Update notarisation to XCode 13 tooling.

.github/workflows/packaging.yml

@@ -61,8 +61,8 @@ jobs:
           file_glob: true
           file: build/linux/*
 
-  macos:
+  macos-net:
-    name: macOS Disk Images
+    name: macOS .NET
     runs-on: macos-11
     steps:
       - name: Clone Repository
@@ -76,7 +76,7 @@ jobs:
       - name: Prepare Environment
         run: echo "GIT_TAG=${GITHUB_REF#refs/tags/}" >> ${GITHUB_ENV}
 
-      - name: Package Disk Images
+      - name: Package Disk Image
         env:
           MACOS_DEVELOPER_IDENTITY: ${{ secrets.MACOS_DEVELOPER_IDENTITY }}
           MACOS_DEVELOPER_CERTIFICATE_BASE64: ${{ secrets.MACOS_DEVELOPER_CERTIFICATE_BASE64 }}
@@ -85,9 +85,45 @@ jobs:
           MACOS_DEVELOPER_PASSWORD: ${{ secrets.MACOS_DEVELOPER_PASSWORD }}
         run: |
           mkdir -p build/macos
-          ./packaging/macos/buildpackage.sh "${GIT_TAG}" "${PWD}/build/macos"
+          ./packaging/macos/buildpackage.sh "${GIT_TAG}" "${PWD}/build/macos" "standard" "build.dmg"
 
-      - name: Upload Packages
+      - name: Upload Package
+        uses: svenstaro/upload-release-action@v2
+        with:
+          repo_token: ${{ secrets.GITHUB_TOKEN }}
+          tag: ${{ github.ref }}
+          overwrite: true
+          file_glob: true
+          file: build/macos/*
+
+  macos-mono:
+    name: macOS Mono
+    runs-on: macos-11
+
+    steps:
+      - name: Clone Repository
+        uses: actions/checkout@v3
+
+      - name: Install .NET 6
+        uses: actions/setup-dotnet@v1
+        with:
+          dotnet-version: '6.0.x'
+
+      - name: Prepare Environment
+        run: echo "GIT_TAG=${GITHUB_REF#refs/tags/}" >> ${GITHUB_ENV}
+
+      - name: Package Disk Image
+        env:
+          MACOS_DEVELOPER_IDENTITY: ${{ secrets.MACOS_DEVELOPER_IDENTITY }}
+          MACOS_DEVELOPER_CERTIFICATE_BASE64: ${{ secrets.MACOS_DEVELOPER_CERTIFICATE_BASE64 }}
+          MACOS_DEVELOPER_CERTIFICATE_PASSWORD: ${{ secrets.MACOS_DEVELOPER_CERTIFICATE_PASSWORD }}
+          MACOS_DEVELOPER_USERNAME: ${{ secrets.MACOS_DEVELOPER_USERNAME }}
+          MACOS_DEVELOPER_PASSWORD: ${{ secrets.MACOS_DEVELOPER_PASSWORD }}
+        run: |
+          mkdir -p build/macos
+          ./packaging/macos/buildpackage.sh "${GIT_TAG}" "${PWD}/build/macos" "mono" "build-mono.dmg"
+
+      - name: Upload Package
         uses: svenstaro/upload-release-action@v2
         with:
           repo_token: ${{ secrets.GITHUB_TOKEN }}

packaging/macos/buildpackage.sh

@@ -16,13 +16,13 @@
 
 set -o errexit -o pipefail || exit $?
 
-if [ $# -ne "2" ]; then
+if [[ "${OSTYPE}" != "darwin"* ]]; then
-	echo "Usage: $(basename "$0") tag outputdir"
+	echo >&2 "macOS packaging requires a macOS host"
 	exit 1
 fi
 
-if [[ "${OSTYPE}" != "darwin"* ]]; then
+if [ $# -ne "4" ]; then
-	echo >&2 "macOS packaging requires a macOS host"
+	echo "Usage: $(basename "$0") tag outputdir platform dmg"
 	exit 1
 fi
 
@@ -106,7 +106,7 @@ build_app() {
 
 	# Sign binaries with developer certificate
 	if [ -n "${MACOS_DEVELOPER_IDENTITY}" ]; then
-		codesign -s "${MACOS_DEVELOPER_IDENTITY}" --timestamp --options runtime -f --entitlements entitlements.plist --deep "${LAUNCHER_DIR}"
+		codesign --sign "${MACOS_DEVELOPER_IDENTITY}" --timestamp --options runtime -f --entitlements entitlements.plist --deep "${LAUNCHER_DIR}"
 	fi
 }
 
@@ -216,43 +216,23 @@ notarize_package() {
 	# Create a temporary read-only dmg for submission (notarization service rejects read/write images)
 	hdiutil convert "${DMG_PATH}" -format ULFO -ov -o "${NOTARIZE_DMG_PATH}"
 
-	NOTARIZATION_UUID=$(xcrun altool --notarize-app --primary-bundle-id "net.openra.packaging" -u "${MACOS_DEVELOPER_USERNAME}" -p "${MACOS_DEVELOPER_PASSWORD}" --file "${NOTARIZE_DMG_PATH}" 2>&1 | awk -F' = ' '/RequestUUID/ { print $2; exit }')
+	xcrun notarytool submit "${NOTARIZE_DMG_PATH}" --wait --apple-id "${MACOS_DEVELOPER_USERNAME}" --password "${MACOS_DEVELOPER_PASSWORD}" --team-id "${MACOS_DEVELOPER_IDENTITY}"
-	if [ -z "${NOTARIZATION_UUID}" ]; then
-		echo "Submission failed"
-		exit 1
-	fi
 
-	echo "${DMG_PATH} submission UUID is ${NOTARIZATION_UUID}"
 	rm "${NOTARIZE_DMG_PATH}"
 
-	while :; do
+	echo "${DMG_PATH}: Stapling tickets"
-		sleep 30
+	DMG_DEVICE=$(hdiutil attach -readwrite -noverify -noautoopen "${DMG_PATH}" | egrep '^/dev/' | sed 1q | awk '{print $1}')
-		NOTARIZATION_RESULT=$(xcrun altool --notarization-info "${NOTARIZATION_UUID}" -u "${MACOS_DEVELOPER_USERNAME}" -p "${MACOS_DEVELOPER_PASSWORD}" 2>&1 | awk -F': ' '/Status/ { print $2; exit }')
+	sleep 2
-		echo "${DMG_PATH}: ${NOTARIZATION_RESULT}"
 
-		if [ "${NOTARIZATION_RESULT}" == "invalid" ]; then
+	xcrun stapler staple "/Volumes/OpenRA/OpenRA - Red Alert.app"
-			NOTARIZATION_LOG_URL=$(xcrun altool --notarization-info "${NOTARIZATION_UUID}" -u "${MACOS_DEVELOPER_USERNAME}" -p "${MACOS_DEVELOPER_PASSWORD}" 2>&1 | awk -F': ' '/LogFileURL/ { print $2; exit }')
+	xcrun stapler staple "/Volumes/OpenRA/OpenRA - Tiberian Dawn.app"
-			echo "${NOTARIZATION_UUID} failed notarization with error:"
+	xcrun stapler staple "/Volumes/OpenRA/OpenRA - Dune 2000.app"
-			curl -s "${NOTARIZATION_LOG_URL}" -w "\n"
-			exit 1
-		fi
 
-		if [ "${NOTARIZATION_RESULT}" == "success" ]; then
+	sync
-			echo "${DMG_PATH}: Stapling tickets"
+	sync
-			DMG_DEVICE=$(hdiutil attach -readwrite -noverify -noautoopen "${DMG_PATH}" | egrep '^/dev/' | sed 1q | awk '{print $1}')
-			sleep 2
 
-			xcrun stapler staple "/Volumes/OpenRA/OpenRA - Red Alert.app"
+	hdiutil detach "${DMG_DEVICE}"
-			xcrun stapler staple "/Volumes/OpenRA/OpenRA - Tiberian Dawn.app"
+	break
-			xcrun stapler staple "/Volumes/OpenRA/OpenRA - Dune 2000.app"
-
-			sync
-			sync
-
-			hdiutil detach "${DMG_DEVICE}"
-			break
-		fi
-	done
 }
 
 finalize_package() {
@@ -261,28 +241,26 @@ finalize_package() {
 	OUTPUT_PATH="${3}"
 
 	if [ "${PLATFORM}" = "mono" ]; then
-		hdiutil convert "${INPUT_PATH}" -format UDZO -imagekey zlib-level=9 -ov -o "${OUTPUT_PATH}"
+		hdiutil convert "${INPUT_PATH}" -format UDZO -imagekey zlib-level=9 -ov -o "${OUTPUT_PATH}-mono.dmg"
 	else
 		# ULFO offers better compression and faster decompression speeds, but is only supported by 10.11+
-		hdiutil convert "${INPUT_PATH}" -format ULFO -ov -o "${OUTPUT_PATH}"
+		hdiutil convert "${INPUT_PATH}" -format ULFO -ov -o "${OUTPUT_PATH}.dmg"
 	fi
 
 	rm "${INPUT_PATH}"
 }
 
-build_platform "standard" "build.dmg"
+PLATFORM="$3"
-build_platform "mono" "build-mono.dmg"
+DISK_IMAGE="$4"
+
+build_platform "${PLATFORM}" "${DISK_IMAGE}"
 
 if [ -n "${MACOS_DEVELOPER_CERTIFICATE_BASE64}" ] && [ -n "${MACOS_DEVELOPER_CERTIFICATE_PASSWORD}" ] && [ -n "${MACOS_DEVELOPER_IDENTITY}" ]; then
 	security delete-keychain build.keychain
 fi
 
-if [ -n "${MACOS_DEVELOPER_USERNAME}" ] && [ -n "${MACOS_DEVELOPER_PASSWORD}" ]; then
+if [ -n "${MACOS_DEVELOPER_USERNAME}" ] && [ -n "${MACOS_DEVELOPER_PASSWORD}" ] && [ -n "${MACOS_DEVELOPER_IDENTITY}" ]; then
-	# Parallelize processing
+	notarize_package "${DISK_IMAGE}"
-	(notarize_package "build.dmg") &
-	(notarize_package "build-mono.dmg") &
-	wait
 fi
 
-finalize_package "standard" "build.dmg" "${OUTPUTDIR}/OpenRA-${TAG}.dmg"
+finalize_package "${PLATFORM}" "${DISK_IMAGE}" "${OUTPUTDIR}/OpenRA-${TAG}"
-finalize_package "mono" "build-mono.dmg" "${OUTPUTDIR}/OpenRA-${TAG}-mono.dmg"