diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml
index cabb5a2..295c9ba 100644
--- a/.github/workflows/release.yml
+++ b/.github/workflows/release.yml
@@ -32,6 +32,7 @@ jobs:
 - uses: apple-actions/import-codesign-certs@v3
 with:
 keychain: ${{ env.KEYCHAIN }}
+ # base64 enc of Developer ID Application + Developer ID Application with priv keys p12
 p12-file-base64: ${{ secrets.CERTIFICATES_P12 }}
 p12-password: ${{ secrets.CERTIFICATES_P12_PASSWORD }}
@@ -101,6 +102,7 @@ jobs:
 CASK_SHA256=$(shasum --algorithm 256 "build/Release/MailTrackerBlocker.pkg" | awk '{print $1}')
 brew update
+ brew tap homebrew/cask --force
 brew bump-cask-pr --no-browse --sha256 ${CASK_SHA256} --version ${CASK_VERSION} --no-audit --no-style ${CASK_NAME}
 cd apparition47-homebrew-tap
diff --git a/CHANGELOG.md b/CHANGELOG.md
index 97f17be..79358d0 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -1,5 +1,10 @@
 # Changelog
+## [0.8.9] - 2025-07-12
+
+- Important: the signing certificate has changed so the auto-updater will fail to update. Please manually update.
+- add beehiiv rule (thanks Damon S.)
+
 ## [0.8.7] - 2025-02-04
 - updated ruleset (thanks @Jee-Bee, James M. Damon S.)
diff --git a/MailTrackerBlocker.xcodeproj/project.pbxproj b/MailTrackerBlocker.xcodeproj/project.pbxproj
index 57152bb..d19c334 100644
--- a/MailTrackerBlocker.xcodeproj/project.pbxproj
+++ b/MailTrackerBlocker.xcodeproj/project.pbxproj
@@ -3730,6 +3730,7 @@
 BUNDLE_LOADER = /System/Applications/Mail.app/Contents/MacOS/Mail;
 CLANG_ENABLE_OBJC_ARC = YES;
 CODE_SIGN_ENTITLEMENTS = "";
+ "CODE_SIGN_IDENTITY[sdk=macosx*]" = "Developer ID Application";
 COMBINE_HIDPI_IMAGES = YES;
 COPY_PHASE_STRIP = NO;
 DEBUG_INFORMATION_FORMAT = "dwarf-with-dsym";
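Review bot: The comment added above `p12-file-base64` in the first release.yml hunk names `Developer ID Application` twice, which is probably a typo for the Application and Installer pair, since the validator changed in this same commit pins a Developer ID Installer key. Suggested wording: `# base64 of a .p12 holding the Developer ID Application and Developer ID Installer certificates with their private keys`. Outside this change but on the same step, the signing identity is handed to `apple-actions/import-codesign-certs@v3`, a mutable tag, so pinning that action to a commit SHA would be a reasonable follow-up. The step's `with:` block may continue past the hunk.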
@@ -3779,6 +3780,7 @@
 BUNDLE_LOADER = /System/Applications/Mail.app/Contents/MacOS/Mail;
 CLANG_ENABLE_OBJC_ARC = YES;
 CODE_SIGN_ENTITLEMENTS = "";
+ "CODE_SIGN_IDENTITY[sdk=macosx*]" = "Developer ID Application";
 COMBINE_HIDPI_IMAGES = YES;
 COPY_PHASE_STRIP = YES;
 DEBUG_INFORMATION_FORMAT = "dwarf-with-dsym";
diff --git a/Source/MTBPackageValidator.m b/Source/MTBPackageValidator.m
index 84e01d7..5bfc1fc 100644
--- a/Source/MTBPackageValidator.m
+++ b/Source/MTBPackageValidator.m
@@ -8,9 +8,11 @@
 #import "MTBPackageValidator.h"
 #import
-// PKCS#1 base64 enc output from SecKeyCopyExternalRepresentation
-// of my Developer ID Installer (XXX)
-const NSString *pinnedDevIDInstallerPKCS1PubKey = @"MIIBCgKCAQEA0vFlrhW0ldvlYKgQe8tQ+wsI6wzoKsjTF7M/fdnzx2SP0NqVQ/eLYk9wCiCQEJkZJXZznGyXzl1oeTjjQVfsH2TvMElhEzKXcyCEOd7axmEYGro/wwZlTlYEGOuR9GwgghCltHU9x/cSyOMDPOcM+ySG9Porea+GPbyeURzeT4QnSKMCE2y+Tdxo/aRgJfcn57DRXCFy/CEhMPJm8axr2bsoLfaj6RHA7TrQurphryvO9VBKL+2b1sbj9B8OXunlwe5t4Bq3DfXpjzhPWt1pXdve+q8qbtIatrLgYcpq1yOfhToMVQzMBf2NHteqPhhaHRDEG0gmjzoUD9r6sAwwRQIDAQAB";
+// Use the public key of your Developer ID Installer
+// Derived from PKCS#1 base64 enc output from SecKeyCopyExternalRepresentation of my Developer ID Installer (XXX)
+// OR command to get without ASN.1 parsing output:
+// $ security find-certificate -c "Developer ID Installer: Name (TEAM_ID)" -p | openssl x509 -pubkey -noout | openssl asn1parse -strparse 19 -noout -out - | base64
+const NSString *pinnedDevIDInstallerPKCS1PubKey = @"MIIBCgKCAQEAxTrGKLRw9XGmHprzbVYQyvApHGlqz7lm0/P3VOMUqHcvZR/hnL3qrM7BISbyqbFFygFrpEiy1HBwbGKPEa3WOaxo+FWFK1EuVPLCWX45JA7uyc5xusdcPjnYWkPeZ3teaRfEKPvTZGpKs33iUmfwNu+3xFH7kqBJjacV3IPn25rmQDsoEirfy0te8Tjxzj6ORJUlwcNn1qjjdOLwDhRAYZrskGFNE2ZUQ26iVHW0/PCt8B4zQNyujwOe80Sw14S1pw+MLUw2JSbQ/hKsn4iWAnWRmNh1zkjlwwQf8l5bSa444bpaXqUaTcKvBd/iEehlXfSkoTXf6Fdr/+QL9xYfnwIDAQAB";
 @implementation MTBPackageValidator
 +(BOOL)isPkgSignatureValidAtURL:(NSURL *)url {
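Review bot: The replacement `pinnedDevIDInstallerPKCS1PubKey` in the MTBPackageValidator.m hunk is still a single pin, so each signing-key rotation leaves installed copies unable to validate the next package, which the CHANGELOG entry in this commit confirms for this release. Consider keeping a short list of accepted keys (the current one plus its successor once known) and accepting a package whose signer matches any entry, dropping a key only when it is retired or no longer trusted. The comparison happens in `isPkgSignatureValidAtURL:`, whose body lies outside this hunk, so how the constant is consumed cannot be checked from here. Separately, `const NSString *` makes the pointee const rather than the pointer, so the pin itself stays assignable; `static NSString * const pinnedDevIDInstallerPKCS1PubKey = @"…";` would close that, provided no other file references the symbol. The new comment could also say that the `-strparse 19` offset applies to an RSA SubjectPublicKeyInfo.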
diff --git a/Version.config b/Version.config
index 8ffb0f4..47f5c94 100644
--- a/Version.config
+++ b/Version.config
@@ -1,7 +1,7 @@
 TOOL=MailTrackerBlocker_#MACOS_VERSION#
 MAJOR=0
 MINOR=8
-REVISION=8
+REVISION=9
 unset PRERELEASE
 VERSION="${MAJOR}.${MINOR}${REVISION:+.$REVISION}${PRERELEASE}"