Changeset 19582 in josm

Timestamp:

2026-06-12T15:45:59+02:00 (2 days ago)

Author:

stoecker

Message:

see #24689 - fix MacOS signing - patch by Thomas Skowron

Location:

trunk

Files:

• .github/workflows/ant-test.yml (modified) (2 diffs)
• native/macosx/macos-jpackage.sh (modified) (4 diffs)

trunk/.github/workflows/ant-test.yml

@@ -57 +57 @@
       - name: Upload Ant reports
         if: ${{ always() }}
-        uses: actions/download-artifact@v7
+        uses: actions/upload-artifact@v4
         with:
-          name: Ant reports for JOSM ${{ needs.createrelease.outputs.josm_revision }} on java ${{ matrix.java }} on ${{ matrix.os }}
+          name: Ant reports for JOSM on java ${{ matrix.java }} on ${{ matrix.os }}
           path: |
             test/report/*.txt
@@ -74 +74 @@
     steps:
       - name: Download Artifacts
-        uses: actions/download-artifact@v8
+        uses: actions/download-artifact@v4
         with:
           path: artifacts

trunk/native/macosx/macos-jpackage.sh

@@ -41 +41 @@
     echo "$CERT_MACOS_P12" | base64 --decode > $CERTIFICATE_P12
     security create-keychain -p "$KEYCHAIN_PW" $KEYCHAIN
+    security set-keychain-settings -lut 21600 $KEYCHAIN
     security default-keychain -s $KEYCHAIN
+    security list-keychains -d user -s $KEYCHAIN login.keychain-db
     security unlock-keychain -p "$KEYCHAIN_PW" $KEYCHAIN
     security import $CERTIFICATE_P12 -k $KEYCHAIN -P "$CERT_MACOS_PW" -T /usr/bin/codesign
-    security set-key-partition-list -S apple-tool:,apple: -s -k "$KEYCHAIN_PW" $KEYCHAIN
+    security set-key-partition-list -S apple-tool:,apple:,codesign: -s -k "$KEYCHAIN_PW" $KEYCHAIN
     rm $CERTIFICATE_P12
     SIGNAPP=true
@@ -52 +54 @@
 
 set -u
+
+# For two-arch builds (ARM64 runner), the x64 jpackage runs under Rosetta 2 and
+# cannot access the keychain item; sign_app re-signs everything after the merge
+# anyway, so skip jpackage's --mac-sign for this case entirely.
+if [ -n "${2:-}" ]; then
+    JPACKAGEOPTIONS=""
+fi
 
 function do_jpackage() {
@@ -91 +100 @@
   echo "Building done (${JAVA_HOME})."
 }
-function do_signapp() {
+function notarize_app() {
   echo "Compressing app (${1})"
   ditto -c -k --zlibCompressionLevel 9 --keepParent "app/${1}.app" "app/${1}.zip"
@@ -150 +159 @@
   directory_iterate "JOSM_${second}.app" "JOSM.app" "JOSM_${first}.app" "JOSM_${second}.app"
   )
-  do_signapp "JOSM_${first}"
-  do_signapp "JOSM_${second}"
   if [ "${KEYCHAINPATH}" != "false" ]; then
+    security unlock-keychain -p "$KEYCHAIN_PW" $KEYCHAIN
+    CODESIGN_OPTS=(--sign "FOSSGIS e.V." --force --keychain "${KEYCHAINPATH}" --timestamp --options runtime
+      --entitlements "$(dirname "${BASH_SOURCE[0]}")/josm.entitlements")
     function do_codesign() {
-      codesign --sign "FOSSGIS e.V." \
-        --force \
-        --keychain "${KEYCHAINPATH}" \
-        --timestamp \
+      codesign "${CODESIGN_OPTS[@]}" \
         --prefix "de.openstreetmap.josm" \
         --identifier "${2}" \
-        --options runtime \
-        --entitlements "$(dirname "${BASH_SOURCE[0]}")/josm.entitlements" \
         --verbose=4 "${1}"
     }
-    do_codesign app/JOSM.app/Contents/runtime "com.oracle.java.de.openstreetmap.josm"
-    do_codesign app/JOSM.app/ "de.openstreetmap.josm"
+    function sign_app() {
+      # jpackage's --mac-sign does not produce valid Developer ID signatures with
+      # secure timestamps. Sign every Mach-O binary in the app individually first
+      # (inside-out), then seal the runtime bundle and the app bundle.
+      while IFS= read -r -d '' binary; do
+        if file "$binary" | grep -q 'Mach-O'; then
+          codesign "${CODESIGN_OPTS[@]}" "$binary"
+        fi
+      done < <(find "${1}" -type f -print0)
+      do_codesign "${1}/Contents/runtime" "com.oracle.java.de.openstreetmap.josm"
+      do_codesign "${1}/" "de.openstreetmap.josm"
+    }
+    sign_app "app/JOSM_${first}.app"
+    sign_app "app/JOSM_${second}.app"
+    sign_app "app/JOSM.app"
   fi
+  notarize_app "JOSM_${first}"
+  notarize_app "JOSM_${second}"
 fi
-do_signapp JOSM
+notarize_app JOSM