TVBHR-2417 Add keychain unlock step

the-virtual-brain · Jul 20, 2023 · da5dc6b · da5dc6b
1 parent b99e8a9
commit da5dc6b
Showing 1 changed file with 11 additions and 5 deletions.
diff --git a/tvb_build/conda_env_to_app.py b/tvb_build/conda_env_to_app.py
@@ -59,8 +59,9 @@
 APP_NAME = "tvb-{}".format(VERSION)
 # should match an Apple Developer defined identifier
 IDENTIFIER = "ro.codemart.tvb"
-# KEY for the ENV variable where we expect the signing identity to be defined
+# KEYs for the ENV variable where we expect the signing identity to be defined
 KEY_SIGN_IDENTITY = "SIGN_APP_IDENTITY"
+KEY_MAC_PWD = "MAC_PASSWORD"
 # The author of this package
 AUTHOR = "TVB Team"
 # Full path to the anaconda environment folder to package
@@ -388,9 +389,11 @@ def _sign_app(app_path=APP_FILE):
     Sign a .APP file, with an Apple Developer Identity previously installed on the current machine.
     The identity needs to show when executing command "security find-identity"
     """
-    if KEY_SIGN_IDENTITY not in os.environ:
-        print(f"!! We can not sign the resulting .app because the {KEY_SIGN_IDENTITY} variable is not in ENV defined!!")
+    if KEY_SIGN_IDENTITY not in os.environ or KEY_MAC_PWD not in os.environ:
+        print(f"!! We can not sign the resulting .app because the {KEY_SIGN_IDENTITY} and "
+              f"{KEY_MAC_PWD} variables are not in ENV!!")
     dev_identity = os.environ.get(KEY_SIGN_IDENTITY)
+    mac_pwd = os.environ.get(KEY_MAC_PWD)
     print(f"Preparing to sign: {app_path} with {dev_identity}")
     # Create app.entitlements file with the application allowed security allowed points
     ent_file = "app.entitlements"
@@ -412,9 +415,12 @@ def _sign_app(app_path=APP_FILE):
     </plist>
     """)
 
-    # Uncomment the following command if needed for debug purposes
+    # Some of the following command are just for debug purposes. Codesign is the critical one!
     subprocess.Popen(["security", "find-identity"], shell=False).communicate()
-    subprocess.Popen(["codesign", "-s", dev_identity, "-f", "--timestamp", "-o", "runtime", "--entitlements", "app.entitlements", app_path], shell=False).communicate()
+    subprocess.Popen(["security", "unlock-keychain", "-p", mac_pwd,
+                      "/Users/tvb/Library/Keychains/login.keychain"], shell=False).communicate()
+    subprocess.Popen(["codesign", "-s", dev_identity, "-f", "--timestamp", "-o", "runtime",
+                      "--entitlements", "app.entitlements", app_path], shell=False).communicate()
     subprocess.Popen(["spctl", "-a", "-t", "exec", "-vv", app_path], shell=False).communicate()
 
     if os.path.exists(ent_file):