From 1d7e907c87fed146dc4f8b6b2d6eddfd6370f389 Mon Sep 17 00:00:00 2001
From: Pompurin404 <pompurin404@mihomo.party>
Date: Sun, 12 Jan 2025 21:02:54 +0800
Subject: [PATCH] try to sign pkg

---
 .github/workflows/build.yml | 40 +++++++++++++++++++++++++++++++++++--
 1 file changed, 38 insertions(+), 2 deletions(-)

diff --git a/.github/workflows/build.yml b/.github/workflows/build.yml
index e37adc9..f7a3eb4 100644
--- a/.github/workflows/build.yml
+++ b/.github/workflows/build.yml
@@ -209,12 +209,29 @@ jobs:
           APPLE_APP_SPECIFIC_PASSWORD: ${{ secrets.APPLE_APP_SPECIFIC_PASSWORD }}
           APPLE_TEAM_ID: ${{ secrets.APPLE_TEAM_ID }}
           CSC_LINK: ${{ secrets.CSC_LINK }}
-          CSC_INSTALLER_LINK: ${{ secrets.CSC_LINK }}
           CSC_KEY_PASSWORD: ${{ secrets.CSC_KEY_PASSWORD }}
-          CSC_INSTALLER_KEY_PASSWORD: ${{ secrets.CSC_KEY_PASSWORD }}
         run: |
           chmod +x build/pkg-scripts/postinstall
           pnpm build:mac --${{ matrix.arch }}
+      - name: Setup temporary installer signing keychain
+        uses: apple-actions/import-codesign-certs@v3
+        with:
+          p12-file-base64: ${{ secrets.CSC_LINK }}
+          p12-password: ${{ secrets.CSC_KEY_PASSWORD }}
+      - name: Sign the Apple pkg
+        run: |
+          for pkg_name in $(ls -1 dist/*.pkg); do
+            pkg_name=$(ls -1 dist/*.pkg)
+            mv $pkg_name Unsigned-Workbench.pkg
+            productsign --sign "Developer ID Installer: Prometheus Advertising Corp (489PDK5LP3)" Unsigned-Workbench.pkg $pkg_name
+            rm -f Unsigned-Workbench.pkg
+            xcrun notarytool submit $pkg_name --apple-id $APPLE_ID --team-id $APPLE_TEAM_ID --password $APPLE_APP_SPECIFIC_PASSWORD --wait
+          done
+        env:
+          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+          APPLE_APP_SPECIFIC_PASSWORD: ${{ secrets.APPLE_APP_SPECIFIC_PASSWORD }}
+          APPLE_ID: ${{ secrets.APPLE_ID }}
+          APPLE_TEAM_ID: ${{ secrets.APPLE_TEAM_ID }}
       - name: Generate checksums
         run: pnpm checksum .pkg
       - name: Upload Artifacts
@@ -276,6 +293,25 @@ jobs:
           sed -i "" -e "s/macos/catalina/" electron-builder.yml
           chmod +x build/pkg-scripts/postinstall
           pnpm build:mac --${{ matrix.arch }}
+      - name: Setup temporary installer signing keychain
+        uses: apple-actions/import-codesign-certs@v3
+        with:
+          p12-file-base64: ${{ secrets.CSC_LINK }}
+          p12-password: ${{ secrets.CSC_KEY_PASSWORD }}
+      - name: Sign the Apple pkg
+        run: |
+          for pkg_name in $(ls -1 dist/*.pkg); do
+            pkg_name=$(ls -1 dist/*.pkg)
+            mv $pkg_name Unsigned-Workbench.pkg
+            productsign --sign "Developer ID Installer: Prometheus Advertising Corp (489PDK5LP3)" Unsigned-Workbench.pkg $pkg_name
+            rm -f Unsigned-Workbench.pkg
+            xcrun notarytool submit $pkg_name --apple-id $APPLE_ID --team-id $APPLE_TEAM_ID --password $APPLE_APP_SPECIFIC_PASSWORD --wait
+          done
+        env:
+          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+          APPLE_APP_SPECIFIC_PASSWORD: ${{ secrets.APPLE_APP_SPECIFIC_PASSWORD }}
+          APPLE_ID: ${{ secrets.APPLE_ID }}
+          APPLE_TEAM_ID: ${{ secrets.APPLE_TEAM_ID }}
       - name: Generate checksums
         run: pnpm checksum .pkg
       - name: Upload Artifacts