From 99f4df1487c191f045ac10bb5b601661a117452c Mon Sep 17 00:00:00 2001 From: Brendan Allan Date: Sat, 20 May 2023 11:20:14 +0800 Subject: [PATCH] macos signing (#835) * add certificate envs more signing envs * signing identity install api key in release workflow sign ffmpeg libraries * update all envs * update docker build action * update fmmpeg scripts * remove lib codesigning from setup script * declare signing identity arg * codesign ffmpeg in setup * stupid * qutoes --- .github/actions/setup-system/action.yml | 1 + .github/scripts/setup-system.sh | 2 +- .github/workflows/ffmpeg.yml | 2 +- .github/workflows/release.yml | 25 +++++++++++++++++++++++++ apps/desktop/src-tauri/tauri.conf.json | 1 - 5 files changed, 28 insertions(+), 3 deletions(-) diff --git a/.github/actions/setup-system/action.yml b/.github/actions/setup-system/action.yml index 75a3825f0..bdd5eb77e 100644 --- a/.github/actions/setup-system/action.yml +++ b/.github/actions/setup-system/action.yml @@ -55,6 +55,7 @@ runs: env: TARGET: ${{ inputs.targets }} GITHUB_TOKEN: ${{ inputs.token }} + APPLE_SIGNING_IDENTITY: ${{ env.APPLE_SIGNING_IDENTITY }} - name: Run 'setup-system.ps1' script shell: powershell diff --git a/.github/scripts/setup-system.sh b/.github/scripts/setup-system.sh index e20964d4f..059e33a7e 100755 --- a/.github/scripts/setup-system.sh +++ b/.github/scripts/setup-system.sh @@ -316,7 +316,7 @@ elif [ "$SYSNAME" = "Darwin" ]; then for _lib in "${_frameworks_dir}/FFMpeg.framework/Libraries/"*; do if [ -f "$_lib" ]; then # Sign the lib with the local machine certificate (Required for it to work on macOS 13+) - if ! codesign -s - -f "$_lib" 1>/dev/null 2>&1; then + if ! codesign -s "$APPLE_SIGNING_IDENTITY" -f "$_lib" 1>/dev/null 2>&1; then err "Failed to sign: ${_lib#"$_frameworks_dir"}" \ 'Please open an issue on https://github.com/spacedriveapp/spacedrive/issues' fi diff --git a/.github/workflows/ffmpeg.yml b/.github/workflows/ffmpeg.yml index b4beea06f..12268f9ca 100644 
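Review bot: The new `APPLE_SIGNING_IDENTITY: ${{ env.APPLE_SIGNING_IDENTITY }}` line makes the composite action depend on whatever environment the calling step happens to set, and nothing in the action's interface says so. A caller that does not set it gets an empty string exported to `setup-system.sh`. Declaring it as an action input would make the contract visible, e.g. an optional `signing-identity` input with an empty default, read here as `APPLE_SIGNING_IDENTITY: ${{ inputs.signing-identity }}`. The step this env block belongs to starts outside the hunk.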
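Review bot: With `codesign -s "$APPLE_SIGNING_IDENTITY"` the script no longer has an ad-hoc fallback, so any run where the variable is unset or empty (a local developer machine, or a workflow without the secret) will presumably fail at this line where `-s -` used to succeed. Keeping the old behaviour as the default avoids that: `if ! codesign -s "${APPLE_SIGNING_IDENTITY:--}" -f "$_lib" 1>/dev/null 2>&1; then`. The comment above still describes signing with the local machine certificate and should be updated to say the identity comes from the environment. Because stderr is discarded, a wrong or missing identity only surfaces as the generic "Failed to sign" message; the enclosing loop and branch start outside the hunk.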
--- a/.github/workflows/ffmpeg.yml +++ b/.github/workflows/ffmpeg.yml @@ -45,7 +45,7 @@ jobs: run: | set -euxo pipefail cd .github/scripts/ffmpeg-macos - docker build --build-arg FFMPEG_VERSION=$FFMPEG_VERSION -o . . + docker build --build-arg FFMPEG_VERSION=$FFMPEG_VERSION --build-arg APPLE_SIGNING_IDENTITY="${{ secrets.APPLE_SIGNING_IDENTITY }}" -o . . export XZ_OPT='-T0 -9' tar -cJf "ffmpeg-${FFMPEG_VERSION}-x86_64.tar.xz" -C ffmpeg/x86_64 . tar -cJf "ffmpeg-${FFMPEG_VERSION}-arm64.tar.xz" -C ffmpeg/aarch64 . diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml index d187f8838..e8f124c26 100644 --- a/.github/workflows/release.yml +++ b/.github/workflows/release.yml @@ -39,6 +39,22 @@ jobs: - name: Checkout repository uses: actions/checkout@v3 + - name: Install Apple API key + if: ${{ runner.os == 'macOS' }} + run: | + mkdir -p ~/.appstoreconnect/private_keys/ + cd ~/.appstoreconnect/private_keys/ + echo ${{ secrets.APPLE_API_KEY_BASE64 }} >> AuthKey_${{ secrets.APPLE_API_KEY }}.p8.base64 + base64 --decode AuthKey_${{ secrets.APPLE_API_KEY }}.p8.base64 -o AuthKey_${{ secrets.APPLE_API_KEY }}.p8 + rm AuthKey_${{ secrets.APPLE_API_KEY }}.p8.base64 + + - name: Install Codesigning Certificate + if: ${{ runner.os == 'macOS' }} + uses: apple-actions/import-codesign-certs@v2 + with: + p12-file-base64: ${{ secrets.APPLE_CERTIFICATE }} + p12-password: ${{ secrets.APPLE_CERTIFICATE_PASSWORD }} + - name: Setup Node.js, pnpm and dependencies uses: ./.github/actions/setup-pnpm with: @@ -46,6 +62,8 @@ jobs: - name: Setup System and Rust uses: ./.github/actions/setup-system + env: + APPLE_SIGNING_IDENTITY: ${{ secrets.APPLE_SIGNING_IDENTITY }} with: token: ${{ secrets.GITHUB_TOKEN }} targets: ${{ matrix.settings.target }} 
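Review bot: On the `docker build` line the secret is expanded by the Actions template engine directly into the script text, so its value is parsed as shell source and, with `set -euxo pipefail` in effect, the expanded command is traced to the job log where only log masking protects it. Build arguments are also recorded in image build metadata, which is why they are a poor carrier for anything stored as a secret, even if the identity is only a certificate name. Pass it through the step environment instead: add `env:` with `APPLE_SIGNING_IDENTITY: ${{ secrets.APPLE_SIGNING_IDENTITY }}` to the step and use `--build-arg APPLE_SIGNING_IDENTITY` without a value so Docker reads it from the environment. The step header is outside the hunk.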
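Review bot: The "Install Apple API key" step writes the App Store Connect private key by pasting `${{ secrets.* }}` expansions unquoted into the script, appending with `>>` to an intermediate `.p8.base64` file, and leaving the decoded `.p8` with default umask permissions. Passing the secrets through `env:`, decoding from a pipe and setting `umask 077` removes the shell-parsing exposure and the intermediate file, and keeps the key readable by the runner user only. Separately, `apple-actions/import-codesign-certs@v2` receives the certificate and its password while pinned to a mutable tag; pinning it to a full commit SHA would stop a retagged release from seeing those secrets.

```yaml
- name: Install Apple API key
  if: ${{ runner.os == 'macOS' }}
  env:
    APPLE_API_KEY: ${{ secrets.APPLE_API_KEY }}
    APPLE_API_KEY_BASE64: ${{ secrets.APPLE_API_KEY_BASE64 }}
  run: |
    set -euo pipefail
    umask 077
    mkdir -p ~/.appstoreconnect/private_keys
    printf '%s' "$APPLE_API_KEY_BASE64" \
      | base64 --decode > ~/.appstoreconnect/private_keys/"AuthKey_${APPLE_API_KEY}.p8"

# … unchanged: Install Codesigning Certificate step, Setup System and Rust env …
```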
@@ -56,6 +74,13 @@ jobs: env: TAURI_PRIVATE_KEY: ${{ secrets.TAURI_PRIVATE_KEY }} TAURI_KEY_PASSWORD: ${{ secrets.TAURI_KEY_PASSWORD }} + ENABLE_CODE_SIGNING: ${{ secrets.APPLE_CERTIFICATE }} + APPLE_CERTIFICATE: ${{ secrets.APPLE_CERTIFICATE }} + APPLE_CERTIFICATE_PASSWORD: ${{ secrets.APPLE_CERTIFICATE_PASSWORD }} + APPLE_SIGNING_IDENTITY: ${{ secrets.APPLE_SIGNING_IDENTITY }} + APPLE_PROVIDER_SHORT_NAME: ${{ secrets.APPLE_PROVIDER_SHORT_NAME }} + APPLE_API_ISSUER: ${{ secrets.APPLE_API_ISSUER }} + APPLE_API_KEY: ${{ secrets.APPLE_API_KEY }} - name: Publish Artifacts uses: ./.github/actions/publish-artifacts diff --git a/apps/desktop/src-tauri/tauri.conf.json b/apps/desktop/src-tauri/tauri.conf.json index ae5d995ee..b3f6a38a8 100644 --- a/apps/desktop/src-tauri/tauri.conf.json +++ b/apps/desktop/src-tauri/tauri.conf.json @@ -37,7 +37,6 @@ "frameworks": [], "minimumSystemVersion": "10.15", "exceptionDomain": "", - "signingIdentity": null, "entitlements": null }, "windows": {
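Review bot: `ENABLE_CODE_SIGNING: ${{ secrets.APPLE_CERTIFICATE }}` places a second full copy of the base64 certificate in the build environment just to act as a flag, and the whole Apple block is exported on every matrix target, not only macOS. Everything the build step runs (build scripts, dependency install hooks) can read these variables, so the set should be as small as the bundler needs. Since the earlier "Install Codesigning Certificate" step already imports the certificate, it is worth confirming whether `APPLE_CERTIFICATE` and `APPLE_CERTIFICATE_PASSWORD` are still required here. If they are, they can be gated per platform, e.g. `APPLE_CERTIFICATE: ${{ runner.os == 'macOS' && secrets.APPLE_CERTIFICATE || '' }}`. The step this `env:` belongs to begins outside the hunk.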