From 95094f40193e2b78b8f4846582af97f512d6a037 Mon Sep 17 00:00:00 2001
From: Norihiro Kamae
Date: Sat, 20 Aug 2022 17:34:05 +0900
Subject: [PATCH] cmake(macOS): Sign dependencies first
If the plugin is signed before signing dependencies, errors below are reported by `codesign -vvv --deep --strict`.
```
release/obs-face-tracker.plugin/Contents/MacOS/obs-face-tracker: a sealed resource is missing or invalid
file modified: /Users/user/obs-face-tracker/release/obs-face-tracker.plugin/Contents/lib/libgfortran.5.dylib
file modified: /Users/user/obs-face-tracker/release/obs-face-tracker.plugin/Contents/lib/libquadmath.0.dylib
file modified: /Users/user/obs-face-tracker/release/obs-face-tracker.plugin/Contents/lib/libgcc_s.1.1.dylib
file modified: /Users/user/obs-face-tracker/release/obs-face-tracker.plugin/Contents/lib/libgomp.1.dylib
file modified: /Users/user/obs-face-tracker/release/obs-face-tracker.plugin/Contents/lib/libopenblas.0.dylib
```
Strangely, this error is not reported for the legacy plugin structure.
---
 .github/workflows/main.yml | 8 ++++----
 1 file changed, 4 insertions(+), 4 deletions(-)
diff --git a/.github/workflows/main.yml b/.github/workflows/main.yml
index 0accf35..7af76a5 100644
--- a/.github/workflows/main.yml
+++ b/.github/workflows/main.yml
@@ -246,22 +246,22 @@ jobs: case ${{ matrix.obs }} in 27) files=( - release/${PLUGIN_NAME}/bin/${PLUGIN_NAME}.so $(find release/${PLUGIN_NAME}/ -name '*.dylib') + release/${PLUGIN_NAME}/bin/${PLUGIN_NAME}.so ) ;; 28) files=( - release/${PLUGIN_NAME}.plugin/Contents/MacOS/${PLUGIN_NAME} $(find release/${PLUGIN_NAME}.plugin/ -name '*.dylib') + release/${PLUGIN_NAME}.plugin/Contents/MacOS/${PLUGIN_NAME} ) ;; esac for dylib in "${files[@]}"; do - codesign --remove-signature "$dylib" || true + codesign --force --sign "${{ secrets.MACOS_SIGNING_APPLICATION_IDENTITY }}" "$dylib" done for dylib in "${files[@]}"; do - codesign --sign "${{ secrets.MACOS_SIGNING_APPLICATION_IDENTITY }}" "$dylib" + codesign -vvv --deep --strict "$dylib" done - name: Package
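Review bot: The new signing line splices `${{ secrets.MACOS_SIGNING_APPLICATION_IDENTITY }}` straight into the script text, so the Actions expression engine substitutes the value before bash parses it and any quote, `$` or backtick in the identity is read as shell syntax rather than data. Passing it through the step's `env:` map and signing with `codesign --force --sign "$MACOS_SIGNING_APPLICATION_IDENTITY" "$dylib"` keeps it a plain argument; the step header lies outside this hunk, so the `env:` entry would have to be added there. Separately, the first loop now applies `--force --sign` to every `*.dylib` that `find` returns, which puts the project's identity on whatever libraries were copied into the bundle, so it is worth confirming elsewhere in the workflow that those libraries come from a pinned, verified source. The unquoted `$(find …)` in the context lines will also word-split any path that contains a space.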