diff --git a/.env.example b/.env.example
new file mode 100644
index 0000000..80825ec
--- /dev/null
+++ b/.env.example
@@ -0,0 +1,5 @@
+
+APPLE_TEAM_ID=
+APPLE_ID=
+APPLE_PASSWORD=
+APPLE_SIGNING_IDENTITY=
\ No newline at end of file
diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml
index 31a9d2e..1d23fe3 100644
--- a/.github/workflows/release.yml
+++ b/.github/workflows/release.yml
@@ -157,11 +157,35 @@ jobs:
 chmod +x src-tauri/binaries/donut-daemon-${{ matrix.target }}
 fi
+ - name: Import Apple certificate
+ if: matrix.platform == 'macos-latest'
+ env:
+ APPLE_CERTIFICATE: ${{ secrets.APPLE_CERTIFICATE }}
+ APPLE_CERTIFICATE_PASSWORD: ${{ secrets.APPLE_CERTIFICATE_PASSWORD }}
+ run: |
+ CERTIFICATE_PATH=$RUNNER_TEMP/build_certificate.p12
+ KEYCHAIN_PATH=$RUNNER_TEMP/app-signing.keychain-db
+ KEYCHAIN_PASSWORD=$(openssl rand -base64 32)
+
+ echo "$APPLE_CERTIFICATE" | base64 --decode -o $CERTIFICATE_PATH
+
+ security create-keychain -p "$KEYCHAIN_PASSWORD" $KEYCHAIN_PATH
+ security set-keychain-settings -lut 21600 $KEYCHAIN_PATH
+ security unlock-keychain -p "$KEYCHAIN_PASSWORD" $KEYCHAIN_PATH
+
+ security import $CERTIFICATE_PATH -P "$APPLE_CERTIFICATE_PASSWORD" -A -t cert -f pkcs12 -k $KEYCHAIN_PATH
+ security set-key-partition-list -S apple-tool:,apple: -k "$KEYCHAIN_PASSWORD" $KEYCHAIN_PATH
+ security list-keychain -d user -s $KEYCHAIN_PATH login.keychain-db
+
 - name: Build Tauri app
 uses: tauri-apps/tauri-action@73fb865345c54760d875b94642314f8c0c894afa #v0.6.1
 env:
 GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
 GITHUB_REF_NAME: ${{ github.ref_name }}
+ APPLE_SIGNING_IDENTITY: ${{ secrets.APPLE_SIGNING_IDENTITY }}
+ APPLE_ID: ${{ secrets.APPLE_ID }}
+ APPLE_PASSWORD: ${{ secrets.APPLE_PASSWORD }}
+ APPLE_TEAM_ID: ${{ secrets.APPLE_TEAM_ID }}
 with:
 projectPath: ./src-tauri
 tagName: ${{ github.ref_name }}
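Review bot: In the `Import Apple certificate` step of release.yml, `security import … -A` lets any application use the imported private key without prompting, which is wider than signing needs. `-T /usr/bin/codesign` in place of `-A` would limit the key's ACL to the signing tool; confirm the Tauri bundler signs through `codesign` before switching. Separately, the four `APPLE_*` secrets added to `Build Tauri app` carry no platform condition in the lines shown, so `APPLE_PASSWORD` appears to reach every matrix leg and every dependency build script that step runs. A value such as `APPLE_PASSWORD: ${{ matrix.platform == 'macos-latest' && secrets.APPLE_PASSWORD || '' }}` keeps it off the non-macOS runners. Both points apply equally to the matching hunks in rolling-release.yml.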
@@ -171,6 +195,12 @@ jobs:
 prerelease: false
 args: ${{ matrix.args }}
+ - name: Clean up Apple certificate
+ if: matrix.platform == 'macos-latest' && always()
+ run: |
+ security delete-keychain $RUNNER_TEMP/app-signing.keychain-db || true
+ rm -f $RUNNER_TEMP/build_certificate.p12 || true
+
 # - name: Commit CHANGELOG.md
 # uses: stefanzweifel/git-auto-commit-action@778341af668090896ca464160c2def5d1d1a3eb0 #v6.0.1
 # with:
diff --git a/.github/workflows/rolling-release.yml b/.github/workflows/rolling-release.yml
index c43e68d..d49db70 100644
--- a/.github/workflows/rolling-release.yml
+++ b/.github/workflows/rolling-release.yml
@@ -161,6 +161,26 @@ jobs:
 chmod +x src-tauri/binaries/donut-daemon-${{ matrix.target }}
 fi
+ - name: Import Apple certificate
+ if: matrix.platform == 'macos-latest'
+ env:
+ APPLE_CERTIFICATE: ${{ secrets.APPLE_CERTIFICATE }}
+ APPLE_CERTIFICATE_PASSWORD: ${{ secrets.APPLE_CERTIFICATE_PASSWORD }}
+ run: |
+ CERTIFICATE_PATH=$RUNNER_TEMP/build_certificate.p12
+ KEYCHAIN_PATH=$RUNNER_TEMP/app-signing.keychain-db
+ KEYCHAIN_PASSWORD=$(openssl rand -base64 32)
+
+ echo "$APPLE_CERTIFICATE" | base64 --decode -o $CERTIFICATE_PATH
+
+ security create-keychain -p "$KEYCHAIN_PASSWORD" $KEYCHAIN_PATH
+ security set-keychain-settings -lut 21600 $KEYCHAIN_PATH
+ security unlock-keychain -p "$KEYCHAIN_PASSWORD" $KEYCHAIN_PATH
+
+ security import $CERTIFICATE_PATH -P "$APPLE_CERTIFICATE_PASSWORD" -A -t cert -f pkcs12 -k $KEYCHAIN_PATH
+ security set-key-partition-list -S apple-tool:,apple: -k "$KEYCHAIN_PASSWORD" $KEYCHAIN_PATH
+ security list-keychain -d user -s $KEYCHAIN_PATH login.keychain-db
+
 - name: Generate nightly timestamp
 id: timestamp
 shell: bash
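Review bot: In release.yml's `Clean up Apple certificate` step, the decoded `build_certificate.p12` is removed only after `Build Tauri app` has finished, so the key file sits in `$RUNNER_TEMP` for the whole build although nothing needs it once `security import` has run. Ending the import step with `rm -f "$CERTIFICATE_PATH"` shortens that window and leaves this step with only the keychain to delete. The `|| true` on `security delete-keychain` also hides a failed deletion, which would matter on a self-hosted or reused runner; whether these jobs ever run on one is not visible here. The path arguments are unquoted in both steps, so `"$RUNNER_TEMP/app-signing.keychain-db"` is the safer spelling. The last hunk of rolling-release.yml adds the same step.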
@@ -177,6 +197,10 @@ jobs:
 BUILD_TAG: "nightly-${{ steps.timestamp.outputs.timestamp }}"
 GITHUB_REF_NAME: "nightly-${{ steps.timestamp.outputs.timestamp }}"
 GITHUB_SHA: ${{ github.sha }}
+ APPLE_SIGNING_IDENTITY: ${{ secrets.APPLE_SIGNING_IDENTITY }}
+ APPLE_ID: ${{ secrets.APPLE_ID }}
+ APPLE_PASSWORD: ${{ secrets.APPLE_PASSWORD }}
+ APPLE_TEAM_ID: ${{ secrets.APPLE_TEAM_ID }}
 with:
 projectPath: ./src-tauri
 tagName: "nightly-${{ steps.timestamp.outputs.timestamp }}"
@@ -185,3 +209,9 @@ jobs:
 releaseDraft: false
 prerelease: true
 args: ${{ matrix.args }}
+
+ - name: Clean up Apple certificate
+ if: matrix.platform == 'macos-latest' && always()
+ run: |
+ security delete-keychain $RUNNER_TEMP/app-signing.keychain-db || true
+ rm -f $RUNNER_TEMP/build_certificate.p12 || true
diff --git a/.gitignore b/.gitignore
index d7fff86..c65e85d 100644
--- a/.gitignore
+++ b/.gitignore
@@ -52,4 +52,7 @@ yarn-error.log* nodecar/nodecar-bin # sync test harness cache
-.cache/
\ No newline at end of file
+.cache/
+
+# env
+.env
\ No newline at end of file
diff --git a/README.md b/README.md
index e8f0ff9..d58d9c6 100644
--- a/README.md
+++ b/README.md
@@ -42,7 +42,6 @@ ## Download -> As of right now, the app is not signed by Apple. You need to have Gatekeeper disabled to run it. The app automatically checks for updates on each launch. > For Linux, .deb and .rpm packages are available as well as standalone .AppImage files. The app can be downloaded from the [releases page](https://github.com/zhom/donutbrowser/releases/latest).