.gitea/workflows/test-local-signing.yml

@@ -264,36 +264,83 @@ jobs:
         env:
           APPLE_ID: ${{ secrets.APPLE_NOTARY_USER }}
           APP_PASSWORD: ${{ secrets.APPLE_NOTARY_PASSWORD }}
+          API_KEY_ID: ${{ secrets.APPLE_NOTARY_API_KEY_ID }}
+          API_ISSUER_ID: ${{ secrets.APPLE_NOTARY_API_ISSUER_ID }}
+          API_KEY: ${{ secrets.APPLE_NOTARY_API_KEY }}
         run: |
           echo "📤 Notarizing app..."
           
-          # Make sure we have required secrets
-          if [ -z "$APPLE_ID" ] || [ -z "$APP_PASSWORD" ] || [ -z "$APPLE_TEAM_ID" ]; then
+          # Check if we have API key credentials
+          if [ -n "$API_KEY_ID" ] && [ -n "$API_ISSUER_ID" ] && [ -n "$API_KEY" ]; then
+            echo "Using App Store Connect API key for notarization..."
+            
+            # Create directory for API key
+            mkdir -p ~/private_keys
+            echo "$API_KEY" > ~/private_keys/AuthKey_${API_KEY_ID}.p8
+            
+            # Create zip for notarization
+            ZIP_PATH="TestApp-notarize.zip"
+            ditto -c -k --keepParent "$APP_PATH" "$ZIP_PATH"
+            
+            echo "Submitting for notarization with API key..."
+            xcrun notarytool submit "$ZIP_PATH" \
+              --key ~/private_keys/AuthKey_${API_KEY_ID}.p8 \
+              --key-id "$API_KEY_ID" \
+              --issuer "$API_ISSUER_ID" \
+              --wait
+              
+            # Staple the notarization ticket
+            echo "Stapling notarization ticket..."
+            xcrun stapler staple "$APP_PATH"
+            
+            # Verify notarization
+            echo "🔍 Verifying notarization..."
+            spctl --assess --verbose --type exec "$APP_PATH"
+            
+            echo "NOTARIZED=true" >> "$GITHUB_ENV"
+            
+            # Clean up
+            rm -rf ~/private_keys
+            
+          # Fall back to App-specific password if API key not available
+          elif [ -n "$APPLE_ID" ] && [ -n "$APP_PASSWORD" ] && [ -n "$APPLE_TEAM_ID" ]; then
+            echo "Using App-specific password for notarization..."
+            
+            # Create zip for notarization
+            ZIP_PATH="TestApp-notarize.zip"
+            ditto -c -k --keepParent "$APP_PATH" "$ZIP_PATH"
+            
+            echo "Submitting for notarization..."
+            xcrun notarytool submit "$ZIP_PATH" \
+              --apple-id "$APPLE_ID" \
+              --password "$APP_PASSWORD" \
+              --team-id "$APPLE_TEAM_ID" \
+              --wait
+            
+            # Staple the notarization ticket
+            echo "Stapling notarization ticket..."
+            xcrun stapler staple "$APP_PATH"
+            
+            # Verify notarization
+            echo "🔍 Verifying notarization..."
+            spctl --assess --verbose --type exec "$APP_PATH"
+            
+            echo "NOTARIZED=true" >> "$GITHUB_ENV"
+          else
             echo "⚠️ Missing notarization credentials. Skipping notarization."
+            echo "For App Store Connect API key method, set these secrets:"
+            echo "  - APPLE_NOTARY_API_KEY_ID: Your API key ID"
+            echo "  - APPLE_NOTARY_API_ISSUER_ID: Your API issuer ID"
+            echo "  - APPLE_NOTARY_API_KEY: Your API key content (p8 file)"
+            echo ""
+            echo "For App-specific password method, set these secrets:"
+            echo "  - APPLE_NOTARY_USER: Your Apple ID (email)"
+            echo "  - APPLE_NOTARY_PASSWORD: Your app-specific password"
+            echo "  - APPLE_TEAM_ID: Your Apple Developer team ID"
+            
             echo "NOTARIZED=false" >> "$GITHUB_ENV"
             exit 0
           fi
-          
-          # Create zip for notarization
-          ZIP_PATH="TestApp-notarize.zip"
-          ditto -c -k --keepParent "$APP_PATH" "$ZIP_PATH"
-          
-          echo "Submitting for notarization..."
-          xcrun notarytool submit "$ZIP_PATH" \
-            --apple-id "$APPLE_ID" \
-            --password "$APP_PASSWORD" \
-            --team-id "$APPLE_TEAM_ID" \
-            --wait
-          
-          # Staple the notarization ticket
-          echo "Stapling notarization ticket..."
-          xcrun stapler staple "$APP_PATH"
-          
-          # Verify notarization
-          echo "🔍 Verifying notarization..."
-          spctl --assess --verbose --type exec "$APP_PATH"
-          
-          echo "NOTARIZED=true" >> "$GITHUB_ENV"
         shell: bash
         
       - name: Package Signed App