ci: publish signed pkg (#174)

.github/workflows/build.yml

@@ -9,9 +9,6 @@ on:
 permissions:
   contents: write
 
-env:
-  APK_BUILD_DIR: /tmp/build
-
 jobs:
   get-flutter-version:
     runs-on: ubuntu-latest
@@ -33,6 +30,9 @@ jobs:
 
     needs: get-flutter-version
 
+    env:
+      APK_BUILD_DIR: /tmp/build
+
     steps:
       - uses: actions/checkout@v4
 
@@ -119,6 +119,11 @@ jobs:
 
     needs: get-flutter-version
 
+    env:
+      APP_STORE_CONNECT_ISSUER_ID: ${{ secrets.APP_STORE_CONNECT_ISSUER_ID }}
+      APP_STORE_CONNECT_KEY_IDENTIFIER: ${{ secrets.APP_STORE_CONNECT_KEY_IDENTIFIER }}
+      APP_STORE_CONNECT_PRIVATE_KEY: ${{ secrets.APP_STORE_CONNECT_PRIVATE_KEY }}
+
     steps:
       - uses: actions/checkout@v4
 
@@ -169,11 +174,9 @@ jobs:
 
       - name: Dump AuthKey
         if: startsWith(github.ref, 'refs/tags/')
-        uses: timheuer/base64-to-file@v1
-        with:
-          fileName: AuthKey_${{ secrets.APP_STORE_CONNECT_KEY_IDENTIFIER }}.p8
-          fileDir: private_keys
-          encodedString: ${{ secrets.APP_STORE_CONNECT_PRIVATE_KEY_BASE64 }}
+        run: |
+          mkdir private_keys
+          echo $APP_STORE_CONNECT_PRIVATE_KEY > AuthKey_$APP_STORE_CONNECT_KEY_IDENTIFIER.p8
 
       - name: Create IPA
         if: startsWith(github.ref, 'refs/tags/')
@@ -183,21 +186,9 @@ jobs:
           -archivePath ios/Runner.xcarchive
           -exportOptionsPlist ios/ExportOptions.plist
           -allowProvisioningUpdates
-          -authenticationKeyIssuerID ${{ secrets.APP_STORE_CONNECT_ISSUER_ID }}
-          -authenticationKeyID ${{ secrets.APP_STORE_CONNECT_KEY_IDENTIFIER }}
-          -authenticationKeyPath $(pwd)/private_keys/AuthKey_${{ secrets.APP_STORE_CONNECT_KEY_IDENTIFIER }}.p8
-
-      - name: Install codemagic-cli-tools
-        if: startsWith(github.ref, 'refs/tags/')
-        run: pip install codemagic-cli-tools
-
-      - name: Publish IPA
-        if: startsWith(github.ref, 'refs/tags/')
-        run: >
-          app-store-connect publish
-          --testflight
-          --issuer-id ${{ secrets.APP_STORE_CONNECT_ISSUER_ID }}
-          --key-id ${{ secrets.APP_STORE_CONNECT_KEY_IDENTIFIER }}
+          -authenticationKeyIssuerID $APP_STORE_CONNECT_ISSUER_ID
+          -authenticationKeyID $APP_STORE_CONNECT_KEY_IDENTIFIER
+          -authenticationKeyPath $(pwd)/private_keys/AuthKey_$APP_STORE_CONNECT_KEY_IDENTIFIER.p8
 
   build-windows-x64:
     runs-on: windows-latest
@@ -269,9 +260,44 @@ jobs:
 
     needs: get-flutter-version
 
+    env:
+      APP_STORE_CONNECT_ISSUER_ID: ${{ secrets.APP_STORE_CONNECT_ISSUER_ID }}
+      APP_STORE_CONNECT_KEY_IDENTIFIER: ${{ secrets.APP_STORE_CONNECT_KEY_IDENTIFIER }}
+      APP_STORE_CONNECT_PRIVATE_KEY: ${{ secrets.APP_STORE_CONNECT_PRIVATE_KEY }}
+
     steps:
       - uses: actions/checkout@v4
 
+      - name: Dump cert_key
+        run: echo "${{ secrets.CERT_KEY }}" > cert_key
+
+      - name: Install codemagic-cli-tools
+        run: pip install codemagic-cli-tools
+
+      - name: Fetch signing files
+        run: >
+          app-store-connect fetch-signing-files com.poppingmoon.aria
+          --platform MAC_OS
+          --type MAC_APP_STORE
+          --certificate-key=@file:cert_key
+          --create
+
+      - name: Fetch certificates
+        run: >
+          app-store-connect certificates list
+          --type MAC_INSTALLER_DISTRIBUTION
+          --certificate-key=@file:cert_key
+          --save
+
+      - name: Set up keychain
+        run: keychain initialize
+
+      - name: Add certificates
+        run: keychain add-certificates
+
+      - name: Update Xcode project settings
+        run: xcode-project use-profiles
+
       - name: Install Flutter
         uses: subosito/flutter-action@v2
         with:
@@ -311,6 +337,26 @@ jobs:
           files: aria-${{ github.ref_name }}.dmg
           draft: true
 
+      - name: Create package
+        run: |
+          xcrun productbuild \
+            --component build/macos/Build/Products/Release/aria.app \
+            /Applications/ unsigned.pkg
+          INSTALLER_CERT_NAME=$(keychain list-certificates \
+            | jq '[.[]
+              | select(.common_name
+              | contains("Mac Developer Installer"))
+              | .common_name][0]' \
+            | xargs)
+          xcrun productsign \
+            --sign "$INSTALLER_CERT_NAME" \
+            unsigned.pkg \
+            aria-${{ github.ref_name }}.app.pkg
+
+      - name: Publish package
+        if: startsWith(github.ref, 'refs/tags/')
+        run: app-store-connect publish --path aria-${{ github.ref_name }}.app.pkg
+
   build-linux-arm64:
     runs-on: ubuntu-latest
 

macos/Podfile.lock

@@ -112,19 +112,19 @@ SPEC CHECKSUMS:
   connectivity_plus: ddd7f30999e1faaef5967c23d5b6d503d10434db
   flutter_image_compress_macos: c26c3c13ea0f28ae6dea4e139b3292e7729f99f1
   flutter_inappwebview_macos: 9600c9df9fdb346aaa8933812009f8d94304203d
-  flutter_secure_storage_macos: d56e2d218c1130b262bef8b4a7d64f88d7f9c9ea
+  flutter_secure_storage_macos: 59459653abe1adb92abbc8ea747d79f8d19866c9
   FlutterMacOS: 8f6f14fa908a6fb3fba0cd85dbd81ec4b251fb24
   gal: 61e868295d28fe67ffa297fae6dacebf56fd53e1
   image_editor_common: 1b11f59fad8909bafcdaa0f31cc9373425b58600
   just_audio: 9b67ca7b97c61cfc9784ea23cd8cc55eb226d489
   OrderedSet: aaeb196f7fef5a9edf55d89760da9176ad40b93c
   package_info_plus: fa739dd842b393193c5ca93c26798dff6e3d0e0c
-  path_provider_foundation: 3784922295ac71e43754bd15e0653ccfd36a147c
+  path_provider_foundation: 2b6b4c569c0fb62ec74538f866245ac84301af46
   share_plus: 36537c04ce0c3e3f5bd297ce4318b6d5ee5fd6cf
-  shared_preferences_foundation: b4c3b4cddf1c21f02770737f147a3f5da9d39695
+  shared_preferences_foundation: fcdcbc04712aee1108ac7fda236f363274528f78
   sqflite: 673a0e54cc04b7d6dba8d24fb8095b31c3a99eec
-  url_launcher_macos: d2691c7dd33ed713bf3544850a623080ec693d95
-  video_player_avfoundation: 2b4384f3b157206b5e150a0083cdc0c905d260d3
+  url_launcher_macos: 5f437abeda8c85500ceb03f5c1938a8c5a705399
+  video_player_avfoundation: 7c6c11d8470e1675df7397027218274b6d2360b3
   wakelock_plus: 4783562c9a43d209c458cb9b30692134af456269
 
 PODFILE CHECKSUM: c2e95c8c0fe03c5c57e438583cae4cc732296009

macos/Runner.xcodeproj/project.pbxproj

@@ -567,8 +567,10 @@
 				ASSETCATALOG_COMPILER_APPICON_NAME = AppIcon;
 				CLANG_ENABLE_MODULES = YES;
 				CODE_SIGN_ENTITLEMENTS = Runner/DebugProfile.entitlements;
+				"CODE_SIGN_IDENTITY[sdk=macosx*]" = "Apple Development";
 				CODE_SIGN_STYLE = Automatic;
 				COMBINE_HIDPI_IMAGES = YES;
+				DEVELOPMENT_TEAM = 7P4C63VUYA;
 				INFOPLIST_FILE = Runner/Info.plist;
 				INFOPLIST_KEY_LSApplicationCategoryType = "public.app-category.social-networking";
 				LD_RUNPATH_SEARCH_PATHS = (
@@ -695,8 +697,10 @@
 				ASSETCATALOG_COMPILER_APPICON_NAME = AppIcon;
 				CLANG_ENABLE_MODULES = YES;
 				CODE_SIGN_ENTITLEMENTS = Runner/DebugProfile.entitlements;
+				"CODE_SIGN_IDENTITY[sdk=macosx*]" = "Apple Development";
 				CODE_SIGN_STYLE = Automatic;
 				COMBINE_HIDPI_IMAGES = YES;
+				DEVELOPMENT_TEAM = 7P4C63VUYA;
 				INFOPLIST_FILE = Runner/Info.plist;
 				INFOPLIST_KEY_LSApplicationCategoryType = "public.app-category.social-networking";
 				LD_RUNPATH_SEARCH_PATHS = (
@@ -717,8 +721,10 @@
 				ASSETCATALOG_COMPILER_APPICON_NAME = AppIcon;
 				CLANG_ENABLE_MODULES = YES;
 				CODE_SIGN_ENTITLEMENTS = Runner/Release.entitlements;
+				"CODE_SIGN_IDENTITY[sdk=macosx*]" = "Apple Development";
 				CODE_SIGN_STYLE = Automatic;
 				COMBINE_HIDPI_IMAGES = YES;
+				DEVELOPMENT_TEAM = 7P4C63VUYA;
 				INFOPLIST_FILE = Runner/Info.plist;
 				INFOPLIST_KEY_LSApplicationCategoryType = "public.app-category.social-networking";
 				LD_RUNPATH_SEARCH_PATHS = (

macos/Runner/DebugProfile.entitlements

@@ -10,5 +10,7 @@
 	<true/>
 	<key>com.apple.security.network.server</key>
 	<true/>
+	<key>keychain-access-groups</key>
+	<array/>
 </dict>
 </plist>

macos/Runner/Release.entitlements

@@ -8,5 +8,7 @@
 	<true/>
 	<key>com.apple.security.network.server</key>
 	<true/>
+	<key>keychain-access-groups</key>
+	<array/>
 </dict>
 </plist>