2 changes: 1 addition & 1 deletion .github/workflows/package.yml
Expand Up @@ -124,7 +124,7 @@ jobs:
keychain_path="${RUNNER_TEMP}/diffy-signing.keychain-db"
certificate_path="${RUNNER_TEMP}/diffy-developer-id.p12"

echo "$APPLE_CERTIFICATE_P12_BASE64" | base64 --decode > "$certificate_path"
echo "$APPLE_CERTIFICATE_P12_BASE64" | base64 -d > "$certificate_path"
security create-keychain -p "$APPLE_KEYCHAIN_PASSWORD" "$keychain_path"
security set-keychain-settings -lut 21600 "$keychain_path"
security unlock-keychain -p "$APPLE_KEYCHAIN_PASSWORD" "$keychain_path"
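Review bot: The changed decode line still feeds the secret through `echo`, while the same pattern in scripts/package-macos-release.sh in this PR uses `printf '%s' "$VAR" | base64 -d`; whichever flag form is kept, `printf '%s' "$APPLE_CERTIFICATE_P12_BASE64" | base64 -d > "$certificate_path"` keeps the two files consistent and avoids echo's option/escape handling on the value. The decoded .p12 is also written with the default umask and never tightened, unlike the notary key, which gets `chmod 600 "$key_path"`; adding `chmod 600 "$certificate_path"` right after the decode would match that handling. The step's enclosing `run:` block starts before and continues after this hunk.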
29 changes: 20 additions & 9 deletions scripts/package-macos-release.sh
Expand Up @@ -42,14 +42,24 @@ write_notary_key() {
if [[ -n "${APPLE_NOTARY_PRIVATE_KEY:-}" ]]; then
printf '%s' "$APPLE_NOTARY_PRIVATE_KEY" > "$key_path"
elif [[ -n "${APPLE_NOTARY_PRIVATE_KEY_BASE64:-}" ]]; then
printf '%s' "$APPLE_NOTARY_PRIVATE_KEY_BASE64" | base64 --decode > "$key_path"
printf '%s' "$APPLE_NOTARY_PRIVATE_KEY_BASE64" | base64 -d > "$key_path"
else
die "APPLE_NOTARY_PRIVATE_KEY or APPLE_NOTARY_PRIVATE_KEY_BASE64 is required"
fi

chmod 600 "$key_path"
}

submit_for_notarization() {
local path="$1"

xcrun notarytool submit "$path" \
--key "$notary_key" \
--key-id "$APPLE_NOTARY_KEY_ID" \
--issuer "$APPLE_NOTARY_ISSUER_ID" \
--wait
}

sign_macho_files() {
local app="$1"

Expand Down Expand Up @@ -79,8 +89,10 @@ version="$(package_version)"
arch="$(artifact_arch)"
work_dir="$(mktemp -d)"
notary_key="${work_dir}/AuthKey_${APPLE_NOTARY_KEY_ID}.p8"
app_zip="${work_dir}/${APP_NAME}-${version}-${arch}.zip"
stage_dir="${work_dir}/stage"
trap 'rm -rf "$work_dir"' EXIT
write_notary_key "$notary_key"

cargo packager --release --formats app

Expand All @@ -99,6 +111,11 @@ sign_macho_files "$app_path"
"$app_path"
/usr/bin/codesign --verify --deep --strict --verbose=2 "$app_path"

ditto -c -k --keepParent "$app_path" "$app_zip"
submit_for_notarization "$app_zip"
xcrun stapler staple "$app_path"
xcrun stapler validate "$app_path"

mkdir -p "$stage_dir"
ditto "$app_path" "${stage_dir}/${APP_BUNDLE_NAME}"
ln -s /Applications "${stage_dir}/Applications"
Expand All @@ -115,15 +132,9 @@ hdiutil create \
/usr/bin/codesign --force --timestamp --sign "$APPLE_CODESIGN_IDENTITY" "$dmg_path"
/usr/bin/codesign --verify --verbose=2 "$dmg_path"

write_notary_key "$notary_key"
xcrun notarytool submit "$dmg_path" \
--key "$notary_key" \
--key-id "$APPLE_NOTARY_KEY_ID" \
--issuer "$APPLE_NOTARY_ISSUER_ID" \
--wait

submit_for_notarization "$dmg_path"
xcrun stapler staple "$dmg_path"
xcrun stapler staple "$app_path"
xcrun stapler validate "$dmg_path"
spctl --assess --type open --context context:primary-signature --verbose=2 "$dmg_path"
spctl --assess --type execute --verbose=2 "$app_path"

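Review bot: `submit_for_notarization` in the first hunk takes only `path` and silently reads the global `notary_key`, which is not assigned until the `notary_key="${work_dir}/AuthKey_…"` line in the second hunk, so the function only works if it is called after that point and nothing in its definition says so. Either pass the key explicitly (`local path="$1" key="${2:-$notary_key}"` and `--key "$key"`) or add a header comment above the function such as `# Submits $1 to notarytool and waits for the result. Requires notary_key, APPLE_NOTARY_KEY_ID and APPLE_NOTARY_ISSUER_ID to be set; called only after write_notary_key has run.` The new ordering (zip, submit, staple the .app before it is copied into the DMG stage) looks right since the staple ticket then travels with the copy, and if notarytool ever reports a non-accepted status the following `xcrun stapler staple` is the step that will fail, which is worth a one-line comment at the `submit_for_notarization "$app_zip"` call. `sign_macho_files` and the hdiutil block start or end outside these hunks.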