Update Mac build signing

Author: CryptAxe

.github/workflows/build.yml

@@ -52,15 +52,51 @@ jobs:
         if: matrix.os == 'macos-latest'
         run: |
           echo ${{ secrets.GODOT_MACOS_NOTARIZATION_API_KEY }} | base64 --decode > notarization_api_key.p8
+          
+          # Create build directory and add entitlements file
+          mkdir -p build
+          cat > build/entitlements.mac.plist << 'EOL'
+          <?xml version="1.0" encoding="UTF-8"?>
+          <!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
+          <plist version="1.0">
+            <dict>
+              <key>com.apple.security.cs.allow-jit</key>
+              <true/>
+              <key>com.apple.security.cs.allow-unsigned-executable-memory</key>
+              <true/>
+              <key>com.apple.security.cs.allow-dyld-environment-variables</key>
+              <true/>
+              <key>com.apple.security.cs.disable-library-validation</key>
+              <true/>
+              <key>com.apple.security.inherit</key>
+              <true/>
+              <key>com.apple.security.automation.apple-events</key>
+              <true/>
+            </dict>
+          </plist>
+          EOL
 
-      - name: Build Electron app
-        if: matrix.os != 'ubuntu-latest-large'
+      - name: Build Electron app (macOS)
+        if: matrix.os == 'macos-latest'
         env:
           DEBUG: electron-builder
           GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
           APPLE_API_KEY: ${{ secrets.GODOT_MACOS_NOTARIZATION_API_KEY }}
           APPLE_API_KEY_ID: ${{ secrets.GODOT_MACOS_NOTARIZATION_API_KEY_ID }}
-          APPLE_API_KEY_ISSUER: ${{ secrets.GODOT_MACOS_NOTARIZATION_API_UUID }}
+          APPLE_API_ISSUER: ${{ secrets.GODOT_MACOS_NOTARIZATION_API_UUID }}
+        run: |
+          # Debug: Verify environment variables are set (without exposing values)
+          if [ -n "$APPLE_API_KEY" ]; then echo "APPLE_API_KEY is set"; else echo "APPLE_API_KEY is NOT set"; fi
+          if [ -n "$APPLE_API_KEY_ID" ]; then echo "APPLE_API_KEY_ID is set"; else echo "APPLE_API_KEY_ID is NOT set"; fi
+          if [ -n "$APPLE_API_ISSUER" ]; then echo "APPLE_API_ISSUER is set"; else echo "APPLE_API_ISSUER is NOT set"; fi
+          
+          npm run electron-build
+
+      - name: Build Electron app (Windows)
+        if: matrix.os == 'windows-latest'
+        env:
+          DEBUG: electron-builder
+          GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
         run: npm run electron-build
 
       - name: Build Electron app (Linux)

package.json

@@ -145,11 +145,9 @@
       "icon": "public/icon.icns",
       "hardenedRuntime": true,
       "gatekeeperAssess": false,
-      "entitlements": "build/entitlements.mac.plist",
-      "entitlementsInherit": "build/entitlements.mac.plist",
-      "notarize": {
-        "teamId": "APPLE_TEAM_ID"
-      }
+      "entitlements": "./build/entitlements.mac.plist",
+      "entitlementsInherit": "./build/entitlements.mac.plist",
+      "notarize": true
     }
   },
   "devDependencies": {