#!/usr/bin/env bash set -euo pipefail set -e # Exit on any error ######################## # configurable section # ######################## # Check if the required arguments are provided if [ "$#" -lt 4 ]; then echo "โŒ Error: Missing arguments" echo "Usage: $0 " exit 10 fi qtBin="$1/bin" identity="$2" profile="$3" appBundle="$4" appBundleExe=$(basename "$appBundle" .app) archiveName="$(dirname "$appBundle")/${appBundleExe}_toNotarize.zip" outputArchive="$(dirname "$appBundle")/${appBundleExe}.zip" EXECUTABLE_PATH="$appBundle/Contents/MacOS/$appBundleExe" export COPYFILE_DISABLE=1 # prevent future ._ files echo "๐Ÿ“ฆ Summary of paths:" echo "Qt bin path: $qtBin" echo "App bundle: $appBundle" echo "App executable: $appBundle/Contents/MacOS/$appBundleExe" echo "Archive for notarization: $archiveName" echo "Final output archive: $outputArchive" cleanApp(){ # Remove output archive if it exists if [ -f "$outputArchive" ]; then echo "๐Ÿ—‘๏ธ Removing existing output archive: $outputArchive" rm -f "$outputArchive" || { echo "โŒ Error: Failed to delete archive $outputArchive"; exit 1; } fi # Code signing fix script for macOS # This script cleans resource forks, extended attributes, and re-signs the app # Configuration echo "๐Ÿ”ง Starting code signing fix for "$appBundleExe".app" # Check if app exists if [ ! -d "$appBundle" ]; then echo "โŒ Error: App not found at $appBundle" exit 1 fi # Navigate to the app directory cd "$(dirname "$appBundle")" APP_NAME="$(basename "$appBundle")" echo "๐Ÿ“ Working with app: $APP_NAME" # Step 1: Remove existing signature echo "๐Ÿ—‘๏ธ Removing existing signature..." codesign --remove-signature "$APP_NAME" 2>/dev/null || echo "No existing signature found" # Step 2: Clean extended attributes and resource forks echo "๐Ÿงน Cleaning extended attributes and resource forks..." xattr -cr "$APP_NAME" xattr -dr com.apple.quarantine "$APP_NAME" # Step 3: Remove problematic files #echo "๐Ÿ—‚๏ธ Removing .DS_Store and resource fork files..." #find "$APP_NAME" -name ".DS_Store" -delete 2>/dev/null || true #find "$APP_NAME" -name "._*" -delete 2>/dev/null || true # Step 4: Remove any hidden files that might cause issues #echo "๐Ÿ‘ป Removing hidden files..." #find "$APP_NAME" -type f -name ".*" -not -name ".keep" -delete 2>/dev/null || true # Step 5: Verify app bundle structure echo "๐Ÿ“‹ Verifying app bundle structure..." if [ ! -f "$APP_NAME/Contents/Info.plist" ]; then echo "โŒ Error: Info.plist not found in Contents/" exit 1 fi if [ ! -f "$APP_NAME/Contents/MacOS/$appBundleExe" ]; then echo "โŒ Error: Executable not found in Contents/MacOS/$appBundleExe" exit 1 fi echo "โœ… App bundle structure looks good" # Optional: Check for any remaining extended attributes echo "๐Ÿ”Ž Checking for remaining extended attributes..." if xattr "$APP_NAME/Contents/MacOS/$appBundleExe" 2>/dev/null; then echo "โš ๏ธ Warning: Extended attributes still present" xattr -l "$APP_NAME/Contents/MacOS/$appBundleExe" 2>/dev/null else echo "โœ… No extended attributes found" fi echo "๐ŸŽ‰ All done! Your app should now be properly signed." } relinkLibs() { echo "๐Ÿ”„ Relinking libraries in $appBundle" local binary_path="$EXECUTABLE_PATH" local relative_path="MacOS" echo "Processing: $binary_path - $relative_path" # Get current dependencies dependencies=$(otool -L "$binary_path" 2>/dev/null | grep -E "@rpath/.*\.framework|@rpath/.*\.dylib" | awk '{print $1}') if [ -z "$dependencies" ]; then echo " No @rpath dependencies found" return fi # Process each @rpath dependency while IFS= read -r dep; do if [ -n "$dep" ]; then # Extract the framework/library name from @rpath/... framework_name=$(echo "$dep" | sed 's|@rpath/||') # Check if this framework exists in Contents/Frameworks framework_path="$appBundle/Contents/Frameworks/$framework_name" if [ -e "$framework_path" ]; then # Calculate the new path relative to the binary if [ "$relative_path" = "MacOS" ]; then new_path="@executable_path/../Frameworks/$framework_name" else # For frameworks calling other frameworks, use @loader_path new_path="@loader_path/../$framework_name" fi echo " Changing: $dep" echo " To: $new_path" # Make the binary writable chmod u+w "$binary_path" # Use install_name_tool to change the dependency install_name_tool -change "$dep" "$new_path" "$binary_path" 2>/dev/null if [ $? -eq 0 ]; then echo " โœ“ Successfully changed" else echo " โœ— Failed to change" exit 1 fi else echo " Skipping: $dep (not found in Contents/Frameworks)" fi fi done <<< "$dependencies" } collectApp() { echo "๐Ÿ”„ Collecting application bundle $appBundle" if [ ! -d "$appBundle" ]; then echo "โŒ Error: Application bundle not found at $appBundle" exit 1 fi # Remove existing archive if it exists if [ -f "$archiveName" ]; then echo "๐Ÿ—‘๏ธ Removing existing archive: $archiveName" rm -f "$archiveName" fi echo " " echo "๐Ÿ”ง Running macdeployqt to collect dependencies and resources" echo "$qtBin/macdeployqt $appBundle -verbose=3 -always-overwrite -appstore-compliant" "$qtBin/macdeployqt" "$appBundle" -verbose=3 -always-overwrite -appstore-compliant -no-strip # -no-strip # -sign-for-notarization=$identity -verbose=1 echo " " } signFolderRecursively() { local folder="$1" echo "๐Ÿ”„ Signing folder recursively: $folder" if [ -d "$folder" ]; then find "$folder" -type f \( -name "*.dylib" -o -name "*.so" -o -perm +111 \) | while read bin; do echo "๐Ÿ”‘ Signing binary: $bin" codesign --force --options runtime --timestamp --sign "$identity" "$bin" done else echo "โš ๏ธ Folder not found: $folder (skipping)" fi } resignApps(){ echo "๐Ÿ”„ Resigning application bundle $appBundle" # Sign libraries in Frameworks directory first echo "๐Ÿ”‘ Signing frameworks..." signFolderRecursively "$appBundle/Contents/Frameworks" # Sign plugins next echo "๐Ÿ”‘ Signing PlugIns..." signFolderRecursively "$appBundle/Contents/PlugIns" echo "๐Ÿ”‘ Signing icPlugins..." signFolderRecursively "$appBundle/Contents/icPlugins" echo "๐Ÿ”‘ Signing icExtra..." signFolderRecursively "$appBundle/Contents/icExtra" # Sign the main executable echo "๐Ÿ”‘ Signing main executable..." codesign --force --options runtime --timestamp --sign "$identity" "$appBundle/Contents/MacOS/$appBundleExe" # Finally sign the whole bundle echo "๐Ÿ”‘ Signing complete application bundle..." codesign --force --deep --options runtime --timestamp --sign "$identity" "$appBundle" # Verify signature codesign -vvv --deep "$appBundle" } wrap_app() { echo "๐Ÿ”„ Wrapping application bundle $appBundle into archive $archiveName" case "$archiveName" in *.dmg) "$qtBin/macdeployqt" "$appBundle" -dmg -verbose=2 ;; *) ditto -c -k --keepParent "$appBundle" "$archiveName" ;; esac # --sequesterRsrc } submit_and_staple() { echo "๐Ÿ”„ Submitting archive $archiveName for notarization" notarization_output=$(xcrun notarytool submit "$archiveName" \ --keychain-profile "$profile" \ --wait) echo "$notarization_output" # Extract submission ID using regex submissionId=$(echo "$notarization_output" | grep -o "id: [a-f0-9\-]\+" | head -1 | cut -d' ' -f2) status=$(echo "$notarization_output" | grep -o "status: [A-Za-z]\+" | tail -1 | cut -d' ' -f2) if [[ "$status" != "Accepted" ]]; then echo "โŒ Notarization failed with status: $status" statusJson=$(xcrun notarytool info "$submissionId" \ --keychain-profile "$profile" --output-format json) if [[ $(jq -r '.status' <<<"$statusJson") != "Accepted" ]]; then echo "โŒ Notarization details:" xcrun notarytool log "$submissionId" --keychain-profile "$profile" exit 1 fi else echo "โœ… Notarization accepted, stapling app bundle..." xcrun stapler staple "$appBundle" # Verify stapling was successful echo "๐Ÿ” Verifying staple status..." staple_check=$(xcrun stapler validate -v "$appBundle") if [[ $staple_check == *"valid"* ]]; then echo "โœ… Stapling validation successful" else echo "โš ๏ธ Stapling validation issue: $staple_check" exit 1 fi # Check Gatekeeper validation echo "๐Ÿ” Checking Gatekeeper validation..." spctl_result=$(spctl -a -t exec -vv "$appBundle" 2>&1) echo "$spctl_result" if [[ $spctl_result == *"accepted"* ]]; then echo "โœ… App passed Gatekeeper validation" else echo "โš ๏ธ App may have Gatekeeper validation issues" exit 1 fi fi echo "๐Ÿ“ฆ Creating final archive: $outputArchive" if [ -f "$outputArchive" ]; then rm -f "$outputArchive" fi ditto -c -k -rsrc --sequesterRsrc --keepParent "$appBundle" "$outputArchive" if [ -f "$outputArchive" ]; then echo "โœ… Final archive created successfully at: $outputArchive" else echo "โŒ Failed to create final archive" exit 1 fi exit 0 } #echo "๐Ÿ”„ Starting application build process for $appBundleExe Waiting for 10 seconds to ensure all processes are ready..." #sync #sleep 10 cleanApp collectApp #relinkLibs resignApps wrap_app submit_and_staple