diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml index 37efd63..e50c450 100644 --- a/.github/workflows/release.yml +++ b/.github/workflows/release.yml @@ -62,13 +62,41 @@ jobs: if: matrix.platform == 'macos-latest' run: | echo "Processing macOS build..." - # Create temporary keychain - security create-keychain -p temppass build.keychain - security default-keychain -s build.keychain - security unlock-keychain -p temppass build.keychain - # Sign the app - codesign --force --deep --options runtime --sign - ./src-tauri/target/*/release/bundle/macos/*.app + + # Find the app bundle + APP_PATH=$(find ./src-tauri/target/*/release/bundle/macos -name "*.app" -type d) + echo "Found app at: $APP_PATH" + + # Create entitlements file + cat > entitlements.plist << EOF + + + + + com.apple.security.cs.allow-unsigned-executable-memory + + com.apple.security.cs.allow-jit + + com.apple.security.cs.disable-library-validation + + com.apple.security.inherit + + + + EOF + + # Sign with hardened runtime and entitlements + codesign --force --deep --options runtime \ + --entitlements entitlements.plist \ + --sign - \ + "$APP_PATH" + + # Process DMG + DMG_PATH=$(find ./src-tauri/target/*/release/bundle/dmg -name "*.dmg" -type f) + if [ ! -z "$DMG_PATH" ]; then + echo "Found DMG at: $DMG_PATH" + codesign --force --sign - "$DMG_PATH" + fi + # Remove quarantine attributes find ./src-tauri/target/*/release/bundle -name "*.app" -o -name "*.dmg" -exec xattr -rd com.apple.quarantine {} \; - # Verify signature - codesign --verify --verbose ./src-tauri/target/*/release/bundle/macos/*.app
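Review bot: The entitlements written into entitlements.plist (`com.apple.security.cs.disable-library-validation`, `com.apple.security.cs.allow-unsigned-executable-memory`, `com.apple.security.cs.allow-jit`) largely cancel the protection that `--options runtime` is meant to provide, and since the signature is still ad-hoc (`--sign -`) there is no identity behind it, so Gatekeeper will not accept the downloaded app or DMG anyway while disable-library-validation leaves the process open to loading any unsigned dylib. Unless each entitlement is demonstrably needed (a Tauri app's web content presumably runs in WebKit's own process, so allow-jit looks unnecessary — verify), drop them and add a comment above the heredoc stating why any that remain are required; the plist's key/value tags did not survive this rendering, so also confirm `com.apple.security.inherit` is intentional, as it only applies to child processes of a sandboxed parent. The hunk also removes the old `codesign --verify` step without replacement, and `APP_PATH` is used unguarded although `DMG_PATH` gets an emptiness check; I would add `[ -n "$APP_PATH" ] || { echo "no .app bundle found" >&2; exit 1; }` after the find and `codesign --verify --deep --strict --verbose=2 "$APP_PATH"` after signing. The unchanged `find ... -name "*.app" -o -name "*.dmg" -exec xattr ...` line is pre-existing but note that `-exec` binds only to the `*.dmg` branch, and stripping quarantine on a CI runner has no effect on what end users download.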