From 6db6899e426297c425adabe852c053a07c7c352c Mon Sep 17 00:00:00 2001
From: Stef Tervelde <stef@steftervelde.nl>
Date: Fri, 6 Dec 2024 08:40:37 +0100
Subject: [PATCH 1/3] Sign the build commits so they can be used on macOS

---
 .github/workflows/build.yml        | 8 ++++++++
 .github/workflows/pull_request.yml | 8 ++++++++
 build/build.xml                    | 2 +-
 3 files changed, 17 insertions(+), 1 deletion(-)

diff --git a/.github/workflows/build.yml b/.github/workflows/build.yml
index 29e165a392..79a3e0002e 100644
--- a/.github/workflows/build.yml
+++ b/.github/workflows/build.yml
@@ -66,8 +66,16 @@ jobs:
           architecture: ${{ matrix.arch }}
       - name: Setup Ant
         uses: cedx/setup-ant@v3
+      - name: Install Certificates for Code Signing
+        if: ${{ matrix.os_prefix == 'macos' }}
+        uses: apple-actions/import-codesign-certs@v3
+        with:
+          p12-file-base64: ${{ secrets.CERTIFICATES_P12 }}
+          p12-password: ${{ secrets.CERTIFICATES_P12_PASSWORD }}
       - name: Build Release
         run: ant -noinput -buildfile build/build.xml ${{ matrix.os_prefix }}-dist -Dversion="${{ github.sha }}"
+        with:
+          PROCESSING_APP_SIGNING: true
       - name: Add artifact
         uses: actions/upload-artifact@v4
         with:
diff --git a/.github/workflows/pull_request.yml b/.github/workflows/pull_request.yml
index 54ae96e71c..8b7cc07ff6 100644
--- a/.github/workflows/pull_request.yml
+++ b/.github/workflows/pull_request.yml
@@ -51,8 +51,16 @@ jobs:
           architecture: ${{ matrix.arch }}
       - name: Setup Ant
         uses: cedx/setup-ant@v3
+      - name: Install Certificates for Code Signing
+        if: ${{ matrix.os_prefix == 'macos' }}
+        uses: apple-actions/import-codesign-certs@v3
+        with:
+          p12-file-base64: ${{ secrets.CERTIFICATES_P12 }}
+          p12-password: ${{ secrets.CERTIFICATES_P12_PASSWORD }}
       - name: Build Release
         run: ant -noinput -buildfile build/build.xml ${{ matrix.os_prefix }}-dist -Dversion="${{ github.sha }}"
+        with:
+          PROCESSING_APP_SIGNING: true
       - name: Add artifact
         uses: actions/upload-artifact@v3
         id: upload
diff --git a/build/build.xml b/build/build.xml
index 4d873869bb..abb29cc23b 100644
--- a/build/build.xml
+++ b/build/build.xml
@@ -778,7 +778,7 @@
     </exec>
   </target>
 
-  <target name="macos-dist-sign" if="env.PROCESSING_APP_PASSWORD">
+  <target name="macos-dist-sign" if="env.PROCESSING_APP_PASSWORD | env.PROCESSING_APP_SIGNING">
     <echo>
       Code signing will only work if you have a $99/yr Apple developer ID.
     </echo>

From 624c1716a1f99439ef7d45c66465e8381bb77df7 Mon Sep 17 00:00:00 2001
From: Stef Tervelde <stef@steftervelde.nl>
Date: Fri, 6 Dec 2024 08:41:47 +0100
Subject: [PATCH 2/3] env not with

---
 .github/workflows/build.yml        | 2 +-
 .github/workflows/pull_request.yml | 2 +-
 2 files changed, 2 insertions(+), 2 deletions(-)

diff --git a/.github/workflows/build.yml b/.github/workflows/build.yml
index 79a3e0002e..4d0a8f0b7e 100644
--- a/.github/workflows/build.yml
+++ b/.github/workflows/build.yml
@@ -74,7 +74,7 @@ jobs:
           p12-password: ${{ secrets.CERTIFICATES_P12_PASSWORD }}
       - name: Build Release
         run: ant -noinput -buildfile build/build.xml ${{ matrix.os_prefix }}-dist -Dversion="${{ github.sha }}"
-        with:
+        env:
           PROCESSING_APP_SIGNING: true
       - name: Add artifact
         uses: actions/upload-artifact@v4
diff --git a/.github/workflows/pull_request.yml b/.github/workflows/pull_request.yml
index 8b7cc07ff6..53caf7fb9e 100644
--- a/.github/workflows/pull_request.yml
+++ b/.github/workflows/pull_request.yml
@@ -59,7 +59,7 @@ jobs:
           p12-password: ${{ secrets.CERTIFICATES_P12_PASSWORD }}
       - name: Build Release
         run: ant -noinput -buildfile build/build.xml ${{ matrix.os_prefix }}-dist -Dversion="${{ github.sha }}"
-        with:
+        env:
           PROCESSING_APP_SIGNING: true
       - name: Add artifact
         uses: actions/upload-artifact@v3

From b170b459c9f70c882363f22e14edf9c0a37e1a08 Mon Sep 17 00:00:00 2001
From: Stef Tervelde <stef@steftervelde.nl>
Date: Fri, 6 Dec 2024 08:59:39 +0100
Subject: [PATCH 3/3] simplified solution

---
 .github/workflows/release.yml | 1 +
 build/build.xml               | 2 +-
 2 files changed, 2 insertions(+), 1 deletion(-)

diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml
index b5712ab3e2..2e56749b25 100644
--- a/.github/workflows/release.yml
+++ b/.github/workflows/release.yml
@@ -104,6 +104,7 @@ jobs:
       - name: Build Release
         run: ant -noinput -buildfile build/build.xml ${{ matrix.os_prefix }}-dist -Dversion="${{ needs.version.outputs.version }}"
         env:
+          PROCESSING_APP_SIGNING: true
           PROCESSING_APP_PASSWORD: ${{ secrets.PROCESSING_APP_PASSWORD }}
           PROCESSING_APPLE_ID: ${{ secrets.PROCESSING_APPLE_ID }}
           PROCESSING_TEAM_ID: ${{ secrets.PROCESSING_TEAM_ID }}
diff --git a/build/build.xml b/build/build.xml
index abb29cc23b..ab22501d52 100644
--- a/build/build.xml
+++ b/build/build.xml
@@ -778,7 +778,7 @@
     </exec>
   </target>
 
-  <target name="macos-dist-sign" if="env.PROCESSING_APP_PASSWORD | env.PROCESSING_APP_SIGNING">
+  <target name="macos-dist-sign" if="env.PROCESSING_APP_SIGNING">
     <echo>
       Code signing will only work if you have a $99/yr Apple developer ID.
     </echo>