feat: replace Apple ID signing with ad-hoc codesign (no Apple account required)

Copilot · lmangani · Copilot · commit 7d7fbccaa93d · 2026-03-09T00:35:21.000Z
Co-authored-by: lmangani &lt;1423657+lmangani@users.noreply.github.com&gt;
diff --git a/.github/workflows/build-mac-dmg.yml b/.github/workflows/build-mac-dmg.yml
@@ -54,39 +54,55 @@ jobs:
       - name: Build frontend
         run: pnpm run build:frontend
 
-      - name: Build macOS DMG
+      - name: Build macOS app bundle (unsigned)
+        # Build the unpacked .app only — electron-builder signing is disabled entirely.
+        # Ad-hoc signing is applied in the next step via build/macos/codesign.sh.
+        id: build-app
+        env:
+          CSC_IDENTITY_AUTO_DISCOVERY: "false"
+        run: |
+          pnpm exec electron-builder --mac --dir \
+            --config.mac.notarize=false \
+            --config.publish.owner=${{ github.repository_owner }} \
+            --config.publish.repo=${{ github.event.repository.name }}
+
+          APP_PATH=$(find release/mac-* -name "*.app" -maxdepth 1 | head -1)
+          if [ -z "$APP_PATH" ]; then
+            echo "Error: No .app bundle found in release/"
+            exit 1
+          fi
+          echo "app_path=$APP_PATH" >> "$GITHUB_OUTPUT"
+
+      - name: Ad-hoc code sign the app bundle
+        # Signs all Mach-O binaries (Python natives, Electron frameworks, executables)
+        # and the app bundle using identity "-" (ad-hoc / self-signed).
+        # No Apple ID, no certificate, no notarization required.
+        # To use a real Developer ID certificate, set the MACOS_SIGNING_IDENTITY secret.
+        run: |
+          chmod +x build/macos/codesign.sh
+          ./build/macos/codesign.sh "${{ steps.build-app.outputs.app_path }}"
+        env:
+          MACOS_SIGNING_IDENTITY: ${{ secrets.MACOS_SIGNING_IDENTITY || '-' }}
+
+      - name: Create DMG from signed app
+        # Packages the signed .app into a DMG using the electron-builder.yml layout.
+        # --prepackaged skips the build phase; electron-builder only creates the DMG.
+        # CSC_IDENTITY_AUTO_DISCOVERY=false prevents any re-signing attempt.
         env:
           GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
-          CSC_LINK: ${{ secrets.CSC_LINK }}
-          CSC_KEY_PASSWORD: ${{ secrets.CSC_KEY_PASSWORD }}
-          APPLE_ID: ${{ secrets.APPLE_ID }}
-          APPLE_TEAM_ID: ${{ secrets.APPLE_TEAM_ID }}
-          APPLE_APP_SPECIFIC_PASSWORD: ${{ secrets.APPLE_APP_SPECIFIC_PASSWORD }}
+          CSC_IDENTITY_AUTO_DISCOVERY: "false"
         run: |
-          # Publish to the GitHub Release only when triggered by a release event.
-          # For workflow_dispatch, the DMG is available as a workflow artifact below.
           PUBLISH_MODE="never"
           if [ "${{ github.event_name }}" = "release" ]; then
             PUBLISH_MODE="always"
           fi
 
-          # Build electron-builder argument list
-          BUILD_ARGS=(
-            "--mac"
-            "--publish" "$PUBLISH_MODE"
-            "--config.publish.owner=${{ github.repository_owner }}"
-            "--config.publish.repo=${{ github.event.repository.name }}"
-          )
-
-          # Skip code signing and notarization when secrets are not configured.
-          # This allows unsigned DMG builds without requiring an Apple Developer account.
-          if [ -z "$CSC_LINK" ] || [ -z "$APPLE_ID" ]; then
-            echo "::notice::Code signing secrets not configured — building unsigned DMG"
-            export CSC_IDENTITY_AUTO_DISCOVERY=false
-            BUILD_ARGS+=("--config.mac.notarize=false")
-          fi
-
-          pnpm exec electron-builder "${BUILD_ARGS[@]}"
+          pnpm exec electron-builder --mac dmg \
+            --prepackaged "${{ steps.build-app.outputs.app_path }}" \
+            --config.mac.notarize=false \
+            --config.publish.owner=${{ github.repository_owner }} \
+            --config.publish.repo=${{ github.event.repository.name }} \
+            --publish "$PUBLISH_MODE"
 
       - name: Upload DMG artifact
         uses: actions/upload-artifact@v4
diff --git a/build/macos/codesign.sh b/build/macos/codesign.sh
@@ -0,0 +1,123 @@
+#!/usr/bin/env bash
+# build/macos/codesign.sh
+# Ad-hoc code signing for LTX Desktop macOS app bundle.
+#
+# No Apple Developer account or Apple ID is required. By default this script
+# uses ad-hoc signing (identity "-"), which prevents the "app is damaged" Gatekeeper
+# warning without needing a paid Apple Developer certificate.
+#
+# For production releases with a real Developer ID, set the MACOS_SIGNING_IDENTITY
+# environment variable to your certificate name (e.g. "Developer ID Application: …").
+#
+# Adapted from: https://github.com/audiohacking/AceForge/blob/main/build/macos/codesign.sh
+# Original reference: https://github.com/dylanwh/lilguy/blob/main/macos/build.sh
+#
+# Usage:
+#   bash build/macos/codesign.sh <path-to-app.bundle>
+
+set -euo pipefail
+
+APP_PATH="${1:?Usage: $0 <path-to-app.bundle>}"
+SIGNING_IDENTITY="${MACOS_SIGNING_IDENTITY:--}"   # Default: ad-hoc ("-")
+ENTITLEMENTS_PATH="resources/entitlements.mac.plist"
+
+echo "=================================================="
+echo "  LTX Desktop macOS Code Signing"
+echo "=================================================="
+echo "  App:          $APP_PATH"
+echo "  Identity:     $SIGNING_IDENTITY"
+echo "  Entitlements: $ENTITLEMENTS_PATH"
+echo ""
+
+# ── Pre-flight checks ────────────────────────────────────────────────────────
+if [ ! -d "$APP_PATH" ]; then
+    echo "Error: App bundle not found at $APP_PATH"
+    exit 1
+fi
+
+if [ ! -f "$ENTITLEMENTS_PATH" ]; then
+    echo "Error: Entitlements file not found at $ENTITLEMENTS_PATH"
+    echo "       Run this script from the project root."
+    exit 1
+fi
+
+# ── Signing helper ────────────────────────────────────────────────────────────
+# Ad-hoc signing ("-") does not support --timestamp (requires a CA).
+sign_target() {
+    local target="$1"
+    echo "  Signing: $(basename "$target")"
+
+    if [ "$SIGNING_IDENTITY" = "-" ]; then
+        xcrun codesign \
+            --sign "$SIGNING_IDENTITY" \
+            --force \
+            --options runtime \
+            --entitlements "$ENTITLEMENTS_PATH" \
+            --deep \
+            "$target"
+    else
+        xcrun codesign \
+            --sign "$SIGNING_IDENTITY" \
+            --force \
+            --options runtime \
+            --entitlements "$ENTITLEMENTS_PATH" \
+            --deep \
+            --timestamp \
+            "$target"
+    fi
+
+    echo "  ✓ Signed: $(basename "$target")"
+}
+
+# ── Step 1: Sign bundled Python native libraries ──────────────────────────────
+# Sign leaf Mach-O binaries first so the bundle signature remains valid.
+# The Python embed directory contains .dylib/.so native extensions.
+echo "Step 1: Signing bundled Python native libraries..."
+PYTHON_DIR="$APP_PATH/Contents/Resources/python"
+if [ -d "$PYTHON_DIR" ]; then
+    find "$PYTHON_DIR" -type f \( -name "*.dylib" -o -name "*.so" \) -print0 | \
+        while IFS= read -r -d '' lib; do
+            sign_target "$lib" || true   # keep going on individual failures
+        done
+    echo "  Python native libraries signed."
+else
+    echo "  No bundled Python directory found at Contents/Resources/python — skipping."
+fi
+
+# ── Step 2: Sign Electron framework libraries ────────────────────────────────
+echo ""
+echo "Step 2: Signing Electron framework libraries..."
+if [ -d "$APP_PATH/Contents/Frameworks" ]; then
+    find "$APP_PATH/Contents/Frameworks" -type f \( -name "*.dylib" -o -name "*.so" \) -print0 | \
+        while IFS= read -r -d '' f; do
+            sign_target "$f" || true
+        done
+fi
+
+# ── Step 3: Sign main executables ────────────────────────────────────────────
+echo ""
+echo "Step 3: Signing main executables..."
+for exe in "$APP_PATH/Contents/MacOS/"*; do
+    if [ -f "$exe" ] && [ -x "$exe" ]; then
+        sign_target "$exe"
+    fi
+done
+
+# ── Step 4: Sign the whole app bundle ────────────────────────────────────────
+echo ""
+echo "Step 4: Signing app bundle..."
+sign_target "$APP_PATH"
+
+# ── Verification ─────────────────────────────────────────────────────────────
+echo ""
+echo "Verification:"
+xcrun codesign --verify --deep --strict --verbose=2 "$APP_PATH" 2>&1 || true
+
+echo ""
+echo "Signature info:"
+xcrun codesign -dv "$APP_PATH" 2>&1 || true
+
+echo ""
+echo "=================================================="
+echo "  ✓ Code signing complete!"
+echo "=================================================="
