add: macOS sign and notarize process.

See [Issue GerryFerdinandus#41]

Author: GerryFerdinandus

…er/trackereditor.app/Contents/Info.plist …pp/trackereditor.app/Contents/Info.plistenduser/trackereditor.app/Contents/Info.plist renamed to enduser/macos/app/trackereditor.app/Contents/Info.plist enduser/trackereditor.app/Contents/Info.plist renamed to enduser/macos/app/trackereditor.app/Contents/Info.plist

@@ -0,0 +1,12 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
+<plist version="1.0">
+<dict>
+	<key>com.apple.security.app-sandbox</key>
+	<true/>
+	<key>com.apple.security.files.user-selected.read-write</key>
+	<true/>
+	<key>com.apple.security.network.client</key>
+	<true/>
+</dict>
+</plist>

…rackereditor.app/Contents/MacOS/.gitkeep …rackereditor.app/Contents/MacOS/.gitkeependuser/trackereditor.app/Contents/MacOS/.gitkeep renamed to enduser/macos/app/trackereditor.app/Contents/MacOS/.gitkeep enduser/trackereditor.app/Contents/MacOS/.gitkeep renamed to enduser/macos/app/trackereditor.app/Contents/MacOS/.gitkeep

@@ -0,0 +1,36 @@
+#!/usr/bin/env sh
+
+#must run on griet server only
+if [ -z "${TRAVIS}" ]
+then
+	echo "This is not TRAVIS CI build server "
+	exit 1
+fi
+
+# secure/hidden variable from travis
+#	CERTIFICATE_OSX_P12
+#	CERTIFICATE_PASSWORD
+
+
+# constant variable
+KEY_CHAIN=build.keychain
+CERTIFICATE_P12=certificate.p12
+
+# Recreate the certificate from the secure environment variable
+echo $CERTIFICATE_OSX_P12 | base64 --decode > $CERTIFICATE_P12
+
+# create a keychain
+security create-keychain -p travis $KEY_CHAIN
+
+# Make the keychain the default so identities are found
+security default-keychain -s $KEY_CHAIN
+
+# Unlock the keychain
+security unlock-keychain -p travis $KEY_CHAIN
+
+security import $CERTIFICATE_P12 -k $KEY_CHAIN -P $CERTIFICATE_PASSWORD -T /usr/bin/codesign;
+
+security set-key-partition-list -S apple-tool:,apple: -s -k travis $KEY_CHAIN
+
+# remove certs
+rm -fr *.p12

…duser/trackereditor.app/Contents/PkgInfo …s/app/trackereditor.app/Contents/PkgInfoenduser/trackereditor.app/Contents/PkgInfo renamed to enduser/macos/app/trackereditor.app/Contents/PkgInfo enduser/trackereditor.app/Contents/PkgInfo renamed to enduser/macos/app/trackereditor.app/Contents/PkgInfo

@@ -14,19 +14,13 @@ elif [ "$TRAVIS_OS_NAME" = "osx" ]
 then
   # Apple macOS
   echo "Building zip file for macOS"
-  cd enduser
 
-  # Move the executable to the application bundle
-  mv trackereditor trackereditor.app/Contents/MacOS
+  # Add certificate into the macOS system
+  source ./scripts/travis_add_macos_cert.sh
 
-  # Move the trackers list to application bundle
-  mv add_trackers.txt trackereditor.app/Contents/MacOS
-  mv remove_trackers.txt trackereditor.app/Contents/MacOS
+  # sign + zip the app
+  source ./scripts/travis_sign_macos_app.sh
 
-  # Create the zip file.
-  zip -j ../$RELEASE_ZIP_FILE *.txt
-  zip -r ../$RELEASE_ZIP_FILE trackereditor.app
-  cd ..
 elif [ "$TRAVIS_OS_NAME" = "windows" ]
 then
   # Windows

…tor.app/Contents/Resources/iconfile.icns …tor.app/Contents/Resources/iconfile.icnsenduser/trackereditor.app/Contents/Resources/iconfile.icns renamed to enduser/macos/app/trackereditor.app/Contents/Resources/iconfile.icns enduser/trackereditor.app/Contents/Resources/iconfile.icns renamed to enduser/macos/app/trackereditor.app/Contents/Resources/iconfile.icns

@@ -0,0 +1,142 @@
+#!/usr/bin/env sh
+
+# secure/hidden variable from travis
+#CERTIFICATE_ID="..."
+#USERNAME="..."
+#APP_SPECIFIC_PASSWORD="..." 
+#RELEASE_ZIP_FILE="..."
+
+# path to app
+FILE_APP='enduser/macos/app/trackereditor.app'
+PLISTBUDDY_APP='/usr/libexec/PlistBuddy'
+
+if [ ! -x "${PLISTBUDDY_APP}" ]
+then
+	echo "Couldn't find PlistBuddy"
+	exit 1
+fi
+
+# copy everything into enduser/macos/app folder
+#
+# Move the executable to the application bundle
+mv enduser/trackereditor enduser/macos/app/trackereditor.app/Contents/MacOS
+
+# Move the trackers list to application bundle
+mv enduser/add_trackers.txt enduser/macos/app/trackereditor.app/Contents/MacOS
+mv enduser/remove_trackers.txt enduser/macos/app/trackereditor.app/Contents/MacOS
+
+# move all the *.txt file
+mv enduser/*.txt enduser/macos/app
+
+# sign the app. -sign is the developer cetificate ID
+# entitlements does not work at this moment
+#codesign --timestamp --entitlements enduser/macos/entitlements.plist --force --options runtime --deep --sign $CERTIFICATE_ID $FILE_APP
+codesign --timestamp --force --options runtime --deep --sign $CERTIFICATE_ID $FILE_APP
+
+# Check exit code
+exit_code=$?
+if [ "${exit_code}" != "0" ]
+then
+	echo "codesign failed: ${exit_code}"
+	exit 1
+fi
+
+#must use ditto to compress the file application folder only for notarize. Zip program will not work!
+/usr/bin/ditto -c -k --keepParent "$FILE_APP" "$RELEASE_ZIP_FILE"
+
+# upload zip to notarize service. for RequestUUID 
+# -- username is the normal apple ID. example [email protected] 
+# -- password is 'app specific password' generated via apple web site. Security -> app-specific password
+echo "Uploading to notarize server" 
+xcrun altool --notarize-app --output-format xml --primary-bundle-id "trackereditor" --username $USERNAME --password $APP_SPECIFIC_PASSWORD --file $RELEASE_ZIP_FILE > "result.plist"
+
+# remove the uploaded zip file. need to be created again later.
+rm $RELEASE_ZIP_FILE 
+
+
+# Check exit code
+exit_code=$?
+if [ "${exit_code}" != "0" ]
+then
+	echo "notarize-app failed: ${exit_code}"
+	cat "result.plist"
+	exit 1
+fi
+
+# Get the RequestUUID
+RequestUUID="$("${PLISTBUDDY_APP}" -c "Print notarization-upload:RequestUUID"  "result.plist")"
+echo "RequestUUID: ${RequestUUID}"
+
+# wait till notarize apple server is finish with the processing the zip upload.
+for (( ; ; ))
+do
+
+    # get status from apple notarize server
+    xcrun altool --output-format xml --notarization-info "${RequestUUID}"  -u $USERNAME -p $APP_SPECIFIC_PASSWORD > "result.plist"
+    # Check exit code
+    exit_code=$?
+    if [ "${exit_code}" != "0" ]
+    then
+    	echo "notarization-info failed: ${exit_code}"
+	    cat "result.plist"
+        # print the error in the URL
+        LogFileURL="$("${PLISTBUDDY_APP}" -c "Print notarization-info:LogFileURL"  "result.plist")"
+        if [ ! -z "${LogFileURL}" ]
+        then
+            curl "${LogFileURL}"
+        fi
+	    exit 1
+    fi
+
+    # get the status. 
+    StatusCode="$("${PLISTBUDDY_APP}" -c "Print notarization-info:Status"  "result.plist")"
+    echo "Status: ${StatusCode}"
+
+    # if no status code present in result then it is still busy
+    if [ "${StatusCode}" == "in progress" ]
+    then
+        sleep 15
+    else
+   	    echo "Finish waiting."
+        #cat "result.plist"   
+        # Check if everything is correct 
+        StatusCode="$("${PLISTBUDDY_APP}" -c "Print notarization-info:'Status Code'"  "result.plist")"
+        echo "Status code: ${StatusCode}"
+        if [ "${StatusCode}" == "0" ]
+        then
+            # there are no error.
+            break
+        else
+            # print the error in the URL
+            LogFileURL="$("${PLISTBUDDY_APP}" -c "Print notarization-info:LogFileURL"  "result.plist")"
+            if [ ! -z "${LogFileURL}" ]
+            then
+                curl "${LogFileURL}"
+            fi
+	    exit 1
+        fi
+    fi
+done
+
+# verify sign *.app is succes full
+spctl --assess --type execute --verbose $FILE_APP
+# Check exit code
+exit_code=$?
+if [ "${exit_code}" != "0" ]
+then
+	echo "spctl failed: ${exit_code}"
+	exit 1
+fi
+
+# staple the *.app
+xcrun stapler staple $FILE_APP
+# Check exit code
+exit_code=$?
+if [ "${exit_code}" != "0" ]
+then
+	echo "spctl stapler: ${exit_code}"
+	exit 1
+fi
+
+# zip only the app folder with extra text file.
+/usr/bin/ditto -c -k "enduser/macos/app" "$RELEASE_ZIP_FILE"