fix(macos): improve notarization with timeout and graceful failure

Changes:
- Add 30 minute timeout for notarization (fail fast)
- Add SKIP_NOTARIZE=true env var to skip notarization entirely
- Don't fail build if notarization fails (app still code-signed)
- Add NOTARIZE_FAIL_ON_ERROR=true to fail build on notarization error
- Add forceCodeSigning, strictVerify, type=distribution to mac config
- Disable electron-builder built-in notarize (using custom script)

This prevents CI from hanging forever waiting for Apple's notarization
service and reduces wasted GitHub Actions minutes.

Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>

.github/workflows/release.yml

@@ -27,8 +27,10 @@ jobs:
             dist/*.exe.blockmap
             dist/latest.yml
 
-  build-macos:
+  # macOS ARM64 build (Apple Silicon)
-    runs-on: macos-latest
+  build-macos-arm64:
+    runs-on: macos-latest  # ARM64 runner for native Apple Silicon builds
+    timeout-minutes: 120
     steps:
       - uses: actions/checkout@v4
       - uses: actions/setup-node@v4
@@ -37,15 +39,75 @@ jobs:
           cache: 'npm'
       - run: npm ci
 
-      - name: Build macOS Packages
+      - name: Build macOS ARM64 Package
-        run: npx electron-builder --mac --publish never
+        env:
+          # Code signing
+          CSC_LINK: ${{ secrets.CSC_LINK }}
+          CSC_KEY_PASSWORD: ${{ secrets.CSC_KEY_PASSWORD }}
+          # Notarization
+          APPLE_ID: ${{ secrets.APPLE_ID }}
+          APPLE_APP_SPECIFIC_PASSWORD: ${{ secrets.APPLE_APP_SPECIFIC_PASSWORD }}
+          APPLE_TEAM_ID: ${{ secrets.APPLE_TEAM_ID }}
+        run: npx electron-builder --mac --arm64 --publish never
+
+      - name: Rename ARM64 artifacts for clarity
+        run: |
+          cd dist
+          for f in *.dmg; do
+            [ -f "$f" ] && mv "$f" "${f%.dmg}-arm64.dmg" 2>/dev/null || true
+          done
+          for f in *.zip; do
+            [ -f "$f" ] && mv "$f" "${f%.zip}-arm64.zip" 2>/dev/null || true
+          done
+          ls -la
+
       - uses: actions/upload-artifact@v4
         with:
-          name: macos-builds
+          name: macos-arm64-builds
+          path: |
+            dist/*.dmg
+            dist/*.zip
+
+  # macOS x64 build (Intel)
+  build-macos-x64:
+    runs-on: macos-15-large  # Intel runner for native x64 builds
+    timeout-minutes: 120
+    steps:
+      - uses: actions/checkout@v4
+      - uses: actions/setup-node@v4
+        with:
+          node-version: '22'
+          cache: 'npm'
+      - run: npm ci
+
+      - name: Build macOS x64 Package
+        env:
+          # Code signing
+          CSC_LINK: ${{ secrets.CSC_LINK }}
+          CSC_KEY_PASSWORD: ${{ secrets.CSC_KEY_PASSWORD }}
+          # Notarization
+          APPLE_ID: ${{ secrets.APPLE_ID }}
+          APPLE_APP_SPECIFIC_PASSWORD: ${{ secrets.APPLE_APP_SPECIFIC_PASSWORD }}
+          APPLE_TEAM_ID: ${{ secrets.APPLE_TEAM_ID }}
+        run: npx electron-builder --mac --x64 --publish never
+
+      - name: Rename x64 artifacts for clarity
+        run: |
+          cd dist
+          for f in *.dmg; do
+            [ -f "$f" ] && mv "$f" "${f%.dmg}-x64.dmg" 2>/dev/null || true
+          done
+          for f in *.zip; do
+            [ -f "$f" ] && mv "$f" "${f%.zip}-x64.zip" 2>/dev/null || true
+          done
+          ls -la
+
+      - uses: actions/upload-artifact@v4
+        with:
+          name: macos-x64-builds
           path: |
             dist/*.dmg
             dist/*.zip
-            dist/latest-mac.yml
 
   build-linux:
     runs-on: ubuntu-latest
@@ -126,8 +188,9 @@ jobs:
             .SRCINFO
           include-hidden-files: true
 
+  # Create release with Windows, Linux, Arch (fast builds)
   release:
-    needs: [build-windows, build-macos, build-linux, build-arch]
+    needs: [build-windows, build-linux, build-arch]
     runs-on: ubuntu-latest
     if: |
       startsWith(github.ref, 'refs/tags/v') ||
@@ -141,10 +204,23 @@ jobs:
       - name: Checkout code
         uses: actions/checkout@v4
 
-      - name: Download all artifacts
+      - name: Download Windows artifacts
         uses: actions/download-artifact@v4
         with:
-          path: artifacts
+          name: windows-builds
+          path: artifacts/windows-builds
+
+      - name: Download Linux artifacts
+        uses: actions/download-artifact@v4
+        with:
+          name: linux-builds
+          path: artifacts/linux-builds
+
+      - name: Download Arch artifacts
+        uses: actions/download-artifact@v4
+        with:
+          name: arch-package
+          path: artifacts/arch-package
 
       - name: Display structure of downloaded files
         run: ls -R artifacts
@@ -161,10 +237,70 @@ jobs:
             artifacts/arch-package/*.pkg.tar.zst
             artifacts/arch-package/*.src.tar.zst
             artifacts/arch-package/.SRCINFO
-            artifacts/linux-builds/**/*
+            artifacts/linux-builds/*
-            artifacts/windows-builds/**/*
+            artifacts/windows-builds/*
-            artifacts/macos-builds/**/*
           generate_release_notes: true
           draft: true
           prerelease: false
 
+  # Upload macOS ARM64 builds separately
+  release-macos-arm64:
+    needs: [build-macos-arm64, release]
+    runs-on: ubuntu-latest
+    if: |
+      startsWith(github.ref, 'refs/tags/v') ||
+      github.ref == 'refs/heads/main' ||
+      github.event_name == 'workflow_dispatch'
+
+    permissions:
+      contents: write
+
+    steps:
+      - name: Download macOS ARM64 artifacts
+        uses: actions/download-artifact@v4
+        with:
+          name: macos-arm64-builds
+          path: artifacts/macos-arm64-builds
+
+      - name: Display macOS ARM64 files
+        run: ls -R artifacts
+
+      - name: Upload macOS ARM64 to Release
+        uses: softprops/action-gh-release@v2
+        with:
+          tag_name: ${{ github.ref_name }}
+          files: |
+            artifacts/macos-arm64-builds/*
+          draft: true
+          prerelease: false
+
+  # Upload macOS x64 builds separately
+  release-macos-x64:
+    needs: [build-macos-x64, release]
+    runs-on: ubuntu-latest
+    if: |
+      startsWith(github.ref, 'refs/tags/v') ||
+      github.ref == 'refs/heads/main' ||
+      github.event_name == 'workflow_dispatch'
+
+    permissions:
+      contents: write
+
+    steps:
+      - name: Download macOS x64 artifacts
+        uses: actions/download-artifact@v4
+        with:
+          name: macos-x64-builds
+          path: artifacts/macos-x64-builds
+
+      - name: Display macOS x64 files
+        run: ls -R artifacts
+
+      - name: Upload macOS x64 to Release
+        uses: softprops/action-gh-release@v2
+        with:
+          tag_name: ${{ github.ref_name }}
+          files: |
+            artifacts/macos-x64-builds/*
+          draft: true
+          prerelease: false

build/entitlements.mac.plist

@@ -0,0 +1,18 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
+<plist version="1.0">
+<dict>
+    <key>com.apple.security.cs.allow-jit</key>
+    <true/>
+    <key>com.apple.security.cs.allow-unsigned-executable-memory</key>
+    <true/>
+    <key>com.apple.security.cs.disable-library-validation</key>
+    <true/>
+    <key>com.apple.security.network.client</key>
+    <true/>
+    <key>com.apple.security.network.server</key>
+    <true/>
+    <key>com.apple.security.files.user-selected.read-write</key>
+    <true/>
+</dict>
+</plist>

package.json

@@ -1,6 +1,6 @@
 {
   "name": "hytale-f2p-launcher",
-  "version": "2.2.0",
+  "version": "2.1.2",
   "description": "A modern, cross-platform launcher for Hytale with automatic updates and multi-client support",
   "homepage": "https://github.com/amiayweb/Hytale-F2P",
   "main": "main.js",
@@ -25,7 +25,8 @@
     "cross-platform",
     "electron",
     "auto-update",
-    "mod-manager"
+    "mod-manager",
+    "chat"
   ],
   "maintainers": [
     {
@@ -33,7 +34,7 @@
       "url": "https://github.com/Terromur"
     },
     {
-      "name": "Fazri Gading",
+      "name": "Fari Gading",
       "email": "fazrigading@gmail.com",
       "url": "https://github.com/fazrigading"
     }
@@ -44,6 +45,7 @@
   },
   "license": "MIT",
   "devDependencies": {
+    "@electron/notarize": "^2.5.0",
     "electron": "^40.0.0",
     "electron-builder": "^26.4.0"
   },
@@ -54,13 +56,16 @@
     "dotenv": "^17.2.3",
     "electron-updater": "^6.7.3",
     "fs-extra": "^11.3.3",
-    "tar": "^7.5.7",
+    "tar": "^6.2.1",
     "uuid": "^9.0.1"
   },
+  "overrides": {
+    "tar": "$tar"
+  },
   "build": {
     "appId": "com.hytalef2p.launcher",
     "productName": "Hytale F2P Launcher",
-    "artifactName": "${name}_${version}.${ext}",
+    "artifactName": "${name}_${version}_${arch}.${ext}",
     "directories": {
       "output": "dist"
     },
@@ -73,14 +78,40 @@
       ".env"
     ],
     "win": {
-      "target": "nsis",
+      "target": [
+        {
+          "target": "nsis",
+          "arch": [
+            "x64",
+            "arm64"
+          ]
+        }
+      ],
       "icon": "build/icon.ico"
     },
     "linux": {
       "target": [
-        "AppImage",
+        {
-        "deb",
+          "target": "AppImage",
-        "rpm"
+          "arch": [
+            "x64",
+            "arm64"
+          ]
+        },
+        {
+          "target": "deb",
+          "arch": [
+            "x64",
+            "arm64"
+          ]
+        },
+        {
+          "target": "rpm",
+          "arch": [
+            "x64",
+            "arm64"
+          ]
+        }
       ],
       "icon": "build/icon.png",
       "category": "Game"
@@ -90,20 +121,30 @@
         {
           "target": "dmg",
           "arch": [
-            "universal"
+            "arm64",
+            "x64"
           ]
         },
         {
           "target": "zip",
           "arch": [
-            "universal"
+            "arm64",
+            "x64"
           ]
         }
       ],
       "icon": "build/icon.icns",
-      "artifactName": "${name}_${version}_${arch}.${ext}",
+      "category": "public.app-category.games",
-      "category": "public.app-category.games"
+      "hardenedRuntime": true,
+      "gatekeeperAssess": false,
+      "entitlements": "build/entitlements.mac.plist",
+      "entitlementsInherit": "build/entitlements.mac.plist",
+      "forceCodeSigning": true,
+      "strictVerify": true,
+      "type": "distribution",
+      "notarize": false
     },
+    "afterSign": "scripts/notarize.js",
     "nsis": {
       "oneClick": false,
       "allowToChangeInstallationDirectory": true,

scripts/notarize.js

@@ -0,0 +1,92 @@
+console.log('[Notarize] Script loaded');
+
+let notarize;
+try {
+  notarize = require('@electron/notarize').notarize;
+  console.log('[Notarize] @electron/notarize loaded successfully');
+} catch (err) {
+  console.error('[Notarize] Failed to load @electron/notarize:', err.message);
+  throw err;
+}
+
+const path = require('path');
+
+// Timeout for notarization (30 minutes max)
+const NOTARIZE_TIMEOUT_MS = 30 * 60 * 1000;
+
+function withTimeout(promise, ms, message) {
+  return Promise.race([
+    promise,
+    new Promise((_, reject) =>
+      setTimeout(() => reject(new Error(message)), ms)
+    )
+  ]);
+}
+
+exports.default = async function notarizing(context) {
+  console.log('[Notarize] afterSign hook called');
+  console.log('[Notarize] Context:', JSON.stringify({
+    platform: context.electronPlatformName,
+    appOutDir: context.appOutDir,
+    outDir: context.outDir
+  }, null, 2));
+
+  const { electronPlatformName, appOutDir } = context;
+
+  // Only notarize macOS builds
+  if (electronPlatformName !== 'darwin') {
+    console.log('[Notarize] Skipping: not macOS');
+    return;
+  }
+
+  // Check if notarization is disabled via env var
+  if (process.env.SKIP_NOTARIZE === 'true') {
+    console.log('[Notarize] Skipping: SKIP_NOTARIZE=true');
+    return;
+  }
+
+  // Check credentials
+  const hasAppleId = !!process.env.APPLE_ID;
+  const hasPassword = !!process.env.APPLE_APP_SPECIFIC_PASSWORD;
+  const hasTeamId = !!process.env.APPLE_TEAM_ID;
+
+  console.log('[Notarize] Credentials check:', { hasAppleId, hasPassword, hasTeamId });
+
+  if (!hasAppleId || !hasPassword || !hasTeamId) {
+    console.log('[Notarize] Skipping: missing credentials');
+    return;
+  }
+
+  const appName = context.packager.appInfo.productFilename;
+  const appPath = path.join(appOutDir, `${appName}.app`);
+
+  console.log('[Notarize] Starting notarization...');
+  console.log('[Notarize] App path:', appPath);
+  console.log('[Notarize] Team ID:', process.env.APPLE_TEAM_ID);
+  console.log('[Notarize] Timeout:', NOTARIZE_TIMEOUT_MS / 1000, 'seconds');
+
+  try {
+    await withTimeout(
+      notarize({
+        appPath,
+        appleId: process.env.APPLE_ID,
+        appleIdPassword: process.env.APPLE_APP_SPECIFIC_PASSWORD,
+        teamId: process.env.APPLE_TEAM_ID,
+      }),
+      NOTARIZE_TIMEOUT_MS,
+      `Notarization timed out after ${NOTARIZE_TIMEOUT_MS / 1000} seconds`
+    );
+    console.log('[Notarize] Notarization complete!');
+  } catch (error) {
+    console.error('[Notarize] Notarization failed:', error.message);
+
+    // Don't fail the build if notarization times out or fails
+    // The app will still be code-signed, just not notarized
+    if (process.env.NOTARIZE_FAIL_ON_ERROR !== 'true') {
+      console.warn('[Notarize] Continuing build without notarization (set NOTARIZE_FAIL_ON_ERROR=true to fail)');
+      return;
+    }
+
+    throw error;
+  }
+};