Update Mac build signing

Author: CryptAxe

.github/workflows/build.yml

@@ -48,19 +48,67 @@ jobs:
         env:
           MACOS_CERTIFICATE_PASSWORD: ${{ secrets.MACOS_CERTIFICATE_PASSWORD }}
 
-      - name: Setup notarization credentials
+      - name: Setup notarization credentials and entitlements
         if: matrix.os == 'macos-latest'
         run: |
-          echo ${{ secrets.GODOT_MACOS_NOTARIZATION_API_KEY }} | base64 --decode > notarization_api_key.p8
+          # Save API key to file
+          echo "${{ secrets.GODOT_MACOS_NOTARIZATION_API_KEY }}" | base64 --decode > ./notarization_api_key.p8
+          
+          # Verify API key file exists and has content
+          if [ -s "./notarization_api_key.p8" ]; then
+            echo "API key file created successfully"
+          else
+            echo "Error: API key file is empty or not created"
+            exit 1
+          fi
+          
+          # Create build directory and add entitlements file
+          mkdir -p build
+          cat > build/entitlements.mac.plist << 'EOL'
+          <?xml version="1.0" encoding="UTF-8"?>
+          <!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
+          <plist version="1.0">
+            <dict>
+              <key>com.apple.security.cs.allow-jit</key>
+              <true/>
+              <key>com.apple.security.cs.allow-unsigned-executable-memory</key>
+              <true/>
+              <key>com.apple.security.cs.allow-dyld-environment-variables</key>
+              <true/>
+              <key>com.apple.security.cs.disable-library-validation</key>
+              <true/>
+              <key>com.apple.security.inherit</key>
+              <true/>
+              <key>com.apple.security.automation.apple-events</key>
+              <true/>
+            </dict>
+          </plist>
+          EOL
 
-      - name: Build Electron app
-        if: matrix.os != 'ubuntu-latest-large'
+      - name: Build Electron app (macOS)
+        if: matrix.os == 'macos-latest'
         env:
           DEBUG: electron-builder
           GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
-          APPLE_API_KEY: ${{ secrets.GODOT_MACOS_NOTARIZATION_API_KEY }}
           APPLE_API_KEY_ID: ${{ secrets.GODOT_MACOS_NOTARIZATION_API_KEY_ID }}
-          APPLE_API_KEY_ISSUER: ${{ secrets.GODOT_MACOS_NOTARIZATION_API_UUID }}
+          APPLE_API_KEY: ${{ secrets.GODOT_MACOS_NOTARIZATION_API_KEY }}
+          APPLE_API_ISSUER: ${{ secrets.GODOT_MACOS_NOTARIZATION_API_UUID }}
+        run: |
+          # Debug: Verify environment variables are set (without exposing values)
+          if [ -n "$APPLE_API_KEY" ]; then echo "APPLE_API_KEY is set"; else echo "APPLE_API_KEY is NOT set"; fi
+          if [ -n "$APPLE_API_KEY_ID" ]; then echo "APPLE_API_KEY_ID is set"; else echo "APPLE_API_KEY_ID is NOT set"; fi
+          if [ -n "$APPLE_API_ISSUER" ]; then echo "APPLE_API_ISSUER is set"; else echo "APPLE_API_ISSUER is NOT set"; fi
+          
+          # Print electron-builder version for debugging
+          npx electron-builder --version
+          
+          npm run electron-build
+
+      - name: Build Electron app (Windows)
+        if: matrix.os == 'windows-latest'
+        env:
+          DEBUG: electron-builder
+          GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
         run: npm run electron-build
 
       - name: Build Electron app (Linux)

package.json

@@ -145,10 +145,12 @@
       "icon": "public/icon.icns",
       "hardenedRuntime": true,
       "gatekeeperAssess": false,
-      "entitlements": "build/entitlements.mac.plist",
-      "entitlementsInherit": "build/entitlements.mac.plist",
+      "entitlements": "./build/entitlements.mac.plist",
+      "entitlementsInherit": "./build/entitlements.mac.plist",
       "notarize": {
-        "teamId": "APPLE_TEAM_ID"
+        "appleApiKey": "./notarization_api_key.p8",
+        "appleApiKeyId": "$APPLE_API_KEY_ID",
+        "appleApiIssuer": "$APPLE_API_ISSUER"
       }
     }
   },