Improve code signing and notarization workflow

- Fix CMake syntax error in Packaging.cmake (NOT instead of not)
- Use CMake variables with environment fallbacks for all signing credentials
- Fix CPACK_PACKAGE_FILE_NAME mismatch by saving to RETUNER_PACKAGE_FILE_NAME
- Simplify target dependencies to ensure correct build order
- Remove redundant HARDENED_RUNTIME settings from CMakeLists.txt
- Add utils/apple.env.sample with example environment variables

Author: mfisher31

.github/copilot-instructions.md

@@ -35,13 +35,13 @@ When working with this codebase, be aware of these critical audio development co
 - CMake-based build that generates platform-specific project files
 - Cross-platform considerations for Windows, macOS, and Linux
 - Bundle packaging via Python scripts (`utils/artifacts.py`)
+- Make sure to `cd` in to the build directory when using the cmake option `--build .`
 
 ## Key Components
-- **docs/retuner-mockup-00.png**: UI Mockup Design
 - **processor.cpp/.hpp**: Audio DSP code and parameter handling
 - **editor.cpp/.hpp**: GUI implementation
+- **src/app/*.***: Standalon application code
 - **CMakeLists.txt**: Build configuration
-- **artifacts.py**: Build artifact packaging script
 
 ## Performance Considerations
 - Audio processing must be efficient and avoid allocations

.gitignore

@@ -5,3 +5,4 @@
 *.exe
 .DS_Store
 /utils/codesign.env
+/utils/apple.env

CMakeLists.txt

@@ -70,12 +70,6 @@ juce_add_plugin(reTuner
     LV2URI "https://kushview.net/plugins/retuner"
     VST3_CATEGORIES Fx "Pitch Shift"
     AU_MAIN_TYPE "kAudioUnitType_Effect"
-
-    HARDENED_RUNTIME_ENABLED TRUE
-    HARDENED_RUNTIME_OPTIONS
-        "com.apple.security.cs.allow-jit"
-	    "com.apple.security.cs.disable-library-validation"
-	    "com.apple.security.device.audio-input"
 )
 clap_juce_extensions_plugin(TARGET reTuner
     CLAP_ID "net.kushview.plugins.reTuner"

cmake/CodeSign.cmake

@@ -1,6 +1,6 @@
 if(APPLE)   
     # Code signing identity - check CMake variable, then environment, default to ad-hoc
-    if(NOT DEFINED CODE_SIGN_IDENTITY)
+    if(NOT CODE_SIGN_IDENTITY)
         if(DEFINED ENV{CODE_SIGN_IDENTITY})
             set(CODE_SIGN_IDENTITY "$ENV{CODE_SIGN_IDENTITY}")
         else()

cmake/Packaging.cmake

@@ -35,6 +35,7 @@ endif()
 
 set(RETUNER_GENERATOR ${CPACK_GENERATOR})
 set(CPACK_PACKAGE_FILE_NAME "${PROJECT_NAME}-${CPACK_PACKAGE_VERSION}-${RETUNER_SYSTEM_NAME}-${RETUNER_PROCESSOR}")
+set(RETUNER_PACKAGE_FILE_NAME "${CPACK_PACKAGE_FILE_NAME}")
 include(CPack)
 
 add_custom_target(installer
@@ -45,6 +46,10 @@ add_custom_target(installer
     VERBATIM
     USES_TERMINAL)
 
+if(APPLE)
+    add_dependencies(installer sign-products)
+endif()
+
 if("productbuild" IN_LIST RETUNER_GENERATOR OR RETUNER_GENERATOR STREQUAL "productbuild")
     cpack_add_component(AU
         DISPLAY_NAME "Audio Unit Plugin"
@@ -70,26 +75,43 @@ endif()
 
 # Signing and notarization targets for macOS
 if(APPLE)
-    set(NOTARIZE_FILE "${PROJECT_BINARY_DIR}/${CPACK_PACKAGE_FILE_NAME}.pkg")
-    set(UNSIGNED_PKG "${PROJECT_BINARY_DIR}/${CPACK_PACKAGE_FILE_NAME}-unsigned.pkg")
+    set(NOTARIZE_FILE "${PROJECT_BINARY_DIR}/${RETUNER_PACKAGE_FILE_NAME}.pkg")
+    set(UNSIGNED_PKG "${PROJECT_BINARY_DIR}/${RETUNER_PACKAGE_FILE_NAME}-unsigned.pkg")
+
+    if(NOT INSTALLER_SIGN_IDENTITY)
+        set(INSTALLER_SIGN_IDENTITY $ENV{INSTALLER_SIGN_IDENTITY})
+    endif()
+    
+    if(NOT APPLE_ID)
+        set(APPLE_ID $ENV{APPLE_ID})
+    endif()
+    
+    if(NOT TEAM_ID)
+        set(TEAM_ID $ENV{TEAM_ID})
+    endif()
+    
+    if(NOT APP_PASSWORD)
+        set(APP_PASSWORD $ENV{APP_PASSWORD})
+    endif()
 
     # Sign the installer package (uses productsign)
     add_custom_target(sign-installer
         COMMAND echo "Signing installer package..."
         COMMAND ${CMAKE_COMMAND} -E rename "${NOTARIZE_FILE}" "${UNSIGNED_PKG}"
-        COMMAND productsign --sign "$ENV{INSTALLER_SIGN_IDENTITY}" "${UNSIGNED_PKG}" "${NOTARIZE_FILE}"
+        COMMAND productsign --sign "${INSTALLER_SIGN_IDENTITY}" "${UNSIGNED_PKG}" "${NOTARIZE_FILE}"
         COMMAND ${CMAKE_COMMAND} -E rm -f "${UNSIGNED_PKG}"
         COMMAND echo "✓ Signed: ${NOTARIZE_FILE}"
         COMMENT "Signing productbuild package with productsign"
         VERBATIM
         USES_TERMINAL)
+    add_dependencies(sign-installer installer)
 
     add_custom_target(notarize
         COMMAND echo "Submitting for notarization: ${NOTARIZE_FILE}"
         COMMAND xcrun notarytool submit "${NOTARIZE_FILE}"
-            --apple-id "$ENV{APPLE_ID}"
-            --team-id "$ENV{TEAM_ID}"
-            --password "$ENV{APP_PASSWORD}"
+            --apple-id "${APPLE_ID}"
+            --team-id "${TEAM_ID}"
+            --password "${APP_PASSWORD}"
             --wait
         COMMAND echo "Stapling notarization ticket..."
         COMMAND xcrun stapler staple "${NOTARIZE_FILE}"
@@ -98,6 +120,5 @@ if(APPLE)
         VERBATIM
         USES_TERMINAL)
 
-    add_dependencies(notarize sign-products installer)
     add_dependencies(notarize sign-installer)
 endif()

utils/apple.env.sample

@@ -0,0 +1,20 @@
+# Apple Code Signing and Notarization Environment Variables
+# Source this file before building: source apple.env
+
+# Code signing identity for products (AU, VST3, CLAP, LV2, Standalone)
+# Example: "Developer ID Application: Your Name (TEAM_ID)"
+export CODE_SIGN_IDENTITY="Developer ID Application: Your Company Name (ABCD123456)"
+
+# Installer signing identity for the .pkg
+# Example: "Developer ID Installer: Your Name (TEAM_ID)"
+export INSTALLER_SIGN_IDENTITY="Developer ID Installer: Your Company Name (ABCD123456)"
+
+# Apple ID for notarization
+export APPLE_ID="[email protected]"
+
+# Team ID from Apple Developer account
+export TEAM_ID="ABCD123456"
+
+# App-specific password for notarization
+# Generate at: https://appleid.apple.com/account/manage (Sign-In and Security > App-Specific Passwords)
+export APP_PASSWORD="xxxx-xxxx-xxxx-xxxx"