Add apple code-signing to build

.github/workflows/build.yml

@@ -59,15 +59,43 @@ jobs:
           dotnet-version: ${{ env.DOTNET_VERSION }}
       - name: Build SquirrelMac
         run: |
-          dotnet publish -v minimal --self-contained -c Release -r osx.10.12-x64 ./src/Squirrel.CommandLine.OSX/Squirrel.CommandLine.OSX.csproj -o ./bundle
+          dotnet publish -v minimal --self-contained -c Release -r osx.10.12-x64 ./src/Squirrel.CommandLine.OSX/Squirrel.CommandLine.OSX.csproj -o ./publish
-          ls -la ./bundle
+          ls -la ./publish
       - name: Build UpdateMac
         run: |
-          dotnet publish -v minimal --self-contained -c Release -r osx.10.12-x64 ./src/Update.OSX/Update.OSX.csproj -o ./bundle
+          dotnet publish -v minimal --self-contained -c Release -r osx.10.12-x64 ./src/Update.OSX/Update.OSX.csproj -o ./publish
-          ls -la ./bundle
+          ls -la ./publish
+      # https://docs.github.com/en/actions/deployment/deploying-xcode-applications/installing-an-apple-certificate-on-macos-runners-for-xcode-development
+      - name: Install Apple Certificate
+        env:
+          BUILD_CERTIFICATE_BASE64: ${{ secrets.APPLE_BUILD_CERTIFICATE_BASE64 }}
+          P12_PASSWORD: ${{ secrets.APPLE_BUILD_CERTIFICATE_PASSWORD }}
+          KEYCHAIN_PASSWORD: ${{ secrets.KEYCHAIN_PASSWORD }}
+        run: |
+          # write certificate to file
+          CERTIFICATE_PATH=$RUNNER_TEMP/build_certificate.p12
+          echo -n "$BUILD_CERTIFICATE_BASE64" | base64 --decode --output $CERTIFICATE_PATH
+
+          # create temporary keychain
+          KEYCHAIN_PATH=$RUNNER_TEMP/app-signing.keychain-db
+          security create-keychain -p "$KEYCHAIN_PASSWORD" $KEYCHAIN_PATH
+          security set-keychain-settings -lut 21600 $KEYCHAIN_PATH
+          security unlock-keychain -p "$KEYCHAIN_PASSWORD" $KEYCHAIN_PATH
+
+          # import certificate to keychain
+          security import $CERTIFICATE_PATH -P "$P12_PASSWORD" -A -t cert -f pkcs12 -k $KEYCHAIN_PATH
+          security list-keychain -d user -s $KEYCHAIN_PATH
+      - name: CodeSign Binaries
+        run: |
+          codesign --force --timestamp --options=runtime --keychain $KEYCHAIN_PATH --entitlements Squirrel.entitlements --sign "Developer ID: Caelan Sayler" ./publish/SquirrelMac
+          codesign --force --timestamp --options=runtime --keychain $KEYCHAIN_PATH --entitlements Squirrel.entitlements --sign "Developer ID: Caelan Sayler" ./publish/UpdateMac
+      - name: Clean up KeyChain
+        if: ${{ always() }}
+        run: |
+          security delete-keychain $RUNNER_TEMP/app-signing.keychain-db
       - name: Upload MacOS Artifacts
         uses: actions/upload-artifact@v3
         with:
           name: osx-tools
-          path: ./bundle/*
+          path: ./publish/*
         

Squirrel.entitlements

@@ -0,0 +1,16 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
+<plist version="1.0">
+<dict>
+	<key>com.apple.security.cs.allow-jit</key>
+	<true/>
+	<key>com.apple.security.automation.apple-events</key>
+	<true/>
+	<key>com.apple.security.cs.allow-unsigned-executable-memory</key>
+	<true/>
+	<key>com.apple.security.cs.allow-dyld-environment-variables</key>
+	<true/>
+	<key>com.apple.security.cs.disable-library-validation</key>
+	<true/>
+</dict>
+</plist>

Squirrel.sln

@@ -19,6 +19,7 @@ Project("{2150E333-8FDC-42A3-9474-1A3956D46DE8}") = "SolutionLevel", "SolutionLe
 		.github\workflows\build.yml = .github\workflows\build.yml
 		build.ps1 = build.ps1
 		pack.ps1 = pack.ps1
+		Squirrel.entitlements = Squirrel.entitlements
 	EndProjectSection
 EndProject
 Project("{9A19103F-16F7-4668-BE54-9A1E7A4F7556}") = "Squirrel.CommandLine.Windows", "src\Squirrel.CommandLine.Windows\Squirrel.CommandLine.Windows.csproj", "{19E8EBF5-0277-422F-BF49-C66D9DBA5AA4}"