Merge a6ca391ba1 into d5ea8d0f38

Fix default CA by enforcing it everywhere (#3719 )
macOS build workflow
2026-02-28 21:23:01 +00:00 · 2026-01-31 01:15:52 -05:00 · 2026-01-30 16:35:24 +01:00 · 2026-01-24 16:57:19 +03:30 · 2026-01-21 19:10:13 +03:30
4 changed files with 125 additions and 14 deletions
--- a/.github/workflows/release.yml
+++ b/.github/workflows/release.yml
@ -151,6 +151,96 @@ jobs:
          overwrite: true
          prerelease: true

+  # =================================
+  #  macOS Build (darwin)
+  # =================================
+  build-macos:
+    name: Build for macOS
+    permissions:
+      contents: write
+    strategy:
+      matrix:
+        include:
+          - arch: amd64
+            runner: macos-13
+          - arch: arm64
+            runner: macos-14
+    runs-on: ${{ matrix.runner }}
+    steps:
+      - name: Checkout repository
+        uses: actions/checkout@v5
+
+      - name: Setup Go
+        uses: actions/setup-go@v6
+        with:
+          go-version-file: go.mod
+          check-latest: true
+
+      - name: Build 3X-UI for macOS (CGO)
+        shell: bash
+        run: |
+          set -euo pipefail
+          export CGO_ENABLED=1
+          export GOOS=darwin
+          export GOARCH=${{ matrix.arch }}
+
+          go version
+          go env GOOS GOARCH CGO_ENABLED
+
+          go build -ldflags "-w -s" -o xui-release -v main.go
+          file xui-release
+
+          mkdir -p x-ui/bin
+          cp xui-release x-ui/x-ui
+          cp x-ui.sh x-ui/
+
+          # Download dependencies
+          cd x-ui/bin
+          Xray_URL="https://github.com/XTLS/Xray-core/releases/download/v26.1.18/"
+          if [ "${{ matrix.arch }}" = "amd64" ]; then
+            curl -fsSL -o Xray-macos-64.zip "${Xray_URL}Xray-macos-64.zip"
+            unzip -q Xray-macos-64.zip
+            rm -f Xray-macos-64.zip
+          elif [ "${{ matrix.arch }}" = "arm64" ]; then
+            curl -fsSL -o Xray-macos-arm64-v8a.zip "${Xray_URL}Xray-macos-arm64-v8a.zip"
+            unzip -q Xray-macos-arm64-v8a.zip
+            rm -f Xray-macos-arm64-v8a.zip
+          fi
+
+          rm -f geoip.dat geosite.dat
+          curl -fsSL -o geoip.dat https://github.com/Loyalsoldier/v2ray-rules-dat/releases/latest/download/geoip.dat
+          curl -fsSL -o geosite.dat https://github.com/Loyalsoldier/v2ray-rules-dat/releases/latest/download/geosite.dat
+          curl -fsSL -o geoip_IR.dat https://github.com/chocolate4u/Iran-v2ray-rules/releases/latest/download/geoip.dat
+          curl -fsSL -o geosite_IR.dat https://github.com/chocolate4u/Iran-v2ray-rules/releases/latest/download/geosite.dat
+          curl -fsSL -o geoip_RU.dat https://github.com/runetfreedom/russia-v2ray-rules-dat/releases/latest/download/geoip.dat
+          curl -fsSL -o geosite_RU.dat https://github.com/runetfreedom/russia-v2ray-rules-dat/releases/latest/download/geosite.dat
+
+          mv xray xray-macos-${{ matrix.arch }}
+          cd ../..
+
+      - name: Package
+        shell: bash
+        run: tar -zcvf x-ui-darwin-${{ matrix.arch }}.tar.gz x-ui
+
+      - name: Upload files to Artifacts
+        uses: actions/upload-artifact@v4
+        with:
+          name: x-ui-darwin-${{ matrix.arch }}
+          path: ./x-ui-darwin-${{ matrix.arch }}.tar.gz
+
+      - name: Upload files to GH release
+        uses: svenstaro/upload-release-action@v2
+        if: |
+          (github.event_name == 'release' && github.event.action == 'published') ||
+          (github.event_name == 'push' && startsWith(github.ref, 'refs/tags/'))
+        with:
+          repo_token: ${{ secrets.GITHUB_TOKEN }}
+          tag: ${{ github.ref }}
+          file: x-ui-darwin-${{ matrix.arch }}.tar.gz
+          asset_name: x-ui-darwin-${{ matrix.arch }}.tar.gz
+          overwrite: true
+          prerelease: true
+
  # =================================
  #  Windows Build
  # =================================
@ -173,14 +263,35 @@ jobs:
          go-version-file: go.mod
          check-latest: true

+      - name: Install MSYS2
+        uses: msys2/setup-msys2@v2
+        with:
+          msystem: MINGW64
+          update: true
+          install: >-
+            mingw-w64-x86_64-gcc
+            mingw-w64-x86_64-sqlite3
+            mingw-w64-x86_64-pkg-config
+
+      - name: Build 3X-UI for Windows (CGO)
+        shell: msys2 {0}
+        run: |
+          export PATH="/c/hostedtoolcache/windows/go/$(ls /c/hostedtoolcache/windows/go | sort -V | tail -n1)/x64/bin:$PATH"
+
+          export CGO_ENABLED=1
+          export GOOS=windows
+          export GOARCH=amd64
+          export CC=x86_64-w64-mingw32-gcc
+
+          which go
+          go version
+          gcc --version
+
+          go build -ldflags "-w -s" -o xui-release.exe -v main.go
+
      - name: Build 3X-UI for Windows
        shell: pwsh
-        run: |
-          $env:CGO_ENABLED="1"
-          $env:GOOS="windows"
-          $env:GOARCH="amd64"
-          go build -ldflags "-w -s" -o xui-release.exe -v main.go
-          
+        run: |          
          mkdir x-ui
          Copy-Item xui-release.exe x-ui\
          mkdir x-ui\bin
--- a/install.sh
+++ b/install.sh
@ -272,7 +272,7 @@ setup_ip_certificate() {

    # Issue certificate with shortlived profile
    echo -e "${green}Issuing IP certificate for ${ipv4}...${plain}"
-    ~/.acme.sh/acme.sh --set-default-ca --server letsencrypt >/dev/null 2>&1
+    ~/.acme.sh/acme.sh --set-default-ca --server letsencrypt --force >/dev/null 2>&1
    
    ~/.acme.sh/acme.sh --issue \
        ${domain_args} \
@ -414,7 +414,7 @@ ssl_cert_issue() {
    systemctl stop x-ui 2>/dev/null || rc-service x-ui stop 2>/dev/null

    # issue the certificate
-    ~/.acme.sh/acme.sh --set-default-ca --server letsencrypt
+    ~/.acme.sh/acme.sh --set-default-ca --server letsencrypt --force
    ~/.acme.sh/acme.sh --issue -d ${domain} --listen-v6 --standalone --httpport ${WebPort} --force
    if [ $? -ne 0 ]; then
        echo -e "${red}Issuing certificate failed, please check logs.${plain}"
--- a/update.sh
+++ b/update.sh
@ -173,7 +173,7 @@ setup_ssl_certificate() {
    echo -e "${green}Issuing SSL certificate for ${domain}...${plain}"
    echo -e "${yellow}Note: Port 80 must be open and accessible from the internet${plain}"
    
-    ~/.acme.sh/acme.sh --set-default-ca --server letsencrypt >/dev/null 2>&1
+    ~/.acme.sh/acme.sh --set-default-ca --server letsencrypt --force >/dev/null 2>&1
    ~/.acme.sh/acme.sh --issue -d ${domain} --listen-v6 --standalone --httpport 80 --force
    
    if [ $? -ne 0 ]; then
@ -297,7 +297,7 @@ setup_ip_certificate() {

    # Issue certificate with shortlived profile
    echo -e "${green}Issuing IP certificate for ${ipv4}...${plain}"
-    ~/.acme.sh/acme.sh --set-default-ca --server letsencrypt >/dev/null 2>&1
+    ~/.acme.sh/acme.sh --set-default-ca --server letsencrypt --force >/dev/null 2>&1
    
    ~/.acme.sh/acme.sh --issue \
        ${domain_args} \
@ -437,7 +437,7 @@ ssl_cert_issue() {
    systemctl stop x-ui 2>/dev/null || rc-service x-ui stop 2>/dev/null

    # issue the certificate
-    ~/.acme.sh/acme.sh --set-default-ca --server letsencrypt
+    ~/.acme.sh/acme.sh --set-default-ca --server letsencrypt --force
    ~/.acme.sh/acme.sh --issue -d ${domain} --listen-v6 --standalone --httpport ${WebPort} --force
    if [ $? -ne 0 ]; then
        echo -e "${red}Issuing certificate failed, please check logs.${plain}"
--- a/x-ui.sh
+++ b/x-ui.sh
@ -1226,7 +1226,7 @@ ssl_cert_issue_for_ip() {
    local reloadCmd="systemctl restart x-ui 2>/dev/null || rc-service x-ui restart 2>/dev/null"
    
    # issue the certificate for IP with shortlived profile
-    ~/.acme.sh/acme.sh --set-default-ca --server letsencrypt
+    ~/.acme.sh/acme.sh --set-default-ca --server letsencrypt --force
    ~/.acme.sh/acme.sh --issue \
        ${domain_args} \
        --standalone \
@ -1391,7 +1391,7 @@ ssl_cert_issue() {
    LOGI "Will use port: ${WebPort} to issue certificates. Please make sure this port is open."

    # issue the certificate
-    ~/.acme.sh/acme.sh --set-default-ca --server letsencrypt
+    ~/.acme.sh/acme.sh --set-default-ca --server letsencrypt --force
    ~/.acme.sh/acme.sh --issue -d ${domain} --listen-v6 --standalone --httpport ${WebPort} --force
    if [ $? -ne 0 ]; then
        LOGE "Issuing certificate failed, please check logs."
@ -1518,7 +1518,7 @@ ssl_cert_issue_CF() {
        LOGD "Your registered email address is: ${CF_AccountEmail}"

        # Set the default CA to Let's Encrypt
-        ~/.acme.sh/acme.sh --set-default-ca --server letsencrypt
+        ~/.acme.sh/acme.sh --set-default-ca --server letsencrypt --force
        if [ $? -ne 0 ]; then
            LOGE "Default CA, Let'sEncrypt fail, script exiting..."
            exit 1
Author	SHA1	Message	Date
Ebrahim Tahernejad	d7c49f4379	Merge `a6ca391ba1` into `d5ea8d0f38`	2026-01-31 01:15:52 -05:00
Sam Mosleh	d5ea8d0f38	Fix default CA by enforcing it everywhere (#3719 ) Some checks are pending Release 3X-UI / build (386) (push) Waiting to run Details Release 3X-UI / build (amd64) (push) Waiting to run Details Release 3X-UI / build (arm64) (push) Waiting to run Details Release 3X-UI / build (armv5) (push) Waiting to run Details Release 3X-UI / build (armv6) (push) Waiting to run Details Release 3X-UI / build (armv7) (push) Waiting to run Details Release 3X-UI / build (s390x) (push) Waiting to run Details Release 3X-UI / Build for Windows (push) Waiting to run Details	2026-01-30 16:35:24 +01:00
Ebrahim Tahernejad	a6ca391ba1	macOS build workflow	2026-01-24 16:57:19 +03:30
Ebrahim Tahernejad	511684d289	Use MSYS2 to fix the runtime CGO problem	2026-01-21 19:10:13 +03:30