Add code signing for Mac builds #251

Open
bmiller opened this issue Apr 25, 2019 · 4 comments
Labels
enhancement New feature or request help wanted Extra attention is needed

Comments

@bmiller
Contributor

bmiller commented Apr 25, 2019

At some point we should add code signing to the mac build. Currently on first launch of each version the system blocks it from launching. The user then has to go into the security system preferences to allow it to be run. It's not difficult but it is an unneeded barrier.

Things to investigate:

  • How code signing a pyinstaller created app is even done. I'm not sure if it's different from a compiled app.
  • If travis can handle the signing, if so how to configure it.

@3ll3d00d
Owner

There is https://github.com/pyinstaller/pyinstaller/wiki/Recipe-OSX-Code-Signing

I imagine this means

@bmiller
Contributor Author

bmiller commented Apr 27, 2019

Seems pretty straightforward. Can we have items in travis though that aren't in the repo? I'm not that familiar with travis. I ask because one concern I have is where the cert is located. Having the .p12 and the pass for it in the repo sort of defeats the purpose of it. :)

If you don't know off hand I can do some research on it and on how other open source projects handle it.

@3ll3d00d
Owner

https://docs.travis-ci.com/user/encrypting-files/ describes how encrypted files are supported so you would store the encrypted cert in the repo and decrypt at build time

@3ll3d00d 3ll3d00d added the enhancement New feature or request label Apr 27, 2019
@3ll3d00d 3ll3d00d added the help wanted Extra attention is needed label Nov 10, 2019
@bmiller
Contributor Author

bmiller commented Apr 14, 2021

@3ll3d00d Since I have my personal dev account active again for BEQBrowser I started looking at revising this issue. The first launch hoops are a bit annoying. Doing it with the GitHub actions looks to be pretty easy. I can generate the certs for you if you want to make the project secrets with them and add the task. Here's a guide on what needs to be done: https://localazy.com/blog/how-to-automatically-sign-macos-apps-using-github-actions

To nutshell it, I create the certs, we make a secret with them and a password. Then add the task:

      - name: Codesign executable
        env:
          MACOS_CERTIFICATE: ${{ secrets.MACOS_CERTIFICATE }}
          MACOS_CERTIFICATE_PWD: ${{ secrets.MACOS_CERTIFICATE_PWD }}
        run: |
          # Decode the base64-encoded .p12 held in the secret
          echo "$MACOS_CERTIFICATE" | base64 --decode > certificate.p12
          # Create a build keychain, make it the default and unlock it
          security create-keychain -p <your-password> build.keychain
          security default-keychain -s build.keychain
          security unlock-keychain -p <your-password> build.keychain
          # Import the certificate and allow codesign to use the key without a prompt
          security import certificate.p12 -k build.keychain -P "$MACOS_CERTIFICATE_PWD" -T /usr/bin/codesign
          security set-key-partition-list -S apple-tool:,apple:,codesign: -s -k <your-password> build.keychain
          /usr/bin/codesign --force -s <identity-id> ./path/to/you/app -v
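
A variant of the step above that generates the keychain password per run, keeps the decoded .p12 and the keychain under `$RUNNER_TEMP`, verifies the signature, and deletes the keychain even when the job fails. This is an added example, not part of the thread or the project's workflow; `MACOS_SIGNING_IDENTITY`, `APP_PATH` and the keychain file name are assumed names, and the app path is a placeholder.

```yaml
- name: Codesign executable (ephemeral keychain)
  env:
    MACOS_CERTIFICATE: ${{ secrets.MACOS_CERTIFICATE }}
    MACOS_CERTIFICATE_PWD: ${{ secrets.MACOS_CERTIFICATE_PWD }}
    # Assumed secret name holding the signing identity (not from the thread).
    MACOS_SIGNING_IDENTITY: ${{ secrets.MACOS_SIGNING_IDENTITY }}
    # Placeholder path to the built app bundle.
    APP_PATH: ./path/to/your.app
  run: |
    set -euo pipefail
    umask 077   # decoded key material is readable by the runner user only
    KEYCHAIN="$RUNNER_TEMP/signing.keychain-db"
    CERT="$RUNNER_TEMP/certificate.p12"
    # Throwaway keychain password: generated per run, never stored or logged.
    KEYCHAIN_PWD="$(openssl rand -base64 32)"

    printf '%s' "$MACOS_CERTIFICATE" | base64 --decode > "$CERT"
    security create-keychain -p "$KEYCHAIN_PWD" "$KEYCHAIN"
    # Re-lock the keychain automatically after one hour.
    security set-keychain-settings -lut 3600 "$KEYCHAIN"
    security unlock-keychain -p "$KEYCHAIN_PWD" "$KEYCHAIN"
    security import "$CERT" -k "$KEYCHAIN" -P "$MACOS_CERTIFICATE_PWD" -T /usr/bin/codesign
    rm -f "$CERT"   # the .p12 is not needed once the key is imported
    security set-key-partition-list -S apple-tool:,apple:,codesign: -s -k "$KEYCHAIN_PWD" "$KEYCHAIN"
    # Put the keychain on the search list instead of changing the default keychain.
    security list-keychains -d user -s "$KEYCHAIN"

    /usr/bin/codesign --force --sign "$MACOS_SIGNING_IDENTITY" --keychain "$KEYCHAIN" "$APP_PATH"
    # Fail the build if the signature does not validate.
    /usr/bin/codesign --verify --strict --verbose=2 "$APP_PATH"

- name: Remove signing keychain
  if: always()   # runs even when signing fails, so no key material outlives the job
  run: |
    security delete-keychain "$RUNNER_TEMP/signing.keychain-db" || true
    rm -f "$RUNNER_TEMP/certificate.p12"
```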
