diff --git a/.github/workflows/build-and-upload.yml b/.github/workflows/build-and-upload.yml
index f5e82e34..392db41d 100644
--- a/.github/workflows/build-and-upload.yml
+++ b/.github/workflows/build-and-upload.yml
@@ -86,6 +86,37 @@ jobs:
 - name: Build macOS binaries (Electron)
 run: npm run build:mac --workspace @neuralnomads/codenomad-electron-app
 
+ - name: Ad-hoc sign Electron macOS app bundles (seal resources)
+ shell: bash
+ run: |
+ set -euo pipefail
+
+ release_root="packages/electron-app/release"
+ apps=()
+ while IFS= read -r -d '' app; do
+ apps+=("$app")
+ done < <(find "$release_root" -type d -name 'CodeNomad.app' -print0)
+
+ if [ "${#apps[@]}" -eq 0 ]; then
+ echo "No CodeNomad.app found under $release_root" >&2
+ exit 1
+ fi
+
+ # GitHub macOS runners typically have no signing identity. Without any signature,
+ # the shipped .app can fail Gatekeeper with:
+ # code has no resources but signature indicates they must be present
+ # Ad-hoc signing seals bundle resources and makes the signature internally consistent.
+ if security find-identity -p codesigning -v | grep -q "0 valid identities found"; then
+ echo "No valid macOS codesigning identity found; applying ad-hoc signature"
+ for app in "${apps[@]}"; do
+ echo "codesign (adhoc): $app"
+ codesign --force --deep --sign - "$app"
+ codesign --verify --deep --strict --verbose=2 "$app"
+ done
+ else
+ echo "macOS codesigning identity present; skipping ad-hoc signing"
+ fi
+
 - name: Repackage Electron macOS zips (ditto)
 shell: bash
 run: |
@@ -128,13 +159,6 @@ jobs:
 set -euo pipefail
 shopt -s nullglob
 
- # Dev CI builds typically don't have a macOS signing identity available.
- # When no identity is present, electron-builder skips signing and strict verification will fail.
- if security find-identity -p codesigning -v | grep -q "0 valid identities found"; then
- echo "No valid macOS codesigning identity found; skipping codesign verification"
- exit 0
- fi
-
 
 tmp_dir=$(mktemp -d)
 trap 'rm -rf "$tmp_dir"' EXIT
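Review bot: The comment block above the `if security find-identity` check overstates what `codesign --force --deep --sign - "$app"` buys: an ad-hoc signature (identity `-`) only seals the bundle so the "code has no resources" damage error goes away, it carries no Developer ID and no notarization, so Gatekeeper will still refuse or warn on a downloaded build and the `codesign --verify --deep --strict` that passes here says nothing about `spctl --assess`. I would state that explicitly so nobody reads a green CI run as a shippable macOS artifact, e.g. `# Ad-hoc signing only seals resources so the signature is internally consistent; it does NOT satisfy Gatekeeper (no Developer ID, no notarization).` Note also that Apple has discouraged `--deep` for signing (it is meant for verification; nested helpers and frameworks are supposed to be signed inside-out), so it may be worth dropping before a real identity is wired in. Finally, if the `security find-identity` call itself fails, `pipefail` makes the `grep -q` miss and the script falls into the `else` branch and silently reports an identity is present, so capturing the output first and treating a failed call as "no identity" would keep the no-identity path from being skipped by accident.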