[CI] Setup macOS DMG Signing (#143)

* feat: add macOS signing configuration and files

* feat: add notarization script

* fix: update workflow with teamid

* chore: try to run action on branch

* chore: bump version

* fix: checkout submodules

* chore: fix lint

* chore: another try

* fix: variables

* fix: add GH_TOKEN var

* chore: try again with new token

* other: upload build for test signing

* chore: bump version

* other: update entitlements and build only

* Update release_macOS.yml

* ci: build only on new tag

* chore: replace deprecated package

Author: flavioislima

.eslintignore

@@ -4,3 +4,4 @@ flatpak/.flatpak-builder/
 vite.config.ts
 **/__tests__/**
 **/__mocks__/**
+sign/**

.github/workflows/release_macOS.yml

@@ -0,0 +1,38 @@
+name: Build and Release macOS HP version
+
+on:
+  push:
+    tags:
+      - 'v*'
+  workflow_dispatch:
+
+env:
+  CSC_IDENTITY_AUTO_DISCOVERY: true
+  CSC_LINK: ${{ secrets.CSC_LINK }}
+  CSC_KEY_PASSWORD: ${{ secrets.CSC_KEY_PASSWORD }}
+  APPLE_ID: ${{ secrets.APPLEID }}
+  APPLE_APP_SPECIFIC_PASSWORD: ${{ secrets.APPLEIDPASS }}
+  TEAMID: ${{ secrets.TEAMID }}
+  GH_TOKEN: ${{ secrets.WORKFLOW_TOKEN }}
+
+jobs:
+  build-and-release:
+    runs-on: macos-latest
+
+    steps:
+      - name: Checkout code
+        uses: actions/checkout@v3
+        with:
+          submodules: 'recursive'
+          token: ${{ secrets.pat }}
+
+      - name: Install dependencies
+        run: yarn install
+
+      - name: Set up Node.js
+        uses: actions/setup-node@v3
+        with:
+          node-version: '16'
+
+      - name: Build artifacts.
+        run: yarn release:mac --arm64

.prettierignore

@@ -4,4 +4,5 @@ build
 coverage
 public/locales/
 flatpak
-extensions/
+extensions/
+sign/

package.json

@@ -1,6 +1,6 @@
 {
   "name": "hyperplay",
-  "version": "0.0.3-alpha.1",
+  "version": "0.0.3-alpha.2",
   "private": true,
   "main": "build/electron/main.js",
   "homepage": "./",
@@ -15,8 +15,9 @@
     "email": "hyperplay@hyperplay.gg"
   },
   "build": {
-    "appId": "com.electron.hyperplay",
+    "appId": "gg.hyperplay.HyperPlay",
     "productName": "HyperPlay",
+    "afterSign": "sign/notarize.js",
     "files": [
       "build/**/*",
       "node_modules/**/*",
@@ -55,9 +56,13 @@
     },
     "mac": {
       "artifactName": "${productName}-${version}-macOS-${arch}.${ext}",
-      "target": "dmg",
       "category": "public.app-category.games",
       "icon": "build/app_icon.icns",
+      "entitlements": "build/entitlements.mac.plist",
+      "entitlementsInherit": "build/entitlements.mac.plist",
+      "extendInfo": {
+        "com.apple.security.cs.allow-jit": true
+      },
       "asarUnpack": [
         "build/bin/darwin/legendary",
         "build/bin/darwin/gogdl"
@@ -216,6 +221,7 @@
     ]
   },
   "devDependencies": {
+    "@electron/notarize": "^1.2.3",
     "@testing-library/dom": "^7.31.0",
     "@testing-library/jest-dom": "^5.16.4",
     "@testing-library/react": "^13.1.1",

public/entitlements.mac.plist

@@ -0,0 +1,12 @@
+<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" 
+    "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
+<plist version="1.0">
+  <dict>
+    <key>com.apple.security.cs.allow-jit</key>
+    <true/>
+    <key>com.apple.security.cs.allow-unsigned-executable-memory</key>
+    <true/>
+    <key>com.apple.security.cs.disable-library-validation</key>
+    <true/>
+  </dict>
+</plist>

sign/notarize.js

@@ -0,0 +1,20 @@
+require('dotenv').config()
+const { notarize } = require('electron-notarize')
+
+exports.default = async function notarizing(context) {
+  const { electronPlatformName, appOutDir } = context
+  if (electronPlatformName !== 'darwin') {
+    return
+  }
+
+  const appName = context.packager.appInfo.productFilename
+
+  return await notarize({
+    tool: 'notarytool',
+    appBundleId: 'gg.hyperplay.HyperPlay',
+    appPath: `${appOutDir}/${appName}.app`,
+    teamId: process.env.TEAMID,
+    appleId: process.env.APPLE_ID,
+    appleIdPassword: process.env.APPLE_APP_SPECIFIC_PASSWORD
+  })
+}

tsconfig.json

@@ -34,5 +34,5 @@
     "strictPropertyInitialization": true
   },
   "include": ["src"],
-  "exclude": ["vite.config.ts", "**/__tests__/**", "**/__mocks__/**"]
+  "exclude": ["vite.config.ts", "**/__tests__/**", "**/__mocks__/**", "sign"]
 }

yarn.lock

@@ -518,6 +518,14 @@
     global-agent "^3.0.0"
     global-tunnel-ng "^2.7.1"
 
+"@electron/notarize@^1.2.3":
+  version "1.2.3"
+  resolved "https://registry.yarnpkg.com/@electron/notarize/-/notarize-1.2.3.tgz#38056a629e5a0b5fd56c975c4828c0f74285b644"
+  integrity sha512-9oRzT56rKh5bspk3KpAVF8lPKHYQrBnRwcgiOeR0hdilVEQmszDaAu0IPCPrwwzJN0ugNs0rRboTreHMt/6mBQ==
+  dependencies:
+    debug "^4.1.1"
+    fs-extra "^9.0.1"
+
 "@electron/universal@1.2.1":
   version "1.2.1"
   resolved "https://registry.yarnpkg.com/@electron/universal/-/universal-1.2.1.tgz#3c2c4ff37063a4e9ab1e6ff57db0bc619bc82339"