Update tgwatch signing

This commit is contained in:
isaac 2026-05-31 15:34:43 +02:00
parent d4736fe59f
commit 1120b9084e
4 changed files with 25 additions and 2 deletions

View file

@ -1746,6 +1746,14 @@ xcode_provisioning_profile(
apple_prebuilt_watchos_application(
name = "TelegramWatchApp",
# Watch bundle id tracks the host config ("<host>.watchkitapp"). The rule passes it
# to xcodebuild as PRODUCT_BUNDLE_IDENTIFIER (baked + signed); the watch Info.plist
# derives WKCompanionAppBundleIdentifier from it via $(PRODUCT_BUNDLE_IDENTIFIER:base),
# so the embedded watch app is correct for any host (ph.telegra.Telegraph,
# org.telegram.TelegramInternal, ...) with no post-build plist patching.
bundle_id = "{telegram_bundle_id}.watchkitapp".format(
telegram_bundle_id = telegram_bundle_id,
),
tags = ["manual"],
)

View file

@ -38,7 +38,7 @@
<key>WKApplication</key>
<true/>
<key>WKCompanionAppBundleIdentifier</key>
<string>ph.telegra.Telegraph</string>
<string>$(PRODUCT_BUNDLE_IDENTIFIER:base)</string>
<key>WKRunsIndependentlyOfCompanionApp</key>
<true/>
</dict>

View file

@ -70,6 +70,12 @@ def _apple_prebuilt_watchos_application_impl(ctx):
infoplist.path,
ctx.file.versions_json.path,
build_number,
# Watch app bundle id ("<host>.watchkitapp"). xcodebuild bakes it as
# PRODUCT_BUNDLE_IDENTIFIER so the signed CFBundleIdentifier matches the host
# config; the Info.plist derives WKCompanionAppBundleIdentifier from it via
# $(PRODUCT_BUNDLE_IDENTIFIER:base). Keeps the build dynamic across hosts with
# no post-build plist mutation (xcodebuild bakes, the worker signs once).
ctx.attr.bundle_id,
],
inputs = inputs,
outputs = [archive, infoplist],

View file

@ -17,9 +17,17 @@
# $4 api_hash TG_API_HASH build setting
# $5 identity Codesigning identity (SHA1 hash); empty => derived from $6's cert
# $6 profile Path to the watchkitapp .mobileprovision; empty => unsigned build
# $7 infoplist Path (declared by Bazel) to copy the built Info.plist to
# $8 versions_json versions.json (key 'app' => CFBundleShortVersionString)
# $9 build_number CFBundleVersion
# $10 watch_bundle_id PRODUCT_BUNDLE_IDENTIFIER for xcodebuild (the watch app id,
# "<host>.watchkitapp"); empty => keep the project default. xcodebuild
# bakes it into CFBundleIdentifier (and signs with it); the Info.plist
# derives WKCompanionAppBundleIdentifier from it via
# $(PRODUCT_BUNDLE_IDENTIFIER:base), so no post-build plist patching.
set -euo pipefail
SRC="$1"; OUT_ZIP="$2"; API_ID="$3"; API_HASH="$4"; IDENTITY="${5:-}"; PROFILE="${6:-}"; INFOPLIST_OUT="${7:-}"; VERSIONS_JSON="${8:-}"; BUILD_NUMBER="${9:-1}"
SRC="$1"; OUT_ZIP="$2"; API_ID="$3"; API_HASH="$4"; IDENTITY="${5:-}"; PROFILE="${6:-}"; INFOPLIST_OUT="${7:-}"; VERSIONS_JSON="${8:-}"; BUILD_NUMBER="${9:-1}"; WATCH_BUNDLE_ID="${10:-}"
if [ ! -e "$SRC/tgwatch.xcodeproj" ]; then
echo "error: no tgwatch.xcodeproj at $SRC (re-sync the Telegram/WatchApp snapshot via tgwatch/tools/export-sources.sh)" >&2
@ -53,6 +61,7 @@ xcodebuild \
CODE_SIGNING_ALLOWED=NO CODE_SIGNING_REQUIRED=NO CODE_SIGN_IDENTITY="" \
TG_API_ID="$API_ID" TG_API_HASH="$API_HASH" \
MARKETING_VERSION="$MARKETING_VERSION" CURRENT_PROJECT_VERSION="$BUILD_NUMBER" \
${WATCH_BUNDLE_ID:+PRODUCT_BUNDLE_IDENTIFIER="$WATCH_BUNDLE_ID"} \
build 1>&2
APP="$(find "$DD/Build/Products" -maxdepth 2 -name 'tgwatch Watch App.app' -type d | head -1)"