build(ci): wire macOS code signing + notarization into release workflow
Add a guarded "Sign & notarize macOS app" step to build.yml that signs dist/DataTools.app with the Developer ID (hardened runtime + entitlements + secure timestamp), notarizes via notarytool, and staples the ticket — running before DMG packaging. The step exits 0 with a warning when the MACOS_* secrets are absent, so dry-run dispatches still produce an (unsigned) build. Add build/macos/entitlements.plist with the hardened-runtime entitlements a frozen PyInstaller/CPython app needs (JIT memory, library-validation disabled for bundled .so/.dylib + Tesseract). Update build/README.md to reflect that macOS signing is now wired and only needs the secrets. Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
This commit is contained in:
@@ -112,12 +112,15 @@ pyinstaller build/datatools.spec --clean --noconfirm
|
||||
|
||||
## Signing (Phase 2 — needs accounts/credentials)
|
||||
|
||||
Both code-signing steps are intentionally not in CI yet because they
|
||||
require credentials the owner sets up first.
|
||||
**macOS signing + notarization is now wired into `build.yml`** (the
|
||||
"Sign & notarize macOS app" step, with `build/macos/entitlements.plist`).
|
||||
It is guarded: if `MACOS_DEVELOPER_ID_CERT_P12_BASE64` is absent the step
|
||||
warns and exits 0, so dry-run dispatches still produce an unsigned build.
|
||||
To activate it, just add the secrets below — no code change needed.
|
||||
**Windows** code-signing is still not wired (accepted v1 friction).
|
||||
|
||||
**macOS** — Apple Developer Program enrollment ($99/yr). Once enrolled,
|
||||
add these GitHub Secrets and uncomment the `codesign` + `notarytool`
|
||||
steps in `build.yml`:
|
||||
add these GitHub Secrets to activate the signing step in `build.yml`:
|
||||
|
||||
| Secret | Value |
|
||||
|---|---|
|
||||
|
||||
28
build/macos/entitlements.plist
Normal file
28
build/macos/entitlements.plist
Normal file
@@ -0,0 +1,28 @@
|
||||
<?xml version="1.0" encoding="UTF-8"?>
|
||||
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
|
||||
<!--
|
||||
Hardened-runtime entitlements for the notarized DataTools.app.
|
||||
|
||||
PyInstaller freezes a CPython interpreter that maps writable+executable
|
||||
memory and loads many unsigned .so/.dylib modules at runtime. Without
|
||||
these entitlements the hardened runtime kills the process on launch
|
||||
(or notarization rejects the bundle). Keep this list minimal — the app
|
||||
is a local-only Streamlit server, so no network-server/device/camera
|
||||
entitlements are needed.
|
||||
-->
|
||||
<plist version="1.0">
|
||||
<dict>
|
||||
<!-- CPython JIT-style writable/executable memory + ctypes trampolines -->
|
||||
<key>com.apple.security.cs.allow-jit</key>
|
||||
<true/>
|
||||
<key>com.apple.security.cs.allow-unsigned-executable-memory</key>
|
||||
<true/>
|
||||
<!-- Load the bundled C-extension .so / .dylib modules (pandas, pdfplumber,
|
||||
Pillow, the bundled Tesseract dylibs) that aren't Team-ID signed -->
|
||||
<key>com.apple.security.cs.disable-library-validation</key>
|
||||
<true/>
|
||||
<!-- Launcher sets DATATOOLS_*/TESSDATA_PREFIX/PYTHON* before exec -->
|
||||
<key>com.apple.security.cs.allow-dyld-environment-variables</key>
|
||||
<true/>
|
||||
</dict>
|
||||
</plist>
|
||||
Reference in New Issue
Block a user