actually set our codesign ID

.github/actions/entitlements.plist

@@ -0,0 +1,13 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
+<plist version="1.0">
+<dict>
+        <!-- These are required for binaries built by PyInstaller -->
+        <key>com.apple.security.cs.allow-jit</key>
+        <true/>
+        <key>com.apple.security.cs.allow-unsigned-executable-memory</key>
+        <true/>
+        <key>com.apple.security.cs.disable-library-validation</key>
+        <true/>
+</dict>
+</plist>

.github/workflows/build.yml

@@ -201,6 +201,14 @@ jobs:
           #brew install swig
           #brew install ncurses
 
+      - name: MacOS import developer certificates for signing
+        if: runner.os == 'macOS'
+        uses: apple-actions/import-codesign-certs@v3
+        with:
+          keychain: signing_temp
+          p12-file-base64: ${{ secrets.CERTIFICATES_P12 }}
+          p12-password: ${{ secrets.CERTIFICATES_P12_PASSWORD }}
+
       - name: Windows Configure VCode
         uses: ilammy/msvc-dev-cmd@v1
         if: runner.os == 'Windows' && steps.cache-python-ssl.outputs.cache-hit != 'true'
@@ -530,7 +538,10 @@ jobs:
           fi
           mkdir -p -v "${gampath}"
           if [[ "${RUNNER_OS}" == "macOS" ]]; then
-            # brew OpenSSL gets picked up by PyInstaller breaking our self-compiled version
+            # Tell our gam.spec to use our code sign certificate
+            export codesign_identity="Jay Lee"
+            # brew OpenSSL gets picked up by PyInstaller
+            # breaking our self-compiled version
             brew uninstall --ignore-dependencies openssl
             export gampath=$($PYTHON -c "import os; print(os.path.realpath('$gampath'))")
           elif [[ "${RUNNER_OS}" == "Windows" ]]; then
@@ -596,9 +607,27 @@ jobs:
               ;;
           esac
           echo "ldlib=${ldlib}"
-          $PYTHON -m staticx -l "${ldlib}" "${gam}" "${gam}-staticx"
-          rm -v "${gam}"
-          mv -v "${gam}-staticx" "${gam}"
+          $PYTHON -m staticx -l "${ldlib}" "$gam" "${gam}-staticx"
+          rm -v "$gam"
+          mv -v "${gam}-staticx" "$gam"
+
+      #- name: MacOS sign GAM binary
+      #  if: runner.os == 'macOS'
+      #  run: |
+      #    security find-identity -v signing_temp.keychain
+      #    codesign --force --deep --sign "Jay Lee" --options=runtime --entitlements "${GITHUB_WORKSPACE}/.github/actions/entitlements.plist" --timestamp "$gam"
+      #    codesign -dv --verbose=4 "$gam"
+
+      - name: MacOS send GAM binary for Apple notarization
+        if: runner.os == 'macOS'
+        env:
+          ASP_NOTARIZE: ${{ secrets.ASP_NOTARIZE }}
+        run: |
+          # Apple wants some kind of "package" submitted so just add gam to a .zip
+          # name it something we can track and link in Apple's notarize process
+          zipfilename="./gam-${RUNNER_ARCH}-${GITHUB_RUN_ID}-${GITHUB_RUN_NUMBER}.zip"
+          zip "$zipfilename" "$gam"
+          xcrun notarytool submit --apple-id "jay0lee@gmail.com" --password "$ASP_NOTARIZE" --team-id GZ85H2DRLM "$zipfilename"
 
       - name: Basic Tests all jobs
         id: basictests
@@ -715,7 +744,8 @@ jobs:
           done
           driveid=$($gam user $gam_user add shareddrive "${newbase}" returnidonly)
           echo "Created shared drive ${driveid}"
-          $gam create user $newuser firstname GHA lastname $JID displayname "Github Actions ${JID}" password random ou "${newou}" recoveryphone 12125121110 recoveryemail jay0lee@gmail.com gha.jid $JID languages en+,en-GB-
+          # 9/17/24 - temp create in root due to Google API issues creating users in new OUs
+          $gam create user $newuser firstname GHA lastname $JID displayname "Github Actions ${JID}" password random recoveryphone 12125121110 recoveryemail jay0lee@gmail.com gha.jid $JID languages en+,en-GB- # ou "${newou}"
           $gam user $newuser update photo https://dummyimage.com/400x600/000/fff
           $gam user $newuser get photo
           $gam user $newuser delete photo
@@ -734,7 +764,8 @@ jobs:
           $gam update group $newgroup add owner $gam_user
           $gam update group $newgroup add member $newuser
           $gam config enable_dasa false save
-          $gam create admin $newuser _GROUPS_EDITOR_ROLE CUSTOMER # condition nonsecuritygroup
+          # 9/17/24 temp disable due to Google API sluggishness to see new users for admin commands
+          # $gam create admin $newuser _GROUPS_EDITOR_ROLE CUSTOMER # condition nonsecuritygroup
           $gam create admin $newgroup _HELP_DESK_ADMIN_ROLE org_unit "${newou}"
           $gam config csv_output_row_filter "assignedToUser:regex:${newuser}" print admins | $gam csv - gam delete admin "~roleAssignmentId"
           $gam config csv_output_row_filter "assignedToGroup:regex:${newgroup}" print admins | $gam csv - gam delete admin "~roleAssignmentId"
@@ -858,7 +889,7 @@ jobs:
           echo "printer model count:"
           $gam print printermodels | wc -l
           $gam print printers
-          printerid=$($gam create printer displayname "${newbase}" uri ipp://localhost:631 driverless description "made by $(gam_user)" ou "${newou}" nodetails | awk '{print substr($2, 1, length($2)-1)}')
+          printerid=$($gam create printer displayname "${newbase}" uri ipp://localhost:631 driverless description "made by ${gam_user}" ou "${newou}" nodetails | awk '{print substr($2, 1, length($2)-1)}')
           $gam info printer "$printerid"
           $gam delete printer "$printerid"
           $gam delete ou "${newou}"

README.md

@@ -1,6 +1,6 @@
 GAM is a command line tool for Google Workspace admins to manage domain and user settings quickly and easily.
 
-![Build Status](https://github.com/GAM-team/GAM/workflows/Build%20and%20test%20GAM/badge.svg)
+[![Build StatusM](https://github.com/GAM-team/GAM/actions/workflows/build.yml/badge.svg)](https://github.com/GAM-team/GAM/actions/workflows/build.yml)
 
 # Quick Start
 

src/add_lib.py

@@ -0,0 +1,6 @@
+import os
+import sys
+
+
+sys.path.append(os.path.join(os.getcwd(), 'lib'))
+sys._MEIPASS=os.path.join(sys._MEIPASS, 'lib')

src/gam.spec

@@ -21,7 +21,9 @@ hiddenimports = [
      'gam.gamlib.yubikey',
      ]
 
-print(f"datas before analysis:\n{datas}")
+runtime_hooks = []
+if getenv('PYINSTALLER_BUILD_ONEDIR') == 'yes':
+    runtime_hooks.append('add_lib.py')
 a = Analysis(
     ['gam/__main__.py'],
     pathex=[],
@@ -30,7 +32,7 @@ a = Analysis(
     hiddenimports=hiddenimports,
     hookspath=[],
     hooksconfig={},
-    runtime_hooks=[],
+    runtime_hooks=runtime_hooks,
     excludes=[],
     win_no_prefer_redirects=False,
     win_private_assemblies=False,
@@ -48,12 +50,16 @@ pyz = PYZ(a.pure,
           cipher=None)
 # requires Python 3.10+ but no one should be compiling
 # GAM with older versions anyway
+target_arch = None
+codesign_identity = None
+entitlements_file = None
 match platform:
     case "darwin":
         if getenv('arch') == 'universal2':
             target_arch = "universal2"
-        else:
-            target_arch = None
+        codesign_identity = getenv('codesign_identity')
+        if codesign_identity:
+            entitlements_file = '../.github/actions/entitlements.plist'
         strip = True
     case "win32":
         target_arch = None
@@ -68,8 +74,6 @@ upx = False
 console = True
 disable_windowed_traceback = False
 argv_emulation = False
-codesign_identity = None
-entitlements_file = None
 if not getenv('PYINSTALLER_BUILD_ONEDIR') == 'yes':
     # Build one file
     exe = EXE(