From 3f548f0cafb837a3852ae1d28b1f40f7b52aaaf5 Mon Sep 17 00:00:00 2001
From: Robert Stein
Date: Thu, 30 Mar 2023 10:23:22 +0200
Subject: [PATCH] chore: adapt codesign
---
 .github/workflows/dist-build-mac.yaml | 47 ++++++++++++---------------
 1 file changed, 21 insertions(+), 26 deletions(-)
diff --git a/.github/workflows/dist-build-mac.yaml b/.github/workflows/dist-build-mac.yaml
index 53eccec..a01aafa 100644
--- a/.github/workflows/dist-build-mac.yaml
+++ b/.github/workflows/dist-build-mac.yaml
@@ -36,36 +36,31 @@ jobs: ./pyoxidizer build exe --release cp `find build/ -name "deck"` ./deck cat pyproject.toml | grep version -m 1 | awk '{ print "APP_VERSION="substr($3, 2, length($3) -2)}' >> $GITHUB_ENV - - name: Codesign executable - env: - MACOS_DEVELOPER_HASH: ${{ secrets.MACOS_DEVELOPER_HASH }} - MACOS_APP_HASH: ${{ secrets.MACOS_APP_HASH }} - MACOS_CERTIFICATE: ${{ secrets.MACOS_CERTIFICATE }} - MACOS_KEYCHAIN_PASS: ${{ secrets.MACOS_KEYCHAIN_PASS }} - MACOS_CERTIFICATE_PWD: ${{ secrets.MACOS_CERTIFICATE_PWD }} + - name: Codesign app bundle + # Extract the secrets we defined earlier as environment variables + env: + MACOS_CERTIFICATE: ${{ secrets.PROD_MACOS_CERTIFICATE }} + MACOS_CERTIFICATE_PWD: ${{ secrets.PROD_MACOS_CERTIFICATE_PWD }} + MACOS_CERTIFICATE_NAME: ${{ secrets.PROD_MACOS_CERTIFICATE_NAME }} + MACOS_CI_KEYCHAIN_PWD: ${{ secrets.PROD_MACOS_CI_KEYCHAIN_PWD }} run: | + # Turn our base64-encoded certificate back to a regular .p12 file + echo $MACOS_CERTIFICATE | base64 --decode > certificate.p12 - security create-keychain -p $MACOS_KEYCHAIN_PASS build.keychain - security default-keychain -s build.keychain - security unlock-keychain -p $MACOS_KEYCHAIN_PASS build.keychain - security import certificate.p12 -k build.keychain -P $MACOS_CERTIFICATE_PWD -T /usr/bin/codesign - security set-key-partition-list -S apple-tool:,apple:,codesign: -s -k $MACOS_KEYCHAIN_PASS build.keychain - echo " - - - - com.apple.security.cs.allow-jit - - com.apple.security.cs.allow-unsigned-executable-memory - - com.apple.security.cs.disable-library-validation - - - " > entitlements.plist + # We need to create a new keychain, otherwise using the certificate will prompt + # with a UI dialog asking for the certificate password, which we can't + # use in a headless CI environment + + security create-keychain -p "$MACOS_CI_KEYCHAIN_PWD" build.keychain + security default-keychain -s build.keychain + security unlock-keychain -p "$MACOS_CI_KEYCHAIN_PWD" build.keychain + security 
import certificate.p12 -k build.keychain -P "$MACOS_CERTIFICATE_PWD" -T /usr/bin/codesign + security set-key-partition-list -S apple-tool:,apple:,codesign: -s -k "$MACOS_CI_KEYCHAIN_PWD" build.keychain - echo "Now running codesign" - /usr/bin/codesign --deep --force --options=runtime --entitlements ./entitlements.plist --sign $MACOS_APP_HASH --timestamp ./deck + # We finally codesign our app bundle, specifying the Hardened runtime option + + /usr/bin/codesign --force -s "$MACOS_CERTIFICATE_NAME" --options runtime ./deck -v - name: Upload Artifact uses: actions/upload-artifact@v2 with:
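Review bot: The new codesign invocation at the end of the hunk drops the `--timestamp` flag the removed command carried, so the signature no longer embeds a secure timestamp; Apple notarization rejects binaries without one, and the signature stops validating once the signing certificate expires. Restore it: `/usr/bin/codesign --force --timestamp --options runtime -s "$MACOS_CERTIFICATE_NAME" -v ./deck`. The step also leaves `build.keychain` set as the default keychain and `certificate.p12` in the workspace after signing, which is harmless on an ephemeral hosted runner but keeps the signing key on disk on a self-hosted one (and the `.p12` sits next to `./deck`, so the upload step's `path:`, which is outside the hunk, should be checked not to sweep it up). A follow-up step guarded by `if: always()` that deletes both closes that gap; the rewritten lines are below. Dropping the entitlements plist also removes `disable-library-validation`, a hardening gain, but whether the PyOxidizer-built binary still runs under the hardened runtime without `allow-jit` and `allow-unsigned-executable-memory` cannot be judged from the diff and should be verified on the signed artifact.
```yaml
          # … unchanged: keychain creation, import and partition-list …
          /usr/bin/codesign --force --timestamp --options runtime -s "$MACOS_CERTIFICATE_NAME" -v ./deck
      - name: Remove signing keychain
        if: always()
        run: |
          security delete-keychain build.keychain
          rm -f certificate.p12
```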