Enhance macOS deployment with Sparkle integration and update build scripts

This commit refines the CMake configuration for macOS by finding the Sparkle framework early in the build process, allowing it to be bundled with the application. The Dmg.cmake script is updated to handle Sparkle's framework paths and ensure proper deployment. Additionally, the build_sign_notarize.sh script is improved to sign Sparkle's helper executables correctly and includes enhanced notarization feedback. The Brewfile and install_brew_deps.sh are also updated to include the new macdeploycheck dependency for better deployment checks.

build_tools/macos/build_sign_notarize.sh

@@ -16,7 +16,8 @@ Common options:
   --run                          Perform build/sign/notarize (otherwise list identities/profiles)
   --release | --debug            Build config (default: Release)
   --clean                        Clean build dir before build
-  --deploy                       Run CMake 'deploy' target before signing (recommended for distributing)
+  --deploy                       Run CMake 'deploy' target before signing (default: on)
+  --no-deploy                    Do not run 'deploy' (not recommended for distribution)
   --build-dir <path>             Override build directory
 
 Signing options:
@@ -42,8 +43,10 @@ list_identities_and_profiles() {
   security find-identity -p codesigning -v || true
 
   echo
-  echo "==> [$(ts)] notarytool profiles (keychain profiles)"
-  xcrun notarytool list-profiles 2>/dev/null || echo "(none; create one with: xcrun notarytool store-credentials <name> ...)"
+  echo "==> [$(ts)] notarytool credential profiles"
+  echo "Note: this Xcode notarytool version does not provide a 'list-profiles' command."
+  echo "If you forgot the profile name you created, check Keychain Access or re-run:"
+  echo "  xcrun notarytool store-credentials \"<profile-name>\" --apple-id \"you@example.com\" --team-id \"TEAMID\""
 
   echo
   echo "==> [$(ts)] Provisioning profiles (macOS)"
@@ -69,7 +72,7 @@ fi
 do_run=0
 config="Release"
 do_clean=0
-do_deploy=0
+do_deploy=1
 build_dir=""
 identity=""
 entitlements=""
@@ -83,6 +86,7 @@ while [[ $# -gt 0 ]]; do
     --debug) config="Debug"; shift ;;
     --clean) do_clean=1; shift ;;
     --deploy) do_deploy=1; shift ;;
+    --no-deploy) do_deploy=0; shift ;;
     --build-dir) build_dir="${2:-}"; shift 2 ;;
     --identity) identity="${2:-}"; shift 2 ;;
     --entitlements) entitlements="${2:-}"; shift 2 ;;
@@ -139,12 +143,46 @@ if [[ -n "$entitlements" ]]; then
   codesign_args+=( --entitlements "$entitlements" )
 fi
 
-find "$app_path" -type f \( -name "*.dylib" -o -name "*.so" -o -perm -111 \) -print0 | while IFS= read -r -d '' f; do
-  codesign "${codesign_args[@]}" "$f" >/dev/null
+# Sign nested code first, then frameworks, then the main app bundle.
+#
+# Important: do NOT codesign individual files *inside* a .framework bundle (e.g. Sparkle.framework/Sparkle),
+# because codesign expects frameworks to be signed as bundles and may error with
+# "bundle format is ambiguous (could be app or framework)".
+
+# 1) Sign dylibs and standalone executables that are NOT inside a .framework/.app/.xpc bundle.
+find "$app_path" -type f \( -name "*.dylib" -o -name "*.so" -o -perm -111 \) \
+  ! -path "*/Contents/Frameworks/*.framework/*" \
+  ! -path "*/Contents/Frameworks/*.app/*" \
+  ! -path "*/Contents/Frameworks/*.xpc/*" \
+  ! -path "*/Contents/PlugIns/*.framework/*" \
+  ! -path "*/Contents/PlugIns/*.app/*" \
+  ! -path "*/Contents/PlugIns/*.xpc/*" \
+  -print0 | while IFS= read -r -d '' f; do
+    codesign "${codesign_args[@]}" "$f" >/dev/null
+  done
+
+# 2) Sign nested helper apps and XPC services (Sparkle ships these inside its framework).
+find "$app_path" -type d \( -name "*.xpc" -o -name "*.app" \) -print0 2>/dev/null | while IFS= read -r -d '' b; do
+  codesign "${codesign_args[@]}" "$b" >/dev/null
 done
+
+# 2b) Sparkle.framework contains a standalone helper executable "Autoupdate" under Versions/* that is
+# not inside an .app or .xpc bundle. Notarization requires it be signed with Developer ID + timestamp.
+sparkle_fw="$app_path/Contents/Frameworks/Sparkle.framework"
+if [[ -d "$sparkle_fw" ]]; then
+  find "$sparkle_fw/Versions" -type f -perm -111 \
+    ! -path "*/_CodeSignature/*" \
+    -print0 2>/dev/null | while IFS= read -r -d '' f; do
+      codesign "${codesign_args[@]}" "$f" >/dev/null
+    done
+fi
+
+# 3) Sign frameworks as bundles.
 find "$app_path/Contents/Frameworks" "$app_path/Contents/PlugIns" -type d -name "*.framework" -print0 2>/dev/null | while IFS= read -r -d '' fw; do
   codesign "${codesign_args[@]}" "$fw" >/dev/null
 done
+
+# 4) Finally sign the main app.
 codesign "${codesign_args[@]}" "$app_path" >/dev/null
 
 echo "==> [$(ts)] Verifying codesign"
@@ -156,7 +194,25 @@ ditto -c -k --sequesterRsrc --keepParent "$app_path" "$zip_path"
 
 if [[ "$skip_notarize" -eq 0 ]]; then
   echo "==> [$(ts)] Notarizing"
-  xcrun notarytool submit "$zip_path" --keychain-profile "$notary_profile" --wait
+  # Use JSON output so we can reliably detect Invalid and fetch logs.
+  submit_json="$(xcrun notarytool submit "$zip_path" --keychain-profile "$notary_profile" --wait --output-format json --no-progress)"
+  submit_id="$(python3 -c 'import json,sys; print(json.load(sys.stdin).get("id",""))' <<<"$submit_json" 2>/dev/null || true)"
+  submit_status="$(python3 -c 'import json,sys; print(json.load(sys.stdin).get("status",""))' <<<"$submit_json" 2>/dev/null || true)"
+
+  if [[ -z "$submit_id" ]]; then
+    echo "Error: could not parse notarization submission id. Raw output:" >&2
+    echo "$submit_json" >&2
+    exit 1
+  fi
+
+  echo "==> [$(ts)] Notary submission id: $submit_id"
+  echo "==> [$(ts)] Notary status: $submit_status"
+
+  if [[ "$submit_status" != "Accepted" ]]; then
+    echo "Error: notarization failed with status '$submit_status'. Fetching log..." >&2
+    xcrun notarytool log "$submit_id" --keychain-profile "$notary_profile" || true
+    exit 1
+  fi
 
   echo "==> [$(ts)] Stapling"
   xcrun stapler staple "$app_path"

build_tools/macos/install_brew_deps.sh

@@ -93,7 +93,7 @@ run_with_heartbeat "Refreshing strawberry/local tap clone" bash -lc '
   git reset --hard -q "$default_ref"
 '
 
-for f in kdsingleapplication-qt6 qtsparkle-qt6 sparkle-framework libgpod; do
+for f in kdsingleapplication-qt6 qtsparkle-qt6 sparkle-framework libgpod macdeploycheck; do
   if ! brew info "strawberry/local/${f}" >/dev/null 2>&1; then
     echo "Error: Missing formula strawberry/local/${f} in the tapped repo." >&2
     echo "If you recently added/changed formulae, ensure they are committed, then refresh the tap:" >&2