feat: implement proper ad-hoc signing for macOS builds

- Set identity to '-' for ad-hoc signing in electron-builder
- Enable hardenedRuntime for Apple Silicon compatibility
- Simplify GitHub Actions workflow by removing manual signing steps
- Let electron-builder handle all signing automatically

This follows the recommended approach from electron-builder documentation
for distributing apps without Developer ID certificates.

🤖 Generated with [Claude Code](https://claude.ai/code)

Co-Authored-By: Claude <noreply@anthropic.com>

Author: ishikawa-pro

.github/workflows/build-and-release.yml

@@ -9,12 +9,16 @@ on:
 jobs:
   build:
     runs-on: ${{ matrix.os }}
+    timeout-minutes: 30
 
     strategy:
       matrix:
         # os: [ubuntu-latest, windows-latest, macos-latest]
         os: [macos-latest]
 
+    env:
+      CSC_IDENTITY_AUTO_DISCOVERY: "false"
+        
     steps:
       - name: Checkout code
         uses: actions/checkout@v4
@@ -34,76 +38,10 @@ jobs:
           sudo apt-get update
           sudo apt-get install -y libnss3-dev libatk-bridge2.0-dev libdrm2 libxcomposite1 libxdamage1 libxrandr2 libgbm1 libxss1 libasound2-dev
           
-      - name: Rebuild native dependencies
-        run: npx electron-rebuild
-        
       - name: Build application
         run: npm run dist
         env:
           GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
-          CSC_IDENTITY_AUTO_DISCOVERY: false
-          
-      - name: Ad-hoc sign macOS app
-        if: matrix.os == 'macos-latest'
-        run: |
-          # Process each architecture separately
-          for ARCH_DIR in dist/mac dist/mac-arm64; do
-            if [ -d "$ARCH_DIR" ]; then
-              APP_PATH="$ARCH_DIR/Git Diff Viewer.app"
-              if [ -d "$APP_PATH" ]; then
-                echo "Processing app at: $APP_PATH"
-                
-                # Remove extended attributes
-                xattr -cr "$APP_PATH"
-                
-                # Remove all existing signatures
-                find "$APP_PATH" -type f -perm +111 -exec codesign --remove-signature {} \; 2>/dev/null || true
-                find "$APP_PATH" -name "*.dylib" -exec codesign --remove-signature {} \; 2>/dev/null || true
-                find "$APP_PATH" -name "*.framework" -exec codesign --remove-signature {} \; 2>/dev/null || true
-                find "$APP_PATH" -name "*.app" -exec codesign --remove-signature {} \; 2>/dev/null || true
-                
-                # Sign in correct order: frameworks first
-                if [ -d "$APP_PATH/Contents/Frameworks" ]; then
-                  find "$APP_PATH/Contents/Frameworks" -name "*.framework" -type d | while read -r framework; do
-                    echo "Signing framework: $framework"
-                    codesign --force --deep --sign - "$framework"
-                  done
-                fi
-                
-                # Sign helper apps (they are inside Frameworks directory)
-                if [ -d "$APP_PATH/Contents/Frameworks" ]; then
-                  find "$APP_PATH/Contents/Frameworks" -name "*.app" -type d | while read -r helper; do
-                    echo "Signing helper app: $helper"
-                    codesign --force --deep --sign - "$helper"
-                  done
-                fi
-                
-                # Sign all libraries
-                find "$APP_PATH" -name "*.dylib" -o -name "*.so" | while read -r lib; do
-                  echo "Signing library: $lib"
-                  codesign --force --sign - "$lib"
-                done
-                
-                # Sign main executable
-                MAIN_EXEC="$APP_PATH/Contents/MacOS/Git Diff Viewer"
-                if [ -f "$MAIN_EXEC" ]; then
-                  echo "Signing main executable: $MAIN_EXEC"
-                  codesign --force --sign - "$MAIN_EXEC"
-                fi
-                
-                # Finally sign the main app bundle
-                echo "Signing main app bundle: $APP_PATH"
-                codesign --force --deep --sign - "$APP_PATH"
-                
-                # Verify
-                echo "Verifying signature..."
-                codesign --verify --deep --verbose "$APP_PATH"
-                
-                # Additional verification
-                spctl -a -t open --context context:primary-signature -v "$APP_PATH" 2>&1 || echo "Gatekeeper check failed (expected for ad-hoc signing)"
-              fi
-            fi
-          done
 
       - name: Upload artifacts (macOS)
         if: matrix.os == 'macos-latest'

electron-builder.json

@@ -29,13 +29,9 @@
       }
     ],
     "icon": "logo.png",
-    "binaries": [
-      "cli.js"
-    ],
-    "hardenedRuntime": false,
+    "identity": "-",
+    "hardenedRuntime": true,
     "gatekeeperAssess": false,
-    "identity": null,
-    "type": "development",
     "artifactName": "${productName}-${version}-${os}-${arch}.${ext}"
   },
   "win": {

package.json

@@ -1,6 +1,6 @@
 {
   "name": "diff-viewer",
-  "version": "0.1.12",
+  "version": "0.1.13",
   "description": "A rich Git diff viewer with syntax highlighting",
   "main": "build/electron/main.js",
   "homepage": "./",