.gitea/workflows/macos-build.yml

@@ -72,6 +72,79 @@ jobs:
           echo "Packaged releases:"
           ls -la PackagedReleases/
       
+      - name: Sign and Notarize macOS App
+        env:
+          APPLE_TEAM_ID: ${{ secrets.APPLE_TEAM_ID }}
+          CERTIFICATE_BASE64: ${{ secrets.MACOS_CERTIFICATE }}
+          CERTIFICATE_PASSWORD: ${{ secrets.MACOS_CERTIFICATE_PWD }}
+          API_KEY_PATH: ${{ secrets.NOTARY_API_KEY_PATH }}
+          API_KEY_ID: ${{ secrets.NOTARY_API_KEY_ID }}
+          API_KEY_ISSUER_ID: ${{ secrets.NOTARY_API_KEY_ISSUER_ID }}
+        run: |
+          # Decode the base64 certificate
+          echo "Setting up certificate..."
+          echo $CERTIFICATE_BASE64 | base64 --decode > certificate.p12
+          
+          # Create keychain and import certificate
+          KEYCHAIN_PATH=$RUNNER_TEMP/app-signing.keychain-db
+          KEYCHAIN_PASSWORD=temporary
+          
+          security create-keychain -p "$KEYCHAIN_PASSWORD" "$KEYCHAIN_PATH"
+          security set-keychain-settings -lut 21600 "$KEYCHAIN_PATH"
+          security unlock-keychain -p "$KEYCHAIN_PASSWORD" "$KEYCHAIN_PATH"
+          security import certificate.p12 -P "$CERTIFICATE_PASSWORD" -A -t cert -f pkcs12 -k "$KEYCHAIN_PATH"
+          security list-keychain -d user -s "$KEYCHAIN_PATH"
+          
+          # Find app bundle
+          APP_PATH=$(find Builds -type d -name "*.app" | head -1)
+          
+          if [ -n "$APP_PATH" ]; then
+            echo "Signing app bundle: $APP_PATH"
+            
+            # Sign the application
+            /usr/bin/codesign --force --options runtime --sign "Developer ID Application: $APPLE_TEAM_ID" --deep --entitlements "./LuckyRobots.entitlements" "$APP_PATH"
+            
+            # Create a temporary file for notarization
+            NOTARIZE_APP_PATH="./LuckyRobots-notarize.zip"
+            ditto -c -k --keepParent "$APP_PATH" "$NOTARIZE_APP_PATH"
+            
+            # Decode the API key from Base64 secret
+            echo "$API_KEY_PATH" | base64 --decode > api_key.p8
+            API_KEY_FILE="api_key.p8"
+            
+            # Submit for notarization using API key
+            echo "Submitting for notarization with API key..."
+            xcrun notarytool submit "$NOTARIZE_APP_PATH" --key "$API_KEY_FILE" --key-id "$API_KEY_ID" --issuer "$API_KEY_ISSUER_ID" --wait
+            
+            # Check notarization result
+            NOTARIZATION_INFO=$(xcrun notarytool history --key "$API_KEY_FILE" --key-id "$API_KEY_ID" --issuer "$API_KEY_ISSUER_ID" | grep -E '(success|invalid)' | head -1)
+            
+            # Clean up the API key file
+            rm -f "$API_KEY_FILE"
+            
+            if echo "$NOTARIZATION_INFO" | grep -q "success"; then
+              echo "Notarization successful"
+              
+              # Staple the ticket to the application
+              xcrun stapler staple "$APP_PATH"
+              
+              # Repackage the notarized app
+              rm "PackagedReleases/LuckyRobots-macOS.zip"
+              (cd $(dirname "$APP_PATH") && zip -r "../../PackagedReleases/LuckyRobots-macOS.zip" "$(basename "$APP_PATH")")
+              echo "Repackaged notarized app"
+            else
+              echo "Notarization failed: $NOTARIZATION_INFO"
+              exit 1
+            fi
+          else
+            echo "No app bundle found for signing and notarization"
+            exit 1
+          fi
+          
+          # Clean up
+          rm -f certificate.p12
+          security delete-keychain "$KEYCHAIN_PATH"
+      
       - name: Upload macOS Build Artifact
         uses: actions/upload-artifact@v3
         if: success()

LuckyRobots.entitlements

@@ -0,0 +1,18 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
+<plist version="1.0">
+<dict>
+    <key>com.apple.security.cs.allow-jit</key>
+    <true/>
+    <key>com.apple.security.cs.allow-unsigned-executable-memory</key>
+    <true/>
+    <key>com.apple.security.cs.disable-library-validation</key>
+    <true/>
+    <key>com.apple.security.cs.allow-dyld-environment-variables</key>
+    <true/>
+    <key>com.apple.security.device.audio-input</key>
+    <true/>
+    <key>com.apple.security.device.camera</key>
+    <true/>
+</dict>
+</plist>