use different keys for native code signing and app signing

Detailed build instructions including Java, Ant, Brew setup

See merge request i2p-hackers/i2p-jpackage-mac!2

BUILD.md

@@ -26,8 +26,8 @@ and automatically configure your `JAVA_HOME`.
 Currently, bundles are built with OpenJDK 19.
 
 ```sh
-sdk install java 1.19.0-open
-sdk use java 1.19.0-open
+sdk install java 19.0.1-open
+sdk use java 19.0.1-open
 ```
 
 Will automatically set up your OpenJDK 19.
@@ -72,6 +72,7 @@ In order to configure your release environment, you must set the following
 environment variables:
 
  - `I2P_SIGNER` should be the [Apple Developer ID of the signer](https://developer.apple.com/support/developer-id/)
+ - `I2P_CODE_SIGNER` should be the Apple Developer ID for Code Signing of the signer(Usually find this with `security find-identity -v -p codesigning`)
  - `I2P_VERSION` should be the version of the I2P router that you want to use
  - `I2P_BUILD_NUMBER` should be an integer greater than `0`.
 

README.md

@@ -30,10 +30,16 @@ In order to build an AppBundle that can work from anywhere, it is necessary to u
 1. You need an "app-specific password" which you can create at https://appleid.apple.com
 2. Execute 
 ```
-xcrun altool --eval-app --primary-bundle-id net.i2p.router -u <your Apple id> -f <name of the .dmg file>
+xcrun notarytool store-credentials "$AC_PASSWORD"
+               --apple-id "$AC_USERNAME"
+               --team-id "$WWDRTeamID"
+               --password "$secret_2FA_password"
 ```
-This will ask you for the password you generated in step 1 and will return a long UUID string you can use to check the progress.
-
+ - In this example command:
+ - `AC_PASSWORD` is the name of the credentials config.
+ - `AC_USERNAME` is the username of the Apple Account.
+ - `WWDRTeamID` is the developer/team ID available from the Apple Account.
+ - `secret_2FA_Password` is the app-specific password you set up in the first step.
 3. Periodically execute the following to check the progress of the notarisation:
 ```
 xcrun altool --eval-info <the long UUID string> -u <your Apple id>

build.sh

@@ -21,7 +21,6 @@ fi
 
 if [ -z "${I2P_SIGNER}" ]; then
     echo "I2P_SIGNER variable not set, can't sign. Script will terminate after unsigned app-image generation"
-    exit 1
 fi
 
 if [ -z ${I2P_VERSION} ]; then
@@ -67,17 +66,25 @@ cd ..
 echo "compiling native lib"
 cc -v -Wl,-lobjc -mmacosx-version-min=10.9 -I"$JAVA_HOME/include" -I"$JAVA_HOME/include/darwin" -Ic -o build/libMacLauncher.jnilib -shared c/net_i2p_router_MacLauncher.c 
 
-echo "signing jbigi libs"
-mkdir jbigi
-cp $I2P_JARS/jbigi.jar jbigi
-cd jbigi
-unzip jbigi.jar
-for lib in *.jnilib; do
-    codesign --force -s $I2P_SIGNER -v $lib
-    jar uf jbigi.jar $lib
-done
-cp jbigi.jar ../build
-cd ..
+if [ -z $I2P_SIGNER ]; then
+    echo "I2P_SIGNER is unset, not proceeding to sign jbigi libs"
+    cp $I2P_JARS/jbigi.jar build
+else
+    echo "signing jbigi libs"
+    mkdir jbigi
+    cp $I2P_JARS/jbigi.jar jbigi
+    cd jbigi
+    unzip jbigi.jar
+    for lib in *.jnilib; do
+        codesign --force -s $I2P_SIGNER -v $lib
+        jar uf jbigi.jar $lib
+    done
+    cp jbigi.jar ../build
+    cd ..
+fi
+
+
+
 
 I2P_VERSION=$(java -cp build/router.jar net.i2p.router.RouterVersion | sed "s/.*: //" | head -n 1)
 echo "preparing to invoke jpackage for I2P version $I2P_VERSION build $I2P_BUILD_NUMBER"
@@ -127,15 +134,21 @@ if [ -z $I2P_SIGNER ]; then
     exit 0 
 fi
 
-if [ $I2P_SIGNER = signer@mail.i2p]; then
+
+echo "signing the runtime libraries"
+
+if [ $I2P_CODE_SIGNER = signer@mail.i2p ]; then
+    echo "I2P_CODE_SIGNER is unset, not signing dylibs or jnilibs, app will fail notarization"
+else
+    find I2P.app -name *.dylib -exec codesign --force -s $I2P_CODE_SIGNER -v '{}' \;
+    find I2P.app -name *.jnilib -exec codesign --force -s $I2P_CODE_SIGNER -v '{}' \;
+fi
+
+if [ $I2P_SIGNER = signer@mail.i2p ]; then
     echo "I2P_SIGNER is unset, not proceeding to signing phase"
     exit 0 
 fi
 
-echo "signing the runtime libraries"
-find I2P.app -name *.dylib -exec codesign --force -s $I2P_SIGNER -v '{}' \;
-find I2P.app -name *.jnilib -exec codesign --force -s $I2P_SIGNER -v '{}' \;
-
 echo "signing the bundle"
 codesign --force -d --deep -f \
     --options=runtime \

config.sh

@@ -1,5 +1,26 @@
 #! /usr/bin/env sh
 
-I2P_SIGNER=signer@mail.i2p
-I2P_VERSION=2.0.0
-I2P_BUILD_NUMBER=1
+if [ -z $I2P_SIGNER ]; then
+    # This is the team ID of the Apple account associated with the app. It is used to sign the DMG.
+    # it is a unique ID which is a short, random-looking string.
+    I2P_SIGNER=signer@mail.i2p
+fi
+if [ -z $I2P_CODE_SIGNER ]; then
+    # This is the code signing ID of the team associated with the Apple Account. it is used to sign the libraries.
+    # it is a unique ID which is a short, random-looking string.
+    I2P_SIGNER=signer@mail.i2p
+fi
+if [ -z $I2P_VERSION ]; then
+    I2P_VERSION=2.0.0
+fi
+if [ -z $I2P_BUILD_NUMBER ]; then
+    I2P_BUILD_NUMBER=1
+fi
+# Uncomment/Edit this line to include the signer in the config file
+# I2P_SIGNER=signer@mail.i2p
+# Uncomment/Edit this line to include the code signer in the config file
+# I2P_CODE_SIGNER=signer@mail.i2p
+# Uncomment/Edit this line to include the version number in the config file
+# I2P_VERSION=2.0.0
+# Uncomment/Edit this line to include the build number in the config file
+# I2P_BUILD_NUMBER=1