Add code signing and notarization for macOS releases

revmischa · claude · revmischa · commit 5c358feb0593 · 2026-01-17T09:40:32.000-08:00
Signs the app bundle and .pkg installer with Developer ID certificates,
then notarizes both with Apple's notary service for Gatekeeper approval.

Co-Authored-By: Claude Opus 4.5 &lt;noreply@anthropic.com&gt;
diff --git a/.github/workflows/release-macos.yaml b/.github/workflows/release-macos.yaml
@@ -118,11 +118,79 @@ jobs:
             -DENABLE_INSTALL_BDEPS=ON
           cmake --build cmake-build-frontend-sdl2 --parallel
 
+      - name: Import Code Signing Certificates
+        env:
+          MACOS_CERTIFICATE_APPLICATION: ${{ secrets.MACOS_CERTIFICATE_APPLICATION }}
+          MACOS_CERTIFICATE_INSTALLER: ${{ secrets.MACOS_CERTIFICATE_INSTALLER }}
+          MACOS_CERTIFICATE_PASSWORD: ${{ secrets.MACOS_CERTIFICATE_PASSWORD }}
+        run: |
+          echo "$MACOS_CERTIFICATE_APPLICATION" | base64 --decode > app_cert.p12
+          echo "$MACOS_CERTIFICATE_INSTALLER" | base64 --decode > installer_cert.p12
+
+          KEYCHAIN_PASSWORD=$(openssl rand -base64 32)
+          security create-keychain -p "$KEYCHAIN_PASSWORD" build.keychain
+          security default-keychain -s build.keychain
+          security unlock-keychain -p "$KEYCHAIN_PASSWORD" build.keychain
+
+          security import app_cert.p12 -k build.keychain -P "$MACOS_CERTIFICATE_PASSWORD" -T /usr/bin/codesign
+          security import installer_cert.p12 -k build.keychain -P "$MACOS_CERTIFICATE_PASSWORD" -T /usr/bin/productsign
+
+          security set-key-partition-list -S apple-tool:,apple:,codesign: -s -k "$KEYCHAIN_PASSWORD" build.keychain
+
+          rm app_cert.p12 installer_cert.p12
+
+      - name: Sign Application Bundle
+        run: |
+          APP_PATH="cmake-build-frontend-sdl2/projectM.app"
+          IDENTITY="Developer ID Application: Mischa Spiegelmock (5926VBQM6Y)"
+
+          find "$APP_PATH/Contents/PlugIns" -name "*.dylib" -exec \
+            codesign --force --options runtime --sign "$IDENTITY" {} \;
+
+          codesign --force --options runtime --sign "$IDENTITY" \
+            "$APP_PATH/Contents/MacOS/projectMSDL"
+
+          codesign --force --options runtime --sign "$IDENTITY" "$APP_PATH"
+
+          codesign --verify --deep --strict "$APP_PATH"
+
+      - name: Notarize Application
+        env:
+          APPLE_ID: ${{ secrets.MACOS_NOTARIZATION_APPLE_ID }}
+          APPLE_PASSWORD: ${{ secrets.MACOS_NOTARIZATION_PASSWORD }}
+        run: |
+          xcrun notarytool store-credentials "notary-profile" \
+            --apple-id "$APPLE_ID" \
+            --password "$APPLE_PASSWORD" \
+            --team-id "5926VBQM6Y"
+
+          ditto -c -k --keepParent \
+            "cmake-build-frontend-sdl2/projectM.app" \
+            "projectM-notarize.zip"
+
+          xcrun notarytool submit "projectM-notarize.zip" \
+            --keychain-profile "notary-profile" \
+            --wait
+
+          xcrun stapler staple "cmake-build-frontend-sdl2/projectM.app"
+
       - name: Package projectMSDL
+        env:
+          CODESIGN_IDENTITY_INSTALLER: "Developer ID Installer: Mischa Spiegelmock (5926VBQM6Y)"
         run: |
           cd cmake-build-frontend-sdl2
           cpack -G productbuild
 
+      - name: Notarize Package
+        run: |
+          PKG_FILE=$(ls cmake-build-frontend-sdl2/*.pkg | head -1)
+
+          xcrun notarytool submit "$PKG_FILE" \
+            --keychain-profile "notary-profile" \
+            --wait
+
+          xcrun stapler staple "$PKG_FILE"
+
       - name: Upload Artifact
         uses: actions/upload-artifact@v4
         with:
diff --git a/packaging-macos.cmake b/packaging-macos.cmake
@@ -10,8 +10,8 @@ set(CPACK_RESOURCE_FILE_LICENSE "${CMAKE_CURRENT_SOURCE_DIR}/src/resources/gpl-3
 set(CPACK_STRIP_FILES TRUE)
 
 ### Productbuild configuration
-set(CPACK_PKGBUILD_IDENTITY_NAME "${CODESIGN_IDENTITY_INSTALLER}")
-set(CPACK_PRODUCTBUILD_IDENTITY_NAME "${CODESIGN_IDENTITY_INSTALLER}")
+set(CPACK_PKGBUILD_IDENTITY_NAME "$ENV{CODESIGN_IDENTITY_INSTALLER}")
+set(CPACK_PRODUCTBUILD_IDENTITY_NAME "$ENV{CODESIGN_IDENTITY_INSTALLER}")
 set(CPACK_PRODUCTBUILD_IDENTIFIER "org.projectm-visualizer.projectmsdl")
 
 string(REPLACE ";" "," INSTALL_ARCHITECTURES "${CMAKE_OSX_ARCHITECTURES}")
