macos app签名和公证

签名脚本

function traverseCodesign() {
    targetDir="$1"

    echo "traverseCodesign in dir:$targetDir"
    echo "pwd:$(pwd)"

    # 检查目标目录是否存在
    if [ ! -d "$targetDir" ]; then
        echo "Error: Directory does not exist: $targetDir"
        return 1  # 返回错误码 1 表示目录不存在
    fi

    # 获取当前工作目录的名称
    current_dir=$(basename "${targetDir}")

    # 检查目录名称是否以 .framework 结尾
    if [[ "$current_dir" == *.framework ]]; then
        echo "codesign  ${targetDir}"
        codesign --force --options runtime --timestamp -s "${cert}" "${targetDir}"
        return 0
    fi

    # 进入目标目录
    cd "$targetDir" || return 1  # 如果 cd 失败，也返回错误码 1

    # 遍历当前目录下的所有文件和子目录
    for file in *; do
        # 使用 file 命令获取文件类型描述
        file_type=$(file "${file}")
        if [ -d "$file" ]; then
            # 如果是子目录，递归调用 traverseCodesign
            traverseCodesign "$file"
        # 签名动态库、静态库、可执行文件，其他文件不需要签名
        elif [[ "$file_type" =~ "Mach-O dynamically linked shared library" ]] || \
           [[ "$file_type" =~ "Mach-O 64-bit dynamically linked shared library" ]] || \
           [[ "$file_type" =~ "current ar archive" ]] || \
           [[ "$file_type" =~ "Mach-O executable" ]]; then
            # 移除可能存在的旧签名并重新签名
            codesign --remove-signature "$file" 2>/dev/null
            echo "codesign $file"
            codesign --force --options runtime --timestamp -s "${cert}" "$file"
        fi
    done

    # 返回上一级目录
    cd ..
}


codesign --deep --force --timestamp --options "runtime" -s "${cert}" ${apppath}/Contents/MacOS/appname
codesign --deep --force --timestamp --options "runtime" -s "${cert}" ${apppath}

验证签名是否生效的命令

codesign -vvv --deep ${apppath}
spctl  --verbose=4 --assess --type execute ${apppath}
codesign --verify --verbose ${apppath}

公证脚本

cp -RP name.app Applications
delete_if_exists Applications.zip
zip --symlinks -r -q -X Applications.zip ./Applications
echo "Submitting app for notarization..."
xcrun notarytool submit --apple-id "$USERNAME" --password "$PASSWORD" --team-id "$PROVIDER" --wait Applications.zip 2>&1 | tee tmp

# 检查提交是否成功
if [[ $? -ne 0 ]]; then
    echo "Failed to submit app for notarization."
    cat tmp
    exit 1
fi
echo tmp
# 提取 UUID
UUID=$(cat tmp | grep -Eo '\w{8}-(\w{4}-){3}\w{12}' | head -n 1)
echo "Submission successful. UUID: $UUID"

# 检查公证结果
while true; do
    echo "Checking notarization status..."
    xcrun notarytool info "$UUID" --apple-id "$USERNAME" --password "$PASSWORD" --team-id "$PROVIDER" 2>&1 | tee tmp
    cat tmp
    # 检查输出
    STATUS=$(cat tmp | grep "status" | awk '{print $2}' | tr -d '"')
    echo "Current status: $STATUS"

    if [[ "$STATUS" == "Accepted" ]]; then
        echo "Notarization successful!"
        break
    elif [[ "$STATUS" == "Invalid" ]]; then
        echo "Notarization failed."
        cat tmp
        exit 1
    else
        echo "Notarization not completed yet. Waiting 20 seconds..."
        sleep 20
    fi
done

# Staple 签名
echo "Stapling notarization ticket to app..."
xcrun stapler staple "$APP_NAME"

验证公证是否成功

xcrun stapler validate /path/to/YourApp.app
spctl -a -t open --context context:primary-signature -vvv /path/to/your.app