Add verify codesign steps (#754)

* Add verify codesign steps * Add step to get notary info
HDFGroup · Aug 27, 2024 · 77ad657 · 77ad657
1 parent 120c70f
commit 77ad657
Show file tree

Hide file tree

Showing 3 changed files with 66 additions and 7 deletions.
diff --git a/.github/workflows/cmake-ctest.yml b/.github/workflows/cmake-ctest.yml
@@ -406,7 +406,19 @@ jobs:
           NOTARY_USER: ${{ vars.NOTARY_USER }}
           NOTARY_KEY: ${{ vars.NOTARY_KEY }}
         run: |
-          /usr/bin/codesign --force --timestamp --options runtime --verbose=4 --strict --sign ${{ env.SIGNER }} --deep ${{ runner.workspace }}/hdf4/build/${{ inputs.preset_name }}-macos-Clang/*.dmg
+          /usr/bin/codesign --force --timestamp --options runtime --entitlements ${{ runner.workspace }}/hdf4/${{ steps.set-file-base.outputs.SOURCE_BASE }}/config/cmake/distribution.entitlements --verbose=4 --strict --sign ${{ env.SIGNER }} --deep ${{ runner.workspace }}/hdf4/build/${{ inputs.preset_name }}-macos-Clang/*.dmg
+        if: ${{ needs.check-secret.outputs.sign-state == 'exists' }}
+        shell: bash
+
+      - name: Check dmg timestamp (MacOS_latest)
+        run: |
+          /usr/bin/codesign -dvv ${{ runner.workspace }}/hdf4/build/${{ inputs.preset_name }}-macos-Clang/*.dmg
+        if: ${{ needs.check-secret.outputs.sign-state == 'exists' }}
+        shell: bash
+
+      - name: Verify dmg (MacOS_latest)
+        run: |
+          /usr/bin/hdiutil verify ${{ runner.workspace }}/hdf4/build/${{ inputs.preset_name }}-macos-Clang/*.dmg
         if: ${{ needs.check-secret.outputs.sign-state == 'exists' }}
         shell: bash
 
@@ -419,12 +431,38 @@ jobs:
           NOTARY_USER: ${{ vars.NOTARY_USER }}
           NOTARY_KEY: ${{ vars.NOTARY_KEY }}
         run: |
-          JSONOUT=$(/usr/bin/xcrun notarytool submit --wait --output-format json --apple-id ${{ env.NOTARY_USER }} --password ${{ env.NOTARY_KEY }} --team-id ${{ env.SIGNER }} ${{ runner.workspace }}/hdf4/build/${{ inputs.preset_name }}-macos-Clang/*.dmg)
-          echo "jsonout=$JSONOUT" >> $GITHUB_ENV
+          jsonout=$(/usr/bin/xcrun notarytool submit --wait --output-format json --apple-id ${{ env.NOTARY_USER }} --password ${{ env.NOTARY_KEY }} --team-id ${{ env.SIGNER }} ${{ runner.workspace }}/hdf4/build/${{ inputs.preset_name }}-macos-Clang/*.dmg)
+          echo "JSONOUT=$jsonout" >> $GITHUB_ENV
+        if: ${{ needs.check-secret.outputs.sign-state == 'exists' }}
+        shell: bash
+
+      - name: Get ID token (MacOS_latest)
+        id: get-id-token
+        run: |
+          echo "notary result is ${{ steps.notarize-dmg.outputs.JSONOUT }}."
+          token=$(jq '.id' ${{ steps.notarize-dmg.outputs.JSONOUT }})
+          echo "ID_TOKEN=$token" >> "$GITHUB_ENV"          
         if: ${{ needs.check-secret.outputs.sign-state == 'exists' }}
         shell: bash
 
-      - run: echo "notary result is ${{ steps.notarize-dmg.outputs.jsonout }}."
+      - name: post notary check (MacOS_latest)
+        id: post-notary
+        env:
+          KEYCHAIN_PASSWD: ${{ secrets.KEYCHAIN_PASSWD }}
+          KEYCHAIN_NAME: ${{ vars.KEYCHAIN_NAME }}
+          SIGNER: ${{ vars.SIGNER }}
+          NOTARY_USER: ${{ vars.NOTARY_USER }}
+          NOTARY_KEY: ${{ vars.NOTARY_KEY }}
+        run: |
+          notaryout=$(/usr/bin/xcrun notarytool info --apple-id ${{ env.NOTARY_USER }} --password ${{ env.NOTARY_KEY }} --team-id ${{ env.SIGNER }} ${{ steps.get-id-token.ID_TOKEN }})
+          echo "NOTARYOUT=$notaryout" >> $GITHUB_ENV
+        if: ${{ needs.check-secret.outputs.sign-state == 'exists' }}
+        shell: bash
+
+      - name: Get notary info (MacOS_latest)
+        id: get-notary-info
+        run: |
+          echo "notary info is ${{ steps.post-notary.NOTARYOUT }}."
         if: ${{ needs.check-secret.outputs.sign-state == 'exists' }}
         shell: bash
 

diff --git a/config/cmake/CPack.Info.plist.in b/config/cmake/CPack.Info.plist.in
@@ -1,5 +1,5 @@
-<?xml version="1.0" encoding="UTF-8"?>
-<!DOCTYPE plist PUBLIC "-//Apple Computer//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
+<?xml version="1.0" ?>
+<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "https://www.apple.com/DTDs/PropertyList-1.0.dtd">
 <plist version="1.0">
 <dict>
   <key>CFBundleDevelopmentRegion</key>
@@ -16,11 +16,16 @@
   <string>FMWK</string>
   <key>CFBundleSignature</key>
   <string>????</string>
+  <!-- See https://developer.apple.com/app-store/categories/ for list of AppStore categories -->
+  <key>LSApplicationCategoryType</key>
+  <string>public.app-category.utilities</string>
   <key>CFBundleVersion</key>
   <string>@CPACK_PACKAGE_VERSION@</string>
   <key>CFBundleShortVersionString</key>
   <string>@CPACK_SHORT_VERSION_STRING@</string>
+  <key>NSHumanReadableCopyright</key>
+  <string>Copyright 2006 by The HDF Group</string>
   <key>CSResourcesFileMapped</key>
-  <true/>
+  <string>true</string>
 </dict>
 </plist>
diff --git a/config/cmake/distribution.entitlements b/config/cmake/distribution.entitlements
@@ -0,0 +1,16 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
+<plist version="1.0">
+<dict>
+    <key>com.apple.security.cs.allow-jit</key>
+    <true/>
+    <key>com.apple.security.cs.allow-unsigned-executable-memory</key>
+    <true/>
+    <key>com.apple.security.cs.disable-executable-page-protection</key>
+    <true/>
+    <key>com.apple.security.cs.disable-library-validation</key>
+    <true/>
+    <key>com.apple.security.cs.allow-dyld-environment-variables</key>
+    <true/>
+</dict>
+</plist>