CI: extracted notarization process for better orchestration

frankmorgner · frankmorgner · commit e7fd828b8894 · 2026-01-28T08:48:28.000+01:00
diff --git a/.github/workflows/macos.yml b/.github/workflows/macos.yml
@@ -46,19 +46,16 @@ jobs:
           DEV_ID_INSTALLER: ${{ secrets.DEV_ID_INSTALLER }}
           DEV_ID_APPLICATION: ${{ secrets.DEV_ID_APPLICATION }}
       - run: .github/build.sh
-        if: ${{   startsWith(github.ref, 'refs/tags/') && github.repository == 'OpenSC/OpenSC' }}
         env:
           CODE_SIGN_IDENTITY: ${{ secrets.CODE_SIGN_IDENTITY }}
           DEVELOPMENT_TEAM: ${{ secrets.DEVELOPMENT_TEAM }}
           INSTALLER_SIGN_IDENTITY: ${{ secrets.INSTALLER_SIGN_IDENTITY }}
-          NOTARIZATION_PASSWORD: ${{ secrets.NOTARIZATION_PASSWORD }}
-          APPLE_ID: ${{ secrets.APPLE_ID }}
-      - run: .github/build.sh
-        if: ${{ ! startsWith(github.ref, 'refs/tags/') || github.repository != 'OpenSC/OpenSC' }}
+      - run: MacOSX/notarize
+        if: ${{ startsWith(github.ref, 'refs/tags/') && github.repository == 'OpenSC/OpenSC' }}
         env:
-          CODE_SIGN_IDENTITY: ${{ secrets.CODE_SIGN_IDENTITY }}
           DEVELOPMENT_TEAM: ${{ secrets.DEVELOPMENT_TEAM }}
-          INSTALLER_SIGN_IDENTITY: ${{ secrets.INSTALLER_SIGN_IDENTITY }}
+          NOTARIZATION_PASSWORD: ${{ secrets.NOTARIZATION_PASSWORD }}
+          APPLE_ID: ${{ secrets.APPLE_ID }}
       - run: .github/cleanup-macos.sh
         env:
           KEY_PASSWORD: ${{ secrets.DEV_ID_PASSWORD }}
diff --git a/MacOSX/Makefile.am b/MacOSX/Makefile.am
@@ -3,6 +3,7 @@ EXTRA_DIST = build \
 	build-openssl-macos.sh \
 	Distribution.xml.in \
 	libtool-bundle \
+	notarize \
 	OpenSC_applescripts.entitlements \
 	OpenSC_binaries.entitlements \
 	OpenSC_Notify.applescript \
diff --git a/MacOSX/build b/MacOSX/build
@@ -14,12 +14,14 @@ set -ex
 test -x ./configure || ./bootstrap
 BUILDPATH=${PWD}
 
+# keep in sync with MacOSX/notarize
 while IFS='=' read -r key value; do
     # Skip empty or comment lines
     [[ -z "$key" || "$key" =~ ^# ]] && continue
     export "$key=$value"
 done < $BUILDPATH/VERSION.mk
 
+# keep in sync with MacOSX/notarize
 export PACKAGE_VERSION=${PACKAGE_VERSION_MAJOR}.${PACKAGE_VERSION_MINOR}.${PACKAGE_VERSION_FIX}
 PREFIX=/Library/OpenSC
 export PKG_CONFIG_PATH=$PKG_CONFIG_PATH:/usr/lib/pkgconfig
@@ -189,8 +191,3 @@ do
 	fi
 done
 rm -rf ${imagedir}
-
-if test -n "${NOTARIZATION_PASSWORD}"; then
-	xcrun notarytool submit --team-id ${DEVELOPMENT_TEAM} --apple-id ${APPLE_ID} --password ${NOTARIZATION_PASSWORD} --wait OpenSC-${PACKAGE_VERSION}.dmg
-	xcrun stapler staple OpenSC-${PACKAGE_VERSION}.dmg
-fi
diff --git a/MacOSX/notarize b/MacOSX/notarize
@@ -0,0 +1,23 @@
+#!/bin/bash
+# Notarize and staple the macOS installer image.
+#
+# This is only tested and supported on macOS 10.10 or later, using Xcode 6.0.1.
+# Building should also work on older macOS versions with slight changes; YMMV.
+
+set -ex
+BUILDPATH=${PWD}
+
+# keep in sync with MacOSX/build
+while IFS='=' read -r key value; do
+    # Skip empty or comment lines
+    [[ -z "$key" || "$key" =~ ^# ]] && continue
+    export "$key=$value"
+done < $BUILDPATH/VERSION.mk
+
+# keep in sync with MacOSX/build
+export PACKAGE_VERSION=${PACKAGE_VERSION_MAJOR}.${PACKAGE_VERSION_MINOR}.${PACKAGE_VERSION_FIX}
+
+if test -n "${NOTARIZATION_PASSWORD}" -a -n "${DEVELOPMENT_TEAM}"; then
+    xcrun notarytool submit --team-id ${DEVELOPMENT_TEAM} --apple-id ${APPLE_ID} --password ${NOTARIZATION_PASSWORD} --wait OpenSC-${PACKAGE_VERSION}.dmg
+    xcrun stapler staple OpenSC-${PACKAGE_VERSION}.dmg
+fi
