napari · liu-ziyang · Dec 13, 2022 · Dec 5, 2022 · Dec 6, 2022 · Dec 6, 2022
diff --git a/.github/workflows/make_bundle_conda.yml b/.github/workflows/make_bundle_conda.yml
@@ -6,6 +6,7 @@ on:
       - main
     paths:
       - 'build_installers.py'
+      - 'conda-recipe/*'
   workflow_call:
     inputs:
       event_name:
@@ -339,7 +340,10 @@ jobs:
       - name: Load signing certificate (MacOS)
         shell: bash -el {0}
         # We only sign pushes to main, nightlies, RCs and final releases
-        if: runner.os == 'macOS' && env.SIGNING_SECRETS_AVAILABLE && (inputs.event_name == 'schedule' || inputs.event_name == 'push')
+        if: >
+          runner.os == 'macOS'
+          && env.SIGNING_SECRETS_AVAILABLE
+          && (inputs.event_name == 'schedule' || inputs.event_name == 'push')
         run: |
           # create variables
           INSTALLER_CERTIFICATE_PATH="$RUNNER_TEMP/installer_developer_cert.p12"
@@ -376,7 +380,10 @@ jobs:
 
       - name: Load signing certificate (Windows)
         # We only sign pushes to main, nightlies, RCs and final releases
-        if: runner.os == 'Windows' && env.SIGNING_SECRETS_AVAILABLE && (inputs.event_name == 'schedule' || inputs.event_name == 'push')
+        if: >
+          runner.os == 'Windows'
+          && env.SIGNING_SECRETS_AVAILABLE
+          && (inputs.event_name == 'schedule' || inputs.event_name == 'push')
         # We are signing with Apple's certificate to provide _something_
         # This is not trusted by Windows so the warnings are still there, but curious users
         # will be able to check it's actually us if necessary
@@ -418,41 +425,56 @@ jobs:
       #     echo "LICENSES_ARTIFACT_NAME=$(basename ${licenses_zip_path})" >> $GITHUB_ENV
       #     echo "licenses_artifact=${licenses_zip_path}" >> $GITHUB_OUTPUT
 
-
       # - name: Upload License Artifact
       #   uses: actions/upload-artifact@v2
       #   with:
       #     path: ${{ env.LICENSES_ARTIFACT_PATH }}
       #     name: ${{ env.LICENSES_ARTIFACT_NAME }}
 
-      - name: Notarize Bundle (macOS)
+      - name: Notarize & staple PKG Installer (macOS)
         # We only sign pushes to main, nightlies, RCs and final releases
         if: >
-          runner.os == 'macOS' &&
-          env.SIGNING_SECRETS_AVAILABLE &&
-          (inputs.event_name == 'schedule' || inputs.event_name == 'push')
-        uses: devbotsxyz/xcode-notarize@v1
-        with:
-          product-path: ${{ github.workspace }}/napari-packaging/_work/napari-${{ env.version }}-${{ runner.os }}-${{ env.arch-suffix }}.${{ env.extension }}
-          appstore-connect-username: ${{ secrets.APPLE_NOTARIZATION_USERNAME }}
-          appstore-connect-password: ${{ secrets.APPLE_NOTARIZATION_PASSWORD }}
-          primary-bundle-id: org.napari.pkg
-          verbose: true
+          runner.os == 'macOS'
+          && env.SIGNING_SECRETS_AVAILABLE
+          && (inputs.event_name == 'schedule' || inputs.event_name == 'push')
+        env:
+          INSTALLER_PATH: ${{ github.workspace }}/napari-packaging/_work/napari-${{ env.version }}-${{ runner.os }}-${{ env.arch-suffix }}.${{ env.extension }}
+          APPLE_NOTARIZATION_USERNAME: ${{ secrets.APPLE_NOTARIZATION_USERNAME }}
+          # This needs to be an application-specific password
+          APPLE_NOTARIZATION_PASSWORD: ${{ secrets.APPLE_NOTARIZATION_PASSWORD }}
+        run: |
+          set -euxo pipefail
 
-      - name: Staple Bundle (macOS)
-        # We only sign pushes to main, nightlies, RCs and final releases
-        if: >
-          runner.os == 'macOS' &&
-          env.SIGNING_SECRETS_AVAILABLE &&
-          (inputs.event_name == 'schedule' || inputs.event_name == 'push')
-        uses: devbotsxyz/xcode-staple@v1
-        with:
-          product-path: ${{ github.workspace }}/napari-packaging/_work/napari-${{ env.version }}-${{ runner.os }}-${{ env.arch-suffix }}.${{ env.extension }}
+          # Check signatures. If this fails, there's no point.
+          pkgutil --check-signature "$INSTALLER_PATH"
+
+          # Submit for notarization to Apple servers
+          json_output_file="$RUNNER_TEMP/$(basename "$INSTALLER_PATH").notarization.json"
+          set +e
+          xcrun notarytool submit "$INSTALLER_PATH" \
+              -u "$APPLE_NOTARIZATION_USERNAME" \
+              -p "$APPLE_NOTARIZATION_PASSWORD" \
+              --output-format json \
+              --wait \
+              | tee "$json_output_file"
+          set -e
+          if [[ $? != 0 ]]; then
+            submission_id=$(jq -r '.id' "$json_output_file")
+            xcrun notarytool log "$submission_id" \
+                -u "$APPLE_NOTARIZATION_USERNAME" \
+                -p "$APPLE_NOTARIZATION_PASSWORD"
+          fi
+
+          # Staple
+          xcrun stapler staple --verbose "$INSTALLER_PATH"
+
+          # Check notarization status
+          spctl --assess -vv --type install "$INSTALLER_PATH" 2>&1 | tee /dev/stderr | grep accepted
 
       - name: Upload Artifact
         uses: actions/upload-artifact@v2
         # CI artifact uploads only on manual runs
-        # if: inputs.event_name == 'workflow_dispatch'
+        if: inputs.event_name == 'workflow_dispatch'
         with:
           name: napari-${{ env.version }}-${{ runner.os }}-${{ env.arch-suffix }}.${{ env.extension }}
           path: ${{ github.workspace }}/napari-packaging/_work/napari-${{ env.version }}-${{ runner.os }}-${{ env.arch-suffix }}.${{ env.extension }}

diff --git a/build_installers.py b/build_installers.py
@@ -120,6 +120,7 @@ def _version():
     "CONSTRUCTOR_INSTALLER_DEFAULT_PATH_STEM", f"{APP}-{_version()}"
 )
 
+
 def _generate_background_images(installer_type, outpath="./", napari_repo=HERE):
     """Requires pillow"""
     if installer_type == "sh":
@@ -235,6 +236,7 @@ def _definitions(version=_version(), extra_specs=None, napari_repo=HERE):
     empty_file = NamedTemporaryFile(delete=False)
     condarc = _get_condarc()
     env_state = _get_conda_meta_state()
+    env_state_path = os.path.join("envs", napari_env["name"], "conda-meta", "state")
     definitions = {
         "name": APP,
         "company": "Napari",
@@ -258,7 +260,7 @@ def _definitions(version=_version(), extra_specs=None, napari_repo=HERE):
             {os.path.join(resources, "bundle_readme.md"): "README.txt"},
             {empty_file.name: ".napari_is_bundled_constructor"},
             {condarc: ".condarc"},
-            {env_state: os.path.join("envs", napari_env["name"], "conda-meta", "state")},
+            {env_state: env_state_path},
         ],
     }
     if _use_local():