feat(macos): add code signing and notarization support

Add macOS code signing and notarization for Gatekeeper compatibility: - Add hardened runtime configuration in package.json - Add entitlements.mac.plist for required app permissions - Enable built-in electron-builder notarization - Add code signing and notarization secrets to workflow Required GitHub Secrets: - CSC_LINK: Base64-encoded .p12 certificate file - CSC_KEY_PASSWORD: Password for the .p12 certificate - APPLE_ID: Apple Developer account email - APPLE_APP_SPECIFIC_PASSWORD: App-specific password from appleid.apple.com - APPLE_TEAM_ID: 10-character Apple Developer Team ID Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
2026-02-26 10:41:46 -03:00 · 2026-02-03 10:55:00 +01:00
parent 6761f6b3e0
commit 98123d7338
3 changed files with 33 additions and 1 deletions
--- a/.github/workflows/release.yml
+++ b/.github/workflows/release.yml
@@ -38,6 +38,14 @@ jobs:
      - run: npm ci

      - name: Build macOS Packages
+        env:
+          # Code signing
+          CSC_LINK: ${{ secrets.CSC_LINK }}
+          CSC_KEY_PASSWORD: ${{ secrets.CSC_KEY_PASSWORD }}
+          # Notarization
+          APPLE_ID: ${{ secrets.APPLE_ID }}
+          APPLE_APP_SPECIFIC_PASSWORD: ${{ secrets.APPLE_APP_SPECIFIC_PASSWORD }}
+          APPLE_TEAM_ID: ${{ secrets.APPLE_TEAM_ID }}
        run: npx electron-builder --mac --publish never
      - uses: actions/upload-artifact@v4
        with:
@@ -45,6 +53,7 @@ jobs:
          path: |
            dist/*.dmg
            dist/*.zip
+            dist/*.blockmap
            dist/latest-mac.yml

  build-linux:
--- a/build/entitlements.mac.plist
+++ b/build/entitlements.mac.plist
@@ -0,0 +1,18 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
+<plist version="1.0">
+<dict>
+    <key>com.apple.security.cs.allow-jit</key>
+    <true/>
+    <key>com.apple.security.cs.allow-unsigned-executable-memory</key>
+    <true/>
+    <key>com.apple.security.cs.disable-library-validation</key>
+    <true/>
+    <key>com.apple.security.network.client</key>
+    <true/>
+    <key>com.apple.security.network.server</key>
+    <true/>
+    <key>com.apple.security.files.user-selected.read-write</key>
+    <true/>
+</dict>
+</plist>
--- a/package.json
+++ b/package.json
@@ -104,7 +104,12 @@
      ],
      "icon": "build/icon.icns",
      "artifactName": "${name}_${version}_${arch}.${ext}",
-      "category": "public.app-category.games"
+      "category": "public.app-category.games",
+      "hardenedRuntime": true,
+      "gatekeeperAssess": false,
+      "entitlements": "build/entitlements.mac.plist",
+      "entitlementsInherit": "build/entitlements.mac.plist",
+      "notarize": true
    },
    "nsis": {
      "oneClick": false,