sign and notarize Apple extensions (#16)

* feat(xcframework): add signing and notarization step for CloudSync.xcframework

* fix(workflow): update sign and notarize step for xcframework

* fix(workflow): enhance signing and notarization process for CloudSync.xcframework

* fix(workflow):remove useless notarization step

* refactor(xcframework): remove unused cloudsync_autoinit, modulemap and cloudsync header file

* fix(workflow): update codesigning steps for apple platforms

* fix(workflow): create CloudSync.framework directory during xcframework build

* fix(workflow): add notarization step for CloudSync.xcframework

* fix(workflow): enhance codesigning and notarization steps for macOS builds

* fix(workflow): update macOS codesigning to use zip for notarization

* fix(workflow): update stapling process for xcframework to handle multiple frameworks

* fix(workflow): remove stapling steps for cloudsync.dylib and CloudSync.xcframework

* fix(workflow): rename codesigning steps for clarity and include notarization

* fix(workflow): update codesigning step for dylib and remove notarization process

* bump version

Author: Gioee

.github/workflows/main.yml

@@ -116,6 +116,35 @@ jobs:
       - name: build sqlite-sync
         run: ${{ matrix.name == 'linux-musl' && matrix.arch == 'arm64' && 'docker exec alpine' || '' }} make extension ${{ matrix.make && matrix.make || ''}}
 
+      - name: create keychain for codesign
+        if: matrix.os == 'macos-15'
+        run: |
+          echo "${{ secrets.APPLE_CERTIFICATE }}" | base64 --decode > certificate.p12
+          security create-keychain -p "${{ secrets.KEYCHAIN_PASSWORD }}" build.keychain
+          security default-keychain -s build.keychain
+          security unlock-keychain -p "${{ secrets.KEYCHAIN_PASSWORD }}" build.keychain
+          security import certificate.p12 -k build.keychain -P "${{ secrets.CERTIFICATE_PASSWORD }}" -T /usr/bin/codesign
+          security set-key-partition-list -S apple-tool:,apple:,codesign: -s -k "${{ secrets.KEYCHAIN_PASSWORD }}" build.keychain
+
+      - name: codesign dylib
+        if: matrix.os == 'macos-15' && matrix.name != 'apple-xcframework'
+        run: codesign --sign "${{ secrets.APPLE_TEAM_ID }}" --timestamp --options runtime dist/cloudsync.dylib
+
+      - name: codesign and notarize xcframework
+        if: matrix.name == 'apple-xcframework'
+        run: |
+          find dist/CloudSync.xcframework -name "*.framework" -exec echo "Signing: {}" \; -exec codesign --sign "${{ secrets.APPLE_TEAM_ID }}" --timestamp --options runtime {} \; # Sign each individual framework FIRST
+          codesign --sign "${{ secrets.APPLE_TEAM_ID }}" --timestamp --options runtime dist/CloudSync.xcframework # Then sign the xcframework wrapper
+          ditto -c -k --keepParent dist/CloudSync.xcframework dist/CloudSync.xcframework.zip
+          xcrun notarytool submit dist/CloudSync.xcframework.zip --apple-id "${{ secrets.APPLE_ID }}" --password "${{ secrets.APPLE_PASSWORD }}" --team-id "${{ secrets.APPLE_TEAM_ID }}" --wait
+          rm dist/CloudSync.xcframework.zip
+
+      - name: cleanup keychain for codesign
+        if: matrix.os == 'macos-15'
+        run: |
+          rm certificate.p12
+          security delete-keychain build.keychain
+
       - name: android setup test environment
         if: matrix.name == 'android' && matrix.arch != 'arm64-v8a'
         run: |

src/cloudsync.c

@@ -3245,10 +3245,6 @@ void cloudsync_commit_alter (sqlite3_context *context, int argc, sqlite3_value *
 
 // MARK: - Main Entrypoint -
 
-int cloudsync_autoinit (void) {
-    return sqlite3_auto_extension((void *)sqlite3_cloudsync_init);
-}
-
 int cloudsync_register (sqlite3 *db, char **pzErrMsg) {
     int rc = SQLITE_OK;
 

src/cloudsync.h

@@ -20,10 +20,9 @@
 extern "C" {
 #endif
 
-#define CLOUDSYNC_VERSION                       "0.8.26"
+#define CLOUDSYNC_VERSION                       "0.8.27"
 
 int sqlite3_cloudsync_init (sqlite3 *db, char **pzErrMsg, const sqlite3_api_routines *pApi);
-int cloudsync_autoinit (void);
 
 #ifdef __cplusplus
 }