ci: add macOS notarization

.github/workflows/build.yml

@@ -43,6 +43,14 @@ jobs:
       run: |
         sudo apt-get update -y -qq
         sudo apt-get install libsdl2-dev libgtksourceview2.0-dev libgtk2.0-dev libao-dev libopenal-dev   
+    - name: "macOS: Import Certificate"
+      if: runner.os == 'macOS'
+      uses: devbotsxyz/import-signing-certificate@2ac4f44d28045073d23153256efbb4c4b2d8aa22    # Don't use rolling branch for security reasons
+      with:
+        certificate-data: ${{ secrets.MACOS_CERTIFICATE_DATA }}
+        certificate-passphrase: ${{ secrets.MACOS_CERTIFICATE_PASSPHRASE }}
+        keychain-name: ares-macos-keychain
+        keychain-password: ${{ secrets.MACOS_KEYCHAIN_PASSWORD }}
     - uses: actions/checkout@v2
     - name: Install macOS Dependencies
       if: runner.os == 'macOS'
@@ -50,16 +58,29 @@ jobs:
         brew install make
         echo "MAKE=gmake" >> $GITHUB_ENV
         pushd thirdparty/MoltenVK
-        ./build-moltenvk.sh
+        #./build-moltenvk.sh
         popd
     - name: Make
       if: runner.os != 'macOS'
       run: ${MAKE:-make} -j4 -C desktop-ui build=optimized local=false compiler=${{ matrix.platform.compiler }}
-    - name: Make universal app
+    - name: "macOS: Make universal app"
       if: runner.os == 'macOS'
       run: scripts/macos-make-universal.sh
       env:
         MAKEFLAGS: -j3
+        MACOS_CERTIFICATE_NAME: ${{ secrets.MACOS_CERTIFICATE_NAME }}
+        MACOS_KEYCHAIN_NAME: ares-macos-keychain
+        MACOS_KEYCHAIN_PASSWORD: ${{ secrets.MACOS_KEYCHAIN_PASSWORD }}
+    - name: "macOS: notarize"
+      if: runner.os == 'macOS'
+      run: |
+        ditto -c -k --keepParent desktop-ui/out/ares.app /tmp/ares.zip
+        xcrun notarytool submit /tmp/ares.zip --apple-id "$MACOS_NOTARIZATION_USERNAME" --password "$MACOS_NOTARIZATION_PASSWORD" --team-id "$MACOS_NOTARIZATION_TEAMID" --wait
+        xcrun stapler staple desktop-ui/out/ares.app
+      env:
+        MACOS_NOTARIZATION_USERNAME: ${{ secrets.MACOS_NOTARIZATION_USERNAME }}
+        MACOS_NOTARIZATION_PASSWORD: ${{ secrets.MACOS_NOTARIZATION_PASSWORD }}
+        MACOS_NOTARIZATION_TEAMID: ${{ secrets.MACOS_NOTARIZATION_TEAMID }}
     - name: Upload
       uses: actions/upload-artifact@v2
       with:

scripts/macos-make-universal.sh

@@ -27,11 +27,15 @@ lipo -create -output desktop-ui/out/ares.app/Contents/MacOS/ares \
     desktop-ui/out-amd64/ares.app/Contents/MacOS/ares \
     desktop-ui/out-arm64/ares.app/Contents/MacOS/ares
 
-if [ "${CERTIFICATE_NAME:-}" == "" ]; then
+if [ "${MACOS_KEYCHAIN_PASSWORD:-}" != "" ]; then
+    security unlock-keychain -p "$MACOS_KEYCHAIN_PASSWORD" "$MACOS_KEYCHAIN_NAME"
+fi
+
+if [ "${MACOS_CERTIFICATE_NAME:-}" == "" ]; then
     echo "Signing using self-signed"
     ENTITLEMENTS=desktop-ui/resource/ares.selfsigned.entitlements
 else
-    echo "Signing using certificate: ${CERTIFICATE_NAME}"
+    echo "Signing using certificate: ${MACOS_CERTIFICATE_NAME}"
     ENTITLEMENTS=desktop-ui/resource/ares.entitlements
 fi
-codesign --force --deep --options runtime --entitlements "${ENTITLEMENTS}" --sign "${CERTIFICATE_NAME:--}" desktop-ui/out/ares.app
+codesign --force --deep --options runtime --entitlements "${ENTITLEMENTS}" --sign "${MACOS_CERTIFICATE_NAME:--}" desktop-ui/out/ares.app