feat: macOS code signing and notarization setup

Author: AnasProgrammer2

.github/workflows/release.yml

@@ -89,22 +89,24 @@ jobs:
           _APPLE_CERTIFICATE_PASSWORD: ${{ secrets.APPLE_CERTIFICATE_PASSWORD }}
         run: |
           if [ -n "$_APPLE_CERTIFICATE" ]; then
-            echo "$_APPLE_CERTIFICATE" | base64 --decode > certificate.p12
-            security create-keychain -p "temp-keychain-password" build.keychain
-            security import certificate.p12 -k build.keychain \
-              -P "$_APPLE_CERTIFICATE_PASSWORD" -T /usr/bin/codesign
-            security list-keychains -s build.keychain
-            security default-keychain -s build.keychain
-            security unlock-keychain -p "temp-keychain-password" build.keychain
+            KEYCHAIN_PASSWORD="$(openssl rand -hex 16)"
+            echo "$_APPLE_CERTIFICATE" | base64 --decode > /tmp/certificate.p12
+            security create-keychain -p "$KEYCHAIN_PASSWORD" build.keychain
+            security set-keychain-settings -lut 21600 build.keychain
+            security unlock-keychain -p "$KEYCHAIN_PASSWORD" build.keychain
+            security import /tmp/certificate.p12 -k build.keychain \
+              -P "$_APPLE_CERTIFICATE_PASSWORD" \
+              -T /usr/bin/codesign -T /usr/bin/security
+            security list-keychains -d user -s build.keychain login.keychain
             security set-key-partition-list \
-              -S apple-tool:,apple:,codesign: -s -k "temp-keychain-password" build.keychain
-            rm certificate.p12
+              -S apple-tool:,apple:,codesign: -s -k "$KEYCHAIN_PASSWORD" build.keychain
+            rm /tmp/certificate.p12
             echo "CSC_IDENTITY_AUTO_DISCOVERY=true" >> $GITHUB_ENV
-            echo "✓ Developer ID certificate imported — full signing enabled."
+            echo "✓ Developer ID certificate imported — full signing + notarization enabled."
           else
             echo "CSC_IDENTITY=-"                    >> $GITHUB_ENV
             echo "CSC_IDENTITY_AUTO_DISCOVERY=false" >> $GITHUB_ENV
-            echo "✓ No certificate — using ad-hoc signing."
+            echo "⚠ No certificate found — using ad-hoc signing (won't run on other Macs)."
           fi
 
       # Set Windows signing env only when the cert secret is actually configured.

package-lock.json

@@ -59,6 +59,7 @@
     "@electron-toolkit/eslint-config-prettier": "^2.0.0",
     "@electron-toolkit/eslint-config-ts": "^2.0.0",
     "@electron-toolkit/tsconfig": "^1.0.1",
+    "@electron/notarize": "^2.5.0",
     "@electron/rebuild": "^3.7.2",
     "@types/better-sqlite3": "^7.6.13",
     "@types/node": "^20.14.9",
@@ -100,13 +101,18 @@
       "node_modules/better-sqlite3-multiple-ciphers/**/*",
       "node_modules/@serialport/bindings-cpp/**/*"
     ],
+    "afterSign": "scripts/notarize.js",
     "mac": {
       "category": "public.app-category.developer-tools",
       "target": [
         "dmg",
         "zip"
       ],
-      "icon": "resources/icon.icns"
+      "icon": "resources/icon.icns",
+      "hardenedRuntime": true,
+      "gatekeeperAssess": false,
+      "entitlements": "resources/entitlements.mac.plist",
+      "entitlementsInherit": "resources/entitlements.mac.inherit.plist"
     },
     "win": {
       "target": [

package.json

@@ -0,0 +1,16 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
+<plist version="1.0">
+  <dict>
+    <key>com.apple.security.cs.allow-jit</key>
+    <true/>
+    <key>com.apple.security.cs.allow-unsigned-executable-memory</key>
+    <true/>
+    <key>com.apple.security.cs.disable-library-validation</key>
+    <true/>
+    <key>com.apple.security.network.client</key>
+    <true/>
+    <key>com.apple.security.network.server</key>
+    <true/>
+  </dict>
+</plist>

resources/entitlements.mac.inherit.plist

@@ -0,0 +1,16 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
+<plist version="1.0">
+  <dict>
+    <key>com.apple.security.cs.allow-jit</key>
+    <true/>
+    <key>com.apple.security.cs.allow-unsigned-executable-memory</key>
+    <true/>
+    <key>com.apple.security.cs.disable-library-validation</key>
+    <true/>
+    <key>com.apple.security.network.client</key>
+    <true/>
+    <key>com.apple.security.network.server</key>
+    <true/>
+  </dict>
+</plist>

resources/entitlements.mac.plist

@@ -0,0 +1,24 @@
+const { notarize } = require('@electron/notarize')
+
+exports.default = async function notarizing(context) {
+  if (context.electronPlatformName !== 'darwin') return
+  if (!process.env.APPLE_ID) {
+    console.log('Skipping notarization: APPLE_ID not set')
+    return
+  }
+
+  const appName = context.packager.appInfo.productFilename
+  const appPath = `${context.appOutDir}/${appName}.app`
+
+  console.log(`Notarizing ${appPath}...`)
+
+  await notarize({
+    tool: 'notarytool',
+    appPath,
+    appleId: process.env.APPLE_ID,
+    appleIdPassword: process.env.APPLE_APP_SPECIFIC_PASSWORD,
+    teamId: process.env.APPLE_TEAM_ID,
+  })
+
+  console.log('Notarization complete.')
+}