Fix DMG: Finder alias instead of symlink, inside-out signing in CI

Local build script:
- Replace --app-drop-link with Finder alias to /Applications
- Symlinks show broken/generic icon on macOS Sonoma+ in read-only DMGs
- Finder aliases always resolve the proper Applications folder icon

CI release workflow:
- Replace ln -s with Finder alias + create-dmg (matching local script)
- Replace --deep codesigning with inside-out signing (XPC → Sparkle → app)
- Add branded DMG background, icon positioning, and volume icon
- Install create-dmg in CI dependencies

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

Author: eriknielsen

.github/workflows/release.yml

@@ -16,7 +16,7 @@ jobs:
         uses: actions/checkout@v4
 
       - name: Install dependencies
-        run: brew install xcodegen xcbeautify
+        run: brew install xcodegen xcbeautify create-dmg
 
       - name: Generate Xcode project
         run: xcodegen generate
@@ -89,12 +89,31 @@ jobs:
           DEVELOPER_ID_APPLICATION: ${{ secrets.DEVELOPER_ID_APPLICATION }}
         run: |
           APP_PATH="build/DerivedData/Build/Products/Release/Lockpaw.app"
+          SPARKLE_FW="${APP_PATH}/Contents/Frameworks/Sparkle.framework"
+          SPARKLE_VER="${SPARKLE_FW}/Versions/B"
 
-          codesign --force --deep --sign "$DEVELOPER_ID_APPLICATION" \
-            --options runtime \
-            "$APP_PATH"
+          sign_item() {
+            codesign --force --sign "$DEVELOPER_ID_APPLICATION" --options runtime --timestamp "$1"
+          }
 
-          codesign --verify --verbose "$APP_PATH"
+          # Sign inside-out: Sparkle internals → XPC → framework → app
+          for xpc in "${SPARKLE_VER}/XPCServices/Downloader.xpc" "${SPARKLE_VER}/XPCServices/Installer.xpc"; do
+            [ -d "${xpc}" ] || continue
+            sign_item "${xpc}/Contents/MacOS/$(basename "${xpc}" .xpc)"
+            sign_item "${xpc}"
+          done
+
+          [ -f "${SPARKLE_VER}/Autoupdate" ] && sign_item "${SPARKLE_VER}/Autoupdate"
+
+          if [ -d "${SPARKLE_VER}/Updater.app" ]; then
+            sign_item "${SPARKLE_VER}/Updater.app/Contents/MacOS/Updater"
+            sign_item "${SPARKLE_VER}/Updater.app"
+          fi
+
+          sign_item "${SPARKLE_FW}"
+          sign_item "${APP_PATH}"
+
+          codesign --verify --verbose "${APP_PATH}"
 
       - name: Create DMG
         if: steps.check-secrets.outputs.can_sign == 'true'
@@ -105,12 +124,24 @@ jobs:
 
           mkdir -p "$DMG_DIR"
           cp -R "$APP_PATH" "$DMG_DIR/"
-          ln -s /Applications "$DMG_DIR/Applications"
 
-          hdiutil create -volname "Lockpaw" \
-            -srcfolder "$DMG_DIR" \
-            -ov -format UDZO \
-            "$DMG_PATH"
+          # Finder alias instead of symlink — symlinks show broken icon on Sonoma+
+          osascript -e "tell application \"Finder\" to make new alias file at POSIX file \"$(cd "$DMG_DIR" && pwd)\" to POSIX file \"/Applications\""
+
+          create-dmg \
+            --volname "Lockpaw" \
+            --volicon "scripts/dmg-volume-icon.icns" \
+            --background "scripts/dmg-background@2x.png" \
+            --window-pos 200 120 \
+            --window-size 660 400 \
+            --icon-size 96 \
+            --text-size 14 \
+            --icon "Lockpaw.app" 170 180 \
+            --hide-extension "Lockpaw.app" \
+            --icon "Applications" 490 180 \
+            --no-internet-enable \
+            "$DMG_PATH" \
+            "$DMG_DIR"
 
       - name: Notarize DMG
         if: steps.check-secrets.outputs.can_sign == 'true'

scripts/build-release.sh

@@ -64,6 +64,11 @@ mkdir -p "${DMG_DIR}"
 cp -R "${APP_PATH}" "${DMG_DIR}/"
 rm -rf "${SIGN_DIR}"
 
+# Create a Finder alias to /Applications instead of a symlink.
+# Symlinks show a broken/generic icon on macOS Sonoma+ when mounted as read-only DMG.
+# Finder aliases always resolve the proper Applications folder icon.
+osascript -e "tell application \"Finder\" to make new alias file at POSIX file \"$(cd "${DMG_DIR}" && pwd)\" to POSIX file \"/Applications\""
+
 create-dmg \
   --volname "${APP_NAME}" \
   --volicon "scripts/dmg-volume-icon.icns" \
@@ -74,7 +79,7 @@ create-dmg \
   --text-size 14 \
   --icon "${APP_NAME}.app" 170 180 \
   --hide-extension "${APP_NAME}.app" \
-  --app-drop-link 490 180 \
+  --icon "Applications" 490 180 \
   --no-internet-enable \
   "${DMG_PATH}" \
   "${DMG_DIR}"