build(ci): wire macOS code signing + notarization into release workflow

Add a guarded "Sign & notarize macOS app" step to build.yml that signs
dist/DataTools.app with the Developer ID (hardened runtime + entitlements
+ secure timestamp), notarizes via notarytool, and staples the ticket —
running before DMG packaging. The step exits 0 with a warning when the
MACOS_* secrets are absent, so dry-run dispatches still produce an
(unsigned) build.

Add build/macos/entitlements.plist with the hardened-runtime entitlements
a frozen PyInstaller/CPython app needs (JIT memory, library-validation
disabled for bundled .so/.dylib + Tesseract). Update build/README.md to
reflect that macOS signing is now wired and only needs the secrets.

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
This commit is contained in:
2026-06-29 22:56:17 +00:00
parent 9943e6e537
commit 41ab2166ef
3 changed files with 104 additions and 4 deletions

View File

@@ -126,6 +126,75 @@ jobs:
DATATOOLS_TESS_STAGING: build/_tesseract/${{ matrix.platform }}
run: pyinstaller build/datatools.spec --clean --noconfirm
# ---- macOS code signing + notarization (before DMG packaging) -
# Signs dist/DataTools.app with the Developer ID, notarizes it,
# and staples the ticket so Gatekeeper passes offline. Wrapped in
# a guard: if the cert secret is absent the step prints a warning
# and exits 0, so dry-run dispatches still produce an (unsigned)
# build. Secret names match build/README.md "Signing".
- name: Sign & notarize macOS app
if: matrix.os == 'macos-latest'
env:
CERT_P12_BASE64: ${{ secrets.MACOS_DEVELOPER_ID_CERT_P12_BASE64 }}
CERT_PASSWORD: ${{ secrets.MACOS_DEVELOPER_ID_CERT_PASSWORD }}
NOTARY_APPLE_ID: ${{ secrets.MACOS_NOTARY_APPLE_ID }}
NOTARY_TEAM_ID: ${{ secrets.MACOS_NOTARY_TEAM_ID }}
NOTARY_PASSWORD: ${{ secrets.MACOS_NOTARY_PASSWORD }}
run: |
set -euo pipefail
if [ -z "${CERT_P12_BASE64:-}" ]; then
echo "::warning::MACOS_DEVELOPER_ID_CERT_P12_BASE64 not set — shipping an UNSIGNED build (Gatekeeper will warn buyers)."
exit 0
fi
APP="dist/DataTools.app"
# 1. Import the Developer ID cert into an ephemeral keychain.
KEYCHAIN="$RUNNER_TEMP/build.keychain-db"
KEYCHAIN_PW="$(uuidgen)"
security create-keychain -p "$KEYCHAIN_PW" "$KEYCHAIN"
security set-keychain-settings -lut 3600 "$KEYCHAIN"
security unlock-keychain -p "$KEYCHAIN_PW" "$KEYCHAIN"
echo "$CERT_P12_BASE64" | base64 --decode > "$RUNNER_TEMP/cert.p12"
security import "$RUNNER_TEMP/cert.p12" -k "$KEYCHAIN" -P "$CERT_PASSWORD" \
-T /usr/bin/codesign
security set-key-partition-list -S apple-tool:,apple: -s -k "$KEYCHAIN_PW" "$KEYCHAIN" >/dev/null
# Make the ephemeral keychain searchable (preserve the login keychain).
security list-keychains -d user -s "$KEYCHAIN" \
$(security list-keychains -d user | sed 's/"//g')
IDENTITY="$(security find-identity -v -p codesigning "$KEYCHAIN" \
| grep 'Developer ID Application' | head -1 | awk -F'"' '{print $2}')"
if [ -z "$IDENTITY" ]; then
echo "::error::No 'Developer ID Application' identity found in the imported cert."
exit 1
fi
echo "Signing with: $IDENTITY"
# 2. Sign the bundle (hardened runtime + secure timestamp + entitlements).
# --deep signs the nested dylibs/.so the PyInstaller bundle carries.
codesign --deep --force --options runtime --timestamp \
--entitlements build/macos/entitlements.plist \
--sign "$IDENTITY" "$APP"
codesign --verify --strict --verbose=2 "$APP"
# 3. Notarize the .app (notarytool needs a zip/dmg/pkg, not a bare .app),
# then staple so Gatekeeper validates offline.
if [ -n "${NOTARY_APPLE_ID:-}" ]; then
ditto -c -k --keepParent "$APP" "$RUNNER_TEMP/DataTools.zip"
xcrun notarytool submit "$RUNNER_TEMP/DataTools.zip" \
--apple-id "$NOTARY_APPLE_ID" \
--team-id "$NOTARY_TEAM_ID" \
--password "$NOTARY_PASSWORD" \
--wait
xcrun stapler staple "$APP"
xcrun stapler validate "$APP"
else
echo "::warning::Notary credentials not set — app is signed but NOT notarized (Gatekeeper will still warn)."
fi
rm -f "$RUNNER_TEMP/cert.p12"
# ---- Per-platform installer packaging ------------------------
- name: Package macOS DMG (installer)