diff --git a/.github/workflows/build-packages.yml b/.github/workflows/build-packages.yml index 1a2e079..fae1468 100644 --- a/.github/workflows/build-packages.yml +++ b/.github/workflows/build-packages.yml @@ -66,7 +66,37 @@ jobs: if: runner.os == 'Linux' run: sudo apt-get install -y fakeroot - # ── 4. Build fat JAR + native installer ────────────────────────────── + # ── 4a. macOS: import Developer ID certificate into a temp keychain ── + # Prérequis : créer un certificat "Developer ID Application" sur + # https://developer.apple.com/account/resources/certificates/add + # (section Software → Developer ID Application), puis l'exporter + # depuis Keychain Access en .p12 (clic droit → Exporter). + # + # Secrets requis (optionnels – DMG non signé si absents) : + # MACOS_CERTIFICATE base64 du .p12 → base64 -i cert.p12 | pbcopy + # MACOS_CERTIFICATE_PWD mot de passe choisi lors de l'export .p12 + - name: Import Developer ID certificate (macOS) + if: runner.os == 'macOS' + env: + MACOS_CERTIFICATE: ${{ secrets.MACOS_CERTIFICATE }} + MACOS_CERTIFICATE_PWD: ${{ secrets.MACOS_CERTIFICATE_PWD }} + run: | + if [[ -z "${MACOS_CERTIFICATE:-}" ]]; then + echo "::notice::MACOS_CERTIFICATE not configured – DMG will be unsigned" + exit 0 + fi + echo "$MACOS_CERTIFICATE" | base64 --decode > /tmp/cert.p12 + security create-keychain -p "" build.keychain + security default-keychain -s build.keychain + security unlock-keychain -p "" build.keychain + security import /tmp/cert.p12 -k build.keychain \ + -P "$MACOS_CERTIFICATE_PWD" \ + -T /usr/bin/codesign \ + -T "$(which jpackage 2>/dev/null || true)" + security set-key-partition-list -S apple-tool:,apple: -s -k "" build.keychain + rm /tmp/cert.p12 + + # ── 4b. Build fat JAR + native installer ───────────────────────────── # The active OS profile (linux / mac / win) is detected automatically # by Maven via activation in pom.xml. # maven_extra_args overrides javafx.platform for the two macOS arches. 
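Review bot: The decoded `.p12` goes to the fixed path `/tmp/cert.p12` and is removed only by the last line of the script, so if `security import` or any earlier command fails (the runner's bash normally runs with `-e`) the private key stays on disk. The temporary keychain is also created and unlocked with an empty password. A hosted runner discards the VM, but on a self-hosted macOS runner both persist after the job. I would write the file under `$RUNNER_TEMP` with `umask 077`, remove it from an `EXIT` trap, and give the keychain a random per-run password, as sketched below. Separately, `-T "$(which jpackage 2>/dev/null || true)"` passes an empty `-T ""` when jpackage is not on PATH, which is worth guarding.

```yaml
        run: |
          # … unchanged: early exit when MACOS_CERTIFICATE is empty …
          umask 077
          P12="$RUNNER_TEMP/cert.p12"
          trap 'rm -f "$P12"' EXIT
          KEYCHAIN_PWD="$(openssl rand -base64 24)"
          echo "$MACOS_CERTIFICATE" | base64 --decode > "$P12"
          security create-keychain -p "$KEYCHAIN_PWD" build.keychain
          security default-keychain -s build.keychain
          security unlock-keychain -p "$KEYCHAIN_PWD" build.keychain
          security import "$P12" -k build.keychain \
            # … unchanged: -P and -T arguments …
          security set-key-partition-list -S apple-tool:,apple: -s -k "$KEYCHAIN_PWD" build.keychain
```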
@@ -85,10 +115,55 @@ jobs: - name: Build and package shell: bash + env: + MACOS_SIGNING_IDENTITY: ${{ secrets.MACOS_SIGNING_IDENTITY }} run: | ARGS="${{ matrix.maven_extra_args }}" [[ -n "${JPACKAGE_APP_VERSION:-}" ]] && ARGS="$ARGS -Djpackage.app.version=$JPACKAGE_APP_VERSION" - mvn package -Ppackage $ARGS --batch-mode + # Enable Developer ID signing on macOS when the secret is configured + SIGN_ARGS=() + if [[ "$RUNNER_OS" == "macOS" ]] && [[ -n "${MACOS_SIGNING_IDENTITY:-}" ]]; then + SIGN_ARGS=(-Pmac-sign "-Djpackage.mac.signing.key=${MACOS_SIGNING_IDENTITY}") + fi + mvn package -Ppackage $ARGS "${SIGN_ARGS[@]}" --batch-mode + + # ── 4c. macOS: notarise and staple the DMG ──────────────────────────── + # Utilise un mot de passe d'app (app-specific password) — différent + # du vrai mot de passe Apple ID, généré sur : + # https://appleid.apple.com → Connexion & sécurité → Mots de passe + # d'app → "+" → nommer "marknote-notary" → copier le mot de passe. + # + # Secrets requis (optionnels – notarisation ignorée si absents) : + # APPLE_ID adresse e-mail du compte Apple Developer + # APPLE_TEAM_ID Team ID (visible sur developer.apple.com/account) + # APPLE_APP_SPECIFIC_PWD mot de passe d'app généré sur appleid.apple.com + - name: Notarize and staple DMG (macOS) + if: runner.os == 'macOS' + env: + APPLE_ID: ${{ secrets.APPLE_ID }} + APPLE_TEAM_ID: ${{ secrets.APPLE_TEAM_ID }} + APPLE_APP_SPECIFIC_PWD: ${{ secrets.APPLE_APP_SPECIFIC_PWD }} + run: | + if [[ -z "${APPLE_APP_SPECIFIC_PWD:-}" ]]; then + echo "::notice::APPLE_APP_SPECIFIC_PWD not configured – skipping notarization" + exit 0 + fi + DMG=$(ls target/dist/*.dmg 2>/dev/null | head -1) + if [[ -z "$DMG" ]]; then + echo "::error::No DMG found in target/dist/ – notarization skipped" + exit 1 + fi + xcrun notarytool submit "$DMG" \ + --apple-id "$APPLE_ID" \ + --team-id "$APPLE_TEAM_ID" \ + --password "$APPLE_APP_SPECIFIC_PWD" \ + --wait + xcrun stapler staple "$DMG" + + # ── 4d. 
Always clean up the temp keychain ──────────────────────────── + - name: Clean up keychain (macOS) + if: always() && runner.os == 'macOS' + run: security delete-keychain build.keychain 2>/dev/null || true # ── 5. Upload installer as workflow artifact ────────────────────────── # Artifact is available in the Actions run page for 90 days. diff --git a/.gitignore b/.gitignore index 2f7896d..946e390 100644 --- a/.gitignore +++ b/.gitignore @@ -1 +1,3 @@ target/ +notarize-poll.sh +notarization-error.log diff --git a/build b/build index f08ad9b..6a4e55d 100755 --- a/build +++ b/build @@ -1,4 +1,5 @@ #!/bin/bash +set -e #---- project parameters project_name=MarkNote project_version=0.1.5 @@ -6,7 +7,18 @@ main_class=Main JARS= JFX_VERSION=25 vendor_name="SNAPGAMES" -author_name="Frédéric Delorme" +author_name="Frédéric Delorme/JB Meyer" +# macOS signing + notarisation (optional) – set via env vars before calling: ./build package +# Signing : export MAC_SIGNING_IDENTITY="Developer ID Application: Nom (TEAMXXXX)" +# Certificat à créer sur developer.apple.com/account/resources/certificates/add +# → Software → Developer ID Application +# Notarisation locale : utilise un profil stocké dans le Keychain via : +# xcrun notarytool store-credentials "marknote-notary" \ +# --apple-id "votre@email.com" --team-id "TEAMXXXX" \ +# --password "xxxx-xxxx-xxxx-xxxx" ← mot de passe d'app (≠ mot de passe Apple ID) +# généré sur https://appleid.apple.com → Connexion & sécurité → Mots de passe d'app +mac_signing_identity="${MAC_SIGNING_IDENTITY:-}" +mac_notary_profile="${MAC_NOTARY_PROFILE:-marknote-notary}" # #--- DO NOT CHANGE THE FOLLOWING LINES --- # 
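Review bot: The three macOS steps are each gated on a different secret, so a partially configured repository fails late instead of skipping cleanly: the import step (previous hunk) keys on `MACOS_CERTIFICATE`, signing here keys on `MACOS_SIGNING_IDENTITY`, and notarization keys only on `APPLE_APP_SPECIFIC_PWD`. With the notary password set but no certificate, an unsigned DMG is submitted; with it set but `APPLE_ID` or `APPLE_TEAM_ID` empty, notarytool is called with empty arguments. The notarize guard should at least be `if [[ -z "${APPLE_ID:-}" || -z "${APPLE_TEAM_ID:-}" || -z "${APPLE_APP_SPECIFIC_PWD:-}" ]]; then`, and ideally it would also skip when signing did not run. The `::error::` text says "notarization skipped" although the step exits 1, which will mislead whoever reads the log. The cleanup step deletes `build.keychain` but leaves it set as the default keychain, which matters only on a persistent runner.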
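Review bot: The usage comment added at the top of `build` shows `notarytool store-credentials` with the app-specific password given as `--password "xxxx-xxxx-xxxx-xxxx"`, which would end up in shell history and the process list if copied as written. As far as I know notarytool prompts for the password when `--password` is omitted with `--apple-id`; if that is confirmed, the comment should drop the argument and add a line such as `# (omit --password: notarytool prompts for the app-specific password)`. The rest of the comment block is fine as documentation.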
@@ -510,11 +522,25 @@ WIN_INSTALL_EOF2 [[ -f "${GENERATED_ICNS}" ]] && JPACKAGE_ICON_OPT=(--icon "${GENERATED_ICNS}") fi + # jpackage requires the first version digit to be >= 1 (e.g. 0.1.5 → 1.1.5) + local JPACKAGE_VERSION="${project_version}" + if [[ "${JPACKAGE_VERSION%%.*}" == "0" ]]; then + JPACKAGE_VERSION="1.${JPACKAGE_VERSION#*.}" + echo " Version ajustée pour jpackage : ${project_version} → ${JPACKAGE_VERSION}" + fi + + # Signing options (optional – set MAC_SIGNING_IDENTITY env var to enable) + local SIGN_OPTS=() + if [[ -n "${mac_signing_identity}" ]]; then + SIGN_OPTS=(--mac-sign --mac-signing-key-user-name "${mac_signing_identity}") + echo " Code signing enabled: ${mac_signing_identity}" + fi + mkdir -p "${TARGET}/dist" jpackage \ --type dmg \ --name "${project_name}" \ - --app-version "${project_version}" \ + --app-version "${JPACKAGE_VERSION}" \ --vendor "${vendor_name}" \ --description "Markdown Note Editor" \ --input "${JPACKAGE_INPUT}" \ @@ -526,7 +552,8 @@ WIN_INSTALL_EOF2 --dest "${TARGET}/dist" \ --mac-package-identifier "com.snapgames.marknote" \ --mac-package-name "${project_name}" \ - "${JPACKAGE_ICON_OPT[@]}" + "${JPACKAGE_ICON_OPT[@]}" \ + "${SIGN_OPTS[@]}" [[ -n "${ICON_TMPDIR}" ]] && rm -rf "${ICON_TMPDIR}" 
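Review bot: Rewriting a leading `0` to `1` means the version embedded in the signed DMG (`1.1.5` in the comment's example) no longer matches `project_version` (`0.1.5`), and it would presumably collide with a genuine 1.1.5 release later. That makes it harder to trace a distributed, notarized artifact back to the source revision it was built from. Consider a mapping that cannot collide with a future real version, or record the original version elsewhere in the bundle. The enclosing function starts and ends outside this hunk.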
@@ -535,6 +562,19 @@ WIN_INSTALL_EOF2 if [[ -f "${DMG_FILE}" ]]; then echo -e "${GREEN}macOS DMG created: ${DMG_FILE}${NC}" echo "Package size: $(du -sh "${DMG_FILE}" | cut -f1)" + # Notarisation (uniquement si signing activé) + if [[ -n "${mac_signing_identity}" ]]; then + echo " Submitting DMG for notarization (keychain-profile: ${mac_notary_profile})..." + if xcrun notarytool submit "${DMG_FILE}" \ + --keychain-profile "${mac_notary_profile}" \ + --wait; then + echo " Notarization successful. Stapling ticket to DMG..." + xcrun stapler staple "${DMG_FILE}" + echo -e "${GREEN} DMG notarisé et agrafé.${NC}" + else + echo -e "${YELLOW} Notarization failed – DMG signé mais non notarisé.${NC}" + fi + fi else echo -e "${YELLOW}Warning: DMG not found – check ${TARGET}/dist/${NC}" ls -lh "${TARGET}/dist/" 2>/dev/null || true diff --git a/libs/common/eddsa-0.3.0.jar b/libs/common/eddsa-0.3.0.jar new file mode 100644 index 0000000..31a271d Binary files /dev/null and b/libs/common/eddsa-0.3.0.jar differ diff --git a/libs/common/javafx-base-24.jar b/libs/common/javafx-base-24.jar deleted file mode 100644 index 05060a9..0000000 Binary files a/libs/common/javafx-base-24.jar and /dev/null differ diff --git a/libs/common/javafx-controls-24.jar b/libs/common/javafx-controls-24.jar deleted file mode 100644 index 1a0c0d9..0000000 Binary files a/libs/common/javafx-controls-24.jar and /dev/null differ diff --git a/libs/common/javafx-fxml-24.jar b/libs/common/javafx-fxml-24.jar deleted file mode 100644 index f949eeb..0000000 Binary files a/libs/common/javafx-fxml-24.jar and /dev/null differ diff --git a/libs/common/javafx-graphics-24.jar b/libs/common/javafx-graphics-24.jar deleted file mode 100644 index c6b3174..0000000 Binary files a/libs/common/javafx-graphics-24.jar and /dev/null differ diff --git a/libs/common/javafx-media-24.jar b/libs/common/javafx-media-24.jar deleted file mode 100644 index 9eb5f00..0000000 Binary files a/libs/common/javafx-media-24.jar and /dev/null differ 
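Review bot: A failed notarization only prints a yellow warning and the code carries on, so `./build package` can still finish successfully with a DMG that is signed but not notarized. By contrast, with the `set -e` this commit adds at the top of the script, a failing `xcrun stapler staple` in the success branch presumably aborts the run. For a release artifact I would make both outcomes fatal, e.g. add `return 1` after the failure message (assuming this is inside a function, whose start and end are outside the hunk), or make the lenient path opt-in through an env var. It is also worth confirming that `notarytool submit --wait` exits non-zero for a rejected submission and not only for transport errors, since the `if` relies on that exit status.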
diff --git a/libs/common/javafx-web-24.jar b/libs/common/javafx-web-24.jar deleted file mode 100644 index 5eed452..0000000 Binary files a/libs/common/javafx-web-24.jar and /dev/null differ diff --git a/libs/common/jcl-over-slf4j-1.7.36.jar b/libs/common/jcl-over-slf4j-1.7.36.jar new file mode 100644 index 0000000..3ecd7d5 Binary files /dev/null and b/libs/common/jcl-over-slf4j-1.7.36.jar differ diff --git a/libs/common/org.eclipse.jgit-7.1.0.202411261347-r.jar b/libs/common/org.eclipse.jgit-7.1.0.202411261347-r.jar new file mode 100644 index 0000000..f9da479 Binary files /dev/null and b/libs/common/org.eclipse.jgit-7.1.0.202411261347-r.jar differ diff --git a/libs/common/org.eclipse.jgit.ssh.apache-7.1.0.202411261347-r.jar b/libs/common/org.eclipse.jgit.ssh.apache-7.1.0.202411261347-r.jar new file mode 100644 index 0000000..ac7fd7e Binary files /dev/null and b/libs/common/org.eclipse.jgit.ssh.apache-7.1.0.202411261347-r.jar differ diff --git a/libs/common/slf4j-api-1.7.36.jar b/libs/common/slf4j-api-1.7.36.jar new file mode 100644 index 0000000..7d3ce68 Binary files /dev/null and b/libs/common/slf4j-api-1.7.36.jar differ diff --git a/libs/common/sshd-osgi-2.14.0.jar b/libs/common/sshd-osgi-2.14.0.jar new file mode 100644 index 0000000..c1f732d Binary files /dev/null and b/libs/common/sshd-osgi-2.14.0.jar differ diff --git a/libs/common/sshd-sftp-2.14.0.jar b/libs/common/sshd-sftp-2.14.0.jar new file mode 100644 index 0000000..565445a Binary files /dev/null and b/libs/common/sshd-sftp-2.14.0.jar differ diff --git a/libs/mac/javafx-base-24-mac.jar b/libs/mac/javafx-base-24-mac-aarch64.jar similarity index 88% rename from libs/mac/javafx-base-24-mac.jar rename to libs/mac/javafx-base-24-mac-aarch64.jar index 1086d5f..ccc542e 100644 Binary files a/libs/mac/javafx-base-24-mac.jar and b/libs/mac/javafx-base-24-mac-aarch64.jar differ 
diff --git a/libs/mac/javafx-controls-24-mac.jar b/libs/mac/javafx-controls-24-mac-aarch64.jar similarity index 90% rename from libs/mac/javafx-controls-24-mac.jar rename to libs/mac/javafx-controls-24-mac-aarch64.jar index e6a1fe1..5a085b3 100644 Binary files a/libs/mac/javafx-controls-24-mac.jar and b/libs/mac/javafx-controls-24-mac-aarch64.jar differ diff --git a/libs/mac/javafx-fxml-24-mac.jar b/libs/mac/javafx-fxml-24-mac-aarch64.jar similarity index 91% rename from libs/mac/javafx-fxml-24-mac.jar rename to libs/mac/javafx-fxml-24-mac-aarch64.jar index 7329551..687977c 100644 Binary files a/libs/mac/javafx-fxml-24-mac.jar and b/libs/mac/javafx-fxml-24-mac-aarch64.jar differ diff --git a/libs/mac/javafx-graphics-24-mac.jar b/libs/mac/javafx-graphics-24-mac-aarch64.jar similarity index 83% rename from libs/mac/javafx-graphics-24-mac.jar rename to libs/mac/javafx-graphics-24-mac-aarch64.jar index 906d045..0f84c58 100644 Binary files a/libs/mac/javafx-graphics-24-mac.jar and b/libs/mac/javafx-graphics-24-mac-aarch64.jar differ diff --git a/libs/mac/javafx-media-24-mac-aarch64.jar b/libs/mac/javafx-media-24-mac-aarch64.jar new file mode 100644 index 0000000..742b2fb Binary files /dev/null and b/libs/mac/javafx-media-24-mac-aarch64.jar differ diff --git a/libs/mac/javafx-media-24-mac.jar b/libs/mac/javafx-media-24-mac.jar deleted file mode 100644 index 1e268a6..0000000 Binary files a/libs/mac/javafx-media-24-mac.jar and /dev/null differ diff --git a/libs/mac/javafx-web-24-mac.jar b/libs/mac/javafx-web-24-mac-aarch64.jar similarity index 72% rename from libs/mac/javafx-web-24-mac.jar rename to libs/mac/javafx-web-24-mac-aarch64.jar index 9b6154e..018cb6e 100644 Binary files a/libs/mac/javafx-web-24-mac.jar and b/libs/mac/javafx-web-24-mac-aarch64.jar differ diff --git a/pom.xml b/pom.xml index c46daee..22dccf4 100644 --- a/pom.xml +++ b/pom.xml @@ -24,7 +24,7 @@ Jean-Baptiste Meyer - unfixed11_scarab@icloud.com + jib@jibstudios.com 
@@ -74,6 +74,9 @@ false false false + + false + + + mac-sign + + true + ${env.MAC_SIGNING_IDENTITY} + + + ${jpackage.bundle.id} ${project.name} + + ${jpackage.mac.sign} + ${jpackage.mac.signing.key}