build: notarize mac release binary

Notarize the mac release binary from cmake as described here:

https://developer.apple.com/documentation/security/notarizing_macos_software_before_distribution/customizing_the_notarization_workflow?language=objc

This involves adding `--options runtime` when codesigning to enable the hardened runtime.

Signed-off-by: Rafael Kitover <rkitover@gmail.com>
This commit is contained in:
Rafael Kitover 2023-07-22 20:51:48 +00:00
parent 774fbab7cc
commit 32d273ad78
No known key found for this signature in database
GPG Key ID: 08AB596679D86240
1 changed files with 44 additions and 22 deletions


@ -1263,7 +1263,7 @@ if(NOT TRANSLATIONS_ONLY)
) )
endif() endif()
if(APPLE AND (UPSTREAM_RELEASE OR ENABLE_ONLINEUPDATES)) if(APPLE AND UPSTREAM_RELEASE)
if(CMAKE_BUILD_TYPE MATCHES "^(Release|MinSizeRel)$") if(CMAKE_BUILD_TYPE MATCHES "^(Release|MinSizeRel)$")
find_program(STRIP_PROGRAM strip) find_program(STRIP_PROGRAM strip)
@ -1280,7 +1280,7 @@ if(NOT TRANSLATIONS_ONLY)
add_custom_command( add_custom_command(
TARGET visualboyadvance-m TARGET visualboyadvance-m
POST_BUILD POST_BUILD
VERBATIM COMMAND sh -c [=[codesign --sign "Developer ID Application" --force --deep ./visualboyadvance-m.app || :]=] VERBATIM COMMAND sh -c [=[codesign --sign "Developer ID Application" --options runtime --timestamp --force --deep ./visualboyadvance-m.app || :]=]
WORKING_DIRECTORY ${CMAKE_BINARY_DIR} WORKING_DIRECTORY ${CMAKE_BINARY_DIR}
) )
@ -1292,13 +1292,14 @@ if(NOT TRANSLATIONS_ONLY)
add_custom_command( add_custom_command(
TARGET visualboyadvance-m TARGET visualboyadvance-m
POST_BUILD POST_BUILD
VERBATIM COMMAND sh -c "codesign --sign 'Developer ID Application' --force ${framework} || :" VERBATIM COMMAND sh -c "codesign --sign 'Developer ID Application' --options runtime --timestamp --force --deep ${framework} || :"
WORKING_DIRECTORY ${CMAKE_BINARY_DIR} WORKING_DIRECTORY ${CMAKE_BINARY_DIR}
) )
endforeach() endforeach()
endif() endif()
if(UPSTREAM_RELEASE) # Zip, notarize, staple to the .app and zip again
if(CMAKE_BUILD_TYPE STREQUAL Debug) if(CMAKE_BUILD_TYPE STREQUAL Debug)
set(appzip visualboyadvance-m-Mac-${ARCH_NAME}-debug${ZIP_SUFFIX}.zip) set(appzip visualboyadvance-m-Mac-${ARCH_NAME}-debug${ZIP_SUFFIX}.zip)
else() else()
@ -1313,18 +1314,39 @@ if(NOT TRANSLATIONS_ONLY)
WORKING_DIRECTORY ${CMAKE_BINARY_DIR} WORKING_DIRECTORY ${CMAKE_BINARY_DIR}
) )
add_custom_command(
TARGET visualboyadvance-m
POST_BUILD
COMMAND xcrun notarytool submit ${appzip} --keychain-profile AC_PASSWORD --wait
WORKING_DIRECTORY ${CMAKE_BINARY_DIR}
)
add_custom_command(
TARGET visualboyadvance-m
POST_BUILD
COMMAND xcrun stapler staple ./visualboyadvance-m.app
WORKING_DIRECTORY ${CMAKE_BINARY_DIR}
)
add_custom_command(
TARGET visualboyadvance-m
POST_BUILD
COMMAND ${CMAKE_COMMAND} -E remove ${appzip}
COMMAND ${ZIP_PROGRAM} -9yr ${appzip} ./visualboyadvance-m.app
WORKING_DIRECTORY ${CMAKE_BINARY_DIR}
)
if(GPG_KEYS) if(GPG_KEYS)
add_custom_command( add_custom_command(
TARGET visualboyadvance-m TARGET visualboyadvance-m
POST_BUILD POST_BUILD
COMMAND ${CMAKE_COMMAND} -E remove ${appzip}.asc COMMAND ${CMAKE_COMMAND} -E remove ${appzip}.asc
# COMMAND ${CMAKE_COMMAND} -P ${CMAKE_CURRENT_SOURCE_DIR}/interactive-pause.cmake # COMMAND ${CMAKE_COMMAND} -P ${CMAKE_CURRENT_SOURCE_DIR}/interactive-pause.cmake
COMMAND ${GPG_PROGRAM} --detach-sign -a ${appzip} COMMAND ${GPG_PROGRAM} --detach-sign -a ${appzip}
WORKING_DIRECTORY ${CMAKE_BINARY_DIR} WORKING_DIRECTORY ${CMAKE_BINARY_DIR}
) )
endif() endif()
endif() endif()
endif()
if(UPSTREAM_RELEASE AND NOT WIN32 AND NOT APPLE AND CMAKE_BUILD_TYPE MATCHES "^(Release|MinSizeRel)$") if(UPSTREAM_RELEASE AND NOT WIN32 AND NOT APPLE AND CMAKE_BUILD_TYPE MATCHES "^(Release|MinSizeRel)$")
find_program(STRIP_PROGRAM strip) find_program(STRIP_PROGRAM strip)
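Review bot: The `|| :` kept on both codesign commands (the `sh -c [=[codesign ... ./visualboyadvance-m.app || :]=]` line and the per-framework `codesign ... ${framework} || :` line) still swallows signing failures, yet the new `notarytool submit` and `stapler staple` steps in the last hunk make a valid Developer ID signature mandatory for every UPSTREAM_RELEASE build, so an unsigned bundle would now be zipped and uploaded to Apple and the build would presumably only stop later at the staple step with a less useful error. Since this branch is now gated on UPSTREAM_RELEASE alone, drop the `|| :` so the build fails at the codesign error itself, e.g. `VERBATIM COMMAND sh -c [=[codesign --sign "Developer ID Application" --options runtime --timestamp --force --deep ./visualboyadvance-m.app]=]`. The Apple page linked in the commit message advises against `--deep` in favour of signing nested code explicitly, which the framework loop already does, so it is worth checking whether `--deep` is still needed on the .app and on each framework. The keychain profile name `AC_PASSWORD` is hardcoded in the `notarytool submit` line; exposing it as a cache variable such as `set(NOTARYTOOL_PROFILE AC_PASSWORD CACHE STRING "notarytool keychain profile")` and passing `--keychain-profile ${NOTARYTOOL_PROFILE}` would let CI and other maintainers use differently named credentials without editing this file.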