Update [Sign Test for macOS]

thecompez · thecompez · commit ded3394a87af · 2026-05-16T10:32:35.000+03:30
diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml
@@ -27,8 +27,6 @@ jobs:
             macos_deployment_target: "14.0"
 
           # macOS Intel
-          # If this runner label is not available in your account,
-          # replace it with your available Intel macOS runner label.
           - name: macos-x86_64
             os: macos-15-intel
             qt_version: "6.11.0"
@@ -54,6 +52,7 @@ jobs:
 
     env:
       CMAKE_VERSION: "4.2.3"
+      APP_VERSION: "1.3.0"
 
     steps:
       - name: Checkout
@@ -185,7 +184,127 @@ jobs:
             fi
           done
 
+      - name: Re-sign macOS app ad-hoc and create DMG
+        if: runner.os == 'macOS'
+        shell: bash
+        run: |
+          set -euo pipefail
+
+          APP="build/bin/GenyConnect.app"
+          OUT_DIR="build/final/macos-${{ matrix.target_arch }}"
+          DMG_NAME="GenyConnect-${APP_VERSION}-macos-${{ matrix.target_arch }}.dmg"
+          DMG_PATH="${OUT_DIR}/${DMG_NAME}"
+
+          if [[ ! -d "$APP" ]]; then
+            echo "App not found: $APP"
+            exit 1
+          fi
+
+          mkdir -p "$OUT_DIR"
+
+          echo "Cleaning previous DMG..."
+          rm -f "$DMG_PATH"
+
+          echo "Cleaning extended attributes..."
+          xattr -cr "$APP" || true
+
+          echo "Fixing executable permissions..."
+          chmod +x "$APP/Contents/MacOS/GenyConnect" || true
+          chmod +x "$APP/Contents/MacOS/GenyConnectUpdater" || true
+          chmod +x "$APP/Contents/MacOS/GenyConnectTunHelper" || true
+          chmod +x "$APP/Contents/MacOS/xray-core" || true
+
+          echo "Removing old signatures from app bundle where possible..."
+          codesign --remove-signature "$APP" || true
+
+          echo "Ad-hoc signing nested Mach-O files..."
+
+          while IFS= read -r file_path; do
+            if file "$file_path" | grep -q "Mach-O"; then
+              echo "Signing Mach-O: $file_path"
+              codesign --force --sign - "$file_path" || true
+            fi
+          done < <(find "$APP/Contents" -type f)
+
+          echo "Ad-hoc signing frameworks..."
+          while IFS= read -r framework_path; do
+            echo "Signing framework: $framework_path"
+            codesign --force --sign - "$framework_path" || true
+          done < <(find "$APP/Contents" -type d -name "*.framework" | sort -r)
+
+          echo "Ad-hoc signing bundles/plugins..."
+          while IFS= read -r bundle_path; do
+            echo "Signing bundle/plugin: $bundle_path"
+            codesign --force --sign - "$bundle_path" || true
+          done < <(find "$APP/Contents" $begin:math:text$ \-name \"\*\.bundle\" \-o \-name \"\*\.plugin\" \-o \-name \"\*\.appex\" $end:math:text$ -type d | sort -r)
+
+          echo "Signing main app..."
+          codesign --force --deep --sign - "$APP"
+
+          echo "Verifying app signature..."
+          codesign --verify --deep --strict --verbose=4 "$APP"
+
+          echo "Gatekeeper check. Expected to fail without Developer ID/notarization:"
+          spctl --assess --type execute --verbose=4 "$APP" || true
+
+          echo "Creating clean DMG..."
+          STAGING="$(mktemp -d)"
+
+          cp -R "$APP" "$STAGING/GenyConnect.app"
+          ln -s /Applications "$STAGING/Applications"
+
+          hdiutil create \
+            -volname "GenyConnect" \
+            -srcfolder "$STAGING" \
+            -ov \
+            -format UDZO \
+            "$DMG_PATH"
+
+          rm -rf "$STAGING"
+
+          echo "Verifying DMG..."
+          hdiutil verify "$DMG_PATH"
+
+          echo "Created DMG:"
+          ls -lh "$DMG_PATH"
+
+      - name: Verify macOS package
+        if: runner.os == 'macOS'
+        shell: bash
+        run: |
+          set -euo pipefail
+
+          DMG="$(find build/final -type f -name "*.dmg" | head -n 1)"
+
+          if [[ -z "$DMG" ]]; then
+            echo "No DMG found."
+            exit 1
+          fi
+
+          echo "Verifying DMG: $DMG"
+          hdiutil verify "$DMG"
+
+          MOUNT_DIR="$(mktemp -d)"
+          hdiutil attach "$DMG" -mountpoint "$MOUNT_DIR" -nobrowse -quiet
+
+          APP="$(find "$MOUNT_DIR" -maxdepth 2 -name "GenyConnect.app" -type d | head -n 1)"
+
+          if [[ -z "$APP" ]]; then
+            echo "GenyConnect.app not found inside DMG."
+            hdiutil detach "$MOUNT_DIR" -quiet || true
+            exit 1
+          fi
+
+          echo "Verifying app inside DMG: $APP"
+          codesign --verify --deep --strict --verbose=4 "$APP"
+
+          echo "Gatekeeper check. Expected to fail without Developer ID/notarization:"
+          spctl --assess --type execute --verbose=4 "$APP" || true
+
+          hdiutil detach "$MOUNT_DIR" -quiet
+
       - name: Package
+        if: runner.os != 'macOS'
         run: cpack --config build/CPackConfig.cmake -C Release
 
       - name: Collect packages
diff --git a/CMakeLists.txt b/CMakeLists.txt
@@ -831,7 +831,21 @@ if(APPLE AND GENYCONNECT_MACOS_POSTBUILD_DEPLOY)
     list(APPEND _macdeployqt_args "-no-strip")
   endif()
 
-  set(_codesign_common "--force" "--deep" "--sign" "${GENYCONNECT_CODESIGN_IDENTITY}")
+  if(GENYCONNECT_CODESIGN_IDENTITY STREQUAL "-")
+    set(_codesign_common
+      "--force"
+      "--deep"
+      "--sign" "${GENYCONNECT_CODESIGN_IDENTITY}"
+    )
+  else()
+    set(_codesign_common
+      "--force"
+      "--deep"
+      "--options" "runtime"
+      "--timestamp"
+      "--sign" "${GENYCONNECT_CODESIGN_IDENTITY}"
+    )
+  endif()
 
   set(_codesign_ent "")
   if(GENYCONNECT_CODESIGN_ENTITLEMENTS AND EXISTS "${GENYCONNECT_CODESIGN_ENTITLEMENTS}")
