From 3b5a1d6c743cd0c13bb05610bfe2f63965b34f6a Mon Sep 17 00:00:00 2001
From: Benau
Date: Fri, 23 Sep 2022 21:44:09 +0800
Subject: [PATCH] Notarize macOS release build
---
 .github/workflows/apple.yml | 31 ++++++++++++++++++++++++++-----
 1 file changed, 26 insertions(+), 5 deletions(-)
diff --git a/.github/workflows/apple.yml b/.github/workflows/apple.yml
index 7aa44ac34..5a077eadd 100644
--- a/.github/workflows/apple.yml
+++ b/.github/workflows/apple.yml
@@ -131,8 +131,19 @@ jobs:
 echo "${{ env.release_pre }}"
 - name: Download binaries
 uses: actions/download-artifact@v2
- - name: Run dylibbundler and archive
+ - name: Mask developer name
+ run: |
+ echo "::add-mask::${{ secrets.MAC_DEVELOPER_NAME }}"
+ - name: Import certificates
 if: ${{ env.release_tag != '' }}
+ uses: apple-actions/import-codesign-certs@v1
+ with:
+ p12-file-base64: ${{ secrets.MAC_DEVELOPER_ID_P12_FILE }}
+ p12-password: ${{ secrets.MAC_DEVELOPER_ID_P12_PASSWORD }}
+ - name: Run dylibbundler and sign STK
+ if: ${{ env.release_tag != '' }}
+ env:
+ developer_id: "Developer ID Application: ${{ secrets.MAC_DEVELOPER_NAME }} (${{ secrets.MAC_DEVELOPER_TEAM }})"
 run: |
 wget https://github.com/supertuxkart/dependencies/releases/download/preview/dependencies-macosx.tar.xz
 tar xf dependencies-macosx.tar.xz
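Review bot: The `Import certificates` step hands the Developer ID P12 and its password to `apple-actions/import-codesign-certs@v1`, a third-party action referenced by a movable tag, so whatever that tag points to at run time receives the signing key. Pin it to a reviewed commit, e.g. `uses: apple-actions/import-codesign-certs@<full-commit-sha> # v1` (placeholder; take the SHA from the release you audited). The following step still fetches `dependencies-macosx.tar.xz` from the `preview` release without a checksum and unpacks it in the same job that now holds the signing identity; a pinned SHA-256 check before `tar xf` would keep an altered tarball from ending up inside a signed and notarized bundle. The `run:` block of that step continues past the end of this hunk.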
@@ -148,10 +159,20 @@ jobs:
 rm stk-assets-full.zip
 cd ../../../../..
 mv ./macosx-arm64/supertuxkart.app SuperTuxKart.app
- # Use Ad Hoc certificate for now, use Apple developer certificate after STK is on App Store later
- codesign --force -s - SuperTuxKart.app/Contents/libs/*.dylib
- codesign --force --deep -s - SuperTuxKart.app
- zip -r SuperTuxKart-${{ env.release_tag }}-mac.zip SuperTuxKart.app
+ codesign --force --sign "$developer_id" SuperTuxKart.app/Contents/libs/*.dylib
+ codesign --force --options=runtime --deep --sign "$developer_id" SuperTuxKart.app
+ - name: "Notarize release build"
+ if: ${{ env.release_tag != '' && github.ref != 'refs/heads/master' }}
+ run: |
+ ditto -c -k --sequesterRsrc --keepParent SuperTuxKart.app tmp.zip
+ xcrun notarytool submit tmp.zip --apple-id ${{ secrets.STK_NOTARIZATION_USERNAME }} \
+ --password ${{ secrets.STK_NOTARIZATION_PASSWORD }} \
+ --team-id ${{ secrets.MAC_DEVELOPER_TEAM }} --wait
+ xcrun stapler staple SuperTuxKart.app
+ - name: Archive
+ if: ${{ env.release_tag != '' }}
+ run: |
+ ditto -c -k --sequesterRsrc --keepParent SuperTuxKart.app SuperTuxKart-${{ env.release_tag }}-mac.zip
 - name: Create release
 if: ${{ env.release_tag != '' }}
 uses: ncipollo/release-action@v1.8.8
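Review bot: The `xcrun notarytool submit` lines in the new `Notarize release build` step paste `${{ secrets.STK_NOTARIZATION_USERNAME }}`, `${{ secrets.STK_NOTARIZATION_PASSWORD }}` and `${{ secrets.MAC_DEVELOPER_TEAM }}` unquoted into the script text, so the shell parses the values instead of receiving them as data; a password containing a space, `$`, `;` or `&` would be split or interpreted before notarytool sees it. The signing step in the first hunk already passes `developer_id` through `env:` and quotes it, and doing the same here keeps the secrets out of the rendered script. Separately, this step is skipped for `refs/heads/master` while `Archive` and `Create release` only test `release_tag`, so it looks as if such builds would be published signed but not notarized; a comment on the `if:` would record whether that is intended.

```yaml
      - name: "Notarize release build"
        # … unchanged: if: condition on release_tag and github.ref …
        env:
          NOTARY_APPLE_ID: ${{ secrets.STK_NOTARIZATION_USERNAME }}
          NOTARY_PASSWORD: ${{ secrets.STK_NOTARIZATION_PASSWORD }}
          NOTARY_TEAM_ID: ${{ secrets.MAC_DEVELOPER_TEAM }}
        run: |
          # … unchanged: ditto archive of SuperTuxKart.app into tmp.zip …
          xcrun notarytool submit tmp.zip --apple-id "$NOTARY_APPLE_ID" \
            --password "$NOTARY_PASSWORD" \
            --team-id "$NOTARY_TEAM_ID" --wait
          # … unchanged: xcrun stapler staple …
```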