Test Mac build signing

l2l · l2l · commit cb8d4cb12ecc · 2025-02-04T14:36:47.000-08:00
diff --git a/.github/workflows/build.yml b/.github/workflows/build.yml
@@ -35,11 +35,32 @@ jobs:
           CI: false
         run: npm run react-build
 
+      - name: Import certificate to Keychain
+        if: matrix.os == 'macos-latest'
+        run: |
+          echo "${{ secrets.MACOS_CERTIFICATE }}" | base64 --decode > certificate.p12
+          KEYCHAIN_PASSWORD=$(uuidgen)
+          security create-keychain -p "$KEYCHAIN_PASSWORD" build.keychain
+          security default-keychain -s build.keychain
+          security unlock-keychain -p "$KEYCHAIN_PASSWORD" build.keychain
+          security import ./certificate.p12 -k ~/Library/Keychains/build.keychain -P ${{ secrets.MACOS_CERTIFICATE_PASSWORD }} -T /usr/bin/codesign
+          security set-key-partition-list -S apple-tool:,apple: -s -k "$KEYCHAIN_PASSWORD" ~/Library/Keychains/build.keychain
+        env:
+          MACOS_CERTIFICATE_PASSWORD: ${{ secrets.MACOS_CERTIFICATE_PASSWORD }}
+
+      - name: Setup notarization credentials
+        if: matrix.os == 'macos-latest'
+        run: |
+          echo ${{ secrets.GODOT_MACOS_NOTARIZATION_API_KEY }} | base64 --decode > notarization_api_key.p8
+
       - name: Build Electron app
         if: matrix.os != 'ubuntu-latest-large'
         env:
           DEBUG: electron-builder
           GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+          APPLE_API_KEY: ${{ secrets.GODOT_MACOS_NOTARIZATION_API_KEY }}
+          APPLE_API_KEY_ID: ${{ secrets.GODOT_MACOS_NOTARIZATION_API_KEY_ID }}
+          APPLE_API_KEY_ISSUER: ${{ secrets.GODOT_MACOS_NOTARIZATION_API_UUID }}
         run: npm run electron-build
 
       - name: Build Electron app (Linux)
diff --git a/package.json b/package.json
@@ -142,7 +142,14 @@
       ],
       "category": "public.app-category.developer-tools",
       "artifactName": "Drivechain-Launcher-${version}-${arch}.${ext}",
-      "icon": "public/icon.icns"
+      "icon": "public/icon.icns",
+      "hardenedRuntime": true,
+      "gatekeeperAssess": false,
+      "entitlements": "build/entitlements.mac.plist",
+      "entitlementsInherit": "build/entitlements.mac.plist",
+      "notarize": {
+        "teamId": "APPLE_TEAM_ID"
+      }
     }
   },
   "devDependencies": {
