feat: add macOS DMG creation with code signing support

- Created package.osx-dmg.sh script for DMG creation
- Added support for code signing with Developer ID certificate
- Added notarization support for Gatekeeper approval
- Created entitlements.plist for proper app permissions
- Updated package.yml to create both ZIP and DMG
- Added comprehensive documentation for signing setup

DMG features:
- Automatic code signing if certificates available
- Notarization for Gatekeeper approval
- Falls back to unsigned DMG if no certificates
- Both ZIP and DMG provided in releases

Required GitHub Secrets (optional):
- MACOS_CERTIFICATE: Base64 encoded .p12 certificate
- MACOS_CERTIFICATE_PWD: Certificate password
- APPLE_ID: Apple ID for notarization
- NOTARIZE_PASSWORD: App-specific password
- TEAM_ID: Apple Developer Team ID

Author: biancode

.github/workflows/package.yml

@@ -50,19 +50,36 @@ jobs:
         with:
           name: sourcegit.${{ matrix.runtime }}
           path: build
-      - name: Package
+      - name: Package as ZIP (unsigned)
         env:
           VERSION: ${{ inputs.version }}
           RUNTIME: ${{ matrix.runtime }}
         run: |
           mkdir build/SourceGit
           tar -xf "build/sourcegit.${{ matrix.runtime }}.tar" -C build/SourceGit
           ./build/scripts/package.osx-app.sh
-      - name: Upload package artifact
+      - name: Package as DMG (signed if certificates available)
+        env:
+          VERSION: ${{ inputs.version }}
+          RUNTIME: ${{ matrix.runtime }}
+          MACOS_CERTIFICATE: ${{ secrets.MACOS_CERTIFICATE }}
+          MACOS_CERTIFICATE_PWD: ${{ secrets.MACOS_CERTIFICATE_PWD }}
+          APPLE_ID: ${{ secrets.APPLE_ID }}
+          NOTARIZE_PASSWORD: ${{ secrets.NOTARIZE_PASSWORD }}
+          TEAM_ID: ${{ secrets.TEAM_ID }}
+        run: |
+          # Re-extract for DMG (clean state)
+          rm -rf build/SourceGit
+          mkdir build/SourceGit
+          tar -xf "build/sourcegit.${{ matrix.runtime }}.tar" -C build/SourceGit
+          ./build/scripts/package.osx-dmg.sh
+      - name: Upload package artifacts
         uses: actions/upload-artifact@v4
         with:
           name: package.${{ matrix.runtime }}
-          path: build/sourcegit_*.zip
+          path: |
+            build/sourcegit_*.zip
+            build/sourcegit_*.dmg
       - name: Delete temp artifacts
         uses: geekyeggo/delete-artifact@v5
         with:

build/scripts/package.osx-dmg.sh

@@ -0,0 +1,108 @@
+#!/bin/bash
+set -e
+
+# DMG creation and signing script for macOS
+# Requires: VERSION and RUNTIME environment variables
+# Optional: MACOS_CERTIFICATE, MACOS_CERTIFICATE_PWD, APPLE_ID, NOTARIZE_PASSWORD, TEAM_ID
+
+cd build
+
+# Prepare the app bundle
+echo "Preparing SourceGit.app..."
+rm -rf SourceGit.app
+mkdir -p SourceGit.app/Contents/{MacOS,Resources}
+cp -r SourceGit/* SourceGit.app/Contents/MacOS/
+mv SourceGit.app/Contents/MacOS/SourceGit SourceGit.app/Contents/MacOS/SourceGit
+cp resources/app/App.icns SourceGit.app/Contents/Resources/App.icns
+sed "s/SOURCE_GIT_VERSION/$VERSION/g" resources/app/App.plist > SourceGit.app/Contents/Info.plist
+rm -rf SourceGit.app/Contents/MacOS/SourceGit.dsym
+
+# Code signing (if certificate is available)
+if [ -n "$MACOS_CERTIFICATE" ] && [ -n "$MACOS_CERTIFICATE_PWD" ]; then
+    echo "Setting up code signing..."
+
+    # Create temporary keychain
+    KEYCHAIN_PATH=$RUNNER_TEMP/app-signing.keychain-db
+    KEYCHAIN_PASSWORD=$(openssl rand -base64 32)
+
+    # Import certificate
+    echo "$MACOS_CERTIFICATE" | base64 --decode > certificate.p12
+
+    # Create and configure keychain
+    security create-keychain -p "$KEYCHAIN_PASSWORD" "$KEYCHAIN_PATH"
+    security set-keychain-settings -lut 21600 "$KEYCHAIN_PATH"
+    security unlock-keychain -p "$KEYCHAIN_PASSWORD" "$KEYCHAIN_PATH"
+
+    # Import certificate to keychain
+    security import certificate.p12 -P "$MACOS_CERTIFICATE_PWD" -A -t cert -f pkcs12 -k "$KEYCHAIN_PATH"
+    security list-keychain -d user -s "$KEYCHAIN_PATH"
+
+    # Sign the app
+    echo "Signing SourceGit.app..."
+    codesign --deep --force --verify --verbose \
+        --sign "Developer ID Application" \
+        --options runtime \
+        --entitlements resources/app/entitlements.plist \
+        --timestamp \
+        SourceGit.app
+
+    echo "Verifying signature..."
+    codesign --verify --verbose SourceGit.app
+
+    # Clean up certificate
+    rm certificate.p12
+else
+    echo "No signing certificate found, creating unsigned DMG..."
+fi
+
+# Create DMG
+echo "Creating DMG..."
+DMG_NAME="sourcegit_${VERSION}.${RUNTIME}.dmg"
+VOLUME_NAME="SourceGit ${VERSION}"
+
+# Create a temporary directory for DMG contents
+rm -rf dmg_temp
+mkdir dmg_temp
+cp -R SourceGit.app dmg_temp/
+
+# Create Applications symlink
+ln -s /Applications dmg_temp/Applications
+
+# Create DMG using hdiutil (more reliable than create-dmg in CI)
+hdiutil create -volname "$VOLUME_NAME" \
+    -srcfolder dmg_temp \
+    -ov -format UDZO \
+    "$DMG_NAME"
+
+# Sign the DMG itself (if certificate is available)
+if [ -n "$MACOS_CERTIFICATE" ]; then
+    echo "Signing DMG..."
+    codesign --sign "Developer ID Application" \
+        --timestamp \
+        "$DMG_NAME"
+fi
+
+# Notarization (if credentials are available)
+if [ -n "$APPLE_ID" ] && [ -n "$NOTARIZE_PASSWORD" ] && [ -n "$TEAM_ID" ]; then
+    echo "Submitting for notarization..."
+
+    # Submit for notarization
+    xcrun notarytool submit "$DMG_NAME" \
+        --apple-id "$APPLE_ID" \
+        --password "$NOTARIZE_PASSWORD" \
+        --team-id "$TEAM_ID" \
+        --wait
+
+    # Staple the notarization ticket
+    echo "Stapling notarization..."
+    xcrun stapler staple "$DMG_NAME"
+
+    echo "Verifying notarization..."
+    spctl -a -t open --context context:primary-signature -v "$DMG_NAME"
+fi
+
+# Clean up
+rm -rf dmg_temp SourceGit.app
+
+echo "DMG created: $DMG_NAME"
+ls -lh "$DMG_NAME"

docs/MACOS_SIGNING.md

@@ -0,0 +1,117 @@
+# macOS Code Signing and Notarization Setup
+
+This guide explains how to set up code signing and notarization for macOS releases.
+
+## Prerequisites
+
+1. **Apple Developer Account** ($99/year)
+   - Sign up at https://developer.apple.com
+   - Enroll in the Apple Developer Program
+
+2. **Developer ID Certificate**
+   - In Xcode: Preferences → Accounts → Manage Certificates
+   - Create a "Developer ID Application" certificate
+   - Export as .p12 file with password
+
+## GitHub Secrets Setup
+
+Add these secrets to your GitHub repository (Settings → Secrets and variables → Actions):
+
+### Required Secrets
+
+1. **MACOS_CERTIFICATE**
+   ```bash
+   # Convert your .p12 certificate to base64
+   base64 -i DeveloperID_Application.p12 | pbcopy
+   ```
+   Paste the base64 string as the secret value
+
+2. **MACOS_CERTIFICATE_PWD**
+   - The password you used when exporting the .p12 certificate
+
+3. **APPLE_ID** (for notarization)
+   - Your Apple ID email address
+
+4. **NOTARIZE_PASSWORD** (for notarization)
+   - Generate an app-specific password:
+   - Go to https://appleid.apple.com/account/manage
+   - Sign in → Security → App-Specific Passwords
+   - Generate a password for "SourceGit Notarization"
+
+5. **TEAM_ID** (for notarization)
+   - Find your Team ID in Apple Developer account
+   - Or run: `xcrun altool --list-providers -u "[email protected]" -p "app-specific-password"`
+
+## Testing Locally
+
+Test the signing process locally:
+
+```bash
+# Set environment variables
+export VERSION="2025.34.10"
+export RUNTIME="osx-arm64"
+export MACOS_CERTIFICATE="base64_encoded_cert"
+export MACOS_CERTIFICATE_PWD="your_password"
+export APPLE_ID="[email protected]"
+export NOTARIZE_PASSWORD="app-specific-password"
+export TEAM_ID="YOURTEAMID"
+
+# Run the DMG script
+cd build
+./scripts/package.osx-dmg.sh
+```
+
+## Verification
+
+After downloading the DMG:
+
+```bash
+# Check signature
+codesign -dv --verbose=4 /path/to/SourceGit.app
+
+# Check notarization
+spctl -a -t open --context context:primary-signature -v /path/to/sourcegit.dmg
+
+# Verify Gatekeeper acceptance
+spctl -a -vvv /path/to/SourceGit.app
+```
+
+## Workflow Behavior
+
+The workflow creates both signed DMG and unsigned ZIP:
+
+- **With secrets**: Creates signed and notarized DMG + unsigned ZIP
+- **Without secrets**: Creates unsigned DMG + unsigned ZIP
+
+Both are uploaded as release assets, giving users options.
+
+## Troubleshooting
+
+### "Developer ID Application" not found
+- Ensure certificate is properly imported
+- Check keychain access permissions
+
+### Notarization fails
+- Verify app-specific password is correct
+- Check Team ID matches your developer account
+- Ensure all entitlements are correct
+
+### DMG won't open
+- Check if Gatekeeper is enabled: `spctl --status`
+- Try right-click → Open for first launch
+
+## Cost Considerations
+
+- Apple Developer Program: $99/year
+- No per-notarization costs
+- Unlimited app notarizations included
+
+## Alternative: Ad-hoc Signing (Free)
+
+For testing without Apple Developer account:
+```bash
+# Ad-hoc sign (no notarization possible)
+codesign --deep --force -s - SourceGit.app
+```
+
+Note: Ad-hoc signed apps will still show warnings but can be opened with right-click → Open.

resources/app/entitlements.plist

@@ -0,0 +1,29 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
+<plist version="1.0">
+<dict>
+    <!-- Required for notarization -->
+    <key>com.apple.security.cs.allow-jit</key>
+    <true/>
+
+    <!-- Allow unsigned executable memory (required for .NET) -->
+    <key>com.apple.security.cs.allow-unsigned-executable-memory</key>
+    <true/>
+
+    <!-- Allow DYLD environment variables -->
+    <key>com.apple.security.cs.allow-dyld-environment-variables</key>
+    <true/>
+
+    <!-- File access permissions -->
+    <key>com.apple.security.files.user-selected.read-write</key>
+    <true/>
+
+    <!-- Network client (for Git operations) -->
+    <key>com.apple.security.network.client</key>
+    <true/>
+
+    <!-- Terminal/Shell access (for Git commands) -->
+    <key>com.apple.security.inherit</key>
+    <true/>
+</dict>
+</plist>