Add macOS code signing and notarization #119
030995e to 68a5678
Pull request overview
This PR adds macOS code signing and notarization capabilities to the build pipeline. The changes enable the application bundle and installer package to be properly signed with Developer ID certificates and notarized through Apple's notary service to prevent Gatekeeper warnings for end users.
Changes:
- Updated CMake packaging configuration to read code signing identity from environment variable instead of CMake variable
- Added certificate import step to create and configure a temporary keychain with application and installer signing certificates
- Implemented application bundle signing with hardened runtime and deep verification
- Added notarization workflow for both the application bundle and final installer package using App Store Connect API credentials
Reviewed changes
Copilot reviewed 4 out of 5 changed files in this pull request and generated 9 comments.
| File | Description |
|---|---|
| packaging-macos.cmake | Changed code signing identity references from CMake variables to environment variables for runtime configuration |
| .github/workflows/release-macos.yaml | Added complete code signing and notarization workflow including certificate import, application signing, and dual notarization steps for app bundle and installer package |
fc1d510 to 21328bb
Pull request overview
Copilot reviewed 4 out of 5 changed files in this pull request and generated 3 comments.
a7e49fc to 9565baa
Thanks, that's a good starting point! I'll move most of the logic into CMake (app signing and notarization) so anyone having the proper keys on the machine can just build and sign it locally. The installer package is a separate thing, but this can be wrapped in a reusable script. I will also try to get rid of the
I tested this at: b4ca62b
On M1 MacBook Air - macOS 15.7.2
Installation went fine, I got audio working in projectM-SDL. With Integrated Webcam; and BlackHole (3rd party software). I could not get a USB audio interface working in macOS at all; including other programs so that may be my configuration.
Nitpick: The name of the package file inside the artifact appears mangled: I think this may be in the GHA
Signs the app bundle and .pkg installer with Developer ID certificates, then notarizes both with Apple's notary service for Gatekeeper approval. Uses App Store Connect API key for notarization credentials. Replaces CPack with direct pkgbuild/productbuild for better signing control.
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>

Adds audio-input entitlement and NSMicrophoneUsageDescription so the app can request microphone access when running as a signed/notarized bundle.
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>

- Sign dylibs in Contents/Frameworks (SDL2, Poco)
- Rename misleading build-deb job to build-pkg
- Add missing newline at end of component plist
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
605a01c to 51c2a55
Added DMG and a simple ZIP with the plain, notarized .app bundle. The latest build has all artifacts:
51c2a55 to bf04173
Signs the app bundle and .pkg installer with Developer ID certificates, then notarizes with Apple's notary service so users don't get Gatekeeper warnings.
Uses App Store Connect API key for notarization credentials.
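
The signing order this pull request describes (dylibs in Contents/Frameworks first, then the bundle with the hardened runtime and entitlements, then deep verification, then notarization), as an added example that is not code from the pull request. The function names, the `DRY_RUN` switch and the `NOTARY_*` variable names are assumptions made for the illustration.

```shell
#!/usr/bin/env bash
# Added example: inside-out Developer ID signing plus notarization.
# DRY_RUN defaults to 1, which prints each command instead of running it,
# so the plan can be reviewed on any machine. Set DRY_RUN=0 on macOS to execute.

run() {
  if [ "${DRY_RUN:-1}" = "1" ]; then
    printf '%s\n' "$*"
  else
    "$@"
  fi
}

# sign_bundle APP IDENTITY ENTITLEMENTS
sign_bundle() {
  app=$1; identity=$2; entitlements=$3
  [ -d "$app/Contents" ] || { echo "not an app bundle: $app" >&2; return 1; }
  [ -n "$identity" ] || { echo "signing identity is empty" >&2; return 1; }

  # Nested code first: a dylib modified or added after the outer signature
  # is made invalidates that signature.
  for lib in "$app"/Contents/Frameworks/*.dylib; do
    [ -e "$lib" ] || continue
    run codesign --force --timestamp --options runtime \
      --sign "$identity" "$lib" || return 1
  done

  # Outer bundle: hardened runtime plus entitlements (e.g. audio input).
  run codesign --force --timestamp --options runtime \
    --entitlements "$entitlements" --sign "$identity" "$app" || return 1

  # Fail the build here rather than at notarization or on a user's machine.
  run codesign --verify --deep --strict "$app"
}

# notarize ARTIFACT (.dmg or .pkg); credentials come from the hypothetical
# variables NOTARY_KEY_PATH, NOTARY_KEY_ID and NOTARY_ISSUER_ID.
notarize() {
  artifact=$1
  for v in NOTARY_KEY_PATH NOTARY_KEY_ID NOTARY_ISSUER_ID; do
    eval "[ -n \"\${$v:-}\" ]" || { echo "missing $v" >&2; return 1; }
  done
  run xcrun notarytool submit "$artifact" --key "$NOTARY_KEY_PATH" \
    --key-id "$NOTARY_KEY_ID" --issuer "$NOTARY_ISSUER_ID" --wait || return 1
  run xcrun stapler staple "$artifact"
}
```

A bare .app cannot be submitted directly: it is zipped for `notarytool submit`, and the ticket is then stapled to the .app itself rather than to the ZIP.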