

ref: c3a336812cedf3024dfa1cdf059a0a91649830fc
parent: ce3f4db79fd038ca1030a04aae5a3a881d16ca37
author: Jonne Kokkonen <jonne.kokkonen@gmail.com>
date: Tue Jul 1 18:16:44 EDT 2025

notarize the apple build only on releases (#196)


--- a/.github/workflows/build-macos-arm.yml
+++ b/.github/workflows/build-macos-arm.yml
@@ -3,6 +3,8 @@
 on:
   push:
   pull_request:
+  release:
+    types: [published]
   workflow_dispatch:
 
 jobs:
@@ -29,6 +31,7 @@
 
       - name: Create Custom Keychain
         id: createCustomKeychain
+        if: github.event_name == 'release'
         env:
           KEYCHAIN_PASSWORD: ${{ secrets.KEYCHAIN_PASSWORD }}
         run: |
@@ -39,6 +42,8 @@
           security set-keychain-settings build.keychain      
 
       - name: Import Apple Developer Certificate
+        id: importAppleCertificate
+        if: github.event_name == 'release'
         env:
           CERTIFICATE_PASSWORD: ${{ secrets.CERTIFICATE_PASSWORD }}
           KEYCHAIN_PASSWORD: ${{ secrets.KEYCHAIN_PASSWORD }}
@@ -72,6 +77,8 @@
         run: cat /Users/runner/work/m8c/m8c/${{ env.BUILD_DIR }}/_CPack_Packages/Darwin/DragNDrop/PreinstallOutput.log
 
       - name: 'Notarize the App'
+        id: notarizeApp
+        if: github.event_name == 'release'
         run: |
           pushd ${{ env.BUILD_DIR }}
           APP_PATH=$(find package-output -maxdepth 1 -name "m8c*.dmg" | head -n 1)
@@ -88,8 +95,9 @@
           APPLE_PASSWORD: ${{ secrets.APP_SPECIFIC_PASSWORD }}
           TEAM_ID: ${{ secrets.TEAM_ID }}
 
-
       - name: 'Verify Stapling'
+        id: verifyStapling
+        if: github.event_name == 'release'
         run: |
           APP_PATH=$(find "${{ env.BUILD_DIR }}/package-output" -maxdepth 1 -name "m8c*.dmg" | head -n 1)
           echo "Verifying stapling on $APP_PATH"
@@ -96,7 +104,8 @@
           xcrun stapler validate "$APP_PATH"        
 
       - name: 'Delete Custom Keychain'
-        if: steps.createCustomKeychain.outcome == 'success'
+        id: deleteCustomKeychain
+        if: github.event_name == 'release' && steps.createCustomKeychain.outcome == 'success'
         run: |
           security delete-keychain build.keychain        
 
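Review bot: The `if:` on 'Delete Custom Keychain' has no status function, so GitHub Actions applies an implicit `success()` and the step is skipped whenever an earlier step (for example notarization or stapling) fails, leaving `build.keychain` with the imported signing certificate on the runner. Use `if: always() && steps.createCustomKeychain.outcome == 'success'`; the `github.event_name == 'release'` test then becomes redundant, because the create step's outcome is `skipped` on every other event. On hosted runners the VM is discarded anyway, but the cleanup should not depend on that. The same condition is added in the matching hunk of build-macos-intel.yml.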
@@ -110,4 +119,4 @@
         with:
           name: m8c-${{ env.NOW }}-macos-applesilicon
           path: |
-            m8c-${{ env.NOW }}-macos-applesilicon.dmg
+            m8c-${{ env.NOW }}-macos-applesilicon.dmg
\ No newline at end of file
--- a/.github/workflows/build-macos-intel.yml
+++ b/.github/workflows/build-macos-intel.yml
@@ -3,6 +3,8 @@
 on:
   push:
   pull_request:
+  release:
+    types: [published]
   workflow_dispatch:
 
 jobs:
@@ -29,6 +31,7 @@
 
       - name: Create Custom Keychain
         id: createCustomKeychain
+        if: github.event_name == 'release'
         env:
           KEYCHAIN_PASSWORD: ${{ secrets.KEYCHAIN_PASSWORD }}
         run: |
@@ -39,6 +42,8 @@
           security set-keychain-settings build.keychain      
 
       - name: Import Apple Developer Certificate
+        id: importAppleCertificate
+        if: github.event_name == 'release'
         env:
           CERTIFICATE_PASSWORD: ${{ secrets.CERTIFICATE_PASSWORD }}
           KEYCHAIN_PASSWORD: ${{ secrets.KEYCHAIN_PASSWORD }}
@@ -72,6 +77,8 @@
         run: cat /Users/runner/work/m8c/m8c/${{ env.BUILD_DIR }}/_CPack_Packages/Darwin/DragNDrop/PreinstallOutput.log
 
       - name: 'Notarize the App'
+        id: notarizeApp
+        if: github.event_name == 'release'
         run: |
           pushd ${{ env.BUILD_DIR }}
           APP_PATH=$(find package-output -maxdepth 1 -name "m8c*.dmg" | head -n 1)
@@ -88,8 +95,9 @@
           APPLE_PASSWORD: ${{ secrets.APP_SPECIFIC_PASSWORD }}
           TEAM_ID: ${{ secrets.TEAM_ID }}
 
-
       - name: 'Verify Stapling'
+        id: verifyStapling
+        if: github.event_name == 'release'
         run: |
           APP_PATH=$(find "${{ env.BUILD_DIR }}/package-output" -maxdepth 1 -name "m8c*.dmg" | head -n 1)
           echo "Verifying stapling on $APP_PATH"
@@ -96,7 +104,8 @@
           xcrun stapler validate "$APP_PATH"        
 
       - name: 'Delete Custom Keychain'
-        if: steps.createCustomKeychain.outcome == 'success'
+        id: deleteCustomKeychain
+        if: github.event_name == 'release' && steps.createCustomKeychain.outcome == 'success'
         run: |
           security delete-keychain build.keychain        
 
@@ -110,4 +119,4 @@
         with:
           name: m8c-${{ env.NOW }}-macos-intel
           path: |
-            m8c-${{ env.NOW }}-macos-intel.dmg
+            m8c-${{ env.NOW }}-macos-intel.dmg
\ No newline at end of file
--- a/CMakeLists.txt
+++ b/CMakeLists.txt
@@ -91,9 +91,17 @@
 
     set(APPS "\${CMAKE_INSTALL_PREFIX}/${APP_NAME}.app")
 
-    install(CODE "include(BundleUtilities)
-    fixup_bundle(\"${APPS}\" \"\" \"\")
-    execute_process(COMMAND codesign --force --options runtime --deep --entitlements ../package/macos/Entitlements.plist --sign \"${CODESIGN_CERT_NAME}\" --timestamp  \${CMAKE_INSTALL_PREFIX}/${APP_NAME}.app)")
+    if(CODESIGN_CERT_NAME)
+        # Use the specified certificate
+        install(CODE "include(BundleUtilities)
+        fixup_bundle(\"${APPS}\" \"\" \"\")
+        execute_process(COMMAND codesign --force --options runtime --deep --entitlements ../package/macos/Entitlements.plist --sign \"${CODESIGN_CERT_NAME}\" --timestamp  \${CMAKE_INSTALL_PREFIX}/${APP_NAME}.app)")
+    else()
+        # Use ad-hoc signing (self-signed) when no certificate is specified
+        install(CODE "include(BundleUtilities)
+        fixup_bundle(\"${APPS}\" \"\" \"\")
+        execute_process(COMMAND codesign --force --options runtime --deep --entitlements ../package/macos/Entitlements.plist --sign - --timestamp  \${CMAKE_INSTALL_PREFIX}/${APP_NAME}.app)")
+    endif()
 
     set(CPACK_PACKAGE_NAME "m8c")
     set(CPACK_PACKAGE_VERSION ${PROJECT_VERSION})
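Review bot: Neither `execute_process(COMMAND codesign ...)` call checks the exit status, so a failed signing does not stop the install step and CPack can go on to package a bundle whose signature is missing or incomplete. If the project's minimum CMake is 3.19 or newer, add `COMMAND_ERROR_IS_FATAL ANY` to both calls; otherwise capture `RESULT_VARIABLE` and raise `message(FATAL_ERROR ...)` on a non-zero result. The `else()` branch also falls back to ad-hoc signing silently, so a release configured without `CODESIGN_CERT_NAME` gives no hint at configure time; a line such as `message(STATUS "CODESIGN_CERT_NAME not set, using ad-hoc signature")` would make that visible in the build log. The enclosing `if()` block starts above this hunk, so how `CODESIGN_CERT_NAME` is populated cannot be seen here.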
@@ -100,5 +108,4 @@
     set(CPACK_PACKAGE_DIRECTORY "package-output")
     set(CPACK_GENERATOR "DragNDrop")
     include(CPack)
-endif ()
-
+endif ()
\ No newline at end of file
--