ci(macos): add automated codesigning + notarization (#464)

CI/macos/obs-websocket.pkgproj

@@ -514,7 +514,7 @@
 			<key>CONCLUSION_ACTION</key>
 			<integer>0</integer>
 			<key>IDENTIFIER</key>
-			<string>fr.palakis.obswebsocket</string>
+			<string>fr.palakis.obs-websocket</string>
 			<key>OVERWRITE_PERMISSIONS</key>
 			<false/>
 			<key>VERSION</key>

CI/package-macos.sh

@@ -1,4 +1,4 @@
-#!/bin/sh
+#!/bin/bash
 
 set -e
 
@@ -12,13 +12,13 @@ fi
 echo "[obs-websocket] Preparing package build"
 export QT_CELLAR_PREFIX="$(/usr/bin/find /usr/local/Cellar/qt -d 1 | sort -t '.' -k 1,1n -k 2,2n -k 3,3n | tail -n 1)"
 
-export GIT_HASH=$(git rev-parse --short HEAD)
+GIT_HASH=$(git rev-parse --short HEAD)
-export GIT_BRANCH_OR_TAG=$(git name-rev --name-only HEAD | awk -F/ '{print $NF}')
+GIT_BRANCH_OR_TAG=$(git name-rev --name-only HEAD | awk -F/ '{print $NF}')
 
-export VERSION="$GIT_HASH-$GIT_BRANCH_OR_TAG"
+VERSION="$GIT_HASH-$GIT_BRANCH_OR_TAG"
-export LATEST_VERSION="$GIT_BRANCH_OR_TAG"
 
-export FILENAME="obs-websocket-$VERSION.pkg"
+FILENAME_UNSIGNED="obs-websocket-$VERSION-Unsigned.pkg"
+FILENAME="obs-websocket-$VERSION.pkg"
 
 echo "[obs-websocket] Modifying obs-websocket.so"
 install_name_tool \
@@ -34,8 +34,57 @@ install_name_tool \
 echo "[obs-websocket] Dependencies for obs-websocket"
 otool -L ./build/obs-websocket.so
 
+if [[ "$RELEASE_MODE" == "True" ]]; then
+	echo "[obs-websocket] Signing plugin binary: obs-websocket.so"
+	codesign --sign "$CODE_SIGNING_IDENTITY" ./build/obs-websocket.so
+else
+	echo "[obs-websocket] Skipped plugin codesigning"
+fi
+
 echo "[obs-websocket] Actual package build"
 packagesbuild ./CI/macos/obs-websocket.pkgproj
 
 echo "[obs-websocket] Renaming obs-websocket.pkg to $FILENAME"
-mv ./release/obs-websocket.pkg ./release/$FILENAME
+mv ./release/obs-websocket.pkg ./release/$FILENAME_UNSIGNED
+
+if [[ "$RELEASE_MODE" == "True" ]]; then
+	echo "[obs-websocket] Signing installer: $FILENAME"
+	productsign \
+		--sign "$INSTALLER_SIGNING_IDENTITY" \
+		./release/$FILENAME_UNSIGNED \
+		./release/$FILENAME
+	rm ./release/$FILENAME_UNSIGNED
+
+	echo "[obs-websocket] Submitting installer $FILENAME for notarization"
+	zip -r ./release/$FILENAME.zip ./release/$FILENAME
+	UPLOAD_RESULT=$(xcrun altool \
+		--notarize-app \
+		--primary-bundle-id "fr.palakis.obs-websocket" \
+		--username "$AC_USERNAME" \
+		--password "$AC_PASSWORD" \
+		--asc-provider "$AC_PROVIDER_SHORTNAME" \
+		--file "./release/$FILENAME.zip")
+	rm ./release/$FILENAME.zip
+
+	REQUEST_UUID=$(echo $UPLOAD_RESULT | awk -F ' = ' '/RequestUUID/ {print $2}')
+	echo "Request UUID: $REQUEST_UUID"
+
+	echo "[obs-websocket] Wait for notarization result"
+	# Pieces of code borrowed from rednoah/notarized-app
+	while sleep 30 && date; do
+		CHECK_RESULT=$(xcrun altool \
+			--notarization-info "$REQUEST_UUID" \
+			--username "$AC_USERNAME" \
+			--password "$AC_PASSWORD" \
+			--asc-provider "$AC_PROVIDER_SHORTNAME")
+		echo $CHECK_RESULT
+
+		if ! grep -q "Status: in progress" <<< "$CHECK_RESULT"; then
+			echo "[obs-websocket] Staple ticket to installer: $FILENAME"
+			xcrun stapler staple ./release/$FILENAME
+			break
+		fi
+	done
+else
+	echo "[obs-websocket] Skipped installer codesigning and notarization"
+fi

azure-pipelines.yml

@@ -1,3 +1,14 @@
+variables:
+  isReleaseMode: ${{ startsWith(variables['Build.SourceBranch'], 'refs/tags/') }}
+
+trigger:
+  branches:
+    include:
+      - master
+  tags:
+    include:
+      - '*'
+
 jobs:
 - job: 'GenerateDocs'
   condition: |
@@ -149,8 +160,22 @@ jobs:
     - script: ./CI/build-macos.sh
       displayName: 'Build obs-websocket'
 
+    - task: InstallAppleCertificate@1
+      displayName: 'Install release signing certificates'
+      condition: eq(variables['isReleaseMode'], true)
+      inputs:
+        certSecureFile: 'Certificates.p12'
+        certPwd: $(secrets.macOS.certificatesImportPassword)
+
     - script: ./CI/package-macos.sh
       displayName: 'Package obs-websocket'
+      env:
+        RELEASE_MODE: $(isReleaseMode)
+        CODE_SIGNING_IDENTITY: $(secrets.macOS.codeSigningIdentity)
+        INSTALLER_SIGNING_IDENTITY: $(secrets.macOS.installerSigningIdentity)
+        AC_USERNAME: $(secrets.macOS.notarization.username)
+        AC_PASSWORD: $(secrets.macOS.notarization.password)
+        AC_PROVIDER_SHORTNAME: $(secrets.macOS.notarization.providerShortName)
 
     - task: PublishBuildArtifacts@1
       inputs: