Add a guarded "Sign & notarize macOS app" step to build.yml that signs dist/DataTools.app with the Developer ID (hardened runtime + entitlements + secure timestamp), notarizes via notarytool, and staples the ticket — running before DMG packaging. The step exits 0 with a warning when the MACOS_* secrets are absent, so dry-run dispatches still produce an (unsigned) build. Add build/macos/entitlements.plist with the hardened-runtime entitlements a frozen PyInstaller/CPython app needs (JIT memory, library-validation disabled for bundled .so/.dylib + Tesseract). Update build/README.md to reflect that macOS signing is now wired and only needs the secrets. Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
9.6 KiB
9.6 KiB