Add documentation and refactor macOS signing workflow

.github/autobuild/mac.sh

@@ -72,16 +72,16 @@ setup() {
 
 prepare_signing() {
     ##  Certificate types in use:
-    # - MACOS_CERTIFICATE - Developer ID Application - for codesigning for adhoc release
+    # - MACOS_CERTIFICATE_DEV_ID_APPLICATION - Developer ID Application - for codesigning for adhoc release
     # - MAC_STORE_APP_CERT - Mac App Distribution - codesigning for App Store submission
-    # - MAC_STORE_INST_CERT - Mac Installer Distribution - for signing installer pkg file for App Store submission
+    # - MACOS_CERTIFICATE_INST_DISTRIBUTION - Mac Installer Distribution - for signing installer pkg file for App Store submission
 
     [[ "${SIGN_IF_POSSIBLE:-0}" == "1" ]] || return 1
 
     # Signing was requested, now check all prerequisites:
-    [[ -n "${MACOS_CERTIFICATE:-}" ]] || return 1
-    [[ -n "${MACOS_CERTIFICATE_ID:-}" ]] || return 1
-    [[ -n "${MACOS_CERTIFICATE_PWD:-}" ]] || return 1
+    [[ -n "${MACOS_CERTIFICATE_DEV_ID_APPLICATION:-}" ]] || return 1
+    [[ -n "${MACOS_CERTIFICATE_DEV_ID_APPLICATION_ID:-}" ]] || return 1
+    [[ -n "${MACOS_CERTIFICATE_DEV_ID_APPLICATION_PWD:-}" ]] || return 1
     [[ -n "${NOTARIZATION_PASSWORD:-}" ]] || return 1
     [[ -n "${KEYCHAIN_PASSWORD:-}" ]] || return 1
 
@@ -97,7 +97,7 @@ prepare_signing() {
     echo "Signing was requested and all dependencies are satisfied"
 
     ## Put the certs to files
-    echo "${MACOS_CERTIFICATE}" | base64 --decode > macos_certificate.p12
+    echo "${MACOS_CERTIFICATE_DEV_ID_APPLICATION}" | base64 --decode > macos_certificate.p12
 
     # If set, put the CA public key into a file
     if [[ -n "${MACOS_CA_PUBLICKEY}" ]]; then
@@ -110,7 +110,7 @@ prepare_signing() {
     # Remove default re-lock timeout to avoid codesign hangs:
     security set-keychain-settings build.keychain
     security unlock-keychain -p "${KEYCHAIN_PASSWORD}" build.keychain
-    security import macos_certificate.p12 -k build.keychain -P "${MACOS_CERTIFICATE_PWD}" -A -T /usr/bin/codesign
+    security import macos_certificate.p12 -k build.keychain -P "${MACOS_CERTIFICATE_DEV_ID_APPLICATION_PWD}" -A -T /usr/bin/codesign
     security set-key-partition-list -S apple-tool:,apple: -s -k "${KEYCHAIN_PASSWORD}" build.keychain
 
     # Tell Github Workflow that we want signing
@@ -138,21 +138,21 @@ prepare_signing() {
         # MAC_STORE_APP_CERT already checked
         [[ -n "${MAC_STORE_APP_CERT_ID:-}" ]] || return 1
         [[ -n "${MAC_STORE_APP_CERT_PWD:-}" ]] || return 1
-        [[ -n "${MAC_STORE_INST_CERT:-}" ]] || return 1
-        [[ -n "${MAC_STORE_INST_CERT_ID:-}" ]] || return 1
-        [[ -n "${MAC_STORE_INST_CERT_PWD:-}" ]] || return 1
+        [[ -n "${MACOS_CERTIFICATE_INST_DISTRIBUTION:-}" ]] || return 1
+        [[ -n "${MACOS_CERTIFICATE_INST_DISTRIBUTION_ID:-}" ]] || return 1
+        [[ -n "${MACOS_CERTIFICATE_INST_DISTRIBUTION_PWD:-}" ]] || return 1
 
         # Put the certs to files
         echo "${MAC_STORE_APP_CERT}" | base64 --decode > macapp_certificate.p12
-        echo "${MAC_STORE_INST_CERT}" | base64 --decode > macinst_certificate.p12
+        echo "${MACOS_CERTIFICATE_INST_DISTRIBUTION}" | base64 --decode > macinst_certificate.p12
 
         echo "App Store distribution dependencies are satisfied, proceeding..."
 
         # Add additional certs to the keychain
         security set-keychain-settings build.keychain
         security unlock-keychain -p "${KEYCHAIN_PASSWORD}" build.keychain
         security import macapp_certificate.p12 -k build.keychain -P "${MAC_STORE_APP_CERT_PWD}" -A -T /usr/bin/codesign
-        security import macinst_certificate.p12 -k build.keychain -P "${MAC_STORE_INST_CERT_PWD}" -A -T /usr/bin/productbuild
+        security import macinst_certificate.p12 -k build.keychain -P "${MACOS_CERTIFICATE_INST_DISTRIBUTION_PWD}" -A -T /usr/bin/productbuild
         security set-key-partition-list -S apple-tool:,apple: -s -k "${KEYCHAIN_PASSWORD}" build.keychain
 
         # Tell Github Workflow that we are building for store submission
@@ -170,7 +170,7 @@ build_app_as_dmg_installer() {
     # Mac's bash version considers BUILD_ARGS unset without at least one entry:
     BUILD_ARGS=("")
     if prepare_signing; then
-        BUILD_ARGS=("-s" "${MACOS_CERTIFICATE_ID}" "-a" "${MAC_STORE_APP_CERT_ID}" "-i" "${MAC_STORE_INST_CERT_ID}" "-k" "${KEYCHAIN_PASSWORD}")
+        BUILD_ARGS=("-s" "${MACOS_CERTIFICATE_DEV_ID_APPLICATION_ID}" "-a" "${MAC_STORE_APP_CERT_ID}" "-i" "${MACOS_CERTIFICATE_INST_DISTRIBUTION_ID}" "-k" "${KEYCHAIN_PASSWORD}")
     fi
     TARGET_ARCHS="${TARGET_ARCHS}" ./mac/deploy_mac.sh "${BUILD_ARGS[@]}"
 }

.github/workflows/autobuild.yml

@@ -360,16 +360,23 @@ jobs:
         id:                         build
         run:                        ${{ matrix.config.base_command }} build
         env:
+          ## Creating certificates
+          #  Generate the certificates from Xcode. You can Manage Certificates in Apple Accounts settings or the Apple Developer account page.
+          #  In Xcode Settings: Right click on Developer ID Application, Mac App Distribution (does not exist, maybe also developer id application??) and Mac Installer Distribution certificates.
+          #  Select "Export Certificate"
+          #  Set a secure password.
+          #  For every certificate, export it as base64 encoded string with `base64 -i certificate.p12`
+          #  Set the certificates based on the variables below
           JAMULUS_BUILD_VERSION:    ${{ needs.create_release.outputs.build_version }}
-          MACOS_CERTIFICATE:        ${{ secrets.MACOS_CERT }} # Base64 encoded Developer ID Application certificate. See https://help.apple.com/xcode/mac/current/#/dev154b28f09
-          MACOS_CERTIFICATE_PWD:    ${{ secrets.MACOS_CERT_PWD }} # Password protecting secrets.MACOS_CERTIFICATE
-          MACOS_CERTIFICATE_ID:     ${{ secrets.MACOS_CERT_ID }} # Certificate ID of secrets.MACOS_CERTIFICATE. If unknown, import secrets.MACOS_CERT into keychain and get the hash via "security find-identity -v"
+          MACOS_CERTIFICATE_DEV_ID_APPLICATION:        ${{ secrets.MACOS_CERT }} # Base64 encoded Developer ID Application certificate. See https://help.apple.com/xcode/mac/current/#/dev154b28f09
+          MACOS_CERTIFICATE_DEV_ID_APPLICATION_PWD:    ${{ secrets.MACOS_CERT_PWD }} # Password protecting secrets.MACOS_CERTIFICATE_DEV_ID_APPLICATION
+          MACOS_CERTIFICATE_DEV_ID_APPLICATION_ID:     ${{ secrets.MACOS_CERT_ID }} # Certificate ID of secrets.MACOS_CERTIFICATE_DEV_ID_APPLICATION. If unknown, import secrets.MACOS_CERT into keychain and get the hash via "security find-identity -v"
+          MACOS_CERTIFICATE_INST_DISTRIBUTION:      ${{ secrets.MACAPP_INST_CERT }} # Base64 encoded Mac Installer Distribution certificate
+          MACOS_CERTIFICATE_INST_DISTRIBUTION_PWD:  ${{ secrets.MACAPP_INST_CERT_PWD }}
+          MACOS_CERTIFICATE_INST_DISTRIBUTION_ID:   ${{ secrets.MACAPP_INST_CERT_ID }}
           MAC_STORE_APP_CERT:       ${{ secrets.MACAPP_CERT }} # Base64 encoded Mac App Distribution certificate
           MAC_STORE_APP_CERT_PWD:   ${{ secrets.MACAPP_CERT_PWD }}
           MAC_STORE_APP_CERT_ID:    ${{ secrets.MACAPP_CERT_ID }}
-          MAC_STORE_INST_CERT:      ${{ secrets.MACAPP_INST_CERT }} # Base64 encoded Mac Installer Distribution certificate
-          MAC_STORE_INST_CERT_PWD:  ${{ secrets.MACAPP_INST_CERT_PWD }}
-          MAC_STORE_INST_CERT_ID:   ${{ secrets.MACAPP_INST_CERT_ID }}
           NOTARIZATION_PASSWORD:    ${{ secrets.NOTARIZATION_PASSWORD }}
           KEYCHAIN_PASSWORD:        ${{ secrets.KEYCHAIN_PASSWORD }}
           MACOS_CA_PUBLICKEY:       ${{ secrets.MACOS_CA_PUBKEY }}