add apple signing

Author: Weixuanf

.github/workflows/build.yml

@@ -49,16 +49,31 @@ jobs:
           cd react
           npm run build
 
-      # - name: Build Electron app
-      #   run: |
-      #     cd electron
-      #     npm run build
+      - name: Install Apple certificate
+        if: matrix.os == 'macos-latest'
+        run: |
+          echo "$CERTIFICATE_P12" | base64 --decode > certificate.p12
+          security create-keychain -p "" build.keychain
+          security default-keychain -s build.keychain
+          security unlock-keychain -p "" build.keychain
+          security import certificate.p12 -k build.keychain -P "$CERTIFICATE_PASSWORD" -T /usr/bin/codesign
+          security set-key-partition-list -S apple-tool:,apple: -s -k "" build.keychain
+        env:
+          CERTIFICATE_P12: ${{ secrets.CERTIFICATE_P12 }}
+          CERTIFICATE_PASSWORD: ${{ secrets.CERTIFICATE_PASSWORD }}
+
+      - name: Set env for mac signing
+        if: matrix.os == 'macos-latest'
+        run: echo "CSC_LINK=certificate.p12" >> $GITHUB_ENV && echo "CSC_KEY_PASSWORD=${{ secrets.CERTIFICATE_PASSWORD }}" >> $GITHUB_ENV
 
       - name: Build and Package Electron app
         run: |
           npx electron-builder --${{ matrix.os == 'macos-latest' && 'mac' || 'win' }} --publish always
         env:
           GH_TOKEN: ${{ secrets.GH_TOKEN }}
+          APPLE_ID: ${{ secrets.APPLE_ID }}
+          APPLE_APP_PASSWORD: ${{ secrets.APPLE_APP_PASSWORD }}
+          TEAM_ID: ${{ secrets.TEAM_ID }}
 
       - name: Upload artifacts
         uses: actions/upload-artifact@v4

entitlements.mac.plist

@@ -0,0 +1,14 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
+<plist version="1.0">
+  <dict>
+    <key>com.apple.security.cs.allow-jit</key>
+    <true/>
+    <key>com.apple.security.cs.allow-unsigned-executable-memory</key>
+    <true/>
+    <key>com.apple.security.cs.disable-library-validation</key>
+    <true/>
+    <key>com.apple.security.inherit</key>
+    <true/>
+  </dict>
+</plist> 

package-lock.json

@@ -45,11 +45,13 @@
     "mac": {
       "category": "public.app-category.utilities",
       "icon": "assets/icons/unicorn.icns",
-      "target": [
-        "dmg",
-        "zip"
-      ]
+      "target": "dmg",
+      "hardenedRuntime": true,
+      "entitlements": "entitlements.mac.plist",
+      "entitlementsInherit": "entitlements.mac.plist",
+      "gatekeeperAssess": false
     },
+    "afterSign": "./scripts/notarize.js",
     "win": {
       "icon": "assets/icons/unicorn.ico",
       "target": [

package.json

@@ -0,0 +1,14 @@
+const { notarize } = require("electron-notarize");
+
+exports.default = async function notarizing(context) {
+  const { electronPlatformName, appOutDir } = context;
+  if (electronPlatformName !== "darwin") return;
+
+  return await notarize({
+    appBundleId: "com.jaaz.app",
+    appPath: `${appOutDir}/Jaaz.app`, // Replace with your actual .app name
+    appleId: process.env.APPLE_ID,
+    appleIdPassword: process.env.APPLE_APP_PASSWORD,
+    teamId: process.env.TEAM_ID,
+  });
+};