From bf79d6b7e9846a1b49cbf0d95708ca774e3ee359 Mon Sep 17 00:00:00 2001
From: AnoF-Cyber
Date: Fri, 20 Feb 2026 20:46:51 +0530
Subject: [PATCH 01/16] added apple sign for workflow

---
 .github/workflows/build-mac.yml | 109 ++++++++++++++++++++++++++++----
 1 file changed, 98 insertions(+), 11 deletions(-)

diff --git a/.github/workflows/build-mac.yml b/.github/workflows/build-mac.yml
index 1b854af..5b53b4f 100644
--- a/.github/workflows/build-mac.yml
+++ b/.github/workflows/build-mac.yml
@@ -24,12 +24,49 @@ jobs: - name: Create xcconfig files run: | - cd MacOS/ProxyBridge - cp proxybridge-app.xcconfig Signing-Config-app.xcconfig - cp proxybridge-ext.xcconfig Signing-Config-ext.xcconfig - sed -i '' 's/DEVELOPMENT_TEAM = L.*/DEVELOPMENT_TEAM = /' Signing-Config-app.xcconfig - sed -i '' 's/DEVELOPMENT_TEAM = L.*/DEVELOPMENT_TEAM = /' Signing-Config-ext.xcconfig - + mkdir -p MacOS/ProxyBridge/config + echo "${{ secrets.MACOS_APP_XCCONFIG }}" > MacOS/ProxyBridge/config/Signing-Config-app.xcconfig + echo "${{ secrets.MACOS_EXT_XCCONFIG }}" > MacOS/ProxyBridge/config/Signing-Config-ext.xcconfig + + - name: Install Provisioning Profiles + run: | + mkdir -p ~/Library/MobileDevice/Provisioning\ Profiles + + echo "${{ secrets.MACOS_APP_PROVISION_PROFILE }}" | base64 --decode > /tmp/app.provisionprofile + echo "${{ secrets.MACOS_EXT_PROVISION_PROFILE }}" | base64 --decode > /tmp/ext.provisionprofile + + APP_UUID=$(security cms -D -i /tmp/app.provisionprofile | plutil -extract UUID raw -) + EXT_UUID=$(security cms -D -i /tmp/ext.provisionprofile | plutil -extract UUID raw -) + + cp /tmp/app.provisionprofile ~/Library/MobileDevice/Provisioning\ Profiles/${APP_UUID}.provisionprofile + cp /tmp/ext.provisionprofile ~/Library/MobileDevice/Provisioning\ Profiles/${EXT_UUID}.provisionprofile + + echo "Installed app profile: ${APP_UUID}" + echo "Installed ext profile: ${EXT_UUID}" + + - name: Import Certificate + run: | + # Decode certificate + echo "${{ secrets.MACOS_CERTIFICATE }}" | base64 --decode > /tmp/certificate.p12 + + # Create a temporary keychain + security create-keychain -p "${{ secrets.MACOS_KEYCHAIN_PASSWORD }}" build.keychain + security default-keychain -s build.keychain + security unlock-keychain -p "${{ secrets.MACOS_KEYCHAIN_PASSWORD }}" build.keychain + security set-keychain-settings -t 3600 -u build.keychain + + # Import certificate into the keychain + security import /tmp/certificate.p12 \ + -k build.keychain \ + -P "${{ 
secrets.MACOS_CERTIFICATE_PASSWORD }}" \ + -T /usr/bin/codesign + + # Allow codesign to access the keychain without prompting + security set-key-partition-list -S apple-tool:,apple: -s -k "${{ secrets.MACOS_KEYCHAIN_PASSWORD }}" build.keychain + + # Verify certificate is available + security find-identity -v -p codesigning build.keychain + - name: Build Universal Binary run: | cd MacOS/ProxyBridge 
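Review bot: Every secret in this hunk is expanded by the expression engine straight into the shell text (`echo "${{ secrets.MACOS_APP_XCCONFIG }}" > …`, the `base64 --decode` pipelines, and the `-p`/`-P` arguments to `security`), so a value containing `"`, `$` or a backtick changes the script rather than the data, and a multi-line xcconfig secret is only preserved by accident of the double quotes. Pass each secret through `env:` and reference it as a quoted variable, e.g. `env:` / `  MACOS_APP_XCCONFIG: ${{ secrets.MACOS_APP_XCCONFIG }}` / `run: printf '%s\n' "$MACOS_APP_XCCONFIG" > MacOS/ProxyBridge/config/Signing-Config-app.xcconfig`, and do the same for the keychain and certificate passwords. Log masking still applies to an `env:` value, so nothing is lost on the redaction side. The Build Universal Binary step that closes this hunk continues outside it.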
@@ -40,14 +77,64 @@ jobs: -derivedDataPath build/DerivedData \ ARCHS="arm64 x86_64" \ ONLY_ACTIVE_ARCH=NO \ - CODE_SIGN_IDENTITY="-" \ - CODE_SIGNING_REQUIRED=NO \ - CODE_SIGNING_ALLOWED=NO \ + OTHER_CODE_SIGN_FLAGS="--keychain build.keychain" \ clean build - + - name: Verify Build run: | cd MacOS/ProxyBridge ls -la build/DerivedData/Build/Products/Release/ file build/DerivedData/Build/Products/Release/ProxyBridge.app/Contents/MacOS/ProxyBridge - lipo -archs build/DerivedData/Build/Products/Release/ProxyBridge.app/Contents/MacOS/ProxyBridge \ No newline at end of file + lipo -archs build/DerivedData/Build/Products/Release/ProxyBridge.app/Contents/MacOS/ProxyBridge + # Verify code signature + codesign -dv --verbose=4 build/DerivedData/Build/Products/Release/ProxyBridge.app + + - name: Notarize App + run: | + APP_PATH="MacOS/ProxyBridge/build/DerivedData/Build/Products/Release/ProxyBridge.app" + + # Zip the app for submission + ditto -c -k --keepParent "$APP_PATH" /tmp/ProxyBridge.zip + + # Submit for notarization and wait for result + xcrun notarytool submit /tmp/ProxyBridge.zip \ + --apple-id "${{ secrets.APPLE_ID }}" \ + --password "${{ secrets.APPLE_APP_PASSWORD }}" \ + --team-id "${{ secrets.APPLE_TEAM_ID }}" \ + --wait + + # Staple the notarization ticket to the app + xcrun stapler staple "$APP_PATH" + + # Verify notarization + spctl -a -vvv -t install "$APP_PATH" + + - name: Upload Notarized App + run: | + # Use ditto to zip preserving macOS metadata, symlinks and permissions + ditto -c -k --keepParent \ + "MacOS/ProxyBridge/build/DerivedData/Build/Products/Release/ProxyBridge.app" \ + /tmp/ProxyBridge-macOS.zip + + - name: Upload Notarized App Artifact + uses: actions/upload-artifact@v4 + with: + name: ProxyBridge-macOS + path: /tmp/ProxyBridge-macOS.zip + retention-days: 30 + + - name: Cleanup + if: always() + run: | + # Delete temporary keychain + security delete-keychain build.keychain || true + + # Remove provisioning profiles + rm -f 
~/Library/MobileDevice/Provisioning\ Profiles/*.provisionprofile || true + + # Remove temp cert and profile files + rm -f /tmp/certificate.p12 /tmp/app.provisionprofile /tmp/ext.provisionprofile /tmp/ProxyBridge.zip /tmp/ProxyBridge-macOS.zip || true + + # Remove xcconfig files with sensitive data + rm -f MacOS/ProxyBridge/config/Signing-Config-app.xcconfig || true + rm -f MacOS/ProxyBridge/config/Signing-Config-ext.xcconfig || true \ No newline at end of file From 21714172187d479cfadd845ec0fa6cce8407f1de Mon Sep 17 00:00:00 2001 From: AnoF-Cyber Date: Fri, 20 Feb 2026 20:49:53 +0530 Subject: [PATCH 02/16] fixed workflow --- .github/workflows/build-mac.yml | 9 ++++----- 1 file changed, 4 insertions(+), 5 deletions(-) diff --git a/.github/workflows/build-mac.yml b/.github/workflows/build-mac.yml index 5b53b4f..2d35d64 100644 --- a/.github/workflows/build-mac.yml +++ b/.github/workflows/build-mac.yml @@ -24,9 +24,8 @@ jobs: - name: Create xcconfig files run: | - mkdir -p MacOS/ProxyBridge/config - echo "${{ secrets.MACOS_APP_XCCONFIG }}" > MacOS/ProxyBridge/config/Signing-Config-app.xcconfig - echo "${{ secrets.MACOS_EXT_XCCONFIG }}" > MacOS/ProxyBridge/config/Signing-Config-ext.xcconfig + echo "${{ secrets.MACOS_APP_XCCONFIG }}" > MacOS/ProxyBridge/Signing-Config-app.xcconfig + echo "${{ secrets.MACOS_EXT_XCCONFIG }}" > MacOS/ProxyBridge/Signing-Config-ext.xcconfig - name: Install Provisioning Profiles run: | @@ -136,5 +135,5 @@ jobs: rm -f /tmp/certificate.p12 /tmp/app.provisionprofile /tmp/ext.provisionprofile /tmp/ProxyBridge.zip /tmp/ProxyBridge-macOS.zip || true # Remove xcconfig files with sensitive data - rm -f MacOS/ProxyBridge/config/Signing-Config-app.xcconfig || true - rm -f MacOS/ProxyBridge/config/Signing-Config-ext.xcconfig || true \ No newline at end of file + rm -f MacOS/ProxyBridge/Signing-Config-app.xcconfig || true + rm -f MacOS/ProxyBridge/Signing-Config-ext.xcconfig || true \ No newline at end of file 
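Review bot: The line under `# Verify code signature` in Verify Build runs `codesign -dv --verbose=4`, which only displays the signature and does not validate it, so a broken or unsigned bundle passes this step. Use `codesign --verify --deep --strict --verbose=2 build/DerivedData/Build/Products/Release/ProxyBridge.app` so the step fails on an invalid signature. In Notarize App, `spctl -a -vvv -t install` on an `.app` looks like the package assessment type; for an application bundle I would expect the default execute assessment (`spctl -a -vvv "$APP_PATH"`) — please confirm against the intended check. Cleanup deletes the keychain but never restores the user default that `security default-keychain -s build.keychain` changed; harmless on an ephemeral hosted runner, worth an `|| true`-guarded `security default-keychain -s login.keychain-db` if this ever runs self-hosted.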
From dc246bfc9a06918f26509429b74d288dec4c0ee7 Mon Sep 17 00:00:00 2001 From: AnoF-Cyber Date: Fri, 20 Feb 2026 20:53:49 +0530 Subject: [PATCH 03/16] fixed notarizared error --- .github/workflows/build-mac.yml | 27 ++++++++++++++++++++++++--- 1 file changed, 24 insertions(+), 3 deletions(-) diff --git a/.github/workflows/build-mac.yml b/.github/workflows/build-mac.yml index 2d35d64..bb38406 100644 --- a/.github/workflows/build-mac.yml +++ b/.github/workflows/build-mac.yml @@ -95,12 +95,33 @@ jobs: # Zip the app for submission ditto -c -k --keepParent "$APP_PATH" /tmp/ProxyBridge.zip - # Submit for notarization and wait for result - xcrun notarytool submit /tmp/ProxyBridge.zip \ + # Submit for notarization and wait for result, capture submission ID + SUBMIT_OUTPUT=$(xcrun notarytool submit /tmp/ProxyBridge.zip \ --apple-id "${{ secrets.APPLE_ID }}" \ --password "${{ secrets.APPLE_APP_PASSWORD }}" \ --team-id "${{ secrets.APPLE_TEAM_ID }}" \ - --wait + --wait 2>&1) + + echo "$SUBMIT_OUTPUT" + + # Extract submission ID + SUBMISSION_ID=$(echo "$SUBMIT_OUTPUT" | grep "^ id:" | head -1 | awk '{print $2}') + echo "Submission ID: $SUBMISSION_ID" + + # Always fetch the detailed log from Apple + if [ -n "$SUBMISSION_ID" ]; then + echo "--- Notarization Log ---" + xcrun notarytool log "$SUBMISSION_ID" \ + --apple-id "${{ secrets.APPLE_ID }}" \ + --password "${{ secrets.APPLE_APP_PASSWORD }}" \ + --team-id "${{ secrets.APPLE_TEAM_ID }}" 2>&1 || true + fi + + # Fail if notarization was not accepted + if ! echo "$SUBMIT_OUTPUT" | grep -q "status: Accepted"; then + echo "Notarization failed!" + exit 1 + fi # Staple the notarization ticket to the app xcrun stapler staple "$APP_PATH" From 32b6a8a2238be845124aed4c49cd65aa7a3cf8d6 Mon Sep 17 00:00:00 2001 From: AnoF-Cyber Date: Fri, 20 Feb 2026 20:57:59 +0530 Subject: [PATCH 04/16] fixed timestamp --- .github/workflows/build-mac.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) 
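Review bot: The accept/reject decision now depends on the human-readable layout of `notarytool` output (`grep "^ id:"` and `grep -q "status: Accepted"`), which is not a stable interface; a wording or indentation change in a future Xcode silently turns every run into "Notarization failed!" or, worse, skips the log fetch. `notarytool submit` accepts `--output-format json`, so the id and status can be read as fields instead of greps, e.g. `--wait --output-format json 2>/tmp/notary.err` and then a `plutil`/`jq`-style extraction of `status`. If the text parsing is kept, at least add a comment stating which notarytool version the two patterns were checked against.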
diff --git a/.github/workflows/build-mac.yml b/.github/workflows/build-mac.yml index bb38406..af5ff73 100644 --- a/.github/workflows/build-mac.yml +++ b/.github/workflows/build-mac.yml @@ -76,7 +76,7 @@ jobs: -derivedDataPath build/DerivedData \ ARCHS="arm64 x86_64" \ ONLY_ACTIVE_ARCH=NO \ - OTHER_CODE_SIGN_FLAGS="--keychain build.keychain" \ + OTHER_CODE_SIGN_FLAGS="--keychain build.keychain --timestamp" \ clean build - name: Verify Build From 44fdb75d0231e67ae397f9b39a86f28a76124e3e Mon Sep 17 00:00:00 2001 From: AnoF-Cyber Date: Fri, 20 Feb 2026 21:12:44 +0530 Subject: [PATCH 05/16] added pkg inthe workflow --- .github/workflows/build-mac.yml | 46 ++++++++++++++++++++++++++++++--- 1 file changed, 42 insertions(+), 4 deletions(-) diff --git a/.github/workflows/build-mac.yml b/.github/workflows/build-mac.yml index af5ff73..2a77c68 100644 --- a/.github/workflows/build-mac.yml +++ b/.github/workflows/build-mac.yml 
@@ -54,16 +54,24 @@ jobs: security unlock-keychain -p "${{ secrets.MACOS_KEYCHAIN_PASSWORD }}" build.keychain security set-keychain-settings -t 3600 -u build.keychain - # Import certificate into the keychain + # Import Developer ID Application certificate security import /tmp/certificate.p12 \ -k build.keychain \ -P "${{ secrets.MACOS_CERTIFICATE_PASSWORD }}" \ -T /usr/bin/codesign - # Allow codesign to access the keychain without prompting + # Import Developer ID Installer certificate + echo "${{ secrets.MACOS_INSTALLER_CERTIFICATE }}" | base64 --decode > /tmp/installer.p12 + security import /tmp/installer.p12 \ + -k build.keychain \ + -P "${{ secrets.MACOS_INSTALLER_CERTIFICATE_PASSWORD }}" \ + -T /usr/bin/codesign \ + -T /usr/bin/productsign + + # Allow codesign and productsign to access the keychain without prompting security set-key-partition-list -S apple-tool:,apple: -s -k "${{ secrets.MACOS_KEYCHAIN_PASSWORD }}" build.keychain - # Verify certificate is available + # Verify both certificates are available security find-identity -v -p codesigning build.keychain - name: Build Universal Binary 
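Review bot: The renamed comment `# Verify both certificates are available` is not backed by the command under it: as far as I can tell, Developer ID Installer identities are not listed by `security find-identity -v -p codesigning` (that policy filter only covers code-signing identities), and `find-identity` exits 0 even when it reports zero identities, so a missing or wrongly-imported installer certificate is not caught here and surfaces later as an opaque productsign failure. Replace the single listing with one check per identity that fails the step explicitly, as below.

```yaml
      # Verify both certificates are available. Installer identities are not
      # listed under -p codesigning, so check each one and fail on a miss.
      security find-identity -v -p codesigning build.keychain | grep -q "Developer ID Application" \
        || { echo "Developer ID Application identity not found in build.keychain"; exit 1; }
      security find-identity -v build.keychain | grep -q "Developer ID Installer" \
        || { echo "Developer ID Installer identity not found in build.keychain"; exit 1; }
```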
@@ -129,6 +137,33 @@ jobs: # Verify notarization spctl -a -vvv -t install "$APP_PATH" + - name: Build PKG Installer + run: | + # Create .env for build.sh + { + echo "APPLE_ID=\"${{ secrets.APPLE_ID }}\"" + echo "APPLE_APP_PASSWORD=\"${{ secrets.APPLE_APP_PASSWORD }}\"" + echo "SIGNING_IDENTITY=\"${{ secrets.MACOS_SIGNING_IDENTITY }}\"" + echo "TEAM_ID=\"${{ secrets.APPLE_TEAM_ID }}\"" + } > MacOS/ProxyBridge/.env + + # Copy notarized .app into output/ where build.sh expects it + mkdir -p MacOS/ProxyBridge/output + cp -R MacOS/ProxyBridge/build/DerivedData/Build/Products/Release/ProxyBridge.app \ + MacOS/ProxyBridge/output/ProxyBridge.app + + # Run build script to create, sign and notarize the pkg + cd MacOS/ProxyBridge + chmod +x build.sh + bash build.sh + + - name: Upload PKG Artifact + uses: actions/upload-artifact@v4 + with: + name: ProxyBridge-macOS-Installer + path: MacOS/ProxyBridge/output/ProxyBridge-*.pkg + retention-days: 30 + - name: Upload Notarized App run: | # Use ditto to zip preserving macOS metadata, symlinks and permissions @@ -153,7 +188,10 @@ jobs: rm -f ~/Library/MobileDevice/Provisioning\ Profiles/*.provisionprofile || true # Remove temp cert and profile files - rm -f /tmp/certificate.p12 /tmp/app.provisionprofile /tmp/ext.provisionprofile /tmp/ProxyBridge.zip /tmp/ProxyBridge-macOS.zip || true + rm -f /tmp/certificate.p12 /tmp/installer.p12 /tmp/app.provisionprofile /tmp/ext.provisionprofile /tmp/ProxyBridge.zip /tmp/ProxyBridge-macOS.zip || true + + # Remove .env with sensitive data + rm -f MacOS/ProxyBridge/.env || true # Remove xcconfig files with sensitive data rm -f MacOS/ProxyBridge/Signing-Config-app.xcconfig || true From d38305382791200490abe0a3eb5318e38cb4ca97 Mon Sep 17 00:00:00 2001 From: AnoF-Cyber Date: Fri, 20 Feb 2026 21:20:35 +0530 Subject: [PATCH 06/16] fixed pkg sign error --- .github/workflows/build-mac.yml | 19 ++++--------------- 1 file changed, 4 insertions(+), 15 deletions(-) 
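Review bot: In Build PKG Installer the `chmod +x build.sh` is dead: the script is run as `bash build.sh`, which never consults the execute bit, so either drop the chmod or invoke `./build.sh` and keep it. The step also writes the Apple ID, app password and signing identity into `MacOS/ProxyBridge/.env` and then runs a script from the checkout with them; the always()-cleanup hunk on this line does remove the file, but a one-line comment at the write, `# .env holds Apple credentials for build.sh; removed in Cleanup (always)`, would make that lifecycle explicit to the next editor. Elsewhere the file copies the app with `ditto`; using `cp -R` only here is an avoidable inconsistency.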
diff --git a/.github/workflows/build-mac.yml b/.github/workflows/build-mac.yml index 2a77c68..f03516a 100644 --- a/.github/workflows/build-mac.yml +++ b/.github/workflows/build-mac.yml @@ -71,6 +71,9 @@ jobs: # Allow codesign and productsign to access the keychain without prompting security set-key-partition-list -S apple-tool:,apple: -s -k "${{ secrets.MACOS_KEYCHAIN_PASSWORD }}" build.keychain + # Add build.keychain to the keychain search list so productsign can find the cert + security list-keychains -d user -s build.keychain login.keychain-db + # Verify both certificates are available security find-identity -v -p codesigning build.keychain @@ -164,20 +167,6 @@ jobs: path: MacOS/ProxyBridge/output/ProxyBridge-*.pkg retention-days: 30 - - name: Upload Notarized App - run: | - # Use ditto to zip preserving macOS metadata, symlinks and permissions - ditto -c -k --keepParent \ - "MacOS/ProxyBridge/build/DerivedData/Build/Products/Release/ProxyBridge.app" \ - /tmp/ProxyBridge-macOS.zip - - - name: Upload Notarized App Artifact - uses: actions/upload-artifact@v4 - with: - name: ProxyBridge-macOS - path: /tmp/ProxyBridge-macOS.zip - retention-days: 30 - - name: Cleanup if: always() run: | @@ -188,7 +177,7 @@ jobs: rm -f ~/Library/MobileDevice/Provisioning\ Profiles/*.provisionprofile || true # Remove temp cert and profile files - rm -f /tmp/certificate.p12 /tmp/installer.p12 /tmp/app.provisionprofile /tmp/ext.provisionprofile /tmp/ProxyBridge.zip /tmp/ProxyBridge-macOS.zip || true + rm -f /tmp/certificate.p12 /tmp/installer.p12 /tmp/app.provisionprofile /tmp/ext.provisionprofile /tmp/ProxyBridge.zip || true # Remove .env with sensitive data rm -f MacOS/ProxyBridge/.env || true From 3514db38383a9b80770fcd1d88dbaf2fe788a56e Mon Sep 17 00:00:00 2001 From: AnoF-Cyber Date: Fri, 20 Feb 2026 21:30:04 +0530 Subject: [PATCH 07/16] fixed pkg error --- .github/workflows/build-mac.yml | 11 +++-------- 1 file changed, 3 insertions(+), 8 deletions(-) 
diff --git a/.github/workflows/build-mac.yml b/.github/workflows/build-mac.yml index f03516a..0add704 100644 --- a/.github/workflows/build-mac.yml +++ b/.github/workflows/build-mac.yml @@ -142,20 +142,15 @@ jobs: - name: Build PKG Installer run: | - # Create .env for build.sh - { - echo "APPLE_ID=\"${{ secrets.APPLE_ID }}\"" - echo "APPLE_APP_PASSWORD=\"${{ secrets.APPLE_APP_PASSWORD }}\"" - echo "SIGNING_IDENTITY=\"${{ secrets.MACOS_SIGNING_IDENTITY }}\"" - echo "TEAM_ID=\"${{ secrets.APPLE_TEAM_ID }}\"" - } > MacOS/ProxyBridge/.env + # Write full PKG_ENV secret to .env + echo "${{ secrets.PKG_ENV }}" > MacOS/ProxyBridge/.env # Copy notarized .app into output/ where build.sh expects it mkdir -p MacOS/ProxyBridge/output cp -R MacOS/ProxyBridge/build/DerivedData/Build/Products/Release/ProxyBridge.app \ MacOS/ProxyBridge/output/ProxyBridge.app - # Run build script to create, sign and notarize the pkg + # Run build script — creates, signs and notarizes the pkg cd MacOS/ProxyBridge chmod +x build.sh bash build.sh From 86647b759d3356c3316419d9ba3c4fbdb78f02f2 Mon Sep 17 00:00:00 2001 From: AnoF-Cyber Date: Fri, 20 Feb 2026 21:36:18 +0530 Subject: [PATCH 08/16] fixed syntax error --- .github/workflows/build-mac.yml | 6 ++++-- 1 file changed, 4 insertions(+), 2 deletions(-) diff --git a/.github/workflows/build-mac.yml b/.github/workflows/build-mac.yml index 0add704..6dc4903 100644 --- a/.github/workflows/build-mac.yml +++ b/.github/workflows/build-mac.yml @@ -141,9 +141,11 @@ jobs: spctl -a -vvv -t install "$APP_PATH" - name: Build PKG Installer + env: + PKG_ENV_CONTENT: ${{ secrets.PKG_ENV }} run: | - # Write full PKG_ENV secret to .env - echo "${{ secrets.PKG_ENV }}" > MacOS/ProxyBridge/.env + # Write full PKG_ENV secret to .env via env var to avoid shell parsing issues + printf '%s' "$PKG_ENV_CONTENT" > MacOS/ProxyBridge/.env # Copy notarized .app into output/ where build.sh expects it mkdir -p MacOS/ProxyBridge/output 
From 94e372e2ca4c4359ac679e25709027084428ac89 Mon Sep 17 00:00:00 2001
From: AnoF-Cyber
Date: Fri, 20 Feb 2026 21:41:28 +0530
Subject: [PATCH 09/16] fixed pkg sign error

---
 .github/workflows/build-mac.yml | 46 ++++++++++++++++++++++++++++++---
 1 file changed, 43 insertions(+), 3 deletions(-)

diff --git a/.github/workflows/build-mac.yml b/.github/workflows/build-mac.yml
index 6dc4903..73dca80 100644
--- a/.github/workflows/build-mac.yml
+++ b/.github/workflows/build-mac.yml
@@ -144,19 +144,59 @@ jobs: env: PKG_ENV_CONTENT: ${{ secrets.PKG_ENV }} run: | - # Write full PKG_ENV secret to .env via env var to avoid shell parsing issues - printf '%s' "$PKG_ENV_CONTENT" > MacOS/ProxyBridge/.env + # Write PKG_ENV to .env but strip SIGNING_IDENTITY so build.sh skips signing + # (productsign inside build.sh cannot access build.keychain — we do it below) + printf '%s' "$PKG_ENV_CONTENT" | grep -v "^SIGNING_IDENTITY" > MacOS/ProxyBridge/.env # Copy notarized .app into output/ where build.sh expects it mkdir -p MacOS/ProxyBridge/output cp -R MacOS/ProxyBridge/build/DerivedData/Build/Products/Release/ProxyBridge.app \ MacOS/ProxyBridge/output/ProxyBridge.app - # Run build script — creates, signs and notarizes the pkg + # Run build script — creates the unsigned .pkg only cd MacOS/ProxyBridge chmod +x build.sh bash build.sh + PKG_VERSION="3.2.0" + PKG_UNSIGNED="output/ProxyBridge-v${PKG_VERSION}-Universal-Installer.pkg" + PKG_SIGNED="output/ProxyBridge-v${PKG_VERSION}-Universal-Installer-signed.pkg" + + # Sign pkg with explicit keychain path — no prompting + echo "Signing installer..." + productsign \ + --sign "${{ secrets.MACOS_SIGNING_IDENTITY }}" \ + --keychain ~/Library/Keychains/build.keychain-db \ + "$PKG_UNSIGNED" "$PKG_SIGNED" + mv "$PKG_SIGNED" "$PKG_UNSIGNED" + + # Notarize pkg + echo "Notarizing installer..." + PKG_SUBMIT_OUTPUT=$(xcrun notarytool submit "$PKG_UNSIGNED" \ + --apple-id "${{ secrets.APPLE_ID }}" \ + --password "${{ secrets.APPLE_APP_PASSWORD }}" \ + --team-id "${{ secrets.APPLE_TEAM_ID }}" \ + --wait 2>&1) + + echo "$PKG_SUBMIT_OUTPUT" + + PKG_SUBMISSION_ID=$(echo "$PKG_SUBMIT_OUTPUT" | grep "^ id:" | head -1 | awk '{print $2}') + if [ -n "$PKG_SUBMISSION_ID" ]; then + echo "--- PKG Notarization Log ---" + xcrun notarytool log "$PKG_SUBMISSION_ID" \ + --apple-id "${{ secrets.APPLE_ID }}" \ + --password "${{ secrets.APPLE_APP_PASSWORD }}" \ + --team-id "${{ secrets.APPLE_TEAM_ID }}" 2>&1 || true + fi + + if ! 
echo "$PKG_SUBMIT_OUTPUT" | grep -q "status: Accepted"; then + echo "PKG notarization failed!" + exit 1 + fi + + xcrun stapler staple "$PKG_UNSIGNED" + echo "PKG signed, notarized and stapled successfully" + - name: Upload PKG Artifact uses: actions/upload-artifact@v4 with: From f2d26ce96f0e85558da5f1416c4ebcb88635595f Mon Sep 17 00:00:00 2001 From: AnoF-Cyber Date: Fri, 20 Feb 2026 21:46:36 +0530 Subject: [PATCH 10/16] fixed pkg workflow --- .github/workflows/build-mac.yml | 7 +++++-- 1 file changed, 5 insertions(+), 2 deletions(-) diff --git a/.github/workflows/build-mac.yml b/.github/workflows/build-mac.yml index 73dca80..7f118d1 100644 --- a/.github/workflows/build-mac.yml +++ b/.github/workflows/build-mac.yml @@ -162,11 +162,14 @@ jobs: PKG_UNSIGNED="output/ProxyBridge-v${PKG_VERSION}-Universal-Installer.pkg" PKG_SIGNED="output/ProxyBridge-v${PKG_VERSION}-Universal-Installer-signed.pkg" - # Sign pkg with explicit keychain path — no prompting + # Sign pkg with explicit keychain — no prompting echo "Signing installer..." + # Find actual keychain path and unlock it before productsign + KEYCHAIN_PATH=$(security list-keychains -d user | grep build | tr -d ' "') + echo "Using keychain: $KEYCHAIN_PATH" + security unlock-keychain -p "${{ secrets.MACOS_KEYCHAIN_PASSWORD }}" "$KEYCHAIN_PATH" productsign \ --sign "${{ secrets.MACOS_SIGNING_IDENTITY }}" \ - --keychain ~/Library/Keychains/build.keychain-db \ "$PKG_UNSIGNED" "$PKG_SIGNED" mv "$PKG_SIGNED" "$PKG_UNSIGNED" From 6b159a92f052302d3066cfaed5123b2e57523d38 Mon Sep 17 00:00:00 2001 From: AnoF-Cyber Date: Fri, 20 Feb 2026 21:52:32 +0530 Subject: [PATCH 11/16] pkg sign --- .github/workflows/build-mac.yml | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) diff --git a/.github/workflows/build-mac.yml b/.github/workflows/build-mac.yml index 7f118d1..0665166 100644 --- a/.github/workflows/build-mac.yml +++ b/.github/workflows/build-mac.yml 
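Review bot: `PKG_VERSION="3.2.0"` hard-codes the version that `build.sh` is expected to put in the pkg filename, so the first release with a different `CFBundleShortVersionString` makes `productsign` fail on a missing `$PKG_UNSIGNED` with no hint why. Derive it from the bundle that was just copied, `PKG_VERSION=$(/usr/libexec/PlistBuddy -c 'Print CFBundleShortVersionString' output/ProxyBridge.app/Contents/Info.plist)`, and add `test -f "$PKG_UNSIGNED" || { echo "pkg not found: $PKG_UNSIGNED"; exit 1; }` before signing. After `mv "$PKG_SIGNED" "$PKG_UNSIGNED"` the variable named `PKG_UNSIGNED` holds the signed, then notarized, then stapled package, which misleads on the three later uses; naming it `PKG_PATH` (or signing into the final name directly) would read honestly. The same hard-coded version and naming are copied into the new release-mac.yml hunk at lines 18–22.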
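Review bot: `KEYCHAIN_PATH=$(security list-keychains -d user | grep build | tr -d ' "')` selects by the substring `build`, so any keychain whose path happens to contain that word, or a second match, yields a wrong or multi-line path that is then handed to `unlock-keychain` and (in later hunks) `--keychain`. On a hosted runner there is presumably a single match, but the lookup should be exact and checked: `KEYCHAIN_PATH=$(security list-keychains -d user | grep -F 'build.keychain-db' | head -1 | tr -d ' "')` followed by `[ -n "$KEYCHAIN_PATH" ] || { echo "build keychain not in search list"; exit 1; }`.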
@@ -164,10 +164,12 @@ jobs: # Sign pkg with explicit keychain — no prompting echo "Signing installer..." - # Find actual keychain path and unlock it before productsign KEYCHAIN_PATH=$(security list-keychains -d user | grep build | tr -d ' "') echo "Using keychain: $KEYCHAIN_PATH" security unlock-keychain -p "${{ secrets.MACOS_KEYCHAIN_PASSWORD }}" "$KEYCHAIN_PATH" + # Re-apply partition list here so productsign can access the key without UI prompt + security set-key-partition-list -S apple-tool:,apple: -s \ + -k "${{ secrets.MACOS_KEYCHAIN_PASSWORD }}" "$KEYCHAIN_PATH" productsign \ --sign "${{ secrets.MACOS_SIGNING_IDENTITY }}" \ "$PKG_UNSIGNED" "$PKG_SIGNED" From d84ec2d7736552cca48a6a49d8d11a0d497ac09a Mon Sep 17 00:00:00 2001 From: AnoF-Cyber Date: Fri, 20 Feb 2026 22:01:16 +0530 Subject: [PATCH 12/16] fixed keychain lock --- .github/workflows/build-mac.yml | 5 ++++- 1 file changed, 4 insertions(+), 1 deletion(-) diff --git a/.github/workflows/build-mac.yml b/.github/workflows/build-mac.yml index 0665166..fa8055e 100644 --- a/.github/workflows/build-mac.yml +++ b/.github/workflows/build-mac.yml @@ -52,7 +52,7 @@ jobs: security create-keychain -p "${{ secrets.MACOS_KEYCHAIN_PASSWORD }}" build.keychain security default-keychain -s build.keychain security unlock-keychain -p "${{ secrets.MACOS_KEYCHAIN_PASSWORD }}" build.keychain - security set-keychain-settings -t 3600 -u build.keychain + security set-keychain-settings build.keychain # Import Developer ID Application certificate security import /tmp/certificate.p12 \ 
@@ -170,8 +170,11 @@ jobs: # Re-apply partition list here so productsign can access the key without UI prompt security set-key-partition-list -S apple-tool:,apple: -s \ -k "${{ secrets.MACOS_KEYCHAIN_PASSWORD }}" "$KEYCHAIN_PATH" + # Ensure keychain is unlocked immediately before productsign (no timeout means it stays unlocked) + security unlock-keychain -p "${{ secrets.MACOS_KEYCHAIN_PASSWORD }}" "$KEYCHAIN_PATH" productsign \ --sign "${{ secrets.MACOS_SIGNING_IDENTITY }}" \ + --keychain "$KEYCHAIN_PATH" \ "$PKG_UNSIGNED" "$PKG_SIGNED" mv "$PKG_SIGNED" "$PKG_UNSIGNED" From adb1f8543e5ec8f8dfa7ba0d222cd3e7705089b8 Mon Sep 17 00:00:00 2001 From: AnoF-Cyber Date: Fri, 20 Feb 2026 22:05:35 +0530 Subject: [PATCH 13/16] added -A flag to productsign command for improved keychain access --- .github/workflows/build-mac.yml | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/.github/workflows/build-mac.yml b/.github/workflows/build-mac.yml index fa8055e..577a404 100644 --- a/.github/workflows/build-mac.yml +++ b/.github/workflows/build-mac.yml @@ -66,7 +66,8 @@ jobs: -k build.keychain \ -P "${{ secrets.MACOS_INSTALLER_CERTIFICATE_PASSWORD }}" \ -T /usr/bin/codesign \ - -T /usr/bin/productsign + -T /usr/bin/productsign \ + -A # Allow codesign and productsign to access the keychain without prompting security set-key-partition-list -S apple-tool:,apple: -s -k "${{ secrets.MACOS_KEYCHAIN_PASSWORD }}" build.keychain From 13126e67c61fba64e3aa901f7e797fb1c78281c1 Mon Sep 17 00:00:00 2001 From: AnoF-Cyber Date: Fri, 20 Feb 2026 22:12:18 +0530 Subject: [PATCH 14/16] fixed pkg sign --- .github/workflows/build-mac.yml | 8 ++------ 1 file changed, 2 insertions(+), 6 deletions(-) diff --git a/.github/workflows/build-mac.yml b/.github/workflows/build-mac.yml index 577a404..e77849d 100644 --- a/.github/workflows/build-mac.yml +++ b/.github/workflows/build-mac.yml 
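Review bot: Adding `-A` to `security import` lets any application use the installer private key without a prompt, which makes the `-T /usr/bin/codesign` and `-T /usr/bin/productsign` allow-list on the same command meaningless and widens signing capability to every process on the runner for the life of the keychain; the same flag is added to the application certificate import in the first hunk of line 17. The `set-key-partition-list -S apple-tool:,apple:` call that follows is the supported way to let Apple's tools use the key non-interactively, so it is worth confirming whether `-A` was actually what unblocked productsign before keeping it. If it must stay, record the trade-off at the flag, e.g. `-A  # any app may use the key; accepted because build.keychain is job-scoped and deleted in Cleanup`.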
@@ -58,7 +58,8 @@ jobs: security import /tmp/certificate.p12 \ -k build.keychain \ -P "${{ secrets.MACOS_CERTIFICATE_PASSWORD }}" \ - -T /usr/bin/codesign + -T /usr/bin/codesign \ + -A # Import Developer ID Installer certificate echo "${{ secrets.MACOS_INSTALLER_CERTIFICATE }}" | base64 --decode > /tmp/installer.p12 @@ -168,11 +169,6 @@ jobs: KEYCHAIN_PATH=$(security list-keychains -d user | grep build | tr -d ' "') echo "Using keychain: $KEYCHAIN_PATH" security unlock-keychain -p "${{ secrets.MACOS_KEYCHAIN_PASSWORD }}" "$KEYCHAIN_PATH" - # Re-apply partition list here so productsign can access the key without UI prompt - security set-key-partition-list -S apple-tool:,apple: -s \ - -k "${{ secrets.MACOS_KEYCHAIN_PASSWORD }}" "$KEYCHAIN_PATH" - # Ensure keychain is unlocked immediately before productsign (no timeout means it stays unlocked) - security unlock-keychain -p "${{ secrets.MACOS_KEYCHAIN_PASSWORD }}" "$KEYCHAIN_PATH" productsign \ --sign "${{ secrets.MACOS_SIGNING_IDENTITY }}" \ --keychain "$KEYCHAIN_PATH" \ From 3f8c985f00dbce6b95a2359ce0ab57108944571d Mon Sep 17 00:00:00 2001 From: AnoF-Cyber Date: Fri, 20 Feb 2026 22:19:50 +0530 Subject: [PATCH 15/16] added release workflow for mac --- .github/workflows/release-mac.yml | 233 ++++++++++++++++++++++++++++++ 1 file changed, 233 insertions(+) create mode 100644 .github/workflows/release-mac.yml diff --git a/.github/workflows/release-mac.yml b/.github/workflows/release-mac.yml new file mode 100644 index 0000000..24e77f5 --- /dev/null +++ b/.github/workflows/release-mac.yml 
@@ -0,0 +1,233 @@ +name: Release ProxyBridge macOS +permissions: + contents: write + +on: + release: + types: [published, created] + workflow_dispatch: + +jobs: + build-and-release: + runs-on: macos-latest + if: github.event_name == 'release' || (github.event_name == 'workflow_dispatch' && github.actor == github.repository_owner) + + steps: + - name: Checkout code + uses: actions/checkout@v4 + + - name: Set up Xcode + uses: maxim-lobanov/setup-xcode@v1 + with: + xcode-version: latest-stable + + - name: Create xcconfig files + run: | + echo "${{ secrets.MACOS_APP_XCCONFIG }}" > MacOS/ProxyBridge/Signing-Config-app.xcconfig + echo "${{ secrets.MACOS_EXT_XCCONFIG }}" > MacOS/ProxyBridge/Signing-Config-ext.xcconfig + + - name: Install Provisioning Profiles + run: | + mkdir -p ~/Library/MobileDevice/Provisioning\ Profiles + + echo "${{ secrets.MACOS_APP_PROVISION_PROFILE }}" | base64 --decode > /tmp/app.provisionprofile + echo "${{ secrets.MACOS_EXT_PROVISION_PROFILE }}" | base64 --decode > /tmp/ext.provisionprofile + + APP_UUID=$(security cms -D -i /tmp/app.provisionprofile | plutil -extract UUID raw -) + EXT_UUID=$(security cms -D -i /tmp/ext.provisionprofile | plutil -extract UUID raw -) + + cp /tmp/app.provisionprofile ~/Library/MobileDevice/Provisioning\ Profiles/${APP_UUID}.provisionprofile + cp /tmp/ext.provisionprofile ~/Library/MobileDevice/Provisioning\ Profiles/${EXT_UUID}.provisionprofile + + echo "Installed app profile: ${APP_UUID}" + echo "Installed ext profile: ${EXT_UUID}" + + - name: Import Certificate + run: | + # Decode certificate + echo "${{ secrets.MACOS_CERTIFICATE }}" | base64 --decode > /tmp/certificate.p12 + + # Create a temporary keychain + security create-keychain -p "${{ secrets.MACOS_KEYCHAIN_PASSWORD }}" build.keychain + security default-keychain -s build.keychain + security unlock-keychain -p "${{ secrets.MACOS_KEYCHAIN_PASSWORD }}" build.keychain + security set-keychain-settings build.keychain + + # Import Developer ID Application 
certificate + security import /tmp/certificate.p12 \ + -k build.keychain \ + -P "${{ secrets.MACOS_CERTIFICATE_PASSWORD }}" \ + -T /usr/bin/codesign \ + -A + + # Import Developer ID Installer certificate + echo "${{ secrets.MACOS_INSTALLER_CERTIFICATE }}" | base64 --decode > /tmp/installer.p12 + security import /tmp/installer.p12 \ + -k build.keychain \ + -P "${{ secrets.MACOS_INSTALLER_CERTIFICATE_PASSWORD }}" \ + -T /usr/bin/codesign \ + -T /usr/bin/productsign \ + -A + + # Allow codesign and productsign to access the keychain without prompting + security set-key-partition-list -S apple-tool:,apple: -s -k "${{ secrets.MACOS_KEYCHAIN_PASSWORD }}" build.keychain + + # Add build.keychain to the keychain search list so productsign can find the cert + security list-keychains -d user -s build.keychain login.keychain-db + + # Verify both certificates are available + security find-identity -v -p codesigning build.keychain + + - name: Build Universal Binary + run: | + cd MacOS/ProxyBridge + xcodebuild \ + -project ProxyBridge.xcodeproj \ + -scheme ProxyBridge \ + -configuration Release \ + -derivedDataPath build/DerivedData \ + ARCHS="arm64 x86_64" \ + ONLY_ACTIVE_ARCH=NO \ + OTHER_CODE_SIGN_FLAGS="--keychain build.keychain --timestamp" \ + clean build + + - name: Verify Build + run: | + cd MacOS/ProxyBridge + ls -la build/DerivedData/Build/Products/Release/ + file build/DerivedData/Build/Products/Release/ProxyBridge.app/Contents/MacOS/ProxyBridge + lipo -archs build/DerivedData/Build/Products/Release/ProxyBridge.app/Contents/MacOS/ProxyBridge + # Verify code signature + codesign -dv --verbose=4 build/DerivedData/Build/Products/Release/ProxyBridge.app + + - name: Notarize App + run: | + APP_PATH="MacOS/ProxyBridge/build/DerivedData/Build/Products/Release/ProxyBridge.app" + + # Zip the app for submission + ditto -c -k --keepParent "$APP_PATH" /tmp/ProxyBridge.zip + + # Submit for notarization and wait for result, capture submission ID + SUBMIT_OUTPUT=$(xcrun notarytool 
submit /tmp/ProxyBridge.zip \ + --apple-id "${{ secrets.APPLE_ID }}" \ + --password "${{ secrets.APPLE_APP_PASSWORD }}" \ + --team-id "${{ secrets.APPLE_TEAM_ID }}" \ + --wait 2>&1) + + echo "$SUBMIT_OUTPUT" + + # Extract submission ID + SUBMISSION_ID=$(echo "$SUBMIT_OUTPUT" | grep "^ id:" | head -1 | awk '{print $2}') + echo "Submission ID: $SUBMISSION_ID" + + # Always fetch the detailed log from Apple + if [ -n "$SUBMISSION_ID" ]; then + echo "--- Notarization Log ---" + xcrun notarytool log "$SUBMISSION_ID" \ + --apple-id "${{ secrets.APPLE_ID }}" \ + --password "${{ secrets.APPLE_APP_PASSWORD }}" \ + --team-id "${{ secrets.APPLE_TEAM_ID }}" 2>&1 || true + fi + + # Fail if notarization was not accepted + if ! echo "$SUBMIT_OUTPUT" | grep -q "status: Accepted"; then + echo "Notarization failed!" + exit 1 + fi + + # Staple the notarization ticket to the app + xcrun stapler staple "$APP_PATH" + + # Verify notarization + spctl -a -vvv -t install "$APP_PATH" + + - name: Build PKG Installer + env: + PKG_ENV_CONTENT: ${{ secrets.PKG_ENV }} + run: | + # Write PKG_ENV to .env but strip SIGNING_IDENTITY so build.sh skips signing + # (productsign inside build.sh cannot access build.keychain — we do it below) + printf '%s' "$PKG_ENV_CONTENT" | grep -v "^SIGNING_IDENTITY" > MacOS/ProxyBridge/.env + + # Copy notarized .app into output/ where build.sh expects it + mkdir -p MacOS/ProxyBridge/output + cp -R MacOS/ProxyBridge/build/DerivedData/Build/Products/Release/ProxyBridge.app \ + MacOS/ProxyBridge/output/ProxyBridge.app + + # Run build script — creates the unsigned .pkg only + cd MacOS/ProxyBridge + chmod +x build.sh + bash build.sh + + PKG_VERSION="3.2.0" + PKG_UNSIGNED="output/ProxyBridge-v${PKG_VERSION}-Universal-Installer.pkg" + PKG_SIGNED="output/ProxyBridge-v${PKG_VERSION}-Universal-Installer-signed.pkg" + + # Sign pkg with explicit keychain — no prompting + echo "Signing installer..." 
+ KEYCHAIN_PATH=$(security list-keychains -d user | grep build | tr -d ' "') + echo "Using keychain: $KEYCHAIN_PATH" + security unlock-keychain -p "${{ secrets.MACOS_KEYCHAIN_PASSWORD }}" "$KEYCHAIN_PATH" + productsign \ + --sign "${{ secrets.MACOS_SIGNING_IDENTITY }}" \ + --keychain "$KEYCHAIN_PATH" \ + "$PKG_UNSIGNED" "$PKG_SIGNED" + mv "$PKG_SIGNED" "$PKG_UNSIGNED" + + # Notarize pkg + echo "Notarizing installer..." + PKG_SUBMIT_OUTPUT=$(xcrun notarytool submit "$PKG_UNSIGNED" \ + --apple-id "${{ secrets.APPLE_ID }}" \ + --password "${{ secrets.APPLE_APP_PASSWORD }}" \ + --team-id "${{ secrets.APPLE_TEAM_ID }}" \ + --wait 2>&1) + + echo "$PKG_SUBMIT_OUTPUT" + + PKG_SUBMISSION_ID=$(echo "$PKG_SUBMIT_OUTPUT" | grep "^ id:" | head -1 | awk '{print $2}') + if [ -n "$PKG_SUBMISSION_ID" ]; then + echo "--- PKG Notarization Log ---" + xcrun notarytool log "$PKG_SUBMISSION_ID" \ + --apple-id "${{ secrets.APPLE_ID }}" \ + --password "${{ secrets.APPLE_APP_PASSWORD }}" \ + --team-id "${{ secrets.APPLE_TEAM_ID }}" 2>&1 || true + fi + + if ! echo "$PKG_SUBMIT_OUTPUT" | grep -q "status: Accepted"; then + echo "PKG notarization failed!" 
+ exit 1 + fi + + xcrun stapler staple "$PKG_UNSIGNED" + echo "PKG signed, notarized and stapled successfully" + + - name: Upload PKG to Release + uses: softprops/action-gh-release@v1 + with: + files: MacOS/ProxyBridge/output/ProxyBridge-*.pkg + + - name: Upload PKG Artifact + uses: actions/upload-artifact@v4 + with: + name: ProxyBridge-macOS-Installer + path: MacOS/ProxyBridge/output/ProxyBridge-*.pkg + retention-days: 30 + + - name: Cleanup + if: always() + run: | + # Delete temporary keychain + security delete-keychain build.keychain || true + + # Remove provisioning profiles + rm -f ~/Library/MobileDevice/Provisioning\ Profiles/*.provisionprofile || true + + # Remove temp cert and profile files + rm -f /tmp/certificate.p12 /tmp/installer.p12 /tmp/app.provisionprofile /tmp/ext.provisionprofile /tmp/ProxyBridge.zip || true + + # Remove .env with sensitive data + rm -f MacOS/ProxyBridge/.env || true + + # Remove xcconfig files with sensitive data + rm -f MacOS/ProxyBridge/Signing-Config-app.xcconfig || true + rm -f MacOS/ProxyBridge/Signing-Config-ext.xcconfig || true \ No newline at end of file From 15f4f068305db429963d0f0221b4dff3e16d189d Mon Sep 17 00:00:00 2001 From: Sourav Kalal Date: Fri, 20 Feb 2026 22:20:40 +0530 Subject: [PATCH 16/16] fixed windows linux release workflow --- .github/workflows/release-linux.yml | 3 +++ .github/workflows/release-windows.yml | 8 +++----- 2 files changed, 6 insertions(+), 5 deletions(-) diff --git a/.github/workflows/release-linux.yml b/.github/workflows/release-linux.yml index 4e2f9b6..8fe17c6 100644 --- a/.github/workflows/release-linux.yml +++ b/.github/workflows/release-linux.yml @@ -5,6 +5,9 @@ on: types: [published, created] workflow_dispatch: +permissions: + contents: write + jobs: build-and-release: runs-on: ubuntu-latest diff --git a/.github/workflows/release-windows.yml b/.github/workflows/release-windows.yml index cfd1307..6010e8d 100644 --- a/.github/workflows/release-windows.yml 
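Review bot: The new release workflow pulls `maxim-lobanov/setup-xcode@v1` and `softprops/action-gh-release@v1` by mutable major tag in a job that holds Developer ID keys, Apple credentials and `contents: write`; pin third-party actions to a full commit SHA with the version in a trailing comment (`uses: softprops/action-gh-release@<commit-sha>  # v1`) so a retagged release cannot change what runs with those secrets. `on.release.types: [published, created]` will, I believe, fire twice for a release created directly as published, running the whole signing and notarization pipeline and the asset upload twice — `published` alone is the usual choice. `PKG_VERSION="3.2.0"` is hard-coded here too, while a release workflow has the version at hand in the bundle's `Info.plist` or in `github.event.release.tag_name`. Finally, this file repeats almost all of build-mac.yml; a `workflow_call` reusable workflow would keep the two from drifting, which this patch series shows happens in every other commit.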
+++ b/.github/workflows/release-windows.yml @@ -5,6 +5,9 @@ on: types: [published, created] workflow_dispatch: +permissions: + contents: write + jobs: build-and-release: runs-on: self-hosted @@ -14,11 +17,6 @@ jobs: - name: Checkout code uses: actions/checkout@v4 - - name: Setup .NET - uses: actions/setup-dotnet@v4 - with: - dotnet-version: '10.0.x' - - name: Verify WinDivert installation run: | if (Test-Path "C:\WinDivert-2.2.2-A") {