sign it directly without entitlements first - if [ -f "$ACTUAL_BINARY" ]; then - echo "Signing the actual Python binary at $ACTUAL_BINARY..." - sign_file_no_entitlements "$ACTUAL_BINARY" - fi - - # Now sign the entire framework directory without entitlements to see if that helps - echo "Signing framework at $FRAMEWORK_DIR without entitlements..." 
- sign_file_no_entitlements "$FRAMEWORK_DIR" - fi - - # Sign any other executables in the main app directory (user-executable) - # Using -perm -100 to find files where the owner has execute permission - find "$APP_DIR" -type f -perm -100 -exec bash -c 'sign_file "$0"' {} \; - - name: Move Python Server to resources folder - run: | - mv "Transcription-Server/dist/Transcription-Server" "AutoSubs-App/src-tauri/resources" + # Sign all embedded binaries and executables in the _internal directory + find "$APP_DIR/_internal" -type f \( -name "*.dylib" -o -name "*.so" -o -name "*.exe" -o -name "*.bin" -o -name "ffmpeg*" \) -exec bash -c 'sign_file "$0"' {} \; + + # Sign any other executables in the main app directory + find "$APP_DIR" -type f -perm +111 -exec bash -c 'sign_file "$0"' {} \; - name: Install Dependencies run: |
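Review bot: The two `find … -exec bash -c 'sign_file "$0"' {} \;` lines that close the Code Sign step discard the exit status of `codesign`, because find does not propagate the status of a command run with `\;`, so the step can pass with embedded binaries left unsigned or carrying a stale signature. Batching with `+` and stopping on the first failure, `-exec bash -c 'for f; do sign_file "$f" || exit 1; done' _ {} +`, makes find return non-zero and fails the job. A verification pass over the same file set, for example `find "$APP_DIR" -type f -perm +111 -exec codesign --verify --strict {} +`, would catch a bad signature before the artifact is shipped. This matters more now that the explicit Python.framework handling is removed: the framework binary under `_internal` is signed only if it matches one of the name patterns or has an execute bit, which cannot be confirmed from this hunk.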