CI: Code sign macOS bundle with PyInstaller

phw · phw · commit b4e41155b69c · 2025-03-18T14:45:58.000+01:00
Replace custom code signing tool with PyInstaller functionality. Also
always run notarization, as older macOS versions are no longer supported.
diff --git a/picard.spec b/picard.spec
@@ -113,7 +113,10 @@ else:
               upx=False,
               icon='picard.ico',
               version='win-version-info.txt',
-              console=False)
+              console=False,
+              # macOS code signing
+              codesign_identity=os.environ.get('CODESIGN_IDENTITY', None),
+              entitlements_file='./scripts/package/entitlements.plist')
 
 
     coll = COLLECT(exe,
diff --git a/scripts/package/macos-package-app.sh b/scripts/package/macos-package-app.sh
@@ -9,19 +9,13 @@ MACOS_VERSION_MAJOR=${MACOS_VERSION_MAJOR%.*}
 MACOS_VERSION_MINOR=${MACOS_VERSION#*.}
 MACOS_VERSION_MINOR=${MACOS_VERSION_MINOR%.*}
 
-echo "Building Picard..."
-rm -rf dist build locale
-python3 setup.py clean
-python3 setup.py build --disable-locales
-python3 setup.py build_locales
-python3 setup.py build_ext -i
-pyinstaller --noconfirm --clean picard.spec
+APP_BUNDLE="MusicBrainz Picard.app"
 
 CODESIGN=0
 NOTARIZE=0
 KEYCHAIN_PATH=picard.keychain
 KEYCHAIN_PASSWORD=$(openssl rand -base64 32)
-CERTIFICATE_NAME="MetaBrainz Foundation Inc."
+CODESIGN_IDENTITY="MetaBrainz Foundation Inc."
 CERTIFICATE_FILE=scripts/package/appledev.p12
 
 if [ -f "$CERTIFICATE_FILE" ] && [ -n "$CODESIGN_MACOS_P12_PASSWORD" ]; then
@@ -37,50 +31,34 @@ if [ -f "$CERTIFICATE_FILE" ] && [ -n "$CODESIGN_MACOS_P12_PASSWORD" ]; then
     security set-key-partition-list -S apple-tool:,apple:,codesign: -s -k "$KEYCHAIN_PASSWORD" "$KEYCHAIN_PATH"
     security find-identity -p codesigning # For debugging
     CODESIGN=1
+    export CODESIGN_IDENTITY
 fi
 
-# Submit app for notarization on macOS >= 10.14
-if { [ "$MACOS_VERSION_MAJOR" -eq 10 ] && [ "$MACOS_VERSION_MINOR" -ge 14 ]; } || [ "$MACOS_VERSION_MAJOR" -ge 11 ]; then
-    NOTARIZE=1
-fi
+echo "Building Picard..."
+rm -rf dist build locale
+python3 setup.py clean
+python3 setup.py build --disable-locales
+python3 setup.py build_locales
+python3 setup.py build_ext -i
+pyinstaller --noconfirm --clean picard.spec
 
 cd dist
 
-echo "Create and sign app bundle..."
-APP_BUNDLE="MusicBrainz Picard.app"
-
 if [ "$CODESIGN" = '1' ]; then
-    echo "Code signing app bundle ${APP_BUNDLE}..."
-    if [ "$NOTARIZE" = "1" ]; then
-      # Enable hardened runtime if app will get notarized
-      codesign --verbose --deep --force \
-        --options runtime \
-        --entitlements ../scripts/package/entitlements.plist \
-        --keychain "$KEYCHAIN_PATH" --sign "$CERTIFICATE_NAME" \
-        "$APP_BUNDLE"
-      ../scripts/package/macos-notarize-app.sh "$APP_BUNDLE"
-      echo "Verifying signature and notarization for app bundle ${APP_BUNDLE}..."
-      codesign --verify --verbose --deep --strict=symlinks --check-notarization  "$APP_BUNDLE"
-    else
-      codesign --verbose --deep --force \
-        --keychain "$KEYCHAIN_PATH" --sign "$CERTIFICATE_NAME" \
-        "$APP_BUNDLE"
-      echo "Verifying signature for app bundle ${APP_BUNDLE}..."
-      codesign --verify --verbose --deep --strict=all "$APP_BUNDLE"
-    fi
+  ../scripts/package/macos-notarize-app.sh "$APP_BUNDLE"
+  echo "Verifying signature and notarization for app bundle ${APP_BUNDLE}..."
+  codesign --verify --verbose --deep --strict=symlinks --check-notarization  "$APP_BUNDLE"
 fi
 
-# Only test the app if it was codesigned, otherwise execution likely fails
-if [ "$CODESIGN" = '1' ]; then
-  "$APP_BUNDLE/Contents/MacOS/picard-run" --long-version --no-crash-dialog || echo "Failed running picard-run"
-  VERSIONS=$("$APP_BUNDLE/Contents/MacOS/picard-run" --long-version --no-crash-dialog)
-  echo "$VERSIONS"
-  ASTRCMP_REGEX="astrcmp C"
-  [[ $VERSIONS =~ $ASTRCMP_REGEX ]] || (echo "Failed: Build does not include astrcmp C" && false)
-  LIBDISCID_REGEX="libdiscid [0-9]+\.[0-9]+\.[0-9]+"
-  [[ $VERSIONS =~ $LIBDISCID_REGEX ]] || (echo "Failed: Build does not include libdiscid" && false)
-  "$APP_BUNDLE/Contents/Frameworks/fpcalc" -version
-fi
+echo "Testing executables..."
+"$APP_BUNDLE/Contents/MacOS/picard-run" --long-version --no-crash-dialog || echo "Failed running picard-run"
+VERSIONS=$("$APP_BUNDLE/Contents/MacOS/picard-run" --long-version --no-crash-dialog)
+echo "$VERSIONS"
+ASTRCMP_REGEX="astrcmp C"
+[[ $VERSIONS =~ $ASTRCMP_REGEX ]] || (echo "Failed: Build does not include astrcmp C" && false)
+LIBDISCID_REGEX="libdiscid [0-9]+\.[0-9]+\.[0-9]+"
+[[ $VERSIONS =~ $LIBDISCID_REGEX ]] || (echo "Failed: Build does not include libdiscid" && false)
+"$APP_BUNDLE/Contents/Frameworks/fpcalc" -version
 
 echo "Package app bundle into DMG image..."
 DMG="MusicBrainz-Picard${VERSION:+-$VERSION}${MACOSX_DEPLOYMENT_TARGET:+-macOS-$MACOSX_DEPLOYMENT_TARGET}${TARGET_ARCH:+-$TARGET_ARCH}.dmg"
@@ -108,7 +86,7 @@ fi
 set -e
 
 [ "$CODESIGN" = '1' ] && codesign --verify --verbose \
-  --keychain "$KEYCHAIN_PATH" --sign "$CERTIFICATE_NAME" "$DMG"
+  --keychain "$KEYCHAIN_PATH" --sign "$CODESIGN_IDENTITY" "$DMG"
 md5 -r "$DMG"
 
 if [ -n "$MACOS_UPLOAD" ]; then
