Apple signed binaries

2026-03-10 08:31:19 +00:00 · 2025-12-12 18:27:06 -06:00
parent db2fc1a7ca
commit b8d557e7c2
6 changed files with 127 additions and 81 deletions
--- a/.github/workflows/release.yml
+++ b/.github/workflows/release.yml
@@ -109,38 +109,38 @@ jobs:
        run: mkdir -p release
        shell: bash

+      # Import Apple certificate for code signing
+      - name: Import Apple certificate
+        if: matrix.platform == 'mac'
+        env:
+          APPLE_CERTIFICATE: ${{ secrets.APPLE_CERTIFICATE }}
+          APPLE_CERTIFICATE_PASSWORD: ${{ secrets.APPLE_CERTIFICATE_PASSWORD }}
+        run: |
+          # Create temporary keychain
+          KEYCHAIN_PATH=$RUNNER_TEMP/app-signing.keychain-db
+          KEYCHAIN_PASSWORD=$(openssl rand -base64 32)
+
+          # Create keychain
+          security create-keychain -p "$KEYCHAIN_PASSWORD" "$KEYCHAIN_PATH"
+          security set-keychain-settings -lut 21600 "$KEYCHAIN_PATH"
+          security unlock-keychain -p "$KEYCHAIN_PASSWORD" "$KEYCHAIN_PATH"
+
+          # Import certificate
+          echo "$APPLE_CERTIFICATE" | base64 --decode > $RUNNER_TEMP/certificate.p12
+          security import $RUNNER_TEMP/certificate.p12 -P "$APPLE_CERTIFICATE_PASSWORD" -A -t cert -f pkcs12 -k "$KEYCHAIN_PATH"
+          security list-keychain -d user -s "$KEYCHAIN_PATH"
+
+          # Allow codesign to access the key
+          security set-key-partition-list -S apple-tool:,apple:,codesign: -s -k "$KEYCHAIN_PASSWORD" "$KEYCHAIN_PATH"
+
      - name: Package for macOS
        if: matrix.platform == 'mac'
        run: npx electron-builder --mac --publish never --config.extraMetadata.version=${{ steps.version.outputs.VERSION }}
        env:
-          CSC_IDENTITY_AUTO_DISCOVERY: false
-          CSC_LINK: ""
          DEBUG: electron-builder
-
-      # Ad-hoc sign macOS apps and re-create archives
-      # Fixes "code has no resources but signature indicates they must be present"
-      - name: Ad-hoc sign macOS apps
-        if: matrix.platform == 'mac'
-        run: |
-          VERSION=${{ steps.version.outputs.VERSION }}
-
-          # Sign x64 app and recreate zip
-          if [ -d "release/mac/Maestro.app" ]; then
-            echo "Ad-hoc signing: release/mac/Maestro.app"
-            codesign --sign - --deep --force "release/mac/Maestro.app"
-            echo "Re-creating ZIP for x64..."
-            rm -f "release/Maestro-${VERSION}-mac.zip"
-            cd release/mac && zip -r -y "../Maestro-${VERSION}-mac.zip" Maestro.app && cd ../..
-          fi
-
-          # Sign arm64 app and recreate zip
-          if [ -d "release/mac-arm64/Maestro.app" ]; then
-            echo "Ad-hoc signing: release/mac-arm64/Maestro.app"
-            codesign --sign - --deep --force "release/mac-arm64/Maestro.app"
-            echo "Re-creating ZIP for arm64..."
-            rm -f "release/Maestro-${VERSION}-arm64-mac.zip"
-            cd release/mac-arm64 && zip -r -y "../Maestro-${VERSION}-arm64-mac.zip" Maestro.app && cd ../..
-          fi
+          APPLE_ID: ${{ secrets.APPLE_ID }}
+          APPLE_APP_SPECIFIC_PASSWORD: ${{ secrets.APPLE_APP_SPECIFIC_PASSWORD }}
+          APPLE_TEAM_ID: ${{ secrets.APPLE_TEAM_ID }}

      - name: Package for Windows
        if: matrix.platform == 'win'