Github Action Pipeline for Deploying Mac App Auto signed

[kcrandall]

I made this github action that will automatically upload your Avalonia UI desktop mac app zip and zip.dsa to s3 so you can distribute it with something like NetSparkle. You will need to add your aws credentials as secrets to github actions as well as apple base64 encoded p12 file and the p12 files password. Below i have directions on how to get the p12 file youll need for this as well.

Youll also need to change this AvaloniaApplication1/AvaloniaApplication1/AvaloniaApplication1.Desktop everywhere i didnt make it an env variable yet.

APPLE_CERTIFICATE: base64 encoded p12 file string
APPLE_CERTIFICATE_PASSWORD: p12 password
APPLE_CERT_NAME: the name on the cert can find this in the keychain on mac or one of the build steps actually prints this out for you. I assume the action could be improved to parse that output and auto set it.
Github Action:

name: Build and Deploy macOS Binary

on:
  workflow_dispatch:
    inputs:
      environment:
        description: 'Deployment Environment'
        required: true
        type: choice
        options:
          - dev
          - int
          - demo
          - stage
          - prod

env:
  APP_NAME: MyApp
  PRIMARY_BUNDLE_ID: "com.domain.app"
  APPLE_TEAM_ID: "YOUR_TEAMID"
  APPLE_CERT_NAME: "Developer ID Application: <NAME> (<YOUR_TEAMID>)"

  
jobs:
  build-and-deploy:
    runs-on: macos-latest
    timeout-minutes: 10

    steps:
    - name: Checkout repository
      uses: actions/checkout@v2

    - name: Setup .NET
      uses: actions/setup-dotnet@v1
      with:
        dotnet-version: '8.0.x'
        # cache: true
        # cache-dependency-path: subdir/packages.lock.json

    - name: Restore dependencies
      run: |
        cd AvaloniaApplication1/AvaloniaApplication1/AvaloniaApplication1.Desktop
        dotnet restore

    - name: Build the app
      run: |
        cd AvaloniaApplication1/AvaloniaApplication1/AvaloniaApplication1.Desktop
        dotnet publish -c Release -r osx-arm64 --self-contained -p:UseAppHost=true

    - name: Prepare packaging script
      run: |
        cd AvaloniaApplication1/AvaloniaApplication1/AvaloniaApplication1.Desktop
        chmod +x ./package-macos-app.sh
        ./package-macos-app.sh
    
    - name: Check if Xcode Command Line Tools are installed
      id: xcode-check
      run: |
        if xcode-select --print-path &>/dev/null; then
          echo "Xcode Command Line Tools are already installed."
          echo "::set-output name=installed::true"
        else
          echo "Xcode Command Line Tools are not installed."
          echo "::set-output name=installed::false"
        fi
  
    - name: Install Xcode Command Line Tools
      if: steps.xcode-check.outputs.installed == 'false'
      run: sudo xcode-select --install
    
    - name: Import Apple Certificate and Key
      env:
        CERTIFICATE_PASSWORD: ${{ secrets.APPLE_CERTIFICATE_PASSWORD }}
      run: |
        echo "${{ secrets.APPLE_CERTIFICATE }}" | base64 --decode > certificate.p12
        security create-keychain -p actions temp.keychain
        security import certificate.p12 -k temp.keychain -P "$CERTIFICATE_PASSWORD" -T /usr/bin/codesign
        security set-key-partition-list -S apple-tool:,apple:,codesign: -s -k actions temp.keychain

    - name: List all certificates in the keychain
      run: security find-identity -v -p codesigning

    - name: Print certificate details
      run: |
        security find-certificate -a -c "${{ env.APPLE_CERT_NAME }}" -Z temp.keychain

    - name: List keychain info
      run: security list-keychains

    - name: Set default keychain
      run: security default-keychain -s temp.keychain

    - name: Unlock keychain
      run: security unlock-keychain -p actions temp.keychain

    - name: List identities again
      run: security find-identity -v -p codesigning
  
    - name: Sign the app
      run: |
        cd AvaloniaApplication1/AvaloniaApplication1/AvaloniaApplication1.Desktop
        codesign --deep --force --verbose --sign "${{ env.APPLE_CERT_NAME }}" ${{ env.APP_NAME }}.app
  
    - name: Verify code signing
      run: |
        cd AvaloniaApplication1/AvaloniaApplication1/AvaloniaApplication1.Desktop
        codesign --verify --verbose --deep ${{ env.APP_NAME }}.app

    # - name: Notarize the app (Optional)
    #   env:
    #     APPLE_ID: ${{ secrets.APPLE_ID }}
    #     APP_SPECIFIC_PASSWORD: ${{ secrets.APP_SPECIFIC_PASSWORD }}
    #   run: |
    #     cd AvaloniaApplication1/AvaloniaApplication1/AvaloniaApplication1.Desktop/bin/Release/net8.0/osx-arm64/publish
    #     xcrun altool --notarize-app --primary-bundle-id "${{ env.PRIMARY_BUNDLE_ID }}" --username "$APPLE_ID" --password "$APP_SPECIFIC_PASSWORD" --file ${{ env.APP_NAME }}.zip
    #     # Add logic to check for notarization status and staple the ticket

    - name: Generate DSA keys
      id: generate-dsa-keys
      run: |
        openssl dsaparam -out dsaparam.pem 2048
        openssl gendsa -out private_key.pem dsaparam.pem
        openssl dsa -in private_key.pem -pubout -out public_key.pem
        PRIVATE_KEY=$(cat private_key.pem | base64 | tr -d '\n')
        PUBLIC_KEY=$(cat public_key.pem | base64 | tr -d '\n')
        echo "::set-output name=PRIVATE_KEY::$PRIVATE_KEY"
        echo "::set-output name=PUBLIC_KEY::$PUBLIC_KEY"

    - name: Create DSA Signature with OpenSSL
      run: |
        cd AvaloniaApplication1/AvaloniaApplication1/AvaloniaApplication1.Desktop
        echo "${{ steps.generate-dsa-keys.outputs.PRIVATE_KEY }}" | base64 --decode > private_key.pem
        echo "${{ steps.generate-dsa-keys.outputs.PUBLIC_KEY }}" | base64 --decode > public_key.pem
        zip -r ${{ env.APP_NAME }}.zip ${{ env.APP_NAME }}.app
        openssl dgst -sha256 -sign private_key.pem -out ${{ env.APP_NAME }}.zip.dsa ${{ env.APP_NAME }}.zip
    
    - name: Simulate App Launch
      run: |
        cd AvaloniaApplication1/AvaloniaApplication1/AvaloniaApplication1.Desktop
        open ${{ env.APP_NAME }}.app &
        sleep 10
        pkill -f ${{ env.APP_NAME }}.app

    - name: Install AWS CLI
      run: |
        curl "https://awscli.amazonaws.com/AWSCLIV2.pkg" -o "AWSCLIV2.pkg"
        sudo installer -pkg AWSCLIV2.pkg -target /    
        
    - name: Configure AWS CLI
      run: |
        aws configure set aws_access_key_id ${{ secrets.AWS_ACCESS_KEY_ID }}
        aws configure set aws_secret_access_key ${{ secrets.AWS_SECRET_ACCESS_KEY }}
        aws configure set default.region us-east-1
  
    - name: Retrieve AWS Account ID
      id: aws-account
      run: echo "::set-output name=id::$(aws sts get-caller-identity --query Account --output text)"

    - name: Upload to S3
      run: |
        cd AvaloniaApplication1/AvaloniaApplication1/AvaloniaApplication1.Desktop
        TIMESTAMP=$(date +"%Y%m%d%H%M")
        aws s3 cp ${{ env.APP_NAME }}.zip s3://${{ env.BUCKET_NAME }}/macos/$TIMESTAMP.zip
        aws s3 cp ${{ env.APP_NAME }}.zip.dsa s3://${{ env.BUCKET_NAME }}/macos/$TIMESTAMP.zip.dsa
      env:
          BUCKET_NAME: ${{ github.event.inputs.environment }}-your-bucket-${{ steps.aws-account.outputs.id }}

How to get developer signing certificate Mac distribution for outside apple:

https://stackoverflow.com/questions/9418661/how-to-create-p12-certificate-for-ios-distribution

Requesting a Certificate Signing Request (CSR)

1. Open Keychain Access:
   • You can find Keychain Access in your Applications > Utilities folder, or you can use Spotlight Search (Cmd + Space) and type Keychain Access.
2. Open Certificate Assistant:
   • In the menu bar at the top of your screen, click on Keychain Access.
   • From the drop-down menu, select Certificate Assistant.
   • From the Certificate Assistant sub-menu, select Request a Certificate from a Certificate Authority....
3. Request Certificate Information:
   • In the Certificate Assistant window, fill in your email address and Common Name. The Common Name is usually your name or the name of your organization.
   • Keep CA Email blank and select “Saved to disk” and “Let me specify key pair information”
   • Choose the option to Save to disk and select Let me specify key pair information if you see that option.
   • Click Continue.
4. Save the CSR:
   • Choose a location to save your CSR file and click Save.
   • You will get a .certSigningRequest file.
     Submitting the CSR to Apple
5. Log in to the Apple Developer Portal:
   • Go to Apple Developer Certificates, Identifiers & Profiles and log in with your Apple ID.
6. Create a Certificate:
   • Click on the “Add” (+) button at the top-right of the main panel
   • Select Developer ID Application and click Continue.
7. Upload the CSR:
   • Click on Choose File and select the .certSigningRequest file you saved earlier.
   • If there is an option pick the G2 Sub-CA
   • Click Continue.
     Install .cer and generate .p12 certificate
8. Find .cer file you’ve downloaded and double-click
9. Set Login drop-down to “login" and Click Add
10. Open up KeyChain Access and you'll find profile created in Step A
11. You can expand “private key” profile (shows certificate you added)
12. Select only these two items (not the public key)
13. Right click and click “Export 2 items…” from popup
14. Now make sure file format is “.p12” and choose filename and destination on your hard drive
15. Click Save. Now, you’ll be prompted to set a password but keep these both blank
16. Click OK. Now, you have a .p12 file on your hard drive

Steps if the keychain doesn’t export to .p12 files (option is greyed out because private key isnt linked to cert):

1. Find the private key in Keychain Access under Login > Keys > “The name you entered in Cert signing request step” download that private key as a .p12 file
2. Remember the password will need it in next step and for everything later on
3. Convert the private key to a .pem file openssl pkcs12 -in private_key.p12 -out private_key.pem -nodes
4. Locate .cert file downloaded from apple website. Convert to .pem file openssl x509 -inform der -in certificate.cer -out certificate.pem
5. Combine both openssl pkcs12 -export -in certificate.pem -inkey private_key.pem -out combined.p12
   • OR /usr/bin/openssl pkcs12 -export -in certificate.pem -inkey private_key.pem -out combined.p12 -passout pass:SimplePassword123
6. (Optional) Base64 encode the p12 file to your clipboard base64 -i combined.p12 | pbcopy
   TIP: if you have multiple versions of open ssl on your computer use /usr/bin/openssl instead of openssl command to use the right one

package-macos-app.sh

#!/bin/bash

# Define variables
APP_NAME="MyApp.app"
ZIP_FILE="MyApp.zip"
PUBLISH_OUTPUT_DIRECTORY="bin/Release/net8.0/osx-arm64/publish"
INFO_PLIST="Info.plist"
ICON_FILE="logo.icns"
# SIGNING_IDENTITY is your Developer ID Application: Your Name (TEAMID)
SIGNING_IDENTITY="Developer ID Application: Your Name (TEAMID)"

# Remove old .app bundle if it exists
if [ -d "$APP_NAME" ]; then
    rm -rf "$APP_NAME"
fi

# Create the .app bundle structure
mkdir -p "$APP_NAME/Contents/MacOS"
mkdir -p "$APP_NAME/Contents/Resources"

# Copy the Info.plist file and the icon
cp "$INFO_PLIST" "$APP_NAME/Contents/Info.plist"
cp "$ICON_FILE" "$APP_NAME/Contents/Resources/logo.icns"

# Copy the published output to the MacOS directory
cp -a "$PUBLISH_OUTPUT_DIRECTORY/." "$APP_NAME/Contents/MacOS"

echo "Packaged $APP_NAME successfully."

# Sign the app
# codesign --deep --force --verbose --sign "$SIGNING_IDENTITY" "$APP_NAME"
# echo "Packaged and signed $APP_NAME successfully."


# Zip the .app bundle
zip -r "$ZIP_FILE" "$APP_NAME"