Added macOS signing

.github/workflows/release-ci.yml

@@ -79,6 +79,36 @@ jobs:
         if: matrix.config.os == 'ubuntu-latest'
         run: sudo snap install snapcraft --classic
 
+      - name: Install the Apple certificate and provisioning profile
+        if: matrix.config.os == 'macos-latest'
+        env:
+          BUILD_CERTIFICATE_BASE64: ${{ secrets.BUILD_CERTIFICATE_BASE64 }}
+          P12_PASSWORD: ${{ secrets.P12_PASSWORD }}
+          BUILD_PROVISION_PROFILE_BASE64: ${{ secrets.BUILD_PROVISION_PROFILE_BASE64 }}
+          KEYCHAIN_PASSWORD: ${{ secrets.KEYCHAIN_PASSWORD }}
+        run: |
+          CERTIFICATE_PATH=$RUNNER_TEMP/build_certificate.p12
+          PP_PATH=$RUNNER_TEMP/build_pp.mobileprovision
+          KEYCHAIN_PATH=$RUNNER_TEMP/app-signing.keychain-db
+
+          # Import certificate and provisioning profile from secrets
+          echo -n "$BUILD_CERTIFICATE_BASE64" | base64 --decode -o $CERTIFICATE_PATH
+          echo -n "$BUILD_PROVISION_PROFILE_BASE64" | base64 --decode -o $PP_PATH
+
+          # Create temporary keychain
+          security create-keychain -p "$KEYCHAIN_PASSWORD" $KEYCHAIN_PATH
+          security set-keychain-settings -lut 21600 $KEYCHAIN_PATH
+          security unlock-keychain -p "$KEYCHAIN_PASSWORD" $KEYCHAIN_PATH
+
+          # Import certificate to keychain
+          security import $CERTIFICATE_PATH -P "$P12_PASSWORD" -A -t cert -f pkcs12 -k $KEYCHAIN_PATH
+          security set-key-partition-list -S apple-tool:,apple: -k "$KEYCHAIN_PASSWORD" $KEYCHAIN_PATH
+          security list-keychain -d user -s $KEYCHAIN_PATH
+
+          # Apply provisioning profile
+          mkdir -p ~/Library/MobileDevice/Provisioning\ Profiles
+          cp $PP_PATH ~/Library/MobileDevice/Provisioning\ Profiles
+
       - name: Install dependencies
         run: npm install --quiet
 
@@ -94,6 +124,27 @@ jobs:
         if: matrix.config.os == 'macos-latest'
         run: npm run build:mac-$PLATFORM
 
+      - name: Sign the macOS Application
+        if: matrix.config.os == 'macos-latest'
+        run: codesign --deep --force --verify --verbose \
+          --sign "Developer ID Application: $SIGNING_IDENTITY" \
+          dist/Aesir-${{ env.VERSION }}.dmg
+        env:
+          SIGNING_IDENTITY: ${{ secrets.SIGNING_IDENTITY }}'
+
+      - name: Notarize macOS App
+        if: matrix.config.os == 'macos-latest'
+        run: xcrun altool --notarize-app --primary-bundle-id "org.kryptokrona.aesir" \
+          --username "$APPLE_ID" --password "$APP_SPECIFIC_PASSWORD" \
+          --file dist/Aesir-${{ env.VERSION }}.dmg
+        env:
+          APPLE_ID: ${{ secrets.APPLE_ID }}
+          APP_SPECIFIC_PASSWORD: ${{ secrets.APP_SPECIFIC_PASSWORD }}
+
+      - name: Staple Notarization
+        if: matrix.config.os == 'macos-latest'
+        run: xcrun stapler staple dist/Aesir-${{ env.VERSION }}.app
+
       - name: Check artifacts --DEBUG--
         run: ls dist