From 2083e008ab6c86e173c5c64f5a9f2ed65d2c2213 Mon Sep 17 00:00:00 2001
From: Jonas Kvinge
Date: Sun, 15 Oct 2023 06:28:38 +0200
Subject: [PATCH] CI: Add macOS code-signing

---
 .github/workflows/build.yml | 34 ++++++++++++++++++++++++++++++++++
 1 file changed, 34 insertions(+)

diff --git a/.github/workflows/build.yml b/.github/workflows/build.yml
index 5e4f3af59..a1a825d97 100644
--- a/.github/workflows/build.yml
+++ b/.github/workflows/build.yml
@@ -793,6 +793,39 @@ jobs:
 with:
 fetch-depth: 0
 
+ - name: Write certificate file
+ if: matrix.runner == 'macos-11'
+ env:
+ APPLE_DEVELOPER_ID_CERTIFICATE: ${{ secrets.APPLE_DEVELOPER_ID_CERTIFICATE }}
+ run: echo ${APPLE_DEVELOPER_ID_CERTIFICATE} | base64 --decode > certificate.p12
+
+ - name: Create keychain
+ if: matrix.runner == 'macos-11'
+ run: security create-keychain -p ${{ secrets.APPLE_DEVELOPER_ID_CERTIFICATE_PASSWORD }} build.keychain
+
+ - name: Set keychain
+ if: matrix.runner == 'macos-11'
+ run: security default-keychain -s build.keychain
+
+ - name: Unlock keychain
+ if: matrix.runner == 'macos-11'
+ run: security unlock-keychain -p ${{ secrets.APPLE_DEVELOPER_ID_CERTIFICATE_PASSWORD }} build.keychain
+
+ - name: Unlock keychain
+ if: matrix.runner == 'macos-arm64'
+ run: security unlock-keychain -p ${{ secrets.APPLE_DEVELOPER_ID_CERTIFICATE_PASSWORD2 }}
+
+ - name: Import certificate
+ if: matrix.runner == 'macos-11'
+ run: security import certificate.p12 -k build.keychain -P ${{ secrets.APPLE_DEVELOPER_ID_CERTIFICATE_PASSWORD }} -T /usr/bin/codesign
+
+ - name: Show certificate
+ run: security find-identity -v
+
+ - name: Allow certificate
+ if: matrix.runner == 'macos-11'
+ run: security set-key-partition-list -S 'apple-tool:,apple:,codesign:' -s -k ${{ secrets.APPLE_DEVELOPER_ID_CERTIFICATE_PASSWORD }} build.keychain
+
 - name: Download macOS dependencies
 run: curl -f -O -L https://github.com/strawberrymusicplayer/strawberry-macos-dependencies/releases/latest/download/strawberry-macos-${{env.arch}}-${{env.buildtype}}.tar.xz
 
@@ -829,6 +862,7 @@ jobs:
 -DENABLE_DBUS=OFF
 -DICU_ROOT="${{env.prefix_path}}"
 -DFFTW3_DIR="${{env.prefix_path}}"
+ -DAPPLE_DEVELOPER_ID=$(test "${{matrix.runner}}" = "macos-arm64" && echo "383J84DVB6" || echo "")
 -DCREATEDMG_SKIP_JENKINS=$(test "${{matrix.runner}}" = "macos-arm64" && echo "ON" || echo "OFF")
 
 - name: Build
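Review bot: In the first hunk, the "Create keychain", both "Unlock keychain", "Import certificate" and "Allow certificate" steps splice `${{ secrets.APPLE_DEVELOPER_ID_CERTIFICATE_PASSWORD }}` (or `..._PASSWORD2`) unquoted into the `run:` text, so the value is pasted into the script before the shell parses it. A password containing whitespace or shell metacharacters is then split or interpreted, and a run where the secret is empty (presumably fork pull requests; the triggers are outside the hunk) turns `build.keychain` into the `-p` argument. Map the secret through `env:` as the "Write certificate file" step already does, and reference it quoted: `env: { KEYCHAIN_PASSWORD: "${{ secrets.APPLE_DEVELOPER_ID_CERTIFICATE_PASSWORD }}" }` with `run: security create-keychain -p "$KEYCHAIN_PASSWORD" build.keychain`; `echo ${APPLE_DEVELOPER_ID_CERTIFICATE}` should be quoted as well. `certificate.p12` is written to the workspace and never removed, so decoding it under `$RUNNER_TEMP` and deleting it right after the import keeps the private key out of any later packaging or artifact glob. If `macos-arm64` is a self-hosted runner, its keychain stays unlocked after the job, so a closing `if: always()` step running `security lock-keychain` is worth adding.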
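Review bot: In the second hunk, `-DAPPLE_DEVELOPER_ID` is non-empty only when `matrix.runner` is `macos-arm64`, but the certificate decode, keychain creation, import and partition-list steps added in the first hunk run only on `macos-11`. As written, the macos-11 job loads the signing key into a keychain and then configures with an empty identity, which presumably leaves that build unsigned (the CMake handling is not visible here). Either drop the macos-11 key import so the secret is not exposed on a runner that never signs, or pass the identity for both runners. Once the intent is settled, a comment above the flag such as `# Developer ID is set only on macos-arm64; an empty value leaves the build unsigned` would record it. The cmake `run:` block this line belongs to starts outside the hunk.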