Re: Codesigning pain, god it hurts!

[Jonathan Mitchell]

> On 18 May 2016, at 04:29, Quincey Morris 
> <quinceymor...@rivergatesoftware.com> wrote:
> 
> Yes, it’s awful.
> 
I agree. Screwing it up is easy.
I use the following project archive scheme post action script to run a 
Gatekeeper security check on archive builds.
This provides decent confirmation that all is well.

 if [ "${CONFIGURATION}" == "Release" ]; then

    # xcode post build build/archive cannot directly return or log error 
conditions but we can:
    # 1. put up a dialog
    # 2. post a notification
    # 3. say someting
    # 4. write to the syslog
    # 5. write to a file and open the file

    # Execute a project folder script.
    # Note that Git checkout may mutate the execute permissions
    #${PROJECT_DIR}/${PROJECT_NAME}/script.sh

    # audible feedback
    say "Processing post action script for ${PROJECT_NAME}"

    # show avaiable vars - helps a lot when debugging
    SHOW_EXPORTS=0
    if [ $SHOW_EXPORTS -eq 1 ]; then
        OUT_FILE="${HOME}/Desktop/${PROJECT_NAME}-xcode-post-action-exports.txt"
        rm "${OUT_FILE}"
        export -p > "${OUT_FILE}"
        open "${OUT_FILE}"
    fi

    # make archived app path
    APP_PATH="${ARCHIVE_PRODUCTS_PATH}/Applications/${EXECUTABLE_PATH}"

    # update syslog
    syslog -s -l Error "xcode-post-action APP_PATH = ${APP_PATH}"

    # do Gatekeeper security check
    spctl -vvvvv --assess --type execute "${APP_PATH}"
    SPCTL_OUT=$?

    # output result
    syslog -s -l Error "xcode-post-action spctl result code = $SPCTL_OUT"
    if [ $SPCTL_OUT -eq 0 ]; then
        say "Gatekeeper security check passed for ${PROJECT_NAME}"
        osascript -e 'display notification "Gatekeeper security check passed" 
with title "Archive Security Check"'
    else
    say "Gatekeeper security check faile for ${PROJECT_NAME}"
        osascript -e 'tell app "Xcode" to display dialog "Security failure: 
spctl rejected app and Gatekeeper will too." buttons {"Okay"} default button 
"Okay"'
    fi
fi
_______________________________________________

Cocoa-dev mailing list (Cocoa-dev@lists.apple.com)

Please do not post admin requests or moderator comments to the list.
Contact the moderators at cocoa-dev-admins(at)lists.apple.com

Help/Unsubscribe/Update your Subscription:
https://lists.apple.com/mailman/options/cocoa-dev/archive%40mail-archive.com

This email sent to arch...@mail-archive.com