Codesign and notarize macOS build

Author: drhelius

.github/workflows/gearsystem.yml

@@ -1,10 +1,13 @@
-name: Main Workflow
+name: Build and Release
 
 on:
   workflow_dispatch:
   push:
     paths-ignore:
       - '**.md'
+      - '.github/**'
+      - '.vscode/**'
+      - '.devcontainer/**'
   pull_request:
   schedule:
     - cron: '0 0 * * 0'
@@ -49,6 +52,28 @@ jobs:
       with:
         name: ${{ env.NAME_UPPER }}-${{ env.BUILD_NUMBER }}-${{ matrix.os }}
         path: artifact/*
+  linux-clang:
+    name: Linux (Clang/LLVM)
+    runs-on: ubuntu-latest
+    permissions:
+      contents: read
+    steps:
+    - name: Checkout
+      uses: actions/checkout@v4
+      with:
+        fetch-depth: 0
+    - name: Update OS
+      run: sudo apt-get update -qq
+    - name: Install dependencies
+      run: sudo apt-get install -y libsdl2-dev libglew-dev libgtk-3-dev
+    - name: Get build number
+      run: |
+        echo "BUILD_NUMBER=$(git describe --abbrev=7 --dirty --always --tags)" >> $GITHUB_ENV
+    - name: make
+      run: make
+      working-directory: platforms/linux
+      env:
+        USE_CLANG: 1
   libretro:
     name: Libretro (ubuntu)
     runs-on: ubuntu-latest
@@ -98,12 +123,45 @@ jobs:
     - name: make
       run: make dist
       working-directory: platforms/macos
+    - name: Codesign app bundle
+      env:
+        MACOS_CERTIFICATE: ${{ secrets.PROD_MACOS_CERTIFICATE }}
+        MACOS_CERTIFICATE_PWD: ${{ secrets.PROD_MACOS_CERTIFICATE_PWD }}
+        MACOS_CERTIFICATE_NAME: ${{ secrets.PROD_MACOS_CERTIFICATE_NAME }}
+        MACOS_CI_KEYCHAIN_PWD: ${{ secrets.PROD_MACOS_CI_KEYCHAIN_PWD }}
+      run: |
+        echo $MACOS_CERTIFICATE | base64 --decode > certificate.p12
+
+        security create-keychain -p "$MACOS_CI_KEYCHAIN_PWD" build.keychain
+        security default-keychain -s build.keychain
+        security unlock-keychain -p "$MACOS_CI_KEYCHAIN_PWD" build.keychain
+        security import certificate.p12 -k build.keychain -P "$MACOS_CERTIFICATE_PWD" -T /usr/bin/codesign
+        security set-key-partition-list -S apple-tool:,apple:,codesign: -s -k "$MACOS_CI_KEYCHAIN_PWD" build.keychain
+
+        codesign -v -f -o runtime --sign "$MACOS_CERTIFICATE_NAME" ${{ env.NAME_UPPER }}.app/Contents/MacOS/gamecontrollerdb.txt
+        codesign -v -f -o runtime --entitlements "app.entitlements" --sign "$MACOS_CERTIFICATE_NAME" ${{ env.NAME_UPPER }}.app/Contents/MacOS/${{ env.NAME_LOWER }}
+        codesign -v -f -o runtime --sign "$MACOS_CERTIFICATE_NAME" ${{ env.NAME_UPPER }}.app
+
+        codesign -v -vvv --deep "${{ env.NAME_UPPER }}.app"
+      working-directory: platforms/macos
+    - name: Notarize app bundle
+      env:
+        PROD_MACOS_NOTARIZATION_APPLE_ID: ${{ secrets.PROD_MACOS_NOTARIZATION_APPLE_ID }}
+        PROD_MACOS_NOTARIZATION_TEAM_ID: ${{ secrets.PROD_MACOS_NOTARIZATION_TEAM_ID }}
+        PROD_MACOS_NOTARIZATION_PWD: ${{ secrets.PROD_MACOS_NOTARIZATION_PWD }}
+      run: |
+        xcrun notarytool store-credentials "notarytool-profile" --apple-id "$PROD_MACOS_NOTARIZATION_APPLE_ID" --team-id "$PROD_MACOS_NOTARIZATION_TEAM_ID" --password "$PROD_MACOS_NOTARIZATION_PWD"
+        ditto -c -k --keepParent "${{ env.NAME_UPPER }}.app" "notarization.zip"
+        xcrun notarytool submit "notarization.zip" --keychain-profile "notarytool-profile" --wait
+        xcrun stapler staple "${{ env.NAME_UPPER }}.app"
+        spctl -a -vvv -t install "${{ env.NAME_UPPER }}.app"
+        ditto -c -k --keepParent "${{ env.NAME_UPPER }}.app" "${{ env.NAME_UPPER }}.app.zip"
+      working-directory: platforms/macos
     - name: Prepare artifact directory
       run: |
         mkdir -p artifact
-        cp platforms/README.txt artifact
-        cp platforms/gamecontrollerdb.txt artifact
-        cp -R platforms/macos/${{ env.NAME_UPPER }}.app artifact
+        cp platforms/README.txt artifact/
+        mv platforms/macos/${{ env.NAME_UPPER }}.app.zip artifact/
     - name: Archive binary
       uses: actions/upload-artifact@v4
       with:

platforms/desktop-shared/Makefile.common

@@ -1,7 +1,16 @@
-CXX = g++
-CC = gcc
-#CXX = clang++
-#CC = clang
+define HEADER
+   ____                               _
+  / ___| ___  __ _ _ __ ___ _   _ ___| |_ ___ _ __ ___
+ | |  _ / _ \\/ _` | '__/ __| | | / __| __/ _ \\ '_ ` _ \\
+ | |_| |  __/ (_| | |  \\__ \\ |_| \\__ \\ ||  __/ | | | | |
+  \\____|\\___|\\__,_|_|  |___/\\__, |___/\\__\\___|_| |_| |_|
+                            |___/
+
+  ** Building for $(PLATFORM) platform **
+  ** Git version: $(GIT_VERSION) **
+
+endef
+export HEADER
 
 TARGET_NAME = gearsystem
 GIT_VERSION := "$(shell git describe --abbrev=7 --dirty --always --tags)"
@@ -10,17 +19,28 @@ PLATFORM = "undefined"
 
 OBJECTS += $(SOURCES_C:.c=.o) $(SOURCES_CXX:.cpp=.o)
 
+USE_CLANG ?= 0
+ifeq ($(USE_CLANG), 1)
+    CXX = clang++
+    CC = clang
+else
+    CXX = g++
+    CC = gcc
+endif
+
 CPPFLAGS += -I../ -I../../
 CPPFLAGS += -Wall -Wextra -Wformat  -DEMULATOR_BUILD=\"$(GIT_VERSION)\"
 CXXFLAGS += -std=c++11
 CFLAGS += -std=c99
 
 DEBUG ?= 0
 ifeq ($(DEBUG), 1)
+    BUILD_CONFIG = Debug
     CPPFLAGS +=-DDEBUG -g3
 else
-    CPPFLAGS +=-DNDEBUG -O3 -flto
-    LDFLAGS += -flto
+    BUILD_CONFIG = Release
+    CPPFLAGS +=-DNDEBUG -O3 -flto=auto
+    LDFLAGS += -O3 -flto=auto
 endif
 
 SANITIZE ?= 0
@@ -29,23 +49,17 @@ ifeq ($(SANITIZE), 1)
     LDFLAGS += -lasan
 endif
 
-ifeq ($(UNAME_S), Linux) #LINUX
+ifeq ($(UNAME_S), Linux)
     PLATFORM = "Linux"
     LDFLAGS += -lGL -lGLEW -ldl `sdl2-config --libs`
     CPPFLAGS += `sdl2-config --cflags`
     TARGET := $(TARGET_NAME)
-else ifeq ($(UNAME_S), Darwin) #APPLE
+else ifeq ($(UNAME_S), Darwin)
     PLATFORM = "macOS"
-    LDFLAGS += -framework OpenGL -framework Cocoa -framework IOKit -framework CoreVideo `sdl2-config --libs`
-    LDFLAGS += -L/usr/local/lib
+    LDFLAGS += -framework OpenGL `sdl2-config --static-libs`
     CPPFLAGS += `sdl2-config --cflags`
-    CPPFLAGS += -I/usr/local/include -I/opt/local/include
+    CPPFLAGS += -I/opt/local/include
     TARGET := $(TARGET_NAME)
-else ifeq ($(findstring MINGW,$(UNAME_S)),MINGW)
-    PLATFORM = "MinGW"
-    LDFLAGS += -lgdi32 -lopengl32 -lglew32 -limm32 `pkg-config --static --libs sdl2`
-    CPPFLAGS += `pkg-config --cflags sdl2`
-    TARGET := $(TARGET_NAME).exe
 else
     PLATFORM = "Generic Unix-like/BSD"
     LDFLAGS += `sdl2-config --libs` -lSDL2
@@ -56,8 +70,8 @@ else
     TARGET := $(TARGET_NAME)
 endif
 
-all: $(TARGET)
-	@echo Build complete for $(PLATFORM)
+all: header $(TARGET)
+	@echo Build complete for $(PLATFORM) \($(BUILD_CONFIG)\)
 
 $(TARGET): $(OBJECTS)
 	$(CXX) -o $@ $(OBJECTS) $(LDFLAGS)
@@ -72,4 +86,7 @@ $(TARGET): $(OBJECTS)
 	$(CC) $(CPPFLAGS) $(CFLAGS) -c -o $@ $<
 
 clean:
-	rm -f $(OBJECTS) $(TARGET)
+	rm -f $(OBJECTS) $(TARGET)
+
+header:
+	@echo "$$HEADER"

platforms/macos/Makefile

@@ -6,27 +6,16 @@ LDFLAGS += -framework AppKit -framework UniformTypeIdentifiers
 
 include ../desktop-shared/Makefile.common
 
-# Brew use a different path on Apple Silicon as on Intel
-UNAME_P := $(shell uname -m)
-ifneq ($(filter arm64%,$(UNAME_P)),)
-	DYLIB_PATH=/opt/homebrew/lib/
-else
-	DYLIB_PATH=/usr/local/opt/sdl2/lib
-endif
-
-SDL_DYLIB=libSDL2-2.0.0.dylib
 APP_NAME=Gearsystem
 
 bundle:
 	rm -rf $(APP_NAME).app
 	mkdir -p $(APP_NAME).app/Contents/{MacOS,Resources,Frameworks}
 	sed -e "s/@version@/$(GIT_VERSION)/g" Info.plist > $(APP_NAME).app/Contents/Info.plist
-	cp $(DYLIB_PATH)/$(SDL_DYLIB) $(APP_NAME).app/Contents/Frameworks/
 	cp iconfile.icns $(APP_NAME).app/Contents/Resources/
 	cp $(TARGET) $(APP_NAME).app/Contents/MacOS/
 	cp run.sh $(APP_NAME).app/Contents/MacOS/
 	cp ../gamecontrollerdb.txt $(APP_NAME).app/Contents/MacOS/
-	install_name_tool -change $(DYLIB_PATH)/$(SDL_DYLIB) @$(APP_NAME).app/Contents/MacOS/$(SDL_DYLIB) $(APP_NAME).app/Contents/MacOS/$(APP_NAME)
 
 dist: clean all bundle
 	@echo Success!!

platforms/macos/app.entitlements

@@ -0,0 +1,8 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
+<plist version="1.0">
+    <dict>
+       <key>com.apple.security.cs.disable-library-validation</key>
+       <true/>
+    </dict>
+</plist>