macos signing (#835)

* add certificate envs

more signing envs

* signing identity

install api key in release workflow

sign ffmpeg libraries

* update all envs

* update docker build action

* update fmmpeg scripts

* remove lib codesigning from setup script

* declare signing identity arg

* codesign ffmpeg in setup

* stupid

* qutoes

.github/actions/setup-system/action.yml

@@ -55,6 +55,7 @@ runs:
       env:
         TARGET: ${{ inputs.targets }}
         GITHUB_TOKEN: ${{ inputs.token }}
+        APPLE_SIGNING_IDENTITY: ${{ env.APPLE_SIGNING_IDENTITY }}
 
     - name: Run 'setup-system.ps1' script
       shell: powershell

.github/scripts/setup-system.sh

@@ -316,7 +316,7 @@ elif [ "$SYSNAME" = "Darwin" ]; then
   for _lib in "${_frameworks_dir}/FFMpeg.framework/Libraries/"*; do
     if [ -f "$_lib" ]; then
       # Sign the lib with the local machine certificate (Required for it to work on macOS 13+)
-      if ! codesign -s - -f "$_lib" 1>/dev/null 2>&1; then
+      if ! codesign -s "$APPLE_SIGNING_IDENTITY" -f "$_lib" 1>/dev/null 2>&1; then
         err "Failed to sign: ${_lib#"$_frameworks_dir"}" \
           'Please open an issue on https://github.com/spacedriveapp/spacedrive/issues'
       fi

.github/workflows/ffmpeg.yml

@@ -45,7 +45,7 @@ jobs:
         run: |
           set -euxo pipefail
           cd .github/scripts/ffmpeg-macos
-          docker build --build-arg FFMPEG_VERSION=$FFMPEG_VERSION -o . .
+          docker build --build-arg FFMPEG_VERSION=$FFMPEG_VERSION --build-arg APPLE_SIGNING_IDENTITY="${{ secrets.APPLE_SIGNING_IDENTITY }}" -o . .
           export XZ_OPT='-T0 -9'
           tar -cJf "ffmpeg-${FFMPEG_VERSION}-x86_64.tar.xz" -C ffmpeg/x86_64 .
           tar -cJf "ffmpeg-${FFMPEG_VERSION}-arm64.tar.xz" -C ffmpeg/aarch64 .

.github/workflows/release.yml

@@ -39,6 +39,22 @@ jobs:
       - name: Checkout repository
         uses: actions/checkout@v3
 
+      - name: Install Apple API key
+        if: ${{ runner.os == 'macOS' }}
+        run: |
+          mkdir -p ~/.appstoreconnect/private_keys/
+          cd ~/.appstoreconnect/private_keys/
+          echo ${{ secrets.APPLE_API_KEY_BASE64 }} >> AuthKey_${{ secrets.APPLE_API_KEY }}.p8.base64
+          base64 --decode AuthKey_${{ secrets.APPLE_API_KEY }}.p8.base64 -o AuthKey_${{ secrets.APPLE_API_KEY }}.p8
+          rm AuthKey_${{ secrets.APPLE_API_KEY }}.p8.base64
+
+      - name: Install Codesigning Certificate
+        if: ${{ runner.os == 'macOS' }}
+        uses: apple-actions/import-codesign-certs@v2
+        with: 
+          p12-file-base64: ${{ secrets.APPLE_CERTIFICATE }}
+          p12-password: ${{ secrets.APPLE_CERTIFICATE_PASSWORD }}
+
       - name: Setup Node.js, pnpm and dependencies
         uses: ./.github/actions/setup-pnpm
         with:
@@ -46,6 +62,8 @@ jobs:
 
       - name: Setup System and Rust
         uses: ./.github/actions/setup-system
+        env:
+          APPLE_SIGNING_IDENTITY: ${{ secrets.APPLE_SIGNING_IDENTITY }}
         with:
           token: ${{ secrets.GITHUB_TOKEN }}
           targets: ${{ matrix.settings.target }}
@@ -56,6 +74,13 @@ jobs:
         env:
           TAURI_PRIVATE_KEY: ${{ secrets.TAURI_PRIVATE_KEY }}
           TAURI_KEY_PASSWORD: ${{ secrets.TAURI_KEY_PASSWORD }}
+          ENABLE_CODE_SIGNING: ${{ secrets.APPLE_CERTIFICATE }}
+          APPLE_CERTIFICATE: ${{ secrets.APPLE_CERTIFICATE }}
+          APPLE_CERTIFICATE_PASSWORD: ${{ secrets.APPLE_CERTIFICATE_PASSWORD }}
+          APPLE_SIGNING_IDENTITY: ${{ secrets.APPLE_SIGNING_IDENTITY }}
+          APPLE_PROVIDER_SHORT_NAME: ${{ secrets.APPLE_PROVIDER_SHORT_NAME }}
+          APPLE_API_ISSUER: ${{ secrets.APPLE_API_ISSUER }}
+          APPLE_API_KEY: ${{ secrets.APPLE_API_KEY }}
 
       - name: Publish Artifacts
         uses: ./.github/actions/publish-artifacts

apps/desktop/src-tauri/tauri.conf.json

@@ -37,7 +37,6 @@
 				"frameworks": [],
 				"minimumSystemVersion": "10.15",
 				"exceptionDomain": "",
-				"signingIdentity": null,
 				"entitlements": null
 			},
 			"windows": {