feat: Publish on Mac App Store via GitHub Actions (#139)

* build(mac): App Store flavor.

* ci: Mac App Store build & upload.

* fix(macos,appstore): build version

* Revert "build(mac): App Store flavor."

This reverts commit 32e6f32.

* build(mac, appstore): patch pbxproj instead of creating flutter flavor

* ci(macos): Add provisioning profile

* fix(mac): Include team id and bundle id in entitlements.

* fix(macos, appstore): Build-time provisioning profile

* build(macos): Encryption compliance declaration.

* fix(macos): Sign the app properly.

Author: laosb

.github/workflows/build.yml

@@ -5,6 +5,12 @@ macos-ci-all: macos-ci-clean macos-ci-install
   ./scripts/macos_5_codesign_and_notarize.sh
   ./scripts/macos_6_create_dmg.sh
 
+macos-ci-all-appstore: macos-ci-clean macos-ci-install
+  ./scripts/macos_2_appstore_build.sh
+  ./scripts/macos_3_prepare_before_sign.sh
+  ./scripts/macos_4_replace_dylib.sh
+  ./scripts/macos_5_codesign_and_submit_to_appstore.sh
+
 macos-ci-clean:
   ./scripts/macos_7_clean.sh
 
@@ -23,4 +29,3 @@ macos-build:
   ./scripts/macos_2_build.sh
 
 macos-build-all: macos-install macos-build
-

Justfile

@@ -289,7 +289,6 @@
 					33CC10EC2044A3C60003C045 = {
 						CreatedOnToolsVersion = 9.2;
 						LastSwiftMigration = 1100;
-						ProvisioningStyle = Automatic;
 						SystemCapabilities = {
 							com.apple.Sandbox = {
 								enabled = 1;
@@ -590,9 +589,13 @@
 			buildSettings = {
 				ASSETCATALOG_COMPILER_APPICON_NAME = AppIcon;
 				CLANG_ENABLE_MODULES = YES;
-				CODE_SIGN_ENTITLEMENTS = Runner/DebugProfile.entitlements;
-				CODE_SIGN_STYLE = Automatic;
+				CODE_SIGN_ENTITLEMENTS = Runner/Release.entitlements;
+				CODE_SIGN_IDENTITY = "Apple Development";
+				"CODE_SIGN_IDENTITY[sdk=macosx*]" = "3rd Party Mac Developer Application";
+				CODE_SIGN_STYLE = Manual;
 				COMBINE_HIDPI_IMAGES = YES;
+				DEVELOPMENT_TEAM = "";
+				"DEVELOPMENT_TEAM[sdk=macosx*]" = LG57TUQ726;
 				ENABLE_HARDENED_RUNTIME = YES;
 				INFOPLIST_FILE = Runner/Info.plist;
 				INFOPLIST_KEY_LSApplicationCategoryType = "public.app-category.music";
@@ -609,6 +612,7 @@
 				MACOSX_DEPLOYMENT_TARGET = 10.14.6;
 				PRODUCT_BUNDLE_IDENTIFIER = ci.not.rune;
 				PROVISIONING_PROFILE_SPECIFIER = "";
+				"PROVISIONING_PROFILE_SPECIFIER[sdk=macosx*]" = "Rune App Store";
 				SWIFT_VERSION = 5.0;
 			};
 			name = Profile;
@@ -733,8 +737,10 @@
 				ASSETCATALOG_COMPILER_APPICON_NAME = AppIcon;
 				CLANG_ENABLE_MODULES = YES;
 				CODE_SIGN_ENTITLEMENTS = Runner/DebugProfile.entitlements;
+				"CODE_SIGN_IDENTITY[sdk=macosx*]" = "Apple Development";
 				CODE_SIGN_STYLE = Automatic;
 				COMBINE_HIDPI_IMAGES = YES;
+				DEVELOPMENT_TEAM = LG57TUQ726;
 				ENABLE_HARDENED_RUNTIME = YES;
 				INFOPLIST_FILE = Runner/Info.plist;
 				INFOPLIST_KEY_LSApplicationCategoryType = "public.app-category.music";
@@ -763,8 +769,12 @@
 				ASSETCATALOG_COMPILER_APPICON_NAME = AppIcon;
 				CLANG_ENABLE_MODULES = YES;
 				CODE_SIGN_ENTITLEMENTS = Runner/Release.entitlements;
-				CODE_SIGN_STYLE = Automatic;
+				CODE_SIGN_IDENTITY = "Apple Development";
+				"CODE_SIGN_IDENTITY[sdk=macosx*]" = "3rd Party Mac Developer Application";
+				CODE_SIGN_STYLE = Manual;
 				COMBINE_HIDPI_IMAGES = YES;
+				DEVELOPMENT_TEAM = "";
+				"DEVELOPMENT_TEAM[sdk=macosx*]" = LG57TUQ726;
 				ENABLE_HARDENED_RUNTIME = YES;
 				INFOPLIST_FILE = Runner/Info.plist;
 				INFOPLIST_KEY_LSApplicationCategoryType = "public.app-category.music";
@@ -781,6 +791,7 @@
 				MACOSX_DEPLOYMENT_TARGET = 10.14.6;
 				PRODUCT_BUNDLE_IDENTIFIER = ci.not.rune;
 				PROVISIONING_PROFILE_SPECIFIER = "";
+				"PROVISIONING_PROFILE_SPECIFIER[sdk=macosx*]" = "Rune App Store";
 				SWIFT_VERSION = 5.0;
 			};
 			name = Release;

macos/Runner.xcodeproj/project.pbxproj

@@ -20,6 +20,10 @@
 	<string>$(FLUTTER_BUILD_NAME)</string>
 	<key>CFBundleVersion</key>
 	<string>$(FLUTTER_BUILD_NUMBER)</string>
+	<key>ITSAppUsesNonExemptEncryption</key>
+	<false/>
+	<key>LSApplicationCategoryType</key>
+	<string>public.app-category.music</string>
 	<key>LSMinimumSystemVersion</key>
 	<string>$(MACOSX_DEPLOYMENT_TARGET)</string>
 	<key>NSHumanReadableCopyright</key>
@@ -28,7 +32,5 @@
 	<string>MainMenu</string>
 	<key>NSPrincipalClass</key>
 	<string>NSApplication</string>
-	<key>LSApplicationCategoryType</key>
-	<string>public.app-category.music</string>
 </dict>
 </plist>

macos/Runner/Info.plist

@@ -2,6 +2,12 @@
 <!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
 <plist version="1.0">
 <dict>
+	<key>keychain-access-groups</key>
+	<array/>
+	<key>com.apple.developer.team-identifier</key>
+	<string>LG57TUQ726</string>
+	<key>com.apple.application-identifier</key>
+	<string>LG57TUQ726.ci.not.rune</string>
 	<key>com.apple.security.app-sandbox</key>
 	<true/>
 	<key>com.apple.security.automation.apple-events</key>

macos/Runner/Release.entitlements

@@ -0,0 +1,25 @@
+#!/usr/bin/env sh
+
+set -e
+
+cd "$(dirname "$0")"
+cd ..
+
+# Create backup of project.pbxproj
+cp macos/Runner.xcodeproj/project.pbxproj macos/Runner.xcodeproj/project.pbxproj.backup
+
+# Patch macos/Runner.xcodeproj/project.pbxproj and macos/Runner/Release.entitlements to replace bundle ID
+sed -i '' 's/PRODUCT_BUNDLE_IDENTIFIER = ci.not.rune;/PRODUCT_BUNDLE_IDENTIFIER = ci.not.rune.appstore;/g' macos/Runner.xcodeproj/project.pbxproj
+sed -i '' 's/<string>LG57TUQ726.ci.not.rune<\/string>/<string>LG57TUQ726.ci.not.rune.appstore<\/string>/g' macos/Runner/Release.entitlements
+
+flutter pub get
+rinf message
+cd macos
+pod update
+cd ..
+flutter build macos --build-number $RUNE_APPSTORE_BUILD_NUMBER --build-name $RUNE_APPSTORE_BUILD_VERSION --release
+chmod -R +x build/macos/Build/Products/Release/Rune.app
+xattr -cr build/macos/Build/Products/Release/Rune.app
+
+# Restore original project.pbxproj
+mv macos/Runner.xcodeproj/project.pbxproj.backup macos/Runner.xcodeproj/project.pbxproj

scripts/macos_2_appstore_build.sh

@@ -8,5 +8,6 @@ cd ..
 rm -rf temp_macos
 mkdir temp_macos
 
-cp -R build/macos/Build/Products/Release/Rune.app temp_macos
-cp macos/Runner/Release.entitlements temp_macos
+ditto build/macos/Build/Products/Release/Rune.app temp_macos/Rune.app
+cp macos/Runner/Release.entitlements temp_macos
+cp ~/Library/MobileDevice/Provisioning\ Profiles/*.provisionprofile temp_macos/Rune.app/Contents/embedded.provisionprofile

scripts/macos_3_prepare_before_sign.sh

@@ -11,7 +11,21 @@ echo "Codesign: ----------------------------"
 # DEVELOPER_ID_APPLICATION_SIGNING_IDENTITY must use Developer ID Application certificate, or app cannot be notarized
 # /usr/bin/codesign --deep --force -s "$DEVELOPER_ID_APPLICATION_SIGNING_IDENTITY" --options runtime player.app -v
 
-/usr/bin/codesign --deep --force -s "$DEVELOPER_ID_APPLICATION_SIGNING_IDENTITY" --entitlements Release.entitlements --options runtime Rune.app -v
+/usr/bin/codesign \
+  --deep \
+  --force \
+  -s "$DEVELOPER_ID_APPLICATION_SIGNING_IDENTITY" \
+  --options runtime \
+  -v \
+  Rune.app
+
+/usr/bin/codesign \
+  --force \
+  -s "$DEVELOPER_ID_APPLICATION_SIGNING_IDENTITY" \
+  --entitlements Release.entitlements \
+  --options runtime \
+  -v \
+  Rune.app
 
 echo "Notarize: ----------------------------"
 

scripts/macos_5_codesign_and_notarize.sh

@@ -0,0 +1,48 @@
+#!/usr/bin/env sh
+
+set -e
+
+cd "$(dirname "$0")"
+cd ..
+cd temp_macos
+
+echo "Codesign: ----------------------------"
+
+/usr/bin/codesign \
+  --deep \
+  --force \
+  -s "$APPLE_DISTRIBUTION_SIGNING_IDENTITY" \
+  --options runtime \
+  -v \
+  Rune.app
+
+/usr/bin/codesign \
+  --force \
+  -s "$APPLE_DISTRIBUTION_SIGNING_IDENTITY" \
+  --entitlements Release.entitlements \
+  --options runtime \
+  -v \
+  Rune.app
+
+echo "Package: ----------------------------"
+
+xcrun productbuild \
+  --sign "$MAC_DEVELOPER_INSTALLER_SIGNING_IDENTITY" \
+  --component Rune.app \
+  /Applications \
+  Rune.pkg
+
+echo "Upload to App Store Connect: ----------------------------"
+
+API_PRIVATE_KEYS_DIR=$RUNNER_TEMP \
+xcrun altool \
+  --upload-package Rune.pkg \
+  --type osx \
+  --apiKey "$APP_STORE_CONNECT_KEYID" \
+  --apiIssuer "$APP_STORE_CONNECT_ISSUER" \
+  --asc-public-id "$APP_STORE_CONNECT_PUBLIC_ID" \
+  --apple-id "$APP_STORE_CONNECT_APP_APPLE_ID" \
+  --bundle-id "ci.not.rune.appstore" \
+  --bundle-short-version-string "$RUNE_APPSTORE_BUILD_VERSION" \
+  --bundle-version "$RUNE_APPSTORE_BUILD_NUMBER" \
+  --verbose