Add DMG creation, signing, and notarization to macOS workflow

ozkanpakdil · ozkanpakdil · commit 9d12a3ddbdbc · 2026-01-19T21:21:56.000Z
- Replace `.tar.gz` artifacts with signed and notarized `.dmg`.
- Update release workflow and Homebrew Cask to use `.dmg` format.
- Refine packaging scripts for DMG handling and artifact generation.
- Update `README.md` with `.dmg` as the primary macOS artifact.
diff --git a/.github/workflows/macos.yml b/.github/workflows/macos.yml
@@ -187,6 +187,53 @@ jobs:
           # Check with spctl to see what Gatekeeper thinks
           spctl --assess --verbose=4 --type execute ./target/gluonfx/x86_64-darwin/${{ env.APP_NAME }}.app || true
 
+      - name: Create and sign DMG
+        run: |
+          echo "=== Creating DMG ==="
+          # Create a temporary directory for DMG content
+          mkdir -p dmg_content
+          cp -r ./target/gluonfx/x86_64-darwin/${{ env.APP_NAME }}.app dmg_content/
+          
+          # Create DMG
+          hdiutil create -volname "${{ env.APP_NAME }}" -srcfolder dmg_content -ov -format UDZO Swaggerific_x86_64.dmg
+          
+          echo "=== Signing DMG ==="
+          codesign --force --verify --verbose \
+            --sign "Developer ID Application: Ozkan Pakdil (${{ env.TEAM_ID }})" \
+            --timestamp \
+            Swaggerific_x86_64.dmg
+
+      - name: Notarize the DMG
+        run: |
+          echo "=== Submitting DMG for notarization ==="
+          xcrun notarytool submit Swaggerific_x86_64.dmg \
+            --key ~/private_keys/AuthKey_${{ secrets.APPLE_API_KEY_ID }}.p8 \
+            --key-id ${{ secrets.APPLE_API_KEY_ID }} \
+            --issuer ${{ secrets.APPLE_API_ISSUER_ID }} \
+            --wait > notarization_dmg_output.txt 2>&1 || true
+          
+          cat notarization_dmg_output.txt
+          
+          # Extract submission ID
+          SUBMISSION_ID=$(grep -o 'id: [a-f0-9-]*' notarization_dmg_output.txt | head -1 | cut -d' ' -f2)
+          echo "Submission ID: $SUBMISSION_ID"
+          
+          if grep -q "status: Accepted" notarization_dmg_output.txt; then
+            echo "=== Notarization successful! ==="
+            xcrun stapler staple Swaggerific_x86_64.dmg
+          else
+            echo "=== Notarization failed, fetching log ==="
+            if [ -n "$SUBMISSION_ID" ]; then
+              xcrun notarytool log "$SUBMISSION_ID" \
+                --key ~/private_keys/AuthKey_${{ secrets.APPLE_API_KEY_ID }}.p8 \
+                --key-id ${{ secrets.APPLE_API_KEY_ID }} \
+                --issuer ${{ secrets.APPLE_API_ISSUER_ID }} \
+                notarization_dmg_log.json || true
+              cat notarization_dmg_log.json || true
+            fi
+            exit 1
+          fi
+
       - name: Create and sign installer package
         run: |
           echo "=== Creating signed .pkg installer ==="
@@ -289,10 +336,8 @@ jobs:
       - name: Prepare staging artifacts
         run: |
           cp -r ./target/gluonfx/x86_64-darwin/${{ env.APP_NAME }}.app staging/
-          tar -czvf staging/swaggerific_x86_64-darwin.tar.gz -C target/gluonfx/x86_64-darwin ${{ env.APP_NAME }}.app
-          cp -r SwaggerificInstaller.pkg staging/
-          
-          
+          cp Swaggerific_x86_64.dmg staging/
+          cp SwaggerificInstaller.pkg staging/
 
       - name: Upload
         uses: actions/upload-artifact@v4
@@ -307,14 +352,15 @@ jobs:
           name: "MacOS Development Build (Signed & Notarized)"
           prerelease: true
           files: |
-            staging/*
+            staging/*.dmg
+            staging/*.pkg
         env:
           GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
 
       - name: Update Homebrew Cask
         run: |
-          # Calculate SHA256 of the tar.gz file
-          SHA256=$(shasum -a 256 staging/swaggerific_x86_64-darwin.tar.gz | awk '{print $1}')
+          # Calculate SHA256 of the dmg file
+          SHA256=$(shasum -a 256 staging/Swaggerific_x86_64.dmg | awk '{print $1}')
           echo "SHA256: $SHA256"
           
           # Update the cask file with the new SHA256
@@ -323,7 +369,7 @@ jobs:
             version "${{ env.APP_VERSION }}"
             sha256 "$SHA256"
 
-            url "https://github.com/ozkanpakdil/swaggerific/releases/download/latest_macos/swaggerific_x86_64-darwin.tar.gz",
+            url "https://github.com/ozkanpakdil/swaggerific/releases/download/latest_macos/Swaggerific_x86_64.dmg",
                 verified: "github.com/ozkanpakdil/swaggerific"
             name "Swaggerific"
             desc "Simple GUI app for working with Swagger/OpenAPI"
diff --git a/.github/workflows/package-and-release.yml b/.github/workflows/package-and-release.yml
@@ -96,7 +96,7 @@ jobs:
         if: "!startsWith(github.ref, 'refs/tags/')"
         with:
           tag_name: "latest"
-          name: "Latest Development Zip Package"
+          name: "Latest Development Package"
           prerelease: true
           files: |
             dist/*.zip
diff --git a/README.md b/README.md
@@ -12,7 +12,7 @@ Follow [here](https://bsky.app/profile/swaggerific.bsky.social) for new releases
 
 ## Install via Homebrew (macOS)
 
-Swaggerific is available as a Homebrew Cask for macOS (Intel x86_64). The app is **signed and notarized** with an Apple Developer ID certificate.
+Swaggerific is available as a Homebrew Cask for macOS (Intel x86_64). The app is **signed and notarized** with an Apple Developer ID certificate in a DMG package.
 
 1) Tap this repository:
 
@@ -41,11 +41,11 @@ brew uninstall --cask swaggerific
 Notes:
 - This cask targets Intel (x86_64) macOS builds.
 - The app is signed and notarized, so it should open without Gatekeeper warnings.
-- It pulls the latest prebuilt app bundle from the `latest_macos` GitHub release.
+- It pulls the latest prebuilt DMG from the `latest_macos` GitHub release.
 
 ## Packaging artifacts
 
-The macOS packaging script `build-macos-arm64.sh` places generated artifacts under the `staging/` directory (tar.gz, .pkg, and installer .pkg). The `staging/` folder is ignored by Git.
+The macOS packaging script `build-macos-arm64.sh` places generated artifacts under the `staging/` directory (DMG, .pkg, and installer .pkg). The `staging/` folder is ignored by Git.
 
 ### Local Signing and Notarization
 
@@ -118,8 +118,6 @@ A user interface (UI) designed to interact with APIs using Swagger or OpenAPI js
 mvn -Djava.awt.headless=false -Dtestfx.robot=glass -Dsurefire.parallel=none test
 ```
 
-test
-
 ### Run agent
 
 ```shell
diff --git a/build-macos-arm64.sh b/build-macos-arm64.sh
@@ -210,10 +210,19 @@ echo "The app has been signed and is located at: $STAGED_APP"
 echo "You can now try to open it manually to verify it works."
 read -p "Press Enter to continue with packaging and notarization, or Ctrl+C to abort..."
 
-ARCHIVE_NAME="swaggerific_aarch64-darwin.tar.gz"
-echo "Creating archive $ARCHIVE_NAME ..."
-# Use staged (signed) app for archive
-tar -czvf "$STAGING_DIR/$ARCHIVE_NAME" -C "$STAGING_DIR" "swaggerific.app"
+# --- DMG Creation ---
+DMG_NAME="Swaggerific_aarch64.dmg"
+echo "Creating DMG $DMG_NAME ..."
+mkdir -p "$STAGING_DIR/dmg_content"
+cp -r "$STAGED_APP" "$STAGING_DIR/dmg_content/"
+hdiutil create -volname "Swaggerific" -srcfolder "$STAGING_DIR/dmg_content" -ov -format UDZO "$STAGING_DIR/$DMG_NAME"
+rm -rf "$STAGING_DIR/dmg_content"
+
+echo "=== Signing DMG ==="
+codesign --force --verify --verbose \
+  --sign "$SIGNING_IDENTITY" \
+  --timestamp \
+  "$STAGING_DIR/$DMG_NAME"
 
 PKG_NAME="Swaggerific.pkg"
 INSTALLER_NAME="SwaggerificInstaller.pkg"
@@ -274,6 +283,22 @@ if [[ ${#AUTH_ARGS[@]} -gt 0 ]]; then
   xcrun stapler staple "$STAGED_APP"
   rm "$APP_ZIP"
 
+  # 1b. Notarize the DMG
+  echo "Submitting DMG for notarization..."
+  xcrun notarytool submit "$STAGING_DIR/$DMG_NAME" "${AUTH_ARGS[@]}" --wait > notarization_dmg_output.txt 2>&1 || true
+  cat notarization_dmg_output.txt
+  SUBMISSION_ID=$(grep -o 'id: [a-f0-9-]*' notarization_dmg_output.txt | head -1 | cut -d' ' -f2)
+  if ! grep -q "status: Accepted" notarization_dmg_output.txt; then
+    echo "=== DMG notarization failed, fetching log ==="
+    if [[ -n "${SUBMISSION_ID:-}" ]]; then
+      xcrun notarytool log "$SUBMISSION_ID" "${AUTH_ARGS[@]}" notarization_dmg_log.json || true
+      cat notarization_dmg_log.json || true
+    fi
+    exit 1
+  fi
+  echo "Stapling notarization ticket to DMG..."
+  xcrun stapler staple "$STAGING_DIR/$DMG_NAME"
+
   # 2. Notarize the installer package
   echo "Submitting installer for notarization..."
   xcrun notarytool submit "$STAGED_INSTALLER" "${AUTH_ARGS[@]}" --wait > notarization_pkg_output.txt 2>&1 || true
@@ -293,27 +318,24 @@ if [[ ${#AUTH_ARGS[@]} -gt 0 ]]; then
   echo "Stapling notarization ticket to installer..."
   xcrun stapler staple "$STAGED_INSTALLER"
 
-  # 3. Update the tar.gz with the stapled app
-  echo "Re-creating archive $ARCHIVE_NAME with stapled app..."
-  tar -czvf "$STAGING_DIR/$ARCHIVE_NAME" -C "$STAGING_DIR" "swaggerific.app"
-  
+  # 3. Done
   echo "Notarization and stapling complete."
 fi
 
 echo "Done. Artifacts:"
-echo " - $STAGING_DIR/$ARCHIVE_NAME"
+echo " - $STAGING_DIR/$DMG_NAME"
 echo " - $STAGING_DIR/$PKG_NAME"
 echo " - $STAGING_DIR/$INSTALLER_NAME"
 
 # ------------------------
 # Simple upload to GitHub Release (latest_macos)
 # ------------------------
-ARCHIVE_PATH="$STAGING_DIR/$ARCHIVE_NAME"
 if command -v gh >/dev/null 2>&1; then
-  echo "Uploading $ARCHIVE_PATH to https://github.com/$GITHUB_REPO/releases/tag/$RELEASE_TAG ..."
+  echo "Uploading artifacts to https://github.com/$GITHUB_REPO/releases/tag/$RELEASE_TAG ..."
   # Ensure release exists (no frills); if it doesn't, print a hint and skip
   if gh release view "$RELEASE_TAG" --repo "$GITHUB_REPO" >/dev/null 2>&1; then
-    gh release upload "$RELEASE_TAG" "$ARCHIVE_PATH" --repo "$GITHUB_REPO" --clobber || true
+    gh release upload "$RELEASE_TAG" "$STAGING_DIR/$DMG_NAME" --repo "$GITHUB_REPO" --clobber || true
+    gh release upload "$RELEASE_TAG" "$STAGING_DIR/$INSTALLER_NAME" --repo "$GITHUB_REPO" --clobber || true
     echo "Upload complete."
   else
     echo "Release tag '$RELEASE_TAG' does not exist on $GITHUB_REPO. Create it first, then re-run."
@@ -322,7 +344,7 @@ if command -v gh >/dev/null 2>&1; then
 else
   echo "GitHub CLI (gh) not found. To upload manually run:"
   echo "  gh auth login"
-  echo "  gh release upload $RELEASE_TAG $ARCHIVE_PATH --repo $GITHUB_REPO --clobber"
+  echo "  gh release upload $RELEASE_TAG $STAGING_DIR/$DMG_NAME --repo $GITHUB_REPO --clobber"
 fi
 
 
