feat: build with sign

Author: lighthx

.github/workflows/release.yml

@@ -27,35 +27,26 @@ jobs:
         with:
           key: ${{ matrix.target }}
           cache-on-failure: true
-      - name: Install the Apple certificate and provisioning profile
+
+      - name: Install the Apple certificate
         env:
           BUILD_CERTIFICATE_BASE64: ${{ secrets.BUILD_CERTIFICATE_BASE64 }}
           P12_PASSWORD: ${{ secrets.P12_PASSWORD }}
-          BUILD_PROVISION_PROFILE_BASE64: ${{ secrets.BUILD_PROVISION_PROFILE_BASE64 }}
           KEYCHAIN_PASSWORD: ${{ secrets.KEYCHAIN_PASSWORD }}
         run: |
-          # create variables
           CERTIFICATE_PATH=$RUNNER_TEMP/build_certificate.p12
-          PP_PATH=$RUNNER_TEMP/build_pp.mobileprovision
           KEYCHAIN_PATH=$RUNNER_TEMP/app-signing.keychain-db
 
-          # import certificate and provisioning profile from secrets
           echo -n "$BUILD_CERTIFICATE_BASE64" | base64 --decode -o $CERTIFICATE_PATH
-          echo -n "$BUILD_PROVISION_PROFILE_BASE64" | base64 --decode -o $PP_PATH
 
-          # create temporary keychain
           security create-keychain -p "$KEYCHAIN_PASSWORD" $KEYCHAIN_PATH
           security set-keychain-settings -lut 21600 $KEYCHAIN_PATH
           security unlock-keychain -p "$KEYCHAIN_PASSWORD" $KEYCHAIN_PATH
 
-          # import certificate to keychain
           security import $CERTIFICATE_PATH -P "$P12_PASSWORD" -A -t cert -f pkcs12 -k $KEYCHAIN_PATH
-          security set-key-partition-list -S apple-tool:,apple: -k "$KEYCHAIN_PASSWORD" $KEYCHAIN_PATH
           security list-keychain -d user -s $KEYCHAIN_PATH
-
-          # apply provisioning profile
-          mkdir -p ~/Library/MobileDevice/Provisioning\ Profiles
-          cp $PP_PATH ~/Library/MobileDevice/Provisioning\ Profiles
+          security default-keychain -s $KEYCHAIN_PATH
+          security set-key-partition-list -S apple-tool:,apple:,codesign: -s -k "$KEYCHAIN_PASSWORD" $KEYCHAIN_PATH
 
       - name: Install cargo-bundle
         run: cargo install cargo-bundle
@@ -64,30 +55,94 @@ jobs:
         run: |
           cargo bundle --release --target ${{ matrix.target }}
 
-      - name: Clean up keychain and provisioning profile
-        if: ${{ always() }}
+      - name: Sign and Notarize
+        env:
+          APPLE_DEVELOPER_ID: ${{ secrets.APPLE_DEVELOPER_ID }}
+          APPLE_TEAM_ID: ${{ secrets.APPLE_TEAM_ID }}
+          APPLE_APP_SPECIFIC_PASSWORD: ${{ secrets.APPLE_APP_SPECIFIC_PASSWORD }}
+          APPLE_ID: ${{ secrets.APPLE_ID }}
+          KEYCHAIN_PASSWORD: ${{ secrets.KEYCHAIN_PASSWORD }}
         run: |
-          security delete-keychain $RUNNER_TEMP/app-signing.keychain-db
-          rm ~/Library/MobileDevice/Provisioning\ Profiles/build_pp.mobileprovision
+          cd target/${{ matrix.target }}/release/bundle/osx
+          
+          codesign --remove-signature Gomi.app/Contents/MacOS/Gomi || true
+          codesign --remove-signature Gomi.app || true
+          
+          codesign --force --options runtime \
+            --sign "$APPLE_DEVELOPER_ID" \
+            --timestamp \
+            --keychain "$RUNNER_TEMP/app-signing.keychain-db" \
+            --entitlements $GITHUB_WORKSPACE/resources/entitlements.plist \
+            Gomi.app/Contents/MacOS/Gomi
+          
+          find Gomi.app/Contents/MacOS -type f -perm +111 -exec \
+            codesign --force --options runtime \
+              --sign "$APPLE_DEVELOPER_ID" \
+              --timestamp \
+              --keychain "$RUNNER_TEMP/app-signing.keychain-db" \
+              --entitlements $GITHUB_WORKSPACE/resources/entitlements.plist \
+              {} \;
+          
+          codesign --force --options runtime \
+            --entitlements $GITHUB_WORKSPACE/resources/entitlements.plist \
+            --sign "$APPLE_DEVELOPER_ID" \
+            --deep --strict \
+            --timestamp \
+            --keychain "$RUNNER_TEMP/app-signing.keychain-db" \
+            Gomi.app
           
-      - name: Create ZIP
+          ditto -c -k --keepParent Gomi.app Gomi.zip
+          
+          NOTARIZATION_OUTPUT=$(xcrun notarytool submit Gomi.zip \
+            --apple-id "$APPLE_ID" \
+            --password "$APPLE_APP_SPECIFIC_PASSWORD" \
+            --team-id "$APPLE_TEAM_ID" \
+            --wait)
+          
+          SUBMISSION_ID=$(echo "$NOTARIZATION_OUTPUT" | grep "id:" | head -n1 | awk '{print $2}' | tr -d '[:space:]')
+          
+          if [ ! -z "$SUBMISSION_ID" ]; then
+            xcrun notarytool log \
+              --apple-id "$APPLE_ID" \
+              --password "$APPLE_APP_SPECIFIC_PASSWORD" \
+              --team-id "$APPLE_TEAM_ID" \
+              "$SUBMISSION_ID" notarization.log
+          else
+            exit 1
+          fi
+          
+          xcrun stapler staple Gomi.app
+
+      - name: Create DMG
+        env:
+          APPLE_DEVELOPER_ID: ${{ secrets.APPLE_DEVELOPER_ID }}
         run: |
           cd target/${{ matrix.target }}/release/bundle/osx
-          zip -r "Gomi-${{ matrix.target }}.zip" Gomi.app
+          hdiutil create -volname "Gomi" -srcfolder "Gomi.app" -ov -format UDZO "Gomi-${{ matrix.target }}.dmg"
+          codesign --force \
+            --sign "$APPLE_DEVELOPER_ID" \
+            --timestamp \
+            --keychain "$RUNNER_TEMP/app-signing.keychain-db" \
+            "Gomi-${{ matrix.target }}.dmg"
 
       - name: Upload Release
         uses: softprops/action-gh-release@v1
         if: startsWith(github.ref, 'refs/tags/')
         with:
           files: |
-            target/${{ matrix.target }}/release/bundle/osx/*.zip
+            target/${{ matrix.target }}/release/bundle/osx/*.dmg
         env:
           GITHUB_TOKEN: ${{ secrets.GH_TOKEN }}
 
       - name: Generate Checksums
         run: |
           cd target/${{ matrix.target }}/release/bundle/osx
-          shasum -a 256 *.zip > checksums.txt
+          shasum -a 256 *.dmg > checksums.txt
+
+      - name: Clean up keychain and provisioning profile
+        if: ${{ always() }}
+        run: |
+          security delete-keychain $RUNNER_TEMP/app-signing.keychain-db
 
       - name: Upload Checksums
         uses: softprops/action-gh-release@v1

resources/entitlements.plist

@@ -0,0 +1,16 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
+<plist version="1.0">
+<dict>
+    <key>com.apple.security.app-sandbox</key>
+    <false/>
+    <key>com.apple.security.files.user-selected.read-write</key>
+    <true/>
+    <key>com.apple.security.files.downloads.read-write</key>
+    <true/>
+    <key>com.apple.security.temporary-exception.files.home-relative-path.read-write</key>
+    <array>
+        <string>/.gomi.db</string>
+    </array>
+</dict>
+</plist> 

resources/info.plist

@@ -6,79 +6,6 @@
     <true/>
     <key>CFBundleDisplayName</key>
     <string>Gomi</string>
-    <key>CFBundleDocumentTypes</key>
-    <array>
-      <dict>
-        <key>CFBundleTypeExtensions</key>
-        <array>
-          <string>html</string>
-        </array>
-        <key>CFBundleTypeIconFile</key>
-        <string>icon.icns</string>
-        <key>CFBundleTypeName</key>
-        <string>HyperText Markup File</string>
-        <key>CFBundleTypeRole</key>
-        <string>Viewer</string>
-        <key>LSHandlerRank</key>
-        <string>Default</string>
-      </dict>
-      <dict>
-        <key>CFBundleTypeExtensions</key>
-        <array>
-          <string>xhtml</string>
-        </array>
-        <key>CFBundleTypeIconFile</key>
-        <string>icon.icns</string>
-        <key>CFBundleTypeName</key>
-        <string>Extensible HyperText Markup File</string>
-        <key>CFBundleTypeRole</key>
-        <string>Viewer</string>
-        <key>LSHandlerRank</key>
-        <string>Default</string>
-      </dict>
-      <dict>
-        <key>CFBundleTypeExtensions</key>
-        <array>
-          <string>htm</string>
-        </array>
-        <key>CFBundleTypeIconFile</key>
-        <string>icon.icns</string>
-        <key>CFBundleTypeName</key>
-        <string>HyperText Markup File</string>
-        <key>CFBundleTypeRole</key>
-        <string>Viewer</string>
-        <key>LSHandlerRank</key>
-        <string>Default</string>
-      </dict>
-      <dict>
-        <key>CFBundleTypeExtensions</key>
-        <array>
-          <string>shtml</string>
-        </array>
-        <key>CFBundleTypeIconFile</key>
-        <string>icon.icns</string>
-        <key>CFBundleTypeName</key>
-        <string>HyperText Markup File</string>
-        <key>CFBundleTypeRole</key>
-        <string>Viewer</string>
-        <key>LSHandlerRank</key>
-        <string>Default</string>
-      </dict>
-      <dict>
-        <key>CFBundleTypeExtensions</key>
-        <array>
-          <string>xht</string>
-        </array>
-        <key>CFBundleTypeIconFile</key>
-        <string>icon.icns</string>
-        <key>CFBundleTypeName</key>
-        <string>Extensible HyperText Markup File</string>
-        <key>CFBundleTypeRole</key>
-        <string>Viewer</string>
-        <key>LSHandlerRank</key>
-        <string>Default</string>
-      </dict>
-    </array>
     <key>CFBundleURLTypes</key>
     <array>
       <dict>
@@ -93,5 +20,13 @@
         </array>
       </dict>
     </array>
+    <key>LSMinimumSystemVersion</key>
+    <string>10.15</string>
+    <key>CFBundleVersion</key>
+    <string>0.1.0</string>
+    <key>CFBundleShortVersionString</key>
+    <string>0.1.0</string>
+    <key>CFBundleIdentifier</key>
+    <string>com.lighthx.gomi</string>
   </dict>
 </plist>