Add code signing and notarization for macOS releases

revmischa · claude · revmischa · commit 9565baa9848d · 2026-01-17T12:38:02.000-08:00
Signs the app bundle and .pkg installer with Developer ID certificates,
then notarizes both with Apple's notary service for Gatekeeper approval.

Uses App Store Connect API key for notarization credentials.
Replaces CPack with direct pkgbuild/productbuild for better signing control.

Co-Authored-By: Claude Opus 4.5 &lt;noreply@anthropic.com&gt;
diff --git a/.github/workflows/release-linux.yaml b/.github/workflows/release-linux.yaml
@@ -4,7 +4,9 @@
 # while POCO  will be linked statically.
 name: Build Release Package for Linux
 
-on: workflow_dispatch
+on:
+  workflow_dispatch:
+  workflow_call:
 
 jobs:
   build-deb:
diff --git a/.github/workflows/release-macos.yaml b/.github/workflows/release-macos.yaml
@@ -2,7 +2,22 @@
 # Builds a universal binary on macOS.
 name: Build Release Package for macOS
 
-on: workflow_dispatch
+on:
+  workflow_dispatch:
+  workflow_call:
+    secrets:
+      MACOS_CERTIFICATE_APPLICATION:
+        required: true
+      MACOS_CERTIFICATE_INSTALLER:
+        required: true
+      MACOS_CERTIFICATE_PASSWORD:
+        required: true
+      MACOS_NOTARY_API_KEY:
+        required: true
+      MACOS_NOTARY_KEY_ID:
+        required: true
+      MACOS_NOTARY_ISSUER_ID:
+        required: true
 
 jobs:
   build-deb:
@@ -112,19 +127,123 @@ jobs:
             "-DCMAKE_PREFIX_PATH=${GITHUB_WORKSPACE}/install-libprojectm;${GITHUB_WORKSPACE}/install-poco;${GITHUB_WORKSPACE}/install-libsdl2" \
             "-DPRESET_DIRS=${{ github.workspace }}/presets-cream-of-the-crop" \
             "-DTEXTURE_DIRS=${{ github.workspace }}/presets-milkdrop-texture-pack/textures" \
-            '-DDEFAULT_CONFIG_PATH=${application.dir}/../share/projectMSDL/' \
-            '-DDEFAULT_PRESETS_PATH=${application.dir}/../share/projectMSDL/presets/' \
-            '-DDEFAULT_TEXTURES_PATH=${application.dir}/../share/projectMSDL/textures/' \
             -DENABLE_INSTALL_BDEPS=ON
           cmake --build cmake-build-frontend-sdl2 --parallel
+          cmake --install cmake-build-frontend-sdl2 --prefix "${{ github.workspace }}/install"
+
+      - name: Import Code Signing Certificates
+        env:
+          MACOS_CERTIFICATE_APPLICATION: ${{ secrets.MACOS_CERTIFICATE_APPLICATION }}
+          MACOS_CERTIFICATE_INSTALLER: ${{ secrets.MACOS_CERTIFICATE_INSTALLER }}
+          MACOS_CERTIFICATE_PASSWORD: ${{ secrets.MACOS_CERTIFICATE_PASSWORD }}
+        run: |
+          echo "$MACOS_CERTIFICATE_APPLICATION" | base64 --decode > app_cert.p12 && chmod 600 app_cert.p12
+          echo "$MACOS_CERTIFICATE_INSTALLER" | base64 --decode > installer_cert.p12 && chmod 600 installer_cert.p12
+
+          KEYCHAIN_PASSWORD=$(openssl rand -base64 32)
+          security create-keychain -p "$KEYCHAIN_PASSWORD" build.keychain
+          security default-keychain -s build.keychain
+          security unlock-keychain -p "$KEYCHAIN_PASSWORD" build.keychain
+
+          security import app_cert.p12 -k build.keychain -P "$MACOS_CERTIFICATE_PASSWORD" -T /usr/bin/codesign
+          security import installer_cert.p12 -k build.keychain -P "$MACOS_CERTIFICATE_PASSWORD" -T /usr/bin/productsign
+
+          security set-key-partition-list -S apple-tool:,apple:,codesign:,productbuild: -s -k "$KEYCHAIN_PASSWORD" build.keychain
+
+          rm app_cert.p12 installer_cert.p12
+
+      - name: Sign Application Bundle
+        run: |
+          APP_PATH="${{ github.workspace }}/install/projectM.app"
+          IDENTITY="Developer ID Application: Mischa Spiegelmock (5926VBQM6Y)"
+
+          # Sign all dylibs first (if PlugIns directory exists)
+          if [ -d "$APP_PATH/Contents/PlugIns" ]; then
+            find "$APP_PATH/Contents/PlugIns" -name "*.dylib" -exec \
+              codesign --force --options runtime --sign "$IDENTITY" {} \;
+          fi
+
+          # Sign the main executable
+          codesign --force --options runtime --sign "$IDENTITY" \
+            "$APP_PATH/Contents/MacOS/projectM"
+
+          # Sign the entire bundle
+          codesign --force --options runtime --sign "$IDENTITY" "$APP_PATH"
+
+          # Verify
+          codesign --verify --deep --strict "$APP_PATH"
+
+      - name: Notarize Application
+        env:
+          API_KEY_BASE64: ${{ secrets.MACOS_NOTARY_API_KEY }}
+          API_KEY_ID: ${{ secrets.MACOS_NOTARY_KEY_ID }}
+          API_ISSUER_ID: ${{ secrets.MACOS_NOTARY_ISSUER_ID }}
+        run: |
+          mkdir -p ~/.private_keys
+          echo "$API_KEY_BASE64" | base64 --decode > ~/.private_keys/AuthKey_${API_KEY_ID}.p8
+          chmod 600 ~/.private_keys/AuthKey_${API_KEY_ID}.p8
+
+          ditto -c -k --keepParent \
+            "${{ github.workspace }}/install/projectM.app" \
+            "projectM-notarize.zip"
+
+          xcrun notarytool submit "projectM-notarize.zip" \
+            --key ~/.private_keys/AuthKey_${API_KEY_ID}.p8 \
+            --key-id "$API_KEY_ID" \
+            --issuer "$API_ISSUER_ID" \
+            --wait
+
+          xcrun stapler staple "${{ github.workspace }}/install/projectM.app"
 
       - name: Package projectMSDL
         run: |
-          cd cmake-build-frontend-sdl2
-          cpack -G productbuild
+          # Get version from CMake
+          VERSION=$(grep "project(projectMSDL" frontend-sdl2/CMakeLists.txt | sed -E 's/.*VERSION ([0-9.]+).*/\1/')
+
+          # Build component package from signed app
+          pkgbuild \
+            --root "${{ github.workspace }}/install" \
+            --identifier "org.projectm-visualizer.projectmsdl" \
+            --version "$VERSION" \
+            --install-location "/Applications" \
+            --component-plist "frontend-sdl2/src/resources/projectMSDL-component.plist" \
+            "projectMSDL-component.pkg"
+
+          # Build unsigned product archive
+          productbuild \
+            --distribution "frontend-sdl2/src/resources/distribution.xml" \
+            --package-path "." \
+            --resources "frontend-sdl2/src/resources" \
+            "projectM-${VERSION}-macOS-universal-unsigned.pkg"
+
+          # Sign the package with productsign
+          productsign \
+            --sign "Developer ID Installer: Mischa Spiegelmock (5926VBQM6Y)" \
+            "projectM-${VERSION}-macOS-universal-unsigned.pkg" \
+            "projectM-${VERSION}-macOS-universal.pkg"
+
+          rm "projectM-${VERSION}-macOS-universal-unsigned.pkg"
+
+      - name: Notarize Package
+        env:
+          API_KEY_ID: ${{ secrets.MACOS_NOTARY_KEY_ID }}
+          API_ISSUER_ID: ${{ secrets.MACOS_NOTARY_ISSUER_ID }}
+        run: |
+          PKG_FILE=$(ls projectM-*.pkg | head -1)
+
+          xcrun notarytool submit "$PKG_FILE" \
+            --key ~/.private_keys/AuthKey_${API_KEY_ID}.p8 \
+            --key-id "$API_KEY_ID" \
+            --issuer "$API_ISSUER_ID" \
+            --wait
+
+          xcrun stapler staple "$PKG_FILE"
+
+          # Clean up API key
+          rm -f ~/.private_keys/AuthKey_${API_KEY_ID}.p8
 
       - name: Upload Artifact
         uses: actions/upload-artifact@v4
         with:
           name: projectMSDL-macOS-Universal
-          path: cmake-build-frontend-sdl2/*.pkg
+          path: projectM-*.pkg
diff --git a/.github/workflows/release-windows.yaml b/.github/workflows/release-windows.yaml
@@ -3,7 +3,9 @@
 # including projectM.
 name: Build Release Package for Windows
 
-on: workflow_dispatch
+on:
+  workflow_dispatch:
+  workflow_call:
 
 jobs:
   build:
diff --git a/.github/workflows/release.yaml b/.github/workflows/release.yaml
@@ -0,0 +1,55 @@
+# Unified release workflow
+# Triggers on version tags, builds all platforms, and creates a GitHub release
+name: Release
+
+on:
+  push:
+    tags:
+      - 'v*'
+
+jobs:
+  build-linux:
+    name: Build Linux
+    uses: ./.github/workflows/release-linux.yaml
+
+  build-windows:
+    name: Build Windows
+    uses: ./.github/workflows/release-windows.yaml
+
+  build-macos:
+    name: Build macOS
+    uses: ./.github/workflows/release-macos.yaml
+    secrets:
+      MACOS_CERTIFICATE_APPLICATION: ${{ secrets.MACOS_CERTIFICATE_APPLICATION }}
+      MACOS_CERTIFICATE_INSTALLER: ${{ secrets.MACOS_CERTIFICATE_INSTALLER }}
+      MACOS_CERTIFICATE_PASSWORD: ${{ secrets.MACOS_CERTIFICATE_PASSWORD }}
+      MACOS_NOTARY_API_KEY: ${{ secrets.MACOS_NOTARY_API_KEY }}
+      MACOS_NOTARY_KEY_ID: ${{ secrets.MACOS_NOTARY_KEY_ID }}
+      MACOS_NOTARY_ISSUER_ID: ${{ secrets.MACOS_NOTARY_ISSUER_ID }}
+
+  create-release:
+    name: Create Release
+    needs: [build-linux, build-windows, build-macos]
+    runs-on: ubuntu-latest
+    permissions:
+      contents: write
+
+    steps:
+      - name: Download all artifacts
+        uses: actions/download-artifact@v4
+        with:
+          path: artifacts
+
+      - name: Display artifacts
+        run: ls -R artifacts
+
+      - name: Create Release
+        uses: softprops/action-gh-release@v2
+        with:
+          generate_release_notes: true
+          files: |
+            artifacts/**/*.pkg
+            artifacts/**/*.deb
+            artifacts/**/*.tar.gz
+            artifacts/**/*.zip
+            artifacts/**/*.msi
diff --git a/packaging-macos.cmake b/packaging-macos.cmake
@@ -10,8 +10,8 @@ set(CPACK_RESOURCE_FILE_LICENSE "${CMAKE_CURRENT_SOURCE_DIR}/src/resources/gpl-3
 set(CPACK_STRIP_FILES TRUE)
 
 ### Productbuild configuration
-set(CPACK_PKGBUILD_IDENTITY_NAME "${CODESIGN_IDENTITY_INSTALLER}")
-set(CPACK_PRODUCTBUILD_IDENTITY_NAME "${CODESIGN_IDENTITY_INSTALLER}")
+set(CPACK_PKGBUILD_IDENTITY_NAME "$ENV{CODESIGN_IDENTITY_INSTALLER}")
+set(CPACK_PRODUCTBUILD_IDENTITY_NAME "$ENV{CODESIGN_IDENTITY_INSTALLER}")
 set(CPACK_PRODUCTBUILD_IDENTIFIER "org.projectm-visualizer.projectmsdl")
 
 string(REPLACE ";" "," INSTALL_ARCHITECTURES "${CMAKE_OSX_ARCHITECTURES}")
diff --git a/src/resources/distribution.xml b/src/resources/distribution.xml
@@ -0,0 +1,17 @@
+<?xml version="1.0" encoding="utf-8"?>
+<installer-gui-script minSpecVersion="2">
+    <title>projectM</title>
+    <organization>org.projectm-visualizer</organization>
+    <welcome file="macos-welcome.txt"/>
+    <readme file="macos-readme.txt"/>
+    <license file="gpl-3.0.rtf"/>
+    <options customize="never" require-scripts="false" hostArchitectures="x86_64,arm64"/>
+    <domains enable_anywhere="false" enable_currentUserHome="false" enable_localSystem="true"/>
+    <choices-outline>
+        <line choice="default"/>
+    </choices-outline>
+    <choice id="default" title="projectM">
+        <pkg-ref id="org.projectm-visualizer.projectmsdl"/>
+    </choice>
+    <pkg-ref id="org.projectm-visualizer.projectmsdl" version="0" onConclusion="none">projectMSDL-component.pkg</pkg-ref>
+</installer-gui-script>
diff --git a/src/resources/projectMSDL-component.plist b/src/resources/projectMSDL-component.plist
@@ -12,7 +12,7 @@
         <key>BundleOverwriteAction</key>
         <string>upgrade</string>
         <key>RootRelativeBundlePath</key>
-        <string>Applications/projectM.app</string>
+        <string>projectM.app</string>
     </dict>
 </array>
 </plist>
diff --git a/vendor/imgui b/vendor/imgui
@@ -1 +1 @@
-Subproject commit 45acd5e0e82f4c954432533ae9985ff0e1aad6d5
+Subproject commit d6cb3c923d28dcebb2d8d9605ccc7229ccef19eb
