fix: re-sign macos desktop bundle before release

GcsSloop · GcsSloop · commit c89804a113ce · 2026-03-31T10:00:22.000+08:00
diff --git a/.github/workflows/desktop-release.yml b/.github/workflows/desktop-release.yml
@@ -22,6 +22,7 @@ jobs:
           bash scripts/test/desktop_updater_config_test.sh
           bash scripts/test/generate_updater_manifest_test.sh
           bash scripts/test/desktop_release_workflow_publish_test.sh
+          bash scripts/test/package_local_release_test.sh
 
   package-macos:
     needs: validate-release-scripts
@@ -54,12 +55,27 @@ jobs:
           cp "$(which tesseract)" "$RUNTIME_DIR/macos/bin/tesseract"
           cp "$(which gs)" "$RUNTIME_DIR/macos/bin/gs"
           echo "SCREEN_PDF_RUNTIME_SOURCE_DIR=$RUNTIME_DIR" >> "$GITHUB_ENV"
+      - name: Prepare notarization key
+        env:
+          APPLE_API_KEY: ${{ secrets.APPLE_API_KEY }}
+        run: |
+          if [[ -z "${APPLE_API_KEY:-}" ]]; then
+            echo "APPLE_API_KEY not set, skip notarization key preparation"
+            exit 0
+          fi
+          key_path="$RUNNER_TEMP/AuthKey.p8"
+          printf '%s' "$APPLE_API_KEY" >"$key_path"
+          echo "APPLE_API_KEY_PATH=$key_path" >> "$GITHUB_ENV"
       - name: Package desktop app
         run: bash scripts/desktop/package_local_release.sh
         env:
           RELEASE_PLATFORM: macos
           TAURI_SIGNING_PRIVATE_KEY: ${{ secrets.TAURI_SIGNING_PRIVATE_KEY }}
           TAURI_SIGNING_PRIVATE_KEY_PASSWORD: ${{ secrets.TAURI_SIGNING_PRIVATE_KEY_PASSWORD }}
+          APPLE_SIGNING_IDENTITY: ${{ secrets.APPLE_SIGNING_IDENTITY }}
+          APPLE_API_KEY_PATH: ${{ env.APPLE_API_KEY_PATH }}
+          APPLE_API_KEY_ID: ${{ secrets.APPLE_API_KEY_ID }}
+          APPLE_API_ISSUER: ${{ secrets.APPLE_API_ISSUER }}
       - uses: actions/upload-artifact@v4
         with:
           name: screen-pdf-macos
diff --git a/scripts/desktop/notarize_macos.sh b/scripts/desktop/notarize_macos.sh
@@ -0,0 +1,66 @@
+#!/usr/bin/env bash
+set -euo pipefail
+
+ROOT_DIR="$(cd "$(dirname "${BASH_SOURCE[0]}")/../.." && pwd)"
+BUNDLE_ROOT="${RELEASE_BUNDLE_DIR:-$ROOT_DIR/program/desktop/src-tauri/target/release/bundle}"
+APP_PATH="$(find "$BUNDLE_ROOT/macos" -maxdepth 1 -name "*.app" -type d -print0 | xargs -0 ls -td 2>/dev/null | head -n1 || true)"
+DMG_PATH="$(find "$BUNDLE_ROOT/dmg" -maxdepth 1 -name "*.dmg" -type f -print0 | xargs -0 ls -t 2>/dev/null | head -n1 || true)"
+REQUIRE_NOTARIZATION="${REQUIRE_MACOS_NOTARIZATION:-0}"
+
+require_env() {
+  local name="$1"
+  if [[ -z "${!name:-}" ]]; then
+    echo "missing required environment variable: $name" >&2
+    exit 1
+  fi
+}
+
+if [[ -z "$APP_PATH" ]]; then
+  echo "No macOS app bundle found under $BUNDLE_ROOT, skip notarization"
+  exit 0
+fi
+
+if [[ "$REQUIRE_NOTARIZATION" == "1" ]]; then
+  require_env APPLE_SIGNING_IDENTITY
+  require_env APPLE_API_KEY_PATH
+  require_env APPLE_API_KEY_ID
+  require_env APPLE_API_ISSUER
+fi
+
+if [[ -n "${APPLE_SIGNING_IDENTITY:-}" ]]; then
+  echo "Code signing app with Developer ID identity"
+  codesign --force --deep --options runtime --timestamp \
+    --sign "$APPLE_SIGNING_IDENTITY" \
+    "$APP_PATH"
+else
+  echo "APPLE_SIGNING_IDENTITY not set, falling back to ad-hoc codesign"
+  codesign --force --deep --sign - "$APP_PATH"
+fi
+
+codesign --verify --deep --strict --verbose=2 "$APP_PATH"
+
+if [[ -z "${APPLE_API_KEY_PATH:-}" || -z "${APPLE_API_KEY_ID:-}" || -z "${APPLE_API_ISSUER:-}" ]]; then
+  echo "Apple notarization credentials are incomplete, skip notarization"
+  exit 0
+fi
+
+if [[ -n "$DMG_PATH" ]]; then
+  NOTARY_INPUT="$DMG_PATH"
+else
+  NOTARY_INPUT="$ROOT_DIR/program/desktop/src-tauri/target/notary/ScreenPDF.zip"
+  mkdir -p "$(dirname "$NOTARY_INPUT")"
+  ditto -c -k --sequesterRsrc --keepParent "$APP_PATH" "$NOTARY_INPUT"
+fi
+
+xcrun notarytool submit "$NOTARY_INPUT" \
+  --key "$APPLE_API_KEY_PATH" \
+  --key-id "$APPLE_API_KEY_ID" \
+  --issuer "$APPLE_API_ISSUER" \
+  --wait
+
+xcrun stapler staple "$APP_PATH"
+if [[ -n "$DMG_PATH" ]]; then
+  xcrun stapler staple "$DMG_PATH"
+fi
+
+spctl -a -vv -t exec "$APP_PATH"
diff --git a/scripts/desktop/package_local_release.sh b/scripts/desktop/package_local_release.sh
@@ -35,11 +35,19 @@ esac
 bash "$ROOT_DIR/scripts/release/sync_release_metadata.sh"
 pnpm --dir "$ROOT_DIR/program/desktop" tauri build
 
+if [[ "$PLATFORM" == "macos" ]]; then
+  bash "$ROOT_DIR/scripts/desktop/notarize_macos.sh"
+fi
+
 RELEASE_VERSION="$VERSION" RELEASE_PLATFORM="$PLATFORM" RELEASE_ASSET_DIR="$ASSET_DIR" \
   bash "$ROOT_DIR/scripts/desktop/collect_release_assets.sh"
 
 if [[ "$PLATFORM" == "macos" ]]; then
-  BUNDLE_PATH="$ROOT_DIR/program/desktop/src-tauri/target/release/bundle/macos/ScreenPDF.app"
+  BUNDLE_PATH="$(find "$ROOT_DIR/program/desktop/src-tauri/target/release/bundle/macos" -maxdepth 1 -name '*.app' -type d -print0 | xargs -0 ls -td 2>/dev/null | head -n1 || true)"
+  if [[ -z "$BUNDLE_PATH" ]]; then
+    echo "macOS app bundle not found after tauri build" >&2
+    exit 1
+  fi
   VERIFY_ARGS=(
     --bundle "$BUNDLE_PATH"
     --platform "$PLATFORM"
diff --git a/scripts/test/desktop_release_workflow_publish_test.sh b/scripts/test/desktop_release_workflow_publish_test.sh
@@ -29,6 +29,13 @@ assert_contains 'choco install tesseract -y'
 assert_contains 'ghostscriptInstallerUrl = "https://github.com/ArtifexSoftware/ghostpdl-downloads/releases/download/gs10070/gs10070w64.exe"'
 assert_contains 'Get-Command 7z.exe'
 assert_contains 'gswin64c.exe not found in extracted Ghostscript installer'
+assert_contains 'Prepare notarization key'
+assert_contains 'APPLE_SIGNING_IDENTITY'
+assert_contains 'APPLE_API_KEY'
+assert_contains 'APPLE_API_KEY_ID'
+assert_contains 'APPLE_API_ISSUER'
+assert_contains 'APPLE_API_KEY_PATH'
+assert_contains 'APPLE_API_KEY not set, skip notarization key preparation'
 assert_contains 'name: Collect publish files'
 assert_contains '**/*.dmg'
 assert_contains '**/*.msi'
diff --git a/scripts/test/package_local_release_test.sh b/scripts/test/package_local_release_test.sh
@@ -0,0 +1,114 @@
+#!/usr/bin/env bash
+set -euo pipefail
+
+ROOT_DIR="$(cd "$(dirname "${BASH_SOURCE[0]}")/../.." && pwd)"
+SOURCE_SCRIPT_PATH="$ROOT_DIR/scripts/desktop/package_local_release.sh"
+HELPER_PATH="$ROOT_DIR/scripts/desktop/release_version_helpers.sh"
+
+fail() {
+  echo "FAIL: $*" >&2
+  exit 1
+}
+
+assert_file() {
+  local path="$1"
+  [[ -f "$path" ]] || fail "expected file: $path"
+}
+
+assert_contains() {
+  local file="$1"
+  local pattern="$2"
+  local content
+  content="$(cat "$file" 2>/dev/null || true)"
+  if [[ "$content" != *"$pattern"* ]]; then
+    echo "=== $file ===" >&2
+    cat "$file" >&2 || true
+    fail "expected $file to contain $pattern"
+  fi
+}
+
+tmp_dir="$(mktemp -d)"
+trap 'rm -rf "$tmp_dir"' EXIT
+
+repo_dir="$tmp_dir/repo"
+mkdir -p "$repo_dir/scripts/release" "$repo_dir/scripts/desktop" "$repo_dir/bin" "$repo_dir/program/desktop"
+cp "$SOURCE_SCRIPT_PATH" "$repo_dir/scripts/desktop/package_local_release.sh"
+cp "$HELPER_PATH" "$repo_dir/scripts/desktop/release_version_helpers.sh"
+mkdir -p "$repo_dir/program/desktop/src-tauri/target/release/bundle/macos/ScreenPDF.app"
+
+cat >"$repo_dir/scripts/release/sync_release_metadata.sh" <<'EOF'
+#!/usr/bin/env bash
+set -euo pipefail
+printf 'sync:%s\n' "$*" >>"$CALL_LOG"
+EOF
+chmod +x "$repo_dir/scripts/release/sync_release_metadata.sh"
+
+cat >"$repo_dir/scripts/desktop/collect_release_assets.sh" <<'EOF'
+#!/usr/bin/env bash
+set -euo pipefail
+printf 'collect:%s:%s\n' "${RELEASE_VERSION:-missing}" "${RELEASE_PLATFORM:-missing}" >>"$CALL_LOG"
+mkdir -p "${RELEASE_ASSET_DIR:-$PWD/release-assets}"
+printf 'artifact\n' >"${RELEASE_ASSET_DIR:-$PWD/release-assets}/artifact.txt"
+EOF
+chmod +x "$repo_dir/scripts/desktop/collect_release_assets.sh"
+
+cat >"$repo_dir/scripts/desktop/prepare_runtime_macos.sh" <<'EOF'
+#!/usr/bin/env bash
+set -euo pipefail
+printf 'prepare-runtime:macos\n' >>"$CALL_LOG"
+EOF
+chmod +x "$repo_dir/scripts/desktop/prepare_runtime_macos.sh"
+
+cat >"$repo_dir/scripts/desktop/notarize_macos.sh" <<'EOF'
+#!/usr/bin/env bash
+set -euo pipefail
+printf 'notarize:macos\n' >>"$CALL_LOG"
+EOF
+chmod +x "$repo_dir/scripts/desktop/notarize_macos.sh"
+
+cat >"$repo_dir/bin/pnpm" <<'EOF'
+#!/usr/bin/env bash
+set -euo pipefail
+printf 'pnpm:%s\n' "$*" >>"$CALL_LOG"
+EOF
+chmod +x "$repo_dir/bin/pnpm"
+
+cat >"$repo_dir/bin/python" <<'EOF'
+#!/usr/bin/env bash
+set -euo pipefail
+printf 'python:%s\n' "$*" >>"$CALL_LOG"
+if [[ "${1:-}" == *"release_metadata.py" && "${2:-}" == "version" ]]; then
+  printf '2.3.4\n'
+elif [[ "${1:-}" == *"release_metadata.py" && "${2:-}" == "platform" ]]; then
+  printf '%s\n' "${@: -1}"
+fi
+EOF
+chmod +x "$repo_dir/bin/python"
+
+(
+  cd "$repo_dir"
+  git init >/dev/null
+  git config user.name "Codex"
+  git config user.email "codex@example.com"
+  printf 'seed\n' >README.md
+  git add README.md
+  git commit -m "init" >/dev/null
+  git tag v2.3.4
+  printf 'next\n' >>README.md
+  git add README.md
+  git commit -m "next" >/dev/null
+
+  CALL_LOG="$tmp_dir/calls.log" \
+  PATH="$repo_dir/bin:$PATH" \
+  RELEASE_PLATFORM="macos" \
+  RELEASE_ASSET_DIR="$tmp_dir/release-assets" \
+  bash "$repo_dir/scripts/desktop/package_local_release.sh" >/dev/null
+)
+
+assert_file "$tmp_dir/release-assets/artifact.txt"
+assert_contains "$tmp_dir/calls.log" "prepare-runtime:macos"
+assert_contains "$tmp_dir/calls.log" "sync:"
+assert_contains "$tmp_dir/calls.log" "pnpm:--dir"
+assert_contains "$tmp_dir/calls.log" "notarize:macos"
+
+echo "PASS: package_local_release_test"
