From 7d3e732e5a44de2db7eba885cb1b229d8bb5974e Mon Sep 17 00:00:00 2001
From: Aaron Lee
Date: Sat, 12 Jul 2025 16:57:47 +0900
Subject: [PATCH 1/6] ci: update install cert

---
 MailTrackerBlocker.xcodeproj/project.pbxproj | 2 ++
 Source/MTBPackageValidator.m | 6 ++++--
 2 files changed, 6 insertions(+), 2 deletions(-)

diff --git a/MailTrackerBlocker.xcodeproj/project.pbxproj b/MailTrackerBlocker.xcodeproj/project.pbxproj
index 57152bb..d19c334 100644
--- a/MailTrackerBlocker.xcodeproj/project.pbxproj
+++ b/MailTrackerBlocker.xcodeproj/project.pbxproj
@@ -3730,6 +3730,7 @@
 BUNDLE_LOADER = /System/Applications/Mail.app/Contents/MacOS/Mail;
 CLANG_ENABLE_OBJC_ARC = YES;
 CODE_SIGN_ENTITLEMENTS = "";
+ "CODE_SIGN_IDENTITY[sdk=macosx*]" = "Developer ID Application";
 COMBINE_HIDPI_IMAGES = YES;
 COPY_PHASE_STRIP = NO;
 DEBUG_INFORMATION_FORMAT = "dwarf-with-dsym";
@@ -3779,6 +3780,7 @@
 BUNDLE_LOADER = /System/Applications/Mail.app/Contents/MacOS/Mail;
 CLANG_ENABLE_OBJC_ARC = YES;
 CODE_SIGN_ENTITLEMENTS = "";
+ "CODE_SIGN_IDENTITY[sdk=macosx*]" = "Developer ID Application";
 COMBINE_HIDPI_IMAGES = YES;
 COPY_PHASE_STRIP = YES;
 DEBUG_INFORMATION_FORMAT = "dwarf-with-dsym";
diff --git a/Source/MTBPackageValidator.m b/Source/MTBPackageValidator.m
index 84e01d7..3f2d248 100644
--- a/Source/MTBPackageValidator.m
+++ b/Source/MTBPackageValidator.m
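Review bot: Both hunks set `"CODE_SIGN_IDENTITY[sdk=macosx*]" = "Developer ID Application";` unconditionally, and the surrounding `COPY_PHASE_STRIP = NO` / `COPY_PHASE_STRIP = YES` lines suggest these are the Debug and Release configurations of the same target, so a local developer build would now fail to sign unless that Developer ID certificate is present in the keychain. If the identity is only needed for the CI release build, consider keeping it out of Debug (or out of the project file entirely) and passing `CODE_SIGN_IDENTITY="Developer ID Application"` on the release workflow's `xcodebuild` invocation instead. The target and configuration names are outside the hunks, so the Debug/Release reading is inferred from the stripping flags.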
@@ -8,8 +8,10 @@
 #import "MTBPackageValidator.h"
 #import
 
-// PKCS#1 base64 enc output from SecKeyCopyExternalRepresentation
-// of my Developer ID Installer (XXX)
+// Use the public key of your Developer ID Installer
+// Derived from PKCS#1 base64 enc output from SecKeyCopyExternalRepresentation of my Developer ID Installer (XXX)
+// OR command to get without ASN.1 parsing output:
+// $ security find-certificate -c "Developer ID Installer: Name (TEAM_ID)" -p | openssl x509 -pubkey -noout | openssl asn1parse -strparse 19 -noout -out - | base64
 const NSString *pinnedDevIDInstallerPKCS1PubKey = @"MIIBCgKCAQEA0vFlrhW0ldvlYKgQe8tQ+wsI6wzoKsjTF7M/fdnzx2SP0NqVQ/eLYk9wCiCQEJkZJXZznGyXzl1oeTjjQVfsH2TvMElhEzKXcyCEOd7axmEYGro/wwZlTlYEGOuR9GwgghCltHU9x/cSyOMDPOcM+ySG9Porea+GPbyeURzeT4QnSKMCE2y+Tdxo/aRgJfcn57DRXCFy/CEhMPJm8axr2bsoLfaj6RHA7TrQurphryvO9VBKL+2b1sbj9B8OXunlwe5t4Bq3DfXpjzhPWt1pXdve+q8qbtIatrLgYcpq1yOfhToMVQzMBf2NHteqPhhaHRDEG0gmjzoUD9r6sAwwRQIDAQAB";
 
 @implementation MTBPackageValidator

From 2ff2112e398c036191a3f26d2609215f0258f246 Mon Sep 17 00:00:00 2001
From: Aaron Lee
Date: Sat, 12 Jul 2025 17:30:34 +0900
Subject: [PATCH 2/6] note

---
 .github/workflows/release.yml | 1 +
 1 file changed, 1 insertion(+)

diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml
index cabb5a2..4f39a40 100644
--- a/.github/workflows/release.yml
+++ b/.github/workflows/release.yml
@@ -32,6 +32,7 @@ jobs:
 - uses: apple-actions/import-codesign-certs@v3
 with:
 keychain: ${{ env.KEYCHAIN }}
+ # base64 enc of Developer ID Application + Developer ID Application with priv keys p12
 p12-file-base64: ${{ secrets.CERTIFICATES_P12 }}
 p12-password: ${{ secrets.CERTIFICATES_P12_PASSWORD }}
 

From 49126d9578ed9d542f7e727d38a0f32a404f93f3 Mon Sep 17 00:00:00 2001
From: Aaron Lee
Date: Sat, 12 Jul 2025 17:30:39 +0900
Subject: [PATCH 3/6] test2

---
 .github/workflows/release.yml | 54 ++---------------------------------
 1 file changed, 2 insertions(+), 52 deletions(-)

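Review bot: The new `// $ security find-certificate ... | openssl asn1parse -strparse 19 ...` comment hard-codes the byte offset 19, which is where the BIT STRING sits inside the SubjectPublicKeyInfo only for an RSA key whose DER length needs a two-byte length field (true of the 2048-bit key pinned here, whose base64 starts with `MIIBCgKCAQEA`); for another key type or a small key the offset moves and the command silently emits the wrong bytes. Worth stating next to the command, e.g. `// -strparse 19 skips the SPKI header of an RSA 2048 key; re-derive the offset if the key type or size changes`. The new wording also mixes `your Developer ID Installer` and `my Developer ID Installer (XXX)` on consecutive lines; pick one, and spell out `enc` as `encoded` while touching it. The `pinnedDevIDInstallerPKCS1PubKey` declaration below the comment is unchanged context in this hunk and is rewritten in patch 5 of this series.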
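Review bot: The added comment reads `Developer ID Application + Developer ID Application`, naming the same certificate twice; since this workflow produces a signed .pkg and `Source/MTBPackageValidator.m` pins a Developer ID Installer key, the second one is presumably meant to be `Developer ID Installer`. Suggested wording: `# base64-encoded .p12 holding the Developer ID Application and Developer ID Installer certificates with their private keys`. A comment between two keys of the action's `with:` map is valid YAML, but placing it above the `- uses:` line would keep the action's inputs contiguous and make the comment apply to the whole step.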
diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml
index 4f39a40..b4bbbf1 100644
--- a/.github/workflows/release.yml
+++ b/.github/workflows/release.yml
@@ -36,57 +36,6 @@ jobs:
 p12-file-base64: ${{ secrets.CERTIFICATES_P12 }}
 p12-password: ${{ secrets.CERTIFICATES_P12_PASSWORD }}
 
- - name: build and package
- run: |
- make unsigntool
- xcodebuild \
- -project MailTrackerBlocker.xcodeproj \
- -target MailTrackerBlocker \
- BUNDLE_LOADER=mail-app/14.0/Mail.app/Contents/MacOS/Mail \
- build
- make pack
-
- - name: notarize and staple
- env:
- AC_USERNAME: ${{ secrets.AC_USERNAME }}
- AC_PASSWORD: ${{ secrets.AC_PASSWORD }}
- AC_TEAMID: CW298N32P4
- run: |
- xcrun notarytool submit build/Release/MailTrackerBlocker.pkg \
- --apple-id "$AC_USERNAME" \
- --team-id "$AC_TEAMID" \
- --password "$AC_PASSWORD" \
- --wait
- xcrun stapler staple build/Release/MailTrackerBlocker.pkg
-
- - name: generate release log
- run: |
- CURRENT_TAG=${{ inputs.version }}
- awk -v ver=$CURRENT_TAG '
- /^#+ \[/ { if (p) { exit }; if ($2 == "["ver"]") { p=1; next} } p && NF
- ' CHANGELOG.md > build/releaselog.md
- - name: create release
- id: create_release
- uses: actions/create-release@v1
- env:
- GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
- with:
- tag_name: ${{ inputs.version }}
- release_name: ${{ inputs.version }} Release
- body_path: ./build/releaselog.md
- draft: false
- prerelease: false
-
- - name: upload release asset pkg
- id: upload-pkg
- uses: actions/upload-release-asset@v1.0.2
- env:
- GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
- with:
- upload_url: ${{ steps.create_release.outputs.upload_url }}
- asset_path: ./build/Release/MailTrackerBlocker.pkg
- asset_name: MailTrackerBlocker.pkg
- asset_content_type: application/x-newton-compatible-pkg
 - name: Checkout private Homebrew tap
 uses: actions/checkout@v2
@@ -99,9 +48,10 @@ jobs:
 run: |
 CASK_NAME=mailtrackerblocker
 CASK_VERSION=${{ inputs.version }}
- CASK_SHA256=$(shasum --algorithm 256 "build/Release/MailTrackerBlocker.pkg" | awk '{print $1}')
+ CASK_SHA256=62b76c18d52789b0e80384781a9e0421effff5887677a4666c4d085c2b6659ea
 brew update
+ brew tap homebrew/cask --force
 brew bump-cask-pr --no-browse --sha256 ${CASK_SHA256} --version ${CASK_VERSION} --no-audit --no-style ${CASK_NAME}
 cd apparition47-homebrew-tap

From 8197b982ede3e2836dacc1e18e83a15a618c9baf Mon Sep 17 00:00:00 2001
From: Aaron Lee
Date: Sat, 12 Jul 2025 17:32:40 +0900
Subject: [PATCH 4/6] revert

---
 .github/workflows/release.yml | 53 ++++++++++++++++++++++++++++++++++-
 1 file changed, 52 insertions(+), 1 deletion(-)

diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml
index b4bbbf1..295c9ba 100644
--- a/.github/workflows/release.yml
+++ b/.github/workflows/release.yml
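Review bot: `CASK_SHA256=62b76c18d52789b0e80384781a9e0421effff5887677a4666c4d085c2b6659ea` replaces the hash computed from the freshly built and stapled .pkg with a literal, and together with the first hunk's removal of the build, notarize and release steps this is a test-only state that patch 4/6 reverts; on this commit the workflow would still run `brew bump-cask-pr` with a hash unrelated to anything the run produced. Squashing patches 3 and 4 keeps that state out of the history. The only line that survives the revert is `brew tap homebrew/cask --force`; if that is the intended change it deserves its own commit with a comment on why the forced tap is needed, e.g. `# bump-cask-pr needs a local checkout of homebrew/cask` (assuming that is the reason).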
@@ -36,6 +36,57 @@ jobs:
 p12-file-base64: ${{ secrets.CERTIFICATES_P12 }}
 p12-password: ${{ secrets.CERTIFICATES_P12_PASSWORD }}
 
+ - name: build and package
+ run: |
+ make unsigntool
+ xcodebuild \
+ -project MailTrackerBlocker.xcodeproj \
+ -target MailTrackerBlocker \
+ BUNDLE_LOADER=mail-app/14.0/Mail.app/Contents/MacOS/Mail \
+ build
+ make pack
+
+ - name: notarize and staple
+ env:
+ AC_USERNAME: ${{ secrets.AC_USERNAME }}
+ AC_PASSWORD: ${{ secrets.AC_PASSWORD }}
+ AC_TEAMID: CW298N32P4
+ run: |
+ xcrun notarytool submit build/Release/MailTrackerBlocker.pkg \
+ --apple-id "$AC_USERNAME" \
+ --team-id "$AC_TEAMID" \
+ --password "$AC_PASSWORD" \
+ --wait
+ xcrun stapler staple build/Release/MailTrackerBlocker.pkg
+
+ - name: generate release log
+ run: |
+ CURRENT_TAG=${{ inputs.version }}
+ awk -v ver=$CURRENT_TAG '
+ /^#+ \[/ { if (p) { exit }; if ($2 == "["ver"]") { p=1; next} } p && NF
+ ' CHANGELOG.md > build/releaselog.md
+ - name: create release
+ id: create_release
+ uses: actions/create-release@v1
+ env:
+ GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+ with:
+ tag_name: ${{ inputs.version }}
+ release_name: ${{ inputs.version }} Release
+ body_path: ./build/releaselog.md
+ draft: false
+ prerelease: false
+
+ - name: upload release asset pkg
+ id: upload-pkg
+ uses: actions/upload-release-asset@v1.0.2
+ env:
+ GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+ with:
+ upload_url: ${{ steps.create_release.outputs.upload_url }}
+ asset_path: ./build/Release/MailTrackerBlocker.pkg
+ asset_name: MailTrackerBlocker.pkg
+ asset_content_type: application/x-newton-compatible-pkg
 - name: Checkout private Homebrew tap
 uses: actions/checkout@v2
@@ -48,7 +99,7 @@ jobs:
 run: |
 CASK_NAME=mailtrackerblocker
 CASK_VERSION=${{ inputs.version }}
- CASK_SHA256=62b76c18d52789b0e80384781a9e0421effff5887677a4666c4d085c2b6659ea
+ CASK_SHA256=$(shasum --algorithm 256 "build/Release/MailTrackerBlocker.pkg" | awk '{print $1}')
 brew update
 brew tap homebrew/cask --force
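Review bot: `CURRENT_TAG=${{ inputs.version }}` in the restored `generate release log` step (and `CASK_VERSION=${{ inputs.version }}` in the second hunk, `@@ -48,7 +99,7`) splices a workflow input into the shell script at template-expansion time, so a value containing shell metacharacters changes the script rather than being treated as data; the usual hardening is to pass it through `env:` and read it as a variable — on the step `env:` / `  VERSION: ${{ inputs.version }}`, then `CURRENT_TAG="$VERSION"`. The `tag_name` and `release_name` inputs carry the same value but go to an action rather than a shell, so they are less exposed. Separately, `actions/create-release@v1` and `actions/upload-release-asset@v1.0.2` are archived upstream and referenced by mutable tag; `gh release create` with `--notes-file build/releaselog.md` and the .pkg as an asset (the `gh` CLI is preinstalled on hosted runners), or a maintained action pinned to a commit SHA, would replace both steps. The trigger that defines `inputs.version` is outside the hunk, so how constrained that value already is cannot be judged here.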
From e6d0e15b5ddd35cdc34f49942fb2461daf507fe5 Mon Sep 17 00:00:00 2001
From: Aaron Lee
Date: Sat, 12 Jul 2025 17:39:59 +0900
Subject: [PATCH 5/6] update cert

---
 Source/MTBPackageValidator.m | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/Source/MTBPackageValidator.m b/Source/MTBPackageValidator.m
index 3f2d248..5bfc1fc 100644
--- a/Source/MTBPackageValidator.m
+++ b/Source/MTBPackageValidator.m
@@ -12,7 +12,7 @@
 // Derived from PKCS#1 base64 enc output from SecKeyCopyExternalRepresentation of my Developer ID Installer (XXX)
 // OR command to get without ASN.1 parsing output:
 // $ security find-certificate -c "Developer ID Installer: Name (TEAM_ID)" -p | openssl x509 -pubkey -noout | openssl asn1parse -strparse 19 -noout -out - | base64
-const NSString *pinnedDevIDInstallerPKCS1PubKey = @"MIIBCgKCAQEA0vFlrhW0ldvlYKgQe8tQ+wsI6wzoKsjTF7M/fdnzx2SP0NqVQ/eLYk9wCiCQEJkZJXZznGyXzl1oeTjjQVfsH2TvMElhEzKXcyCEOd7axmEYGro/wwZlTlYEGOuR9GwgghCltHU9x/cSyOMDPOcM+ySG9Porea+GPbyeURzeT4QnSKMCE2y+Tdxo/aRgJfcn57DRXCFy/CEhMPJm8axr2bsoLfaj6RHA7TrQurphryvO9VBKL+2b1sbj9B8OXunlwe5t4Bq3DfXpjzhPWt1pXdve+q8qbtIatrLgYcpq1yOfhToMVQzMBf2NHteqPhhaHRDEG0gmjzoUD9r6sAwwRQIDAQAB";
+const NSString *pinnedDevIDInstallerPKCS1PubKey = @"MIIBCgKCAQEAxTrGKLRw9XGmHprzbVYQyvApHGlqz7lm0/P3VOMUqHcvZR/hnL3qrM7BISbyqbFFygFrpEiy1HBwbGKPEa3WOaxo+FWFK1EuVPLCWX45JA7uyc5xusdcPjnYWkPeZ3teaRfEKPvTZGpKs33iUmfwNu+3xFH7kqBJjacV3IPn25rmQDsoEirfy0te8Tjxzj6ORJUlwcNn1qjjdOLwDhRAYZrskGFNE2ZUQ26iVHW0/PCt8B4zQNyujwOe80Sw14S1pw+MLUw2JSbQ/hKsn4iWAnWRmNh1zkjlwwQf8l5bSa444bpaXqUaTcKvBd/iEehlXfSkoTXf6Fdr/+QL9xYfnwIDAQAB";
 
 @implementation MTBPackageValidator
 +(BOOL)isPkgSignatureValidAtURL:(NSURL *)url {

From 3a1e406e00a48b8317531d24ca011a362b14334b Mon Sep 17 00:00:00 2001
From: Aaron Lee
Date: Sat, 12 Jul 2025 17:43:35 +0900
Subject: [PATCH 6/6] version bump

---
 CHANGELOG.md | 5 +++++
 Version.config | 2 +-
 2 files changed, 6 insertions(+), 1 deletion(-)

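Review bot: The rewritten line keeps `const NSString *pinnedDevIDInstallerPKCS1PubKey`, which declares a pointer to a const object (meaningless for an Objective-C object) rather than a constant pointer; the intended form is `static NSString * const pinnedDevIDInstallerPKCS1PubKey = @"MIIB…";`, dropping `static` only if another translation unit declares it `extern`. The new value starts with `MIIBCgKCAQEA` like the old one, i.e. a PKCS#1 RSAPublicKey of the same size, so the `-strparse 19` recipe in the comment above still applies to it. Because installed copies pin only the old key, none of them can verify a package signed with the new certificate — the changelog entry in patch 6 says as much; pinning a list of accepted keys (`NSArray<NSString *> *`) and shipping the next key one release ahead of a rotation would avoid repeating the manual-update break, provided the outgoing certificate is still usable to sign that transitional release. `isPkgSignatureValidAtURL:` begins on the hunk's last line and its body is outside the hunk.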
diff --git a/CHANGELOG.md b/CHANGELOG.md
index 97f17be..79358d0 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -1,5 +1,10 @@
 # Changelog
 
+## [0.8.9] - 2025-07-12
+
+- Important: the signing certificate has changed so the auto-updater will fail to update. Please manually update.
+- add beehiiv rule (thanks Damon S.)
+
 ## [0.8.7] - 2025-02-04
 
 - updated ruleset (thanks @Jee-Bee, James M. Damon S.)
diff --git a/Version.config b/Version.config
index 8ffb0f4..47f5c94 100644
--- a/Version.config
+++ b/Version.config
@@ -1,7 +1,7 @@
 TOOL=MailTrackerBlocker_#MACOS_VERSION#
 MAJOR=0
 MINOR=8
-REVISION=8
+REVISION=9
 unset PRERELEASE
 VERSION="${MAJOR}.${MINOR}${REVISION:+.$REVISION}${PRERELEASE}"