@@ -73,6 +73,14 @@ cat > "$TEMP_DIR/$APP_BUNDLE/Contents/Info.plist" << EOF
7373 <true/>
7474 <key>LSBackgroundOnly</key>
7575 <false/>
76+ <key>NSHighResolutionCapable</key>
77+ <true/>
78+ <key>NSRequiresAquaSystemAppearance</key>
79+ <false/>
80+ <key>LSApplicationCategoryType</key>
81+ <string>public.app-category.utilities</string>
82+ <key>NSUserNotificationAlertStyle</key>
83+ <string>alert</string>
7684EOF
7785
7886if [ -n " $ICON_FILE " ]; then
9098# Create empty PkgInfo file (required for proper app bundle)
9199echo " APPLMCPP" > " $TEMP_DIR /$APP_BUNDLE /Contents/PkgInfo"
92100
93- # Sign the app bundle properly
94- echo " Signing app bundle..."
95-
96- # Use development entitlements if available, otherwise sign without entitlements
97- if [ -f " scripts/entitlements-dev.plist" ]; then
98- echo " Using development entitlements..."
99- codesign --force --deep --sign - --identifier " $BUNDLE_ID " --entitlements " scripts/entitlements-dev.plist" " $TEMP_DIR /$APP_BUNDLE "
101+ # Sign the app bundle properly with Developer ID certificate
102+ echo " Signing app bundle with Developer ID certificate..."
103+
104+ # Find the Developer ID certificate (same logic as in workflow)
105+ CERT_IDENTITY=$( security find-identity -v -p codesigning | grep " Developer ID Application" | head -1 | grep -o ' "[^"]*"' | tr -d ' "' )
106+
107+ if [ -n " ${CERT_IDENTITY} " ]; then
108+ echo " ✅ Found Developer ID certificate: ${CERT_IDENTITY} "
109+
110+ # Validate entitlements file formatting (Apple's recommendation)
111+ if [ -f " scripts/entitlements.plist" ]; then
112+ echo " === Validating entitlements file ==="
113+ if plutil -lint scripts/entitlements.plist; then
114+ echo " ✅ Entitlements file is properly formatted"
115+ else
116+ echo " ❌ Entitlements file has formatting issues"
117+ exit 1
118+ fi
119+
120+ # Convert to XML format if needed
121+ plutil -convert xml1 scripts/entitlements.plist
122+ echo " ✅ Entitlements converted to XML format"
123+ fi
124+
125+ # Sign with proper Developer ID certificate, hardened runtime, and production entitlements
126+ if [ -f " scripts/entitlements.plist" ]; then
127+ echo " Using production entitlements..."
128+ codesign --force --deep \
129+ --options runtime \
130+ --sign " ${CERT_IDENTITY} " \
131+ --identifier " $BUNDLE_ID " \
132+ --entitlements " scripts/entitlements.plist" \
133+ --timestamp \
134+ " $TEMP_DIR /$APP_BUNDLE "
135+ else
136+ echo " No entitlements file found, signing without..."
137+ codesign --force --deep \
138+ --options runtime \
139+ --sign " ${CERT_IDENTITY} " \
140+ --identifier " $BUNDLE_ID " \
141+ --timestamp \
142+ " $TEMP_DIR /$APP_BUNDLE "
143+ fi
144+
145+ # Verify signing using Apple's recommended methods
146+ echo " === Verifying app bundle signature ==="
147+ codesign --verify --verbose " $TEMP_DIR /$APP_BUNDLE "
148+
149+ # Apple's recommended strict verification for notarization
150+ echo " === Strict verification (matches notarization requirements) ==="
151+ if codesign -vvv --deep --strict " $TEMP_DIR /$APP_BUNDLE " ; then
152+ echo " ✅ App bundle strict verification PASSED - ready for notarization"
153+ else
154+ echo " ❌ App bundle strict verification FAILED - will not pass notarization"
155+ exit 1
156+ fi
157+
158+ # Check for secure timestamp
159+ echo " === Checking app bundle timestamp ==="
160+ TIMESTAMP_CHECK=$( codesign -dvv " $TEMP_DIR /$APP_BUNDLE " 2>&1 )
161+ if echo " $TIMESTAMP_CHECK " | grep -q " Timestamp=" ; then
162+ echo " ✅ App bundle has secure timestamp:"
163+ echo " $TIMESTAMP_CHECK " | grep " Timestamp="
164+ else
165+ echo " ❌ App bundle missing secure timestamp"
166+ fi
167+
168+ # Show detailed signature information
169+ echo " === App bundle signature details ==="
170+ codesign --display --verbose=4 " $TEMP_DIR /$APP_BUNDLE "
171+
172+ # Check entitlements
173+ echo " === App bundle entitlements ==="
174+ codesign --display --entitlements - " $TEMP_DIR /$APP_BUNDLE "
175+
100176else
101- echo " Signing without entitlements..."
177+ echo " ❌ No Developer ID certificate found - using ad-hoc signature"
178+ echo " This will NOT work for notarization!"
102179 codesign --force --deep --sign - --identifier " $BUNDLE_ID " " $TEMP_DIR /$APP_BUNDLE "
103180fi
104181
105- # Verify signing
106- codesign --verify --verbose " $TEMP_DIR /$APP_BUNDLE "
107- echo " App bundle signed successfully"
108-
109182# Create Applications symlink
110183ln -s /Applications " $TEMP_DIR /Applications"
111184
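Review bot: The `else` branch at new lines 176–179 still falls back to an ad-hoc signature (`--sign -`) and lets the script continue. If the Developer ID certificate is missing, expired or sits in a locked keychain, the build still finishes and the only sign that the artifact is not Developer ID signed is a log line. Release builds should fail closed here: replace the fallback with `exit 1`, or keep it only behind an explicit opt-in such as `[ "${ALLOW_ADHOC_SIGNING:-0}" = 1 ] || exit 1` (the variable name is only a suggestion). The timestamp check at new lines 161–166 has the same gap, since it prints the ❌ message but does not `exit 1`, unlike the strict-verification branch just above it. Separately, `plutil -convert xml1 scripts/entitlements.plist` at new line 121 rewrites the checked-in entitlements file in place on every build; writing the converted copy to a temporary path with `-o` and signing with that copy would leave the source tree untouched.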