mirror of
https://github.com/fish-shell/fish-shell.git
synced 2024-11-26 02:13:38 +08:00
e4a993c581
As spotted in #7656, macOS installer files built on Big Sur fail signature verification on macOS 10.11. This is because Big Sur productsign no longer supplies the SHA-1 hash, and 10.11 does not know how to read the SHA-256 hash. Replace the productsign flow with a flow based on http://users.wfu.edu/cottrell/productsign/productsign_linux.html . This uses the xar tool to digitally sign the installer packages, with both SHA-1 and SHA-256 hashes. The xar tool is somewhat tricky to build, so is checked in (as binary!) compiled for Mac. To build a Mac package, run make_pkg.sh (which invokes the signing flow) followed by mac_notarize.sh which adds the notarization.
48 lines
2.0 KiB
Bash
Executable File
48 lines
2.0 KiB
Bash
Executable File
#!/usr/bin/env bash
|
|
|
|
# Script to produce an OS X installer .pkg and .app(.zip)
|
|
|
|
VERSION=$(git describe --always --dirty 2>/dev/null)
|
|
if test -z "$VERSION" ; then
|
|
echo "Could not get version from git"
|
|
if test -f version; then
|
|
VERSION=$(cat version)
|
|
fi
|
|
fi
|
|
|
|
echo "Version is $VERSION"
|
|
|
|
set -x
|
|
|
|
#Exit on error
|
|
set -e
|
|
|
|
# Respect MAC_CODESIGN_ID, or default for ad-hoc.
|
|
# Note the :- means "or default" and the following - is the value.
|
|
MAC_CODESIGN_ID=${MAC_CODESIGN_ID:--}
|
|
|
|
PKGDIR=$(mktemp -d)
|
|
|
|
SRC_DIR=$PWD
|
|
OUTPUT_PATH=${FISH_ARTEFACT_PATH:-~/fish_built}
|
|
|
|
mkdir -p "$PKGDIR/build" "$PKGDIR/root" "$PKGDIR/intermediates" "$PKGDIR/dst"
|
|
{ cd "$PKGDIR/build" && cmake -DMAC_INJECT_GET_TASK_ALLOW=OFF -DCMAKE_BUILD_TYPE=RelWithDebInfo -DWITH_GETTEXT=OFF -DCMAKE_OSX_ARCHITECTURES='arm64;x86_64' -DMAC_CODESIGN_ID="${MAC_CODESIGN_ID}" "$SRC_DIR" && make VERBOSE=1 -j 12 && env DESTDIR="$PKGDIR/root/" make install; }
|
|
pkgbuild --scripts "$SRC_DIR/build_tools/osx_package_scripts" --root "$PKGDIR/root/" --identifier 'com.ridiculousfish.fish-shell-pkg' --version "$VERSION" "$PKGDIR/intermediates/fish.pkg"
|
|
productbuild --package-path "$PKGDIR/intermediates" --distribution "$SRC_DIR/build_tools/osx_distribution.xml" --resources "$SRC_DIR/build_tools/osx_package_resources/" "$OUTPUT_PATH/fish-$VERSION.pkg"
|
|
|
|
# Here is the historical way to sign the installer package.
|
|
# But when run on macOS 11.1, the resulting installers don't work on 10.11.
|
|
# So we have our own script instead. See issue #7656.
|
|
# Also see https://developer.apple.com/forums/thread/664842
|
|
# If/when productsign is fixed to support 10.11, we can switch back to this.
|
|
# MAC_PRODUCTSIGN_ID=${MAC_PRODUCTSIGN_ID:--}
|
|
# productsign --sign "${MAC_PRODUCTSIGN_ID}" "$OUTPUT_PATH/fish-$VERSION.pkg" "$OUTPUT_PATH/fish-$VERSION-signed.pkg" && mv "$OUTPUT_PATH/fish-$VERSION-signed.pkg" "$OUTPUT_PATH/fish-$VERSION.pkg"
|
|
|
|
"$SRC_DIR/build_tools/mac_sign_package.sh" "$OUTPUT_PATH/fish-$VERSION.pkg"
|
|
|
|
# Make the app
|
|
{ cd "$PKGDIR/build" && make signed_fish_macapp && zip -r "$OUTPUT_PATH/fish-$VERSION.app.zip" fish.app; }
|
|
|
|
rm -r "$PKGDIR"
|