actually set our codesign ID

only use add_lib.py on onedir
Have PyInstaller sign MacOS binaries
2026-06-21 22:51:37 +00:00 · 2024-09-17 21:50:04 -04:00 · 2024-09-17 21:45:10 -04:00 · 2024-09-17 21:35:47 -04:00
3 changed files with 26 additions and 13 deletions
--- a/.github/workflows/build.yml
+++ b/.github/workflows/build.yml
@@ -538,7 +538,10 @@ jobs:
          fi
          mkdir -p -v "${gampath}"
          if [[ "${RUNNER_OS}" == "macOS" ]]; then
-            # brew OpenSSL gets picked up by PyInstaller breaking our self-compiled version
+            # Tell our gam.spec to use our code sign certificate
+            export codesign_identity="Jay Lee"
+            # brew OpenSSL gets picked up by PyInstaller
+            # breaking our self-compiled version
            brew uninstall --ignore-dependencies openssl
            export gampath=$($PYTHON -c "import os; print(os.path.realpath('$gampath'))")
          elif [[ "${RUNNER_OS}" == "Windows" ]]; then
@@ -608,12 +611,12 @@ jobs:
          rm -v "$gam"
          mv -v "${gam}-staticx" "$gam"

-      - name: MacOS sign GAM binary
-        if: runner.os == 'macOS'
-        run: |
-          security find-identity -v signing_temp.keychain
-          codesign --force --deep --sign "Jay Lee" --options=runtime --entitlements "${GITHUB_WORKSPACE}/.github/actions/entitlements.plist" --timestamp "$gam"
-          codesign -dv --verbose=4 "$gam"
+      #- name: MacOS sign GAM binary
+      #  if: runner.os == 'macOS'
+      #  run: |
+      #    security find-identity -v signing_temp.keychain
+      #    codesign --force --deep --sign "Jay Lee" --options=runtime --entitlements "${GITHUB_WORKSPACE}/.github/actions/entitlements.plist" --timestamp "$gam"
+      #    codesign -dv --verbose=4 "$gam"

      - name: MacOS send GAM binary for Apple notarization
        if: runner.os == 'macOS'
--- a/src/add_lib.py
+++ b/src/add_lib.py
@@ -0,0 +1,6 @@
+import os
+import sys
+
+
+sys.path.append(os.path.join(os.getcwd(), 'lib'))
+sys._MEIPASS=os.path.join(sys._MEIPASS, 'lib')
--- a/src/gam.spec
+++ b/src/gam.spec
@@ -21,7 +21,9 @@ hiddenimports = [
     'gam.gamlib.yubikey',
     ]

-print(f"datas before analysis:\n{datas}")
+runtime_hooks = []
+if getenv('PYINSTALLER_BUILD_ONEDIR') == 'yes':
+    runtime_hooks.append('add_lib.py')
 a = Analysis(
    ['gam/__main__.py'],
    pathex=[],
@@ -30,7 +32,7 @@ a = Analysis(
    hiddenimports=hiddenimports,
    hookspath=[],
    hooksconfig={},
-    runtime_hooks=[],
+    runtime_hooks=runtime_hooks,
    excludes=[],
    win_no_prefer_redirects=False,
    win_private_assemblies=False,
@@ -48,12 +50,16 @@ pyz = PYZ(a.pure,
          cipher=None)
 # requires Python 3.10+ but no one should be compiling
 # GAM with older versions anyway
+target_arch = None
+codesign_identity = None
+entitlements_file = None
 match platform:
    case "darwin":
        if getenv('arch') == 'universal2':
            target_arch = "universal2"
-        else:
-            target_arch = None
+        codesign_identity = getenv('codesign_identity')
+        if codesign_identity:
+            entitlements_file = '../.github/actions/entitlements.plist'
        strip = True
    case "win32":
        target_arch = None
@@ -68,8 +74,6 @@ upx = False
 console = True
 disable_windowed_traceback = False
 argv_emulation = False
-codesign_identity = None
-entitlements_file = None
 if not getenv('PYINSTALLER_BUILD_ONEDIR') == 'yes':
    # Build one file
    exe = EXE(
Author	SHA1	Message	Date
Jay Lee	a33b89788c	actually set our codesign ID	2024-09-17 21:50:04 -04:00
Jay Lee	54f815e503	only use add_lib.py on onedir	2024-09-17 21:45:10 -04:00
Jay Lee	e54d3d274a	Have PyInstaller sign MacOS binaries	2024-09-17 21:35:47 -04:00