Fix remaining notarization issues from OpenMS#8486 (OpenMS#8494)

* address coderabbot issues from OpenMS#8486

* Add build.keychain to security list-keychains

Add build.keychain to the list of keychains for code signing.

* Change ctest verbosity level in CI workflow (OpenMS#8497)

* Add productsign to key-partition-list in CI workflow

* Update notarize.sh to include ASC_TEAMID parameter

TEAM_ID is now required even with only one team.

* Add teamID to notarize fix producbuild key permissions

* Add team ID to notarization log fetching

* Initial plan

* Add macOS code signing for thirdparty components for notarization

Co-authored-by: jpfeuffer <8102638+jpfeuffer@users.noreply.github.com>

* Add check for THIRDPARTY directory existence before signing

Co-authored-by: jpfeuffer <8102638+jpfeuffer@users.noreply.github.com>

* Sign each thirdparty component individually for macOS notarization

Co-authored-by: jpfeuffer <8102638+jpfeuffer@users.noreply.github.com>

---------

Co-authored-by: Julianus Pfeuffer <8102638+jpfeuffer@users.noreply.github.com>
Co-authored-by: copilot-swe-agent[bot] <198982749+Copilot@users.noreply.github.com>

Author: 3 people

.github/workflows/openms_ci_matrix_full.yml

@@ -506,12 +506,14 @@ jobs:
         echo $APPLE_CERTIFICATE | base64 --decode > certificate.p12
         echo $INSTALLER_CERTIFICATE | base64 --decode > installer_certificate.p12
         security create-keychain -p "$KEYCHAIN_PASSWORD" build.keychain
+        security list-keychains -d user -s build.keychain
         security default-keychain -s build.keychain
         security unlock-keychain -p "$KEYCHAIN_PASSWORD" build.keychain
         security set-keychain-settings -t 3600 -u build.keychain
-        security import certificate.p12 -k build.keychain -P "$APPLE_CERTIFICATE_PASSWORD" -T /usr/bin/codesign
-        security import installer_certificate.p12 -k build.keychain -P "$INSTALLER_CERTIFICATE_PASSWORD" -T /usr/bin/codesign -T /usr/bin/productsign
-        security set-key-partition-list -S apple-tool:,apple:,codesign: -s -k "$KEYCHAIN_PASSWORD" build.keychain
+        security import certificate.p12 -k build.keychain -P "$APPLE_CERTIFICATE_PASSWORD" -T /usr/bin/codesign -T /usr/bin/productbuild
+        security import installer_certificate.p12 -k build.keychain -P "$INSTALLER_CERTIFICATE_PASSWORD" -T /usr/bin/codesign -T /usr/bin/productsign -T /usr/bin/productbuild
+        security set-key-partition-list -S apple-tool:,apple:,codesign:,productsign:,productbuild: -s -k "$KEYCHAIN_PASSWORD" build.keychain
+        
         echo "=== Available signing identities ==="
         security find-identity -v -p codesigning build.keychain
 
@@ -521,7 +523,7 @@ jobs:
       run: |
           # do not fail immediately
           set +e
-          ${{ steps.set-vars.outputs.xvfb }} ctest --output-on-failure -V -S $GITHUB_WORKSPACE/OpenMS/tools/ci/cipackage.cmake
+          ${{ steps.set-vars.outputs.xvfb }} ctest --output-on-failure -VV -S $GITHUB_WORKSPACE/OpenMS/tools/ci/cipackage.cmake
           retVal=$?
           if [ $retVal -ne 0 ]; then
               echo -e "\033[0;31m Errors in packaging:"
@@ -552,6 +554,7 @@ jobs:
       shell: bash
       env:
         APPLE_APP_SPECIFIC_NOTARIZATION_PASSWORD: ${{ secrets.APPLE_APP_SPECIFIC_NOTARIZATION_PASSWORD }}
+        TEAM_ID: "C64UCGJ5PL"
       run: |
         echo "=== Starting macOS package notarization ==="
         cd $GITHUB_WORKSPACE/OpenMS/bld/
@@ -572,6 +575,7 @@ jobs:
           "de.openms" \
           "apple@openms.de" \
           "APPLE_APP_SPECIFIC_NOTARIZATION_PASSWORD" \
+          "$TEAM_ID" \
           "$GITHUB_WORKSPACE/OpenMS/bld/"
 
         echo "=== Notarization complete ==="

cmake/MacOSX/notarize.sh

@@ -11,20 +11,24 @@
 #   password_env_var - Environment variable name containing app-specific password
 #   log_folder       - Optional: folder for log files (defaults to current directory)
 
+# Exit on error and fail on any error in a pipeline
 set -e
+set -o pipefail
 
 BUNDLE_PKG="$1"
 BUNDLE_ID="$2"
 ASC_USERNAME="$3"
 ASC_PASSWORD_ENVVAR="$4"
-LOG_FOLDER="${5:-.}"
+ASC_TEAMID="$5"
+LOG_FOLDER="${6:-.}"
 
 NOTARIZE_LOG="$LOG_FOLDER/notarize.log"
 
 mkdir -p "$LOG_FOLDER"
 touch "$NOTARIZE_LOG"
 
 REMOVE_PKG=false
+IS_ZIP=false
 
 echo "=== macOS Notarization Script ==="
 echo "Bundle: $BUNDLE_PKG"
@@ -55,7 +59,8 @@ elif [[ $BUNDLE_PKG == *.pkg ]]; then
     echo "Notarizing PKG: $BUNDLE_PKG"
 elif [[ $BUNDLE_PKG == *.zip ]]; then
     # For zip files, we need to unzip to staple, then re-zip
-    BUNDLE_FILE=${BUNDLE_PKG%.*}
+    BUNDLE_FILE="$BUNDLE_PKG"
+    IS_ZIP=true
     echo "Notarizing ZIP: $BUNDLE_PKG (will staple contents)"
 elif [[ $BUNDLE_PKG == *.app ]]; then
     # Apps need to be zipped for upload, then unzipped for stapling
@@ -82,10 +87,12 @@ echo "=== Submitting for notarization ==="
 
 # Submit for notarization using notarytool
 # --wait makes the command block until notarization is complete
-# Note: --team-id is optional if you only have one team
+# Ensure pipefail is set for this block in case of subshells
+set -o pipefail
 if xcrun notarytool submit "$BUNDLE_PKG" \
     --apple-id "$ASC_USERNAME" \
     --password "${!ASC_PASSWORD_ENVVAR}" \
+    --team-id "$ASC_TEAMID" \
     --wait \
     2>&1 | tee "$NOTARIZE_LOG"; then
 
@@ -102,7 +109,7 @@ if xcrun notarytool submit "$BUNDLE_PKG" \
 
         # Note: You cannot staple a .zip file directly
         # If the original was a zip, we need to handle it differently
-        if [[ "$BUNDLE_FILE" == *.zip ]]; then
+        if [[ "$IS_ZIP" = true ]]; then
             echo "Warning: Cannot staple a .zip file. The notarization is stored with Apple."
             echo "Users will need to be online for Gatekeeper to verify the notarization."
         else
@@ -139,6 +146,7 @@ if xcrun notarytool submit "$BUNDLE_PKG" \
             xcrun notarytool log "$SUBMISSION_ID" \
                 --apple-id "$ASC_USERNAME" \
                 --password "${!ASC_PASSWORD_ENVVAR}" \
+                --team-id "$ASC_TEAMID" \
                 "$LOG_FOLDER/notarization_details.json" 2>&1 || true
 
             if [[ -f "$LOG_FOLDER/notarization_details.json" ]]; then

cmake/package_dragndrop_dmg.cmake

@@ -119,15 +119,15 @@ if (DEFINED CMAKE_VERSION AND NOT "${CMAKE_VERSION}" VERSION_LESS "3.5")
   ## For notarization, SIGNING_EMAIL must also be set.
   if (DEFINED CPACK_BUNDLE_APPLE_CERT_APP AND DEFINED SIGNING_EMAIL)
     add_custom_target(signed_dist
-                      COMMAND codesign --deep --force --sign ${CPACK_BUNDLE_APPLE_CERT_APP} ${CPACK_PACKAGE_FILE_NAME}.dmg
+                      COMMAND codesign --deep --force --timestamp --sign ${CPACK_BUNDLE_APPLE_CERT_APP} ${CPACK_PACKAGE_FILE_NAME}.dmg
                       COMMAND ${OPENMS_HOST_DIRECTORY}/cmake/MacOSX/notarize.sh ${CPACK_PACKAGE_FILE_NAME}.dmg de.openms ${SIGNING_EMAIL} APPLE_APP_SPECIFIC_NOTARIZATION_PASSWORD ${OPENMS_HOST_BINARY_DIRECTORY}
                       WORKING_DIRECTORY ${PROJECT_BINARY_DIR}
                       COMMENT "Signing and notarizing ${CPACK_PACKAGE_FILE_NAME}.dmg as ${CPACK_BUNDLE_APPLE_CERT_APP}"
                       DEPENDS dist)
   elseif(DEFINED CPACK_BUNDLE_APPLE_CERT_APP)
     message(STATUS "SIGNING_EMAIL not set. DMG will be signed but not notarized.")
     add_custom_target(signed_dist
-                      COMMAND codesign --deep --force --sign ${CPACK_BUNDLE_APPLE_CERT_APP} ${CPACK_PACKAGE_FILE_NAME}.dmg
+                      COMMAND codesign --deep --force --timestamp --sign ${CPACK_BUNDLE_APPLE_CERT_APP} ${CPACK_PACKAGE_FILE_NAME}.dmg
                       WORKING_DIRECTORY ${PROJECT_BINARY_DIR}
                       COMMENT "Signing ${CPACK_PACKAGE_FILE_NAME}.dmg as ${CPACK_BUNDLE_APPLE_CERT_APP} (not notarized)"
                       DEPENDS dist)

cmake/package_mac_productbuild.cmake

@@ -124,6 +124,17 @@ install(CODE "
         COMPONENT library
         )
 
+## Sign thirdparty components
+foreach(component IN LISTS THIRDPARTY_COMPONENT_GROUP)
+  install(CODE "
+          if(EXISTS \${CMAKE_INSTALL_PREFIX}/${INSTALL_SHARE_DIR}/THIRDPARTY/${component}/)
+            execute_process(COMMAND find \${CMAKE_INSTALL_PREFIX}/${INSTALL_SHARE_DIR}/THIRDPARTY/${component}/ -type f -execdir codesign --force --options runtime -i de.openms.thirdparty.${component}.{} --sign \"${CPACK_BUNDLE_APPLE_CERT_APP}\" {} \\; OUTPUT_VARIABLE thirdparty_sign_out ERROR_VARIABLE thirdparty_sign_out)
+            message('\${thirdparty_sign_out}')
+          endif()"
+          COMPONENT ${component}
+          )
+endforeach()
+
 ## When Applications are installed (which is the FIRST in alphabetical order AND the main component),
 ## a postinstall script runs to set file icon
 install(FILES       ${PROJECT_SOURCE_DIR}/cmake/MacOSX/openms_logo_large_transparent.png

tools/ci/capture-env.sh

@@ -75,18 +75,32 @@ function write_file() {
   fi
 
   for var in "${vars_to_cache[@]}"; do
-    # This next line is a little tricky.  It says to evaluate $var and
-    # use its value as the name of another variable to evaluate
-    # (indirection).  The ":-" bit says to set the variable to an
-    # empty string if it is not already defined.
+    # Indirection: get value, default to empty
     val="${!var:-}"
 
-    if [ -n "${val}" ]; then
+    # Sanitize: trim CR, LF, and trailing whitespace
+    val_sane="$(printf '%s' "$val" | tr -d '\r\n' | sed 's/[[:space:]]*$//')"
+
+    if [ -n "$val_sane" ]; then
       if [ "$option_verbose" -eq 1 ]; then
-        echo "Found $var with value $val"
+        # Redact sensitive variables
+        case "$var" in
+          SIGNING_EMAIL|SIGNING_IDENTITY|CPACK_PRODUCTBUILD_IDENTITY_NAME)
+            # Mask: show first and last char, rest as asterisks (if length > 2)
+            len=${#val_sane}
+            if [ "$len" -le 2 ]; then
+              masked="$val_sane"
+            else
+              masked="${val_sane:0:1}***${val_sane: -1}"
+            fi
+            echo "Found $var with value $masked (redacted)"
+            ;;
+          *)
+            echo "Found $var with value $val_sane"
+            ;;
+        esac
       fi
-
-      printf '%s:STRING=%s\n' "$var" "${val}" >>"$file"
+      printf '%s:STRING=%s\n' "$var" "$val_sane" >>"$file"
     fi
   done
 }