From 57bc195449f6c71c07b14a91e1b55ae6f8723a7a Mon Sep 17 00:00:00 2001
From: Peter Gammelgaard Poulsen
Date: Thu, 28 Mar 2024 00:56:28 +0100
Subject: [PATCH 1/6] Added script for signing app
---
 scripts/sign-macos.sh | 26 ++++++++++++++++++++++++++
 1 file changed, 26 insertions(+)
 create mode 100755 scripts/sign-macos.sh
diff --git a/scripts/sign-macos.sh b/scripts/sign-macos.sh
new file mode 100755
index 00000000..8047a390
--- /dev/null
+++ b/scripts/sign-macos.sh
@@ -0,0 +1,26 @@
+#!/bin/bash
+
+RELEASE_DIR="target/release"
+APP_DIR="$RELEASE_DIR/macos"
+APP_NAME="Halloy.app"
+
+environment=("MACOS_CERTIFICATE" "MACOS_CERTIFICATE_PWD" "MACOS_CI_KEYCHAIN_PWD" "MACOS_CERTIFICATE_NAME")
+for var in "${environment[@]}"; do
+ if [[ -z "${!var}" ]]; then
+ echo "Error: $var is not set"
+ exit 1
+ fi
+done
+
+echo "Decoding certificate"
+echo $MACOS_CERTIFICATE | base64 --decode > certificate.p12
+
+echo "Installing cert in a new key chain"
+security create-keychain -p "$MACOS_CI_KEYCHAIN_PWD" build.keychain
+security default-keychain -s build.keychain
+security unlock-keychain -p "$MACOS_CI_KEYCHAIN_PWD" build.keychain
+security import certificate.p12 -k build.keychain -P "$MACOS_CERTIFICATE_PWD" -T /usr/bin/codesign
+security set-key-partition-list -S apple-tool:,apple:,codesign: -s -k "$MACOS_CI_KEYCHAIN_PWD" build.keychain
+
+echo "Signing..."
+/usr/bin/codesign --force -s "$MACOS_CERTIFICATE_NAME" --options runtime $APP_DIR/$APP_NAME -v
\ No newline at end of file
From cb493893f54d8684917f776e1217d02d10fdacd2 Mon Sep 17 00:00:00 2001
From: Peter Gammelgaard Poulsen
Date: Thu, 28 Mar 2024 00:58:18 +0100
Subject: [PATCH 2/6] Added script to notarize app
---
 scripts/notarize-macos.sh | 26 ++++++++++++++++++++++++++
 1 file changed, 26 insertions(+)
 create mode 100755 scripts/notarize-macos.sh
diff --git a/scripts/notarize-macos.sh b/scripts/notarize-macos.sh
new file mode 100755
index 00000000..1838d89e
--- /dev/null
+++ b/scripts/notarize-macos.sh
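Review bot: The script has no `set -e`, so a failed `security import` or `codesign` does not stop it and the step's exit status is only that of the last command; the same holds for the expanded version of this file in the last patch of the series (the two sign-macos.sh hunks at the end). The decoded private key in `certificate.p12` and `build.keychain` (which is also made the default keychain) are never removed, which matters on a reused or self-hosted runner. `echo $MACOS_CERTIFICATE` is unquoted; `printf '%s' "$MACOS_CERTIFICATE" | base64 --decode > certificate.p12` is the safe form, and `$APP_DIR/$APP_NAME` on the codesign line should be quoted as well. Once `set -u` is on, the environment check needs `"${!var:-}"` so an unset variable reaches the friendly error instead of an "unbound variable" abort.
```shell
#!/bin/bash
set -euo pipefail

# … unchanged: RELEASE_DIR, APP_DIR, APP_NAME …

environment=("MACOS_CERTIFICATE" "MACOS_CERTIFICATE_PWD" "MACOS_CI_KEYCHAIN_PWD" "MACOS_CERTIFICATE_NAME")
for var in "${environment[@]}"; do
  # ":-" keeps the friendly message reachable under set -u
  if [[ -z "${!var:-}" ]]; then
    echo "Error: $var is not set" >&2
    exit 1
  fi
done

# Remove the decoded private key and the CI keychain on every exit path,
# so neither survives on a reused runner.
cleanup() {
  rm -f -- certificate.p12
  security delete-keychain build.keychain 2>/dev/null || true
}
trap cleanup EXIT

echo "Decoding certificate"
printf '%s' "$MACOS_CERTIFICATE" | base64 --decode > certificate.p12

# … unchanged: keychain creation, import and partition list …

echo "Signing..."
/usr/bin/codesign --force -s "$MACOS_CERTIFICATE_NAME" --options runtime "$APP_DIR/$APP_NAME" -v
```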
@@ -0,0 +1,26 @@
+#!/bin/bash
+
+RELEASE_DIR="target/release"
+APP_DIR="$RELEASE_DIR/macos"
+APP_NAME="Halloy.app"
+APP_PATH=$APP_DIR/$APP_NAME
+
+environment=("MACOS_NOTARIZATION_APPLE_ID MACOS_NOTARIZATION_TEAM_ID MACOS_NOTARIZATION_PWD")
+for var in "${environment[@]}"; do
+ if [[ -z "${!var}" ]]; then
+ echo "Error: $var is not set"
+ exit 1
+ fi
+done
+
+echo "Create keychain profile"
+xcrun notarytool store-credentials "notarytool-profile" --apple-id "$MACOS_NOTARIZATION_APPLE_ID" --team-id "$MACOS_NOTARIZATION_TEAM_ID" --password "$MACOS_NOTARIZATION_PWD"
+
+echo "Creating temp notarization archive"
+ditto -c -k --keepParent "$APP_PATH" "notarization.zip"
+
+echo "Notarize app"
+xcrun notarytool submit "notarization.zip" --keychain-profile "notarytool-profile" --wait
+
+echo "Attach staple"
+xcrun stapler staple $APP_PATH
\ No newline at end of file
From f1b70f9db3a7b70c842df48102a56232e4525d9c Mon Sep 17 00:00:00 2001
From: Peter Gammelgaard Poulsen
Date: Thu, 28 Mar 2024 00:58:27 +0100
Subject: [PATCH 3/6] Added script to package app
---
 scripts/package-macos.sh | 13 +++++++++++++
 1 file changed, 13 insertions(+)
 create mode 100755 scripts/package-macos.sh
diff --git a/scripts/package-macos.sh b/scripts/package-macos.sh
new file mode 100755
index 00000000..b901e518
--- /dev/null
+++ b/scripts/package-macos.sh
@@ -0,0 +1,13 @@
+#!/bin/bash
+
+RELEASE_DIR="target/release"
+APP_DIR="$RELEASE_DIR/macos"
+APP_NAME="Halloy.app"
+DMG_NAME="halloy.dmg"
+DMG_DIR="$RELEASE_DIR/macos"
+
+# package dmg
+echo "Packing disk image..."
+ln -sf /Applications "$DMG_DIR/Applications"
+hdiutil create "$DMG_DIR/$DMG_NAME" -volname "Halloy" -fs HFS+ -srcfolder "$APP_DIR" -ov -format UDZO
+echo "Packed '$APP_NAME' in '$APP_DIR'"
\ No newline at end of file
From 0f79ceb508b4ec4a97b72a9a3a8af251cddce446 Mon Sep 17 00:00:00 2001
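Review bot: `xcrun notarytool store-credentials ... --password "$MACOS_NOTARIZATION_PWD"` puts the Apple ID app-specific password on the command line and writes it into the runner's keychain as `notarytool-profile`, where it stays after the job; the same lines reappear in sign-macos.sh in the last patch of this series. Because the profile is used exactly once, passing `--apple-id`, `--team-id` and `--password` directly to `notarytool submit` avoids persisting anything, and an App Store Connect API key (`--key`, `--key-id`, `--issuer`) avoids handling an Apple ID password at all. `notarization.zip` is left in the working directory and `$APP_PATH` is unquoted on the `stapler` line while it is quoted on the `ditto` line above it. As with the signing script there is no `set -e`, so a failed `ditto` or submission is only noticed if `stapler` happens to fail afterwards.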
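Review bot: `DMG_DIR` and `APP_DIR` are the same directory, so `hdiutil create "$DMG_DIR/$DMG_NAME" ... -srcfolder "$APP_DIR"` writes the image into the folder it is imaging, and a `halloy.dmg` or `Applications` symlink left from an earlier run would be part of the source tree — presumably harmless on a fresh CI checkout, but worth confirming or writing the image one level up. The closing `echo "Packed ..."` runs whether or not `hdiutil` succeeded because the script has no `set -e`; `set -euo pipefail` under the shebang would make the step fail on a packaging error. These lines are moved verbatim out of build-macos.sh in the last patch of the series, so the behaviour itself is not new.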
From: Peter Gammelgaard Poulsen
Date: Thu, 28 Mar 2024 00:58:56 +0100
Subject: [PATCH 4/6] added workflow to build and sign on macOS
---
 .github/workflows/build-sign-macos.yml | 50 ++++++++++++++++++++++++++
 1 file changed, 50 insertions(+)
 create mode 100644 .github/workflows/build-sign-macos.yml
diff --git a/.github/workflows/build-sign-macos.yml b/.github/workflows/build-sign-macos.yml
new file mode 100644
index 00000000..146075af
--- /dev/null
+++ b/.github/workflows/build-sign-macos.yml
@@ -0,0 +1,50 @@
+name: "Build and sign for macOS"
+
+on:
+ pull_request: #remove this before merge!
+ workflow_dispatch:
+
+jobs:
+ build:
+ name: Build and sign
+ runs-on: macos-latest
+ steps:
+ - uses: actions/checkout@v3
+ - uses: actions-rs/toolchain@v1
+ with:
+ profile: minimal
+ toolchain: stable
+ override: true
+
+ - name: Build
+ run: bash scripts/build-macos.sh
+
+ - name: Sign
+ env:
+ MACOS_CERTIFICATE: ${{ secrets.MACOS_CERTIFICATE }}
+ MACOS_CERTIFICATE_PWD: ${{ secrets.MACOS_CERTIFICATE_PWD }}
+ MACOS_CERTIFICATE_NAME: ${{ secrets.MACOS_CERTIFICATE_NAME }}
+ MACOS_CI_KEYCHAIN_PWD: ${{ secrets.MACOS_CI_KEYCHAIN_PWD }}
+ run: bash scripts/sign-macos.sh
+
+ - name: Notarize
+ env:
+ MACOS_NOTARIZATION_APPLE_ID: ${{ secrets.MACOS_NOTARIZATION_APPLE_ID }}
+ MACOS_NOTARIZATION_TEAM_ID: ${{ secrets.MACOS_NOTARIZATION_TEAM_ID }}
+ MACOS_NOTARIZATION_PWD: ${{ secrets.MACOS_NOTARIZATION_PWD }}
+ run: bash scripts/notarize-macos.sh
+
+ - name: Package
+ run: bash scripts/package-macos.sh
+
+ - name: Upload dmg
+ uses: actions/upload-artifact@v2
+ with:
+ name: macos-dmg
+ path: target/release/macos/halloy.dmg
+
+ - name: Upload app
+ uses: actions/upload-artifact@v2
+ with:
+ name: macos-app
+ path: target/release/macos/halloy.app
\ No newline at end of file
From 292cc54c33b6d2c4625dd50f26d10522d8687825 Mon Sep 17 00:00:00 2001
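Review bot: This job holds the signing certificate and notarization credentials in its environment, yet `actions/checkout@v3`, `actions-rs/toolchain@v1` and `actions/upload-artifact@v2` are referenced by mutable tags; pinning them to commit SHAs limits what a retagged or compromised action could reach. The `pull_request:` trigger is already marked for removal; until it goes, PRs from forks fail at the Sign step's environment check because secrets are not exposed to them, while same-repository PRs exercise the signing key on every push. The upload paths name `halloy.dmg` and `halloy.app` while the scripts create `Halloy.app`, which only lines up on a case-insensitive filesystem, so the spelling should probably match. This workflow is deleted again in the last patch of the series, where the steps move into release.yml whose `uses:` lines are outside the visible hunk.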
From: Peter Gammelgaard Poulsen
Date: Thu, 28 Mar 2024 01:11:12 +0100
Subject: [PATCH 5/6] Fixed notarize script environment check
---
 scripts/notarize-macos.sh | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/scripts/notarize-macos.sh b/scripts/notarize-macos.sh
index 1838d89e..2aa67c54 100755
--- a/scripts/notarize-macos.sh
+++ b/scripts/notarize-macos.sh
@@ -5,7 +5,7 @@ APP_DIR="$RELEASE_DIR/macos"
 APP_NAME="Halloy.app"
 APP_PATH=$APP_DIR/$APP_NAME
 
-environment=("MACOS_NOTARIZATION_APPLE_ID MACOS_NOTARIZATION_TEAM_ID MACOS_NOTARIZATION_PWD")
+environment=("MACOS_NOTARIZATION_APPLE_ID" "MACOS_NOTARIZATION_TEAM_ID" "MACOS_NOTARIZATION_PWD")
 for var in "${environment[@]}"; do
 if [[ -z "${!var}" ]]; then
 echo "Error: $var is not set"
From e48446f6b31a42220a322daf197872ef64b3172d Mon Sep 17 00:00:00 2001
From: Peter Gammelgaard Poulsen
Date: Thu, 28 Mar 2024 20:52:22 +0100
Subject: [PATCH 6/6] Moved into release.yml
---
 .github/workflows/build-sign-macos.yml | 50 --------------------------
 .github/workflows/release.yml | 16 +++++++++++
 scripts/build-macos.sh | 7 ----
 scripts/notarize-macos.sh | 26 --------------
 scripts/package-macos.sh | 2 +-
 scripts/sign-macos.sh | 17 +++++++--
 6 files changed, 32 insertions(+), 86 deletions(-)
 delete mode 100644 .github/workflows/build-sign-macos.yml
 delete mode 100755 scripts/notarize-macos.sh
diff --git a/.github/workflows/build-sign-macos.yml b/.github/workflows/build-sign-macos.yml
deleted file mode 100644
index 146075af..00000000
--- a/.github/workflows/build-sign-macos.yml
+++ /dev/null
@@ -1,50 +0,0 @@
-name: "Build and sign for macOS"
-
-on:
- pull_request: #remove this before merge!
- workflow_dispatch:
-
-jobs:
- build:
- name: Build and sign
- runs-on: macos-latest
- steps:
- - uses: actions/checkout@v3
- - uses: actions-rs/toolchain@v1
- with:
- profile: minimal
- toolchain: stable
- override: true
-
- - name: Build
- run: bash scripts/build-macos.sh
-
- - name: Sign
- env:
- MACOS_CERTIFICATE: ${{ secrets.MACOS_CERTIFICATE }}
- MACOS_CERTIFICATE_PWD: ${{ secrets.MACOS_CERTIFICATE_PWD }}
- MACOS_CERTIFICATE_NAME: ${{ secrets.MACOS_CERTIFICATE_NAME }}
- MACOS_CI_KEYCHAIN_PWD: ${{ secrets.MACOS_CI_KEYCHAIN_PWD }}
- run: bash scripts/sign-macos.sh
-
- - name: Notarize
- env:
- MACOS_NOTARIZATION_APPLE_ID: ${{ secrets.MACOS_NOTARIZATION_APPLE_ID }}
- MACOS_NOTARIZATION_TEAM_ID: ${{ secrets.MACOS_NOTARIZATION_TEAM_ID }}
- MACOS_NOTARIZATION_PWD: ${{ secrets.MACOS_NOTARIZATION_PWD }}
- run: bash scripts/notarize-macos.sh
-
- - name: Package
- run: bash scripts/package-macos.sh
-
- - name: Upload dmg
- uses: actions/upload-artifact@v2
- with:
- name: macos-dmg
- path: target/release/macos/halloy.dmg
-
- - name: Upload app
- uses: actions/upload-artifact@v2
- with:
- name: macos-app
- path: target/release/macos/halloy.app
\ No newline at end of file
diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml
index 6dd592e1..a001c3d8 100644
--- a/.github/workflows/release.yml
+++ b/.github/workflows/release.yml
@@ -53,6 +53,22 @@ jobs:
 - name: Build
 run: ${{ matrix.target.make }}
 
+ - name: Sign macOS
+ if: matrix.target.target == 'macos'
+ env:
+ MACOS_CERTIFICATE: ${{ secrets.MACOS_CERTIFICATE }}
+ MACOS_CERTIFICATE_PWD: ${{ secrets.MACOS_CERTIFICATE_PWD }}
+ MACOS_CERTIFICATE_NAME: ${{ secrets.MACOS_CERTIFICATE_NAME }}
+ MACOS_CI_KEYCHAIN_PWD: ${{ secrets.MACOS_CI_KEYCHAIN_PWD }}
+ MACOS_NOTARIZATION_APPLE_ID: ${{ secrets.MACOS_NOTARIZATION_APPLE_ID }}
+ MACOS_NOTARIZATION_TEAM_ID: ${{ secrets.MACOS_NOTARIZATION_TEAM_ID }}
+ MACOS_NOTARIZATION_PWD: ${{ secrets.MACOS_NOTARIZATION_PWD }}
+ run: bash scripts/sign-macos.sh
+
+ - name: Package macOS
+ if: matrix.target.target == 'macos'
+ run: bash scripts/package-macos.sh
+
 - name: Set artifact path
 run: ${{ matrix.target.artifact_path }}
 
diff --git a/scripts/build-macos.sh b/scripts/build-macos.sh
index ef16c183..c3d4dc8c 100755
--- a/scripts/build-macos.sh
+++ b/scripts/build-macos.sh
@@ -36,10 +36,3 @@ cp -fRp "$APP_TEMPLATE" "$APP_DIR"
 cp -fp "$APP_BINARY" "$APP_BINARY_DIR"
 touch -r "$APP_BINARY" "$APP_DIR/$APP_NAME"
 echo "Created '$APP_NAME' in '$APP_DIR'"
-
-# package dmg
-echo "Packing disk image..."
-ln -sf /Applications "$DMG_DIR/Applications"
-hdiutil create "$DMG_DIR/$DMG_NAME" -volname "Halloy" -fs HFS+ -srcfolder "$APP_DIR" -ov -format UDZO
-echo "Packed '$APP_NAME' in '$APP_DIR'"
-
diff --git a/scripts/notarize-macos.sh b/scripts/notarize-macos.sh
deleted file mode 100755
index 2aa67c54..00000000
--- a/scripts/notarize-macos.sh
+++ /dev/null
@@ -1,26 +0,0 @@
-#!/bin/bash
-
-RELEASE_DIR="target/release"
-APP_DIR="$RELEASE_DIR/macos"
-APP_NAME="Halloy.app"
-APP_PATH=$APP_DIR/$APP_NAME
-
-environment=("MACOS_NOTARIZATION_APPLE_ID" "MACOS_NOTARIZATION_TEAM_ID" "MACOS_NOTARIZATION_PWD")
-for var in "${environment[@]}"; do
- if [[ -z "${!var}" ]]; then
- echo "Error: $var is not set"
- exit 1
- fi
-done
-
-echo "Create keychain profile"
-xcrun notarytool store-credentials "notarytool-profile" --apple-id "$MACOS_NOTARIZATION_APPLE_ID" --team-id "$MACOS_NOTARIZATION_TEAM_ID" --password "$MACOS_NOTARIZATION_PWD"
-
-echo "Creating temp notarization archive"
-ditto -c -k --keepParent "$APP_PATH" "notarization.zip"
-
-echo "Notarize app"
-xcrun notarytool submit "notarization.zip" --keychain-profile "notarytool-profile" --wait
-
-echo "Attach staple"
-xcrun stapler staple $APP_PATH
\ No newline at end of file
diff --git a/scripts/package-macos.sh b/scripts/package-macos.sh
index b901e518..66df7078 100755
--- a/scripts/package-macos.sh
+++ b/scripts/package-macos.sh
@@ -10,4 +10,4 @@ DMG_DIR="$RELEASE_DIR/macos"
 echo "Packing disk image..."
 ln -sf /Applications "$DMG_DIR/Applications"
 hdiutil create "$DMG_DIR/$DMG_NAME" -volname "Halloy" -fs HFS+ -srcfolder "$APP_DIR" -ov -format UDZO
-echo "Packed '$APP_NAME' in '$APP_DIR'"
\ No newline at end of file
+echo "Packed '$APP_NAME' in '$APP_DIR'"
diff --git a/scripts/sign-macos.sh b/scripts/sign-macos.sh
index 8047a390..30f459d4 100755
--- a/scripts/sign-macos.sh
+++ b/scripts/sign-macos.sh
@@ -3,8 +3,9 @@
 RELEASE_DIR="target/release"
 APP_DIR="$RELEASE_DIR/macos"
 APP_NAME="Halloy.app"
+APP_PATH=$APP_DIR/$APP_NAME
 
-environment=("MACOS_CERTIFICATE" "MACOS_CERTIFICATE_PWD" "MACOS_CI_KEYCHAIN_PWD" "MACOS_CERTIFICATE_NAME")
+environment=("MACOS_CERTIFICATE" "MACOS_CERTIFICATE_PWD" "MACOS_CI_KEYCHAIN_PWD" "MACOS_CERTIFICATE_NAME" "MACOS_NOTARIZATION_APPLE_ID" "MACOS_NOTARIZATION_TEAM_ID" "MACOS_NOTARIZATION_PWD")
 for var in "${environment[@]}"; do
 if [[ -z "${!var}" ]]; then
 echo "Error: $var is not set"
@@ -23,4 +24,16 @@ security import certificate.p12 -k build.keychain -P "$MACOS_CERTIFICATE_PWD" -T
 security set-key-partition-list -S apple-tool:,apple:,codesign: -s -k "$MACOS_CI_KEYCHAIN_PWD" build.keychain
 
 echo "Signing..."
-/usr/bin/codesign --force -s "$MACOS_CERTIFICATE_NAME" --options runtime $APP_DIR/$APP_NAME -v
\ No newline at end of file
+/usr/bin/codesign --force -s "$MACOS_CERTIFICATE_NAME" --options runtime $APP_PATH -v
+
+echo "Create keychain profile"
+xcrun notarytool store-credentials "notarytool-profile" --apple-id "$MACOS_NOTARIZATION_APPLE_ID" --team-id "$MACOS_NOTARIZATION_TEAM_ID" --password "$MACOS_NOTARIZATION_PWD"
+
+echo "Creating temp notarization archive"
+ditto -c -k --keepParent "$APP_PATH" "notarization.zip"
+
+echo "Notarize app"
+xcrun notarytool submit "notarization.zip" --keychain-profile "notarytool-profile" --wait
+
+echo "Attach staple"
+xcrun stapler staple $APP_PATH
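Review bot: `$APP_PATH` is unquoted on both the `codesign` line and the `stapler staple` line added in the second hunk, while the `ditto` line between them quotes it; `"$APP_PATH"` in all three keeps the file consistent. The script still has no `set -e` (raised on the first patch of this series), which matters more now that a failed `codesign` is followed straight away by a notarization submission of the unsigned bundle; I am not certain that `notarytool submit --wait` exits non-zero on an `Invalid` verdict, and if it does not, the failure is only noticed because `stapler` fails afterwards. `notarization.zip` is created in the working directory and never removed, and the `notarytool-profile` stored in the keychain outlives the job on a reused runner. The DMG that package-macos.sh builds afterwards is not itself notarized or stapled; worth confirming that stapling only the app is sufficient for the intended disk-image install flow.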