Add code signing and notarization for macOS releases

revmischa · claude · revmischa · commit 68a5678ed318 · 2026-01-17T09:53:32.000-08:00
Signs the app bundle and .pkg installer with Developer ID certificates,
then notarizes both with Apple's notary service for Gatekeeper approval.

Uses App Store Connect API key for notarization credentials.
Replaces CPack with direct pkgbuild/productbuild for better signing control.

Co-Authored-By: Claude Opus 4.5 &lt;noreply@anthropic.com&gt;
diff --git a/.github/workflows/release-macos.yaml b/.github/workflows/release-macos.yaml
@@ -117,14 +117,108 @@ jobs:
             '-DDEFAULT_TEXTURES_PATH=${application.dir}/../share/projectMSDL/textures/' \
             -DENABLE_INSTALL_BDEPS=ON
           cmake --build cmake-build-frontend-sdl2 --parallel
+          cmake --install cmake-build-frontend-sdl2 --prefix "${{ github.workspace }}/install"
+
+      - name: Import Code Signing Certificates
+        env:
+          MACOS_CERTIFICATE_APPLICATION: ${{ secrets.MACOS_CERTIFICATE_APPLICATION }}
+          MACOS_CERTIFICATE_INSTALLER: ${{ secrets.MACOS_CERTIFICATE_INSTALLER }}
+          MACOS_CERTIFICATE_PASSWORD: ${{ secrets.MACOS_CERTIFICATE_PASSWORD }}
+        run: |
+          echo "$MACOS_CERTIFICATE_APPLICATION" | base64 --decode > app_cert.p12
+          echo "$MACOS_CERTIFICATE_INSTALLER" | base64 --decode > installer_cert.p12
+
+          KEYCHAIN_PASSWORD=$(openssl rand -base64 32)
+          security create-keychain -p "$KEYCHAIN_PASSWORD" build.keychain
+          security default-keychain -s build.keychain
+          security unlock-keychain -p "$KEYCHAIN_PASSWORD" build.keychain
+
+          security import app_cert.p12 -k build.keychain -P "$MACOS_CERTIFICATE_PASSWORD" -T /usr/bin/codesign
+          security import installer_cert.p12 -k build.keychain -P "$MACOS_CERTIFICATE_PASSWORD" -T /usr/bin/productsign
+
+          security set-key-partition-list -S apple-tool:,apple:,codesign: -s -k "$KEYCHAIN_PASSWORD" build.keychain
+
+          rm app_cert.p12 installer_cert.p12
+
+      - name: Sign Application Bundle
+        run: |
+          APP_PATH="${{ github.workspace }}/install/projectM.app"
+          IDENTITY="Developer ID Application: Mischa Spiegelmock (5926VBQM6Y)"
+
+          # Sign all dylibs first
+          find "$APP_PATH/Contents/PlugIns" -name "*.dylib" -exec \
+            codesign --force --options runtime --sign "$IDENTITY" {} \;
+
+          # Sign the main executable
+          codesign --force --options runtime --sign "$IDENTITY" \
+            "$APP_PATH/Contents/MacOS/projectMSDL"
+
+          # Sign the entire bundle
+          codesign --force --options runtime --sign "$IDENTITY" "$APP_PATH"
+
+          # Verify
+          codesign --verify --deep --strict "$APP_PATH"
+
+      - name: Notarize Application
+        env:
+          API_KEY: ${{ secrets.MACOS_NOTARY_API_KEY }}
+          API_KEY_ID: ${{ secrets.MACOS_NOTARY_KEY_ID }}
+          API_ISSUER_ID: ${{ secrets.MACOS_NOTARY_ISSUER_ID }}
+        run: |
+          mkdir -p ~/.private_keys
+          echo "$API_KEY" > ~/.private_keys/AuthKey_${API_KEY_ID}.p8
+
+          ditto -c -k --keepParent \
+            "${{ github.workspace }}/install/projectM.app" \
+            "projectM-notarize.zip"
+
+          xcrun notarytool submit "projectM-notarize.zip" \
+            --key ~/.private_keys/AuthKey_${API_KEY_ID}.p8 \
+            --key-id "$API_KEY_ID" \
+            --issuer "$API_ISSUER_ID" \
+            --wait
+
+          xcrun stapler staple "${{ github.workspace }}/install/projectM.app"
 
       - name: Package projectMSDL
         run: |
-          cd cmake-build-frontend-sdl2
-          cpack -G productbuild
+          # Get version from CMake
+          VERSION=$(grep "project(projectMSDL" frontend-sdl2/CMakeLists.txt | sed -E 's/.*VERSION ([0-9.]+).*/\1/')
+
+          # Build component package from signed app
+          pkgbuild \
+            --root "${{ github.workspace }}/install" \
+            --identifier "org.projectm-visualizer.projectmsdl" \
+            --version "$VERSION" \
+            --install-location "/Applications" \
+            --component-plist "frontend-sdl2/src/resources/projectMSDL-component.plist" \
+            "projectMSDL-component.pkg"
+
+          # Build product archive with installer UI
+          productbuild \
+            --distribution "frontend-sdl2/src/resources/distribution.xml" \
+            --package-path "." \
+            --resources "frontend-sdl2/src/resources" \
+            --sign "Developer ID Installer: Mischa Spiegelmock (5926VBQM6Y)" \
+            "projectM-${VERSION}-macOS-universal.pkg"
+
+      - name: Notarize Package
+        env:
+          API_KEY_ID: ${{ secrets.MACOS_NOTARY_KEY_ID }}
+          API_ISSUER_ID: ${{ secrets.MACOS_NOTARY_ISSUER_ID }}
+        run: |
+          PKG_FILE=$(ls projectM-*.pkg | head -1)
+
+          xcrun notarytool submit "$PKG_FILE" \
+            --key ~/.private_keys/AuthKey_${API_KEY_ID}.p8 \
+            --key-id "$API_KEY_ID" \
+            --issuer "$API_ISSUER_ID" \
+            --wait
+
+          xcrun stapler staple "$PKG_FILE"
 
       - name: Upload Artifact
         uses: actions/upload-artifact@v4
         with:
           name: projectMSDL-macOS-Universal
-          path: cmake-build-frontend-sdl2/*.pkg
+          path: projectM-*.pkg
diff --git a/packaging-macos.cmake b/packaging-macos.cmake
@@ -10,8 +10,8 @@ set(CPACK_RESOURCE_FILE_LICENSE "${CMAKE_CURRENT_SOURCE_DIR}/src/resources/gpl-3
 set(CPACK_STRIP_FILES TRUE)
 
 ### Productbuild configuration
-set(CPACK_PKGBUILD_IDENTITY_NAME "${CODESIGN_IDENTITY_INSTALLER}")
-set(CPACK_PRODUCTBUILD_IDENTITY_NAME "${CODESIGN_IDENTITY_INSTALLER}")
+set(CPACK_PKGBUILD_IDENTITY_NAME "$ENV{CODESIGN_IDENTITY_INSTALLER}")
+set(CPACK_PRODUCTBUILD_IDENTITY_NAME "$ENV{CODESIGN_IDENTITY_INSTALLER}")
 set(CPACK_PRODUCTBUILD_IDENTIFIER "org.projectm-visualizer.projectmsdl")
 
 string(REPLACE ";" "," INSTALL_ARCHITECTURES "${CMAKE_OSX_ARCHITECTURES}")
diff --git a/src/resources/distribution.xml b/src/resources/distribution.xml
@@ -0,0 +1,17 @@
+<?xml version="1.0" encoding="utf-8"?>
+<installer-gui-script minSpecVersion="2">
+    <title>projectM</title>
+    <organization>org.projectm-visualizer</organization>
+    <welcome file="macos-welcome.txt"/>
+    <readme file="macos-readme.txt"/>
+    <license file="gpl-3.0.rtf"/>
+    <options customize="never" require-scripts="false" hostArchitectures="x86_64,arm64"/>
+    <domains enable_anywhere="false" enable_currentUserHome="false" enable_localSystem="true"/>
+    <choices-outline>
+        <line choice="default"/>
+    </choices-outline>
+    <choice id="default" title="projectM">
+        <pkg-ref id="org.projectm-visualizer.projectmsdl"/>
+    </choice>
+    <pkg-ref id="org.projectm-visualizer.projectmsdl" version="0" onConclusion="none">projectMSDL-component.pkg</pkg-ref>
+</installer-gui-script>
diff --git a/src/resources/projectMSDL-component.plist b/src/resources/projectMSDL-component.plist
@@ -12,7 +12,7 @@
         <key>BundleOverwriteAction</key>
         <string>upgrade</string>
         <key>RootRelativeBundlePath</key>
-        <string>Applications/projectM.app</string>
+        <string>projectM.app</string>
     </dict>
 </array>
 </plist>
diff --git a/vendor/imgui b/vendor/imgui
@@ -1 +1 @@
-Subproject commit 45acd5e0e82f4c954432533ae9985ff0e1aad6d5
+Subproject commit d6cb3c923d28dcebb2d8d9605ccc7229ccef19eb
