fix(actions): enhance macOS build workflow with additional verification and stapling steps for app notarization

.gitea/workflows/test-macos-build.yml

@@ -289,6 +289,37 @@ jobs:
           path: ${{ steps.sign-and-notarize.outputs.package-path }}
           retention-days: 30
           
+      # Additional verification and stapling to ensure the app opens without warning
+      - name: Verify and Staple App
+        if: steps.sign-and-notarize.outputs.notarized == 'true' && steps.sign-and-notarize.outputs.signed != 'none'
+        run: |
+          echo "🔒 Performing additional verification and stapling..."
+          APP_PATH="${{ env.APP_PATH }}"
+          
+          # Make sure the app is properly stapled
+          echo "Stapling notarization ticket to the app..."
+          xcrun stapler staple "$APP_PATH"
+          
+          # Verify the stapling
+          echo "Verifying stapling..."
+          xcrun stapler validate "$APP_PATH"
+          
+          # Perform deep verification of code signing
+          echo "Verifying code signature (deep)..."
+          codesign -vvv --deep "$APP_PATH"
+          
+          # Additional check for quarantine attributes
+          echo "Checking for quarantine attributes..."
+          if [ -n "$(xattr -l "$APP_PATH" | grep quarantine)" ]; then
+            echo "Removing quarantine attribute..."
+            xattr -d com.apple.quarantine "$APP_PATH"
+          else
+            echo "No quarantine attribute found, good!"
+          fi
+          
+          echo "✅ Verification and stapling completed!"
+        shell: bash
+          
       # Upload ZIP package if DMG was created (as a backup)
       - name: Upload ZIP Package
         uses: actions/upload-artifact@v3

scripts/mac_build.sh

@@ -146,4 +146,53 @@ if [ -n "$APP_PATH" ]; then
   fi
 fi
 
-echo "Completed post-build process ✅"
+# If this is a manual build (not in CI), attempt to sign the app locally
+if [ -z "$CI" ] && [ -n "$APP_PATH" ]; then
+  echo ""
+  echo "🔐 Attempting local code signing and stapling..."
+  
+  # Check if we have a valid Apple Developer identity
+  IDENTITY=$(security find-identity -v -p codesigning | grep "Developer ID Application" | head -1 | sed -E 's/.*\) ([A-F0-9]+) "(.*)"/\2/')
+  
+  if [ -n "$IDENTITY" ]; then
+    echo "Found signing identity: $IDENTITY"
+    
+    # Sign the app
+    echo "Signing application..."
+    if [ -f "$PROJECT_ROOT/LuckyWorld.entitlements" ]; then
+      echo "Using entitlements file: $PROJECT_ROOT/LuckyWorld.entitlements"
+      codesign --force --options runtime --entitlements "$PROJECT_ROOT/LuckyWorld.entitlements" --sign "$IDENTITY" --deep "$APP_PATH"
+    else
+      codesign --force --options runtime --sign "$IDENTITY" --deep "$APP_PATH"
+    fi
+    
+    # Verify signature
+    echo "Verifying signature..."
+    codesign -vvv --deep "$APP_PATH"
+    
+    # Staple the app if notarization is successful
+    echo "Checking if notarization is needed..."
+    if xcrun altool --notarization-info $(uuidgen) -u "YOUR_APPLE_ID" 2>&1 | grep -q "success"; then
+      echo "App is notarized, stapling the ticket..."
+      xcrun stapler staple "$APP_PATH"
+      xcrun stapler validate "$APP_PATH"
+      
+      # Remove quarantine attribute if present
+      if [ -n "$(xattr -l "$APP_PATH" | grep quarantine)" ]; then
+        echo "Removing quarantine attribute..."
+        xattr -d com.apple.quarantine "$APP_PATH"
+      fi
+    else
+      echo "App is not notarized yet. Upload to Apple's notary service for full verification."
+    fi
+  else
+    echo "⚠️ No Developer ID Application certificate found for signing."
+    echo "Run 'security find-identity -v -p codesigning' to view available certificates."
+  fi
+else
+  echo "Skipping local signing (running in CI or app not found)"
+fi
+
+echo ""
+echo "✅ Build and post-processing completed!"
+echo "App location: $APP_PATH"