chore: macos code signing

Author: Julusian

.github/workflows/macos.yaml

@@ -11,6 +11,7 @@ jobs:
         runs-on: macos-11
 
         strategy:
+          fail-fast: false
           matrix:
             arch: [arm64, x86_64]
 
@@ -26,13 +27,43 @@ jobs:
                 tools: 'tools_ifw tools_cmake'
                 modules: 'qtwebsockets qt5compat'
 
+            - name: Install the Apple certificate and provisioning profile
+              env:
+                APPLE_CERTIFICATE_BASE64: ${{ secrets.APPLE_CERTIFICATE_BASE64 }}
+                APPLE_P12_PASSWORD: ${{ secrets.APPLE_P12_PASSWORD }}
+                KEYCHAIN_PASSWORD: ${{ secrets.KEYCHAIN_PASSWORD }}
+              run: |
+                if [[ -n "$APPLE_CERTIFICATE_BASE64" ]]; then
+                  # create variables
+                  CERTIFICATE_PATH=$RUNNER_TEMP/build_certificate.p12
+                  KEYCHAIN_PATH=$RUNNER_TEMP/app-signing.keychain-db
+
+                  # import certificate and provisioning profile from secrets
+                  echo -n "$APPLE_CERTIFICATE_BASE64" | base64 --decode -o $CERTIFICATE_PATH
+
+                  # create temporary keychain
+                  security create-keychain -p "$KEYCHAIN_PASSWORD" $KEYCHAIN_PATH
+                  security set-keychain-settings -lut 21600 $KEYCHAIN_PATH
+                  security unlock-keychain -p "$KEYCHAIN_PASSWORD" $KEYCHAIN_PATH
+
+                  # import certificate to keychain
+                  security import $CERTIFICATE_PATH -P "$APPLE_P12_PASSWORD" -A -t cert -f pkcs12 -k $KEYCHAIN_PATH
+                  security list-keychain -d user -s $KEYCHAIN_PATH
+
+                  # list signing identities
+                  # security find-identity -v -p codesigning
+                fi
             - name: Run build
               run: |
                   ./tools/build-macos.sh ${{ matrix.arch }}
               env:
                   CI: 1
                   BUILD_QT_PATH: ${{ github.workspace }}/Qt/6.5.3/macos
                   BUILD_PARALLEL_THREADS: 2
+                  MACOS_SIGN_NAME: ${{ secrets.MACOS_SIGN_NAME }}
+                  APPLEID: ${{ secrets.APPLEID }}
+                  APPLEIDPASS: ${{ secrets.APPLEIDPASS }}
+                  APPLEIDTEAM: ${{ secrets.APPLEIDTEAM }}
 
             - name: Rename build
               id: "rename-build"

resources/macos/entitlements.plist

@@ -0,0 +1,10 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
+<plist version="1.0">
+  <dict>
+    <key>com.apple.security.cs.allow-dyld-environment-variables</key>
+    <true/>
+    <key>com.apple.security.cs.disable-library-validation</key>
+    <true/>
+  </dict>
+</plist>

tools/build-macos.sh

@@ -51,12 +51,27 @@ mkdir "$CLIENT_FOLDER" || fail "Could not create $CLIENT_FOLDER"
 # Copy app bundle
 mv staging/casparcg-client.app "$CLIENT_FOLDER/$CLIENT_FOLDER.app" || fail "Could not move app bundle"
 
+# Sign app bundle
+if [ -n "$MACOS_SIGN_NAME" ]; then
+    echo "Signing..."
+    codesign --deep --timestamp --options runtime -s "$MACOS_SIGN_NAME" --entitlements "../resources/macos/entitlements.plist" "$CLIENT_FOLDER/$CLIENT_FOLDER.app"
+fi
+
 # Copy documentation
 echo Copying documentation...
 cp -f ../CHANGELOG "$CLIENT_FOLDER/" || fail "Could not copy CHANGELOG"
 cp -f ../LICENSE "$CLIENT_FOLDER/" || fail "Could not copy LICENSE"
+ln -s /Applications "$CLIENT_FOLDER/"
 
 # Create dmg file
 echo Creating dmg...
-hdiutil create -size "$BUILD_HDIUTILS_WORKAROUND_SIZE" -volname "$CLIENT_FOLDER" -srcfolder "$CLIENT_FOLDER" -ov -format UDZO "$BUILD_ARCHIVE_NAME-$ARCH.dmg" || fail "Could not create dmg"
+DMG_NAME="$BUILD_ARCHIVE_NAME-macos-$ARCH.dmg"
+hdiutil create -size "$BUILD_HDIUTILS_WORKAROUND_SIZE" -volname "$CLIENT_FOLDER" -srcfolder "$CLIENT_FOLDER" -ov -format UDZO "$DMG_NAME" || fail "Could not create dmg"
+ 
+# notarize dmg
+if [ -n "$APPLEID" ]; then
+    echo "Notarizing..."
+    xcrun notarytool submit "$DMG_NAME" --wait --apple-id "$APPLEID" --password "$APPLEIDPASS" --team-id "$APPLEIDTEAM"
+    xcrun stapler staple "$DMG_NAME"
+fi