feat: update to latest electron-builder best practices

- Changed identity from null to '-' for proper ad-hoc signing
- Switched to universal builds for better compatibility
- Improved signing process with proper order and hardened runtime
- Added quarantine attribute removal with xattr
- Use ditto for proper ZIP creation with resource forks
- Removed deprecated options (extends, buildDependenciesFromSource, etc.)

Based on electron-builder v24 documentation and 2025 best practices.

🤖 Generated with [Claude Code](https://claude.ai/code)

Co-Authored-By: Claude <noreply@anthropic.com>

Author: ishikawa-pro

.github/workflows/build-and-release.yml

@@ -18,7 +18,6 @@ jobs:
 
     env:
       CSC_IDENTITY_AUTO_DISCOVERY: "false"
-      CSC_FOR_PULL_REQUEST: "true"
 
     steps:
       - name: Checkout code
@@ -43,25 +42,56 @@ jobs:
         run: npx electron-rebuild
 
       - name: Build application
-        run: npm run dist
+        run: npx electron-builder --mac --publish=never
         env:
           GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
 
-      - name: Fix code signing (macOS)
+      - name: Unify code signing (macOS)
         if: matrix.os == 'macos-latest'
         run: |
-          # Re-sign all apps with consistent ad-hoc signature
-          for APP in dist/mac*/Git\ Diff\ Viewer.app; do
-            if [ -d "$APP" ]; then
-              echo "Re-signing $APP with ad-hoc signature..."
-              # Remove all existing signatures
-              find "$APP" -type f -perm +111 -exec codesign --remove-signature {} \; 2>/dev/null || true
-              # Sign with ad-hoc
-              codesign --force --deep --sign - "$APP"
-              # Verify
-              codesign --verify --deep --verbose "$APP"
-            fi
-          done
+          APP="dist/mac/Git Diff Viewer.app"
+          if [ -d "$APP" ]; then
+            echo "======================================"
+            echo "Unifying code signatures for: $APP"
+            echo "======================================"
+            
+            # Remove all existing signatures
+            find "$APP" -type d -name '*.app' -exec codesign --remove-signature {} \; 2>/dev/null || true
+            find "$APP" -type f \( -perm /111 -o -name '*.dylib' -o -name '*.so' -o -name '*.node' \) \
+                 -exec codesign --remove-signature {} \; 2>/dev/null || true
+            
+            # Sign frameworks and libraries first
+            echo "Signing frameworks and libraries..."
+            find "$APP/Contents/Frameworks" -type f \( -perm /111 -o -name '*.dylib' -o -name '*.so' -o -name '*.node' \) \
+                 -exec codesign --force --sign - {} \; 2>/dev/null || true
+            
+            # Sign nested helper apps
+            echo "Signing helper apps..."
+            find "$APP/Contents/Frameworks" -type d -name '*.app' | while read -r helper; do
+              codesign --force --deep --sign - "$helper"
+            done
+            
+            # Sign main app with hardened runtime
+            echo "Signing main app with hardened runtime..."
+            codesign --force --deep --options runtime --timestamp=none --sign - "$APP"
+            
+            # Remove quarantine attributes
+            xattr -cr "$APP"
+            
+            # Verify signature
+            echo "======================================"
+            echo "Verifying signature..."
+            echo "======================================"
+            codesign --verify --deep --strict --verbose=2 "$APP"
+          fi
+          
+      - name: Create ZIP with ditto (macOS)
+        if: matrix.os == 'macos-latest'
+        run: |
+          APP="dist/mac/Git Diff Viewer.app"
+          if [ -d "$APP" ]; then
+            ditto -c -k --sequesterRsrc --keepParent "$APP" "dist/Git-Diff-Viewer-${GITHUB_REF##*/}-mac.zip"
+          fi
           
       - name: Upload artifacts (macOS)
         if: matrix.os == 'macos-latest'
@@ -70,9 +100,7 @@ jobs:
           name: macos-build
           path: |
             dist/*.dmg
-            dist/*.zip
             dist/*-mac.zip
-            dist/*-mac-*.zip
             
       - name: Upload artifacts (Windows)
         if: matrix.os == 'windows-latest'

electron-builder.json

@@ -1,38 +1,37 @@
 {
   "appId": "com.diffviewer.app",
   "productName": "Git Diff Viewer",
-  "extends": null,
   "directories": {
     "output": "dist"
   },
   "files": [
     "build/**/*",
     "package.json",
-    "cli.js"
+    "cli.js",
+    "!.vscode/**",
+    "!.git/**",
+    "!node_modules/.cache/**"
   ],
   "extraMetadata": {
     "main": "build/electron/main.js"
   },
   "npmRebuild": false,
-  "buildDependenciesFromSource": true,
-  "nodeGypRebuild": false,
   "mac": {
     "category": "public.app-category.developer-tools",
     "target": [
       {
         "target": "dmg",
-        "arch": ["x64", "arm64"]
+        "arch": ["universal"]
       },
       {
         "target": "zip",
-        "arch": ["x64", "arm64"]
+        "arch": ["universal"]
       }
     ],
     "icon": "logo.png",
-    "identity": null,
+    "identity": "-",
     "hardenedRuntime": true,
-    "gatekeeperAssess": false,
-    "artifactName": "${productName}-${version}-${os}-${arch}.${ext}"
+    "artifactName": "${productName}-${version}-${os}.${ext}"
   },
   "win": {
     "target": "nsis",
@@ -42,4 +41,4 @@
     "target": "AppImage",
     "icon": "logo.png"
   }
-} 
+}

package.json

@@ -1,6 +1,6 @@
 {
   "name": "diff-viewer",
-  "version": "0.1.16",
+  "version": "0.1.17",
   "description": "A rich Git diff viewer with syntax highlighting",
   "main": "build/electron/main.js",
   "homepage": "./",