fix(newm-admin): Add macOS code signing and notarization

AndrewWestberg · AndrewWestberg · commit a1290942c317 · 2026-01-13T17:35:20.000Z
diff --git a/.github/workflows/newm-admin-release.yml b/.github/workflows/newm-admin-release.yml
@@ -94,7 +94,7 @@ jobs:
           path: newm-admin/${{ steps.package.outputs.PKG_PATH }}
 
   package-macos:
-    name: Package macOS DMG
+    name: Package macOS DMG (Universal)
     needs: build
     runs-on: macos-latest
 
@@ -110,6 +110,7 @@ jobs:
         uses: dtolnay/rust-toolchain@stable
         with:
           toolchain: stable
+          targets: aarch64-apple-darwin,x86_64-apple-darwin
 
       - name: Setup Rust cache
         uses: Swatinem/rust-cache@v2
@@ -119,26 +120,93 @@ jobs:
       - name: Install create-dmg
         run: brew install create-dmg
 
-      - name: Build Release
+      - name: Build ARM64 (Apple Silicon)
         run: cargo build --release --target aarch64-apple-darwin --locked
 
+      - name: Build x86_64 (Intel)
+        run: cargo build --release --target x86_64-apple-darwin --locked
+
       - name: Get version
         id: version
         run: |
           VERSION=$(sed -n 's/^version = "\(.*\)"/\1/p' Cargo.toml | head -n1)
           echo "VERSION=${VERSION}" >> $GITHUB_OUTPUT
 
-      - name: Create DMG
+      - name: Import Code Signing Certificate
+        env:
+          MACOS_CERTIFICATE: ${{ secrets.MACOS_CERTIFICATE }}
+          MACOS_CERTIFICATE_PWD: ${{ secrets.MACOS_CERTIFICATE_PWD }}
+          KEYCHAIN_PASSWORD: ${{ secrets.KEYCHAIN_PASSWORD }}
+        run: |
+          # Create a temporary keychain
+          security create-keychain -p "$KEYCHAIN_PASSWORD" build.keychain
+          security default-keychain -s build.keychain
+          security unlock-keychain -p "$KEYCHAIN_PASSWORD" build.keychain
+          security set-keychain-settings -t 3600 -u build.keychain
+          
+          # Decode certificate
+          echo "$MACOS_CERTIFICATE" | base64 --decode > certificate.p12
+          
+          # Debug: Check file size (should be ~4300 bytes based on 5760 base64 chars)
+          echo "Certificate file size:"
+          ls -la certificate.p12
+          
+          # Debug: Verify the p12 file is valid with openssl first
+          echo "Verifying p12 with openssl..."
+          openssl pkcs12 -in certificate.p12 -nokeys -passin pass:"$MACOS_CERTIFICATE_PWD" -legacy 2>&1 || {
+            echo "OpenSSL verification failed. Trying without -legacy flag..."
+            openssl pkcs12 -in certificate.p12 -nokeys -passin pass:"$MACOS_CERTIFICATE_PWD" 2>&1 || {
+              echo "ERROR: p12 file appears invalid or password is wrong"
+              echo "Password length: ${#MACOS_CERTIFICATE_PWD}"
+              exit 1
+            }
+          }
+          
+          # Import certificate
+          security import certificate.p12 -k build.keychain -P "$MACOS_CERTIFICATE_PWD" -T /usr/bin/codesign -T /usr/bin/security
+          security set-key-partition-list -S apple-tool:,apple:,codesign: -s -k "$KEYCHAIN_PASSWORD" build.keychain
+          
+          # Verify certificate was imported
+          security find-identity -v -p codesigning build.keychain
+          
+          # Clean up certificate file
+          rm certificate.p12
+
+      - name: Create Universal App Bundle and DMG
+        env:
+          MACOS_SIGNING_IDENTITY: ${{ secrets.MACOS_SIGNING_IDENTITY }}
         run: |
           chmod +x packaging/macos/bundle.sh
           packaging/macos/bundle.sh ${{ steps.version.outputs.VERSION }} aarch64-apple-darwin
 
+      - name: Notarize App
+        env:
+          APPLE_ID: ${{ secrets.APPLE_ID }}
+          APPLE_APP_PASSWORD: ${{ secrets.APPLE_APP_PASSWORD }}
+          APPLE_TEAM_ID: ${{ secrets.APPLE_TEAM_ID }}
+        run: |
+          DMG_PATH="target/aarch64-apple-darwin/release/NEWM-Admin-${{ steps.version.outputs.VERSION }}-macos.dmg"
+          
+          echo "Submitting DMG for notarization..."
+          xcrun notarytool submit "$DMG_PATH" \
+            --apple-id "$APPLE_ID" \
+            --password "$APPLE_APP_PASSWORD" \
+            --team-id "$APPLE_TEAM_ID" \
+            --wait
+          
+          echo "Stapling notarization ticket to DMG..."
+          xcrun stapler staple "$DMG_PATH"
+          
+          echo "Verifying notarization..."
+          xcrun stapler validate "$DMG_PATH"
+
       - name: Upload DMG
         uses: actions/upload-artifact@v4
         with:
           name: NEWM-Admin-${{ steps.version.outputs.VERSION }}-macos.dmg
           path: newm-admin/target/aarch64-apple-darwin/release/NEWM-Admin-${{ steps.version.outputs.VERSION }}-macos.dmg
 
+
   package-linux:
     name: Package Linux AppImage
     needs: build
diff --git a/newm-admin/Cargo.lock b/newm-admin/Cargo.lock
diff --git a/newm-admin/Cargo.toml b/newm-admin/Cargo.toml
@@ -1,6 +1,6 @@
 [package]
 name = "newm-admin"
-version = "0.1.2"
+version = "0.1.3-alpha.3"
 edition = "2024"
 authors = ["Andrew Westberg <awestberg@newm.io>"]
 license = "Apache-2.0"
diff --git a/newm-admin/packaging/macos/Entitlements.plist b/newm-admin/packaging/macos/Entitlements.plist
@@ -0,0 +1,12 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
+<plist version="1.0">
+<dict>
+    <!-- Required for JIT compilation and some memory operations -->
+    <key>com.apple.security.cs.allow-unsigned-executable-memory</key>
+    <true/>
+    <!-- Allow network client connections (required for API calls) -->
+    <key>com.apple.security.network.client</key>
+    <true/>
+</dict>
+</plist>
diff --git a/newm-admin/packaging/macos/bundle.sh b/newm-admin/packaging/macos/bundle.sh
@@ -4,6 +4,9 @@ set -euo pipefail
 # macOS App Bundle and DMG Creator for NEWM Admin
 # Usage: ./bundle.sh <version> <target>
 # Example: ./bundle.sh 0.1.0 aarch64-apple-darwin
+#
+# Environment variables:
+#   MACOS_SIGNING_IDENTITY - Code signing identity (optional, skips signing if not set)
 
 VERSION="${1:-0.1.0}"
 TARGET="${2:-aarch64-apple-darwin}"
@@ -14,15 +17,33 @@ BUILD_DIR="$PROJECT_DIR/target/$TARGET/release"
 APP_NAME="NEWM Admin.app"
 DMG_NAME="NEWM-Admin-${VERSION}-macos.dmg"
 
+# Signing identity from environment (set by GitHub Actions)
+SIGNING_IDENTITY="${MACOS_SIGNING_IDENTITY:-}"
+
 echo "Creating macOS app bundle..."
+echo "  Version: $VERSION"
+echo "  Target: $TARGET"
+echo "  Signing: ${SIGNING_IDENTITY:-(unsigned)}"
 
 # Create app bundle structure
 rm -rf "$BUILD_DIR/$APP_NAME"
 mkdir -p "$BUILD_DIR/$APP_NAME/Contents/MacOS"
 mkdir -p "$BUILD_DIR/$APP_NAME/Contents/Resources"
 
-# Copy executable
-cp "$BUILD_DIR/newm-admin" "$BUILD_DIR/$APP_NAME/Contents/MacOS/"
+# Check for universal binary opportunity
+INTEL_BINARY="$PROJECT_DIR/target/x86_64-apple-darwin/release/newm-admin"
+ARM_BINARY="$PROJECT_DIR/target/aarch64-apple-darwin/release/newm-admin"
+
+if [[ -f "$INTEL_BINARY" && -f "$ARM_BINARY" ]]; then
+    echo "Creating universal binary (Intel + ARM)..."
+    lipo -create -output "$BUILD_DIR/$APP_NAME/Contents/MacOS/newm-admin" \
+        "$INTEL_BINARY" "$ARM_BINARY"
+    echo "  Universal binary created successfully"
+else
+    # Fallback to single-arch binary
+    echo "Using single-architecture binary for $TARGET"
+    cp "$BUILD_DIR/newm-admin" "$BUILD_DIR/$APP_NAME/Contents/MacOS/"
+fi
 
 # Copy icon
 cp "$PROJECT_DIR/assets/icon.icns" "$BUILD_DIR/$APP_NAME/Contents/Resources/icon.icns"
@@ -32,6 +53,22 @@ sed "s/\${VERSION}/$VERSION/g" "$SCRIPT_DIR/Info.plist" > "$BUILD_DIR/$APP_NAME/
 
 echo "App bundle created at: $BUILD_DIR/$APP_NAME"
 
+# Code signing (if identity is provided)
+if [[ -n "$SIGNING_IDENTITY" ]]; then
+    echo "Signing app bundle with: $SIGNING_IDENTITY"
+    codesign --force --deep --sign "$SIGNING_IDENTITY" \
+        --options runtime \
+        --entitlements "$SCRIPT_DIR/Entitlements.plist" \
+        --timestamp \
+        "$BUILD_DIR/$APP_NAME"
+    
+    echo "Verifying signature..."
+    codesign --verify --verbose=2 "$BUILD_DIR/$APP_NAME"
+    echo "  Signature verified successfully"
+else
+    echo "WARNING: No signing identity provided, app will be unsigned"
+fi
+
 # Create DMG if create-dmg is available
 if command -v create-dmg &> /dev/null; then
     echo "Creating DMG..."
@@ -49,11 +86,24 @@ if command -v create-dmg &> /dev/null; then
         "$BUILD_DIR/$DMG_NAME" \
         "$BUILD_DIR/$APP_NAME"
     
+    # Sign the DMG as well if we have a signing identity
+    if [[ -n "$SIGNING_IDENTITY" ]]; then
+        echo "Signing DMG..."
+        codesign --force --sign "$SIGNING_IDENTITY" --timestamp "$BUILD_DIR/$DMG_NAME"
+    fi
+    
     echo "DMG created at: $BUILD_DIR/$DMG_NAME"
 else
     echo "create-dmg not found, creating simple DMG with hdiutil..."
     rm -f "$BUILD_DIR/$DMG_NAME"
     hdiutil create -volname "NEWM Admin" -srcfolder "$BUILD_DIR/$APP_NAME" -ov -format UDZO "$BUILD_DIR/$DMG_NAME"
+    
+    # Sign the DMG as well if we have a signing identity
+    if [[ -n "$SIGNING_IDENTITY" ]]; then
+        echo "Signing DMG..."
+        codesign --force --sign "$SIGNING_IDENTITY" --timestamp "$BUILD_DIR/$DMG_NAME"
+    fi
+    
     echo "DMG created at: $BUILD_DIR/$DMG_NAME"
 fi
 
