fix(actions): enhance macOS build workflow by adding DMG signing and notarization steps

.gitea/workflows/test-macos-build.yml

@@ -347,6 +347,71 @@ jobs:
           echo "Creating DMG file..."
           hdiutil create -volname "$APP_NAME" -srcfolder "$STAPLED_APP_PATH" -ov -format UDZO "$DMG_FILE"
           
+          # Sign the DMG with the same certificate
+          echo "Signing DMG file..."
+          # Extract certificate info from the previously signed app
+          CERT_IDENTITY=$(codesign -dvv "$STAPLED_APP_PATH" 2>&1 | grep "Authority" | head -1 | sed -e 's/.*Authority=//g')
+          echo "Using certificate identity: $CERT_IDENTITY"
+          
+          # Sign the DMG
+          codesign --sign "$CERT_IDENTITY" --options runtime --timestamp "$DMG_FILE"
+          
+          # Verify DMG signature
+          echo "Verifying DMG signature..."
+          codesign -vvv "$DMG_FILE"
+          
+          # Notarize the DMG
+          echo "Notarizing DMG file..."
+          # Select which authentication method to use for notarization
+          if [ -n "${{ secrets.NOTARY_API_KEY_ID }}" ] && [ -n "${{ secrets.NOTARY_API_KEY_ISSUER_ID }}" ]; then
+            # Use API Key authentication (preferred)
+            echo "Using Notary API Key authentication..."
+            UUID=$(xcrun notarytool submit "$DMG_FILE" \
+              --key "${{ secrets.NOTARY_API_KEY_PATH }}" \
+              --key-id "${{ secrets.NOTARY_API_KEY_ID }}" \
+              --issuer "${{ secrets.NOTARY_API_KEY_ISSUER_ID }}" \
+              --wait | grep "id:" | awk '{print $2}')
+          elif [ -n "${{ secrets.APPLE_ID }}" ] && [ -n "${{ secrets.APPLE_TEAM_ID }}" ]; then
+            # Use Apple ID authentication
+            echo "Using Apple ID authentication..."
+            UUID=$(xcrun notarytool submit "$DMG_FILE" \
+              --apple-id "${{ secrets.APPLE_ID }}" \
+              --password "${{ secrets.APPLE_APP_SPECIFIC_PASSWORD }}" \
+              --team-id "${{ secrets.APPLE_TEAM_ID }}" \
+              --wait | grep "id:" | awk '{print $2}')
+          else
+            echo "⚠️ No notarization credentials available. DMG will not be notarized."
+            UUID=""
+          fi
+          
+          echo "Notarization UUID: $UUID"
+          
+          # Check notarization status
+          if [ -n "$UUID" ]; then
+            # Use the same authentication method for UUID info
+            if [ -n "${{ secrets.NOTARY_API_KEY_ID }}" ] && [ -n "${{ secrets.NOTARY_API_KEY_ISSUER_ID }}" ]; then
+              xcrun notarytool info "$UUID" \
+                --key "${{ secrets.NOTARY_API_KEY_PATH }}" \
+                --key-id "${{ secrets.NOTARY_API_KEY_ID }}" \
+                --issuer "${{ secrets.NOTARY_API_KEY_ISSUER_ID }}"
+            elif [ -n "${{ secrets.APPLE_ID }}" ] && [ -n "${{ secrets.APPLE_TEAM_ID }}" ]; then
+              xcrun notarytool info "$UUID" \
+                --apple-id "${{ secrets.APPLE_ID }}" \
+                --password "${{ secrets.APPLE_APP_SPECIFIC_PASSWORD }}" \
+                --team-id "${{ secrets.APPLE_TEAM_ID }}"
+            fi
+            
+            # Staple the DMG
+            echo "Stapling notarization ticket to DMG..."
+            xcrun stapler staple "$DMG_FILE"
+            
+            # Verify stapling
+            echo "Verifying DMG stapling..."
+            xcrun stapler validate "$DMG_FILE"
+          else
+            echo "⚠️ Notarization UUID not found. DMG may not be properly notarized."
+          fi
+          
           echo "DMG file created at: $DMG_FILE"
           echo "STAPLED_APP_DMG=$DMG_FILE" >> "$GITHUB_ENV"
         shell: bash