macos: codesign for new macos security limitation

Before this change:

1. CALM itself will be shown as a damaged application,
   the user has to de-quarantine it with command line:

   xattr -d com.apple.quarantine /Applications/Calm.app

2. CALM made applications, will also be shown as damaged,
   the user also has to de-quarantine them.

After this change:

1. CALM itself still be shown as a damaged application.

2. CALM made applications, will shown as:
   "cannot be opened because the developer cannot be verified."
   which is better, since the user could open it with right click.

Author: VitoVan

build/build.sh

@@ -45,6 +45,8 @@ build_darwin () {
     echo "build launcher ..."
     brew install gcc
     gcc src/calm.c -o calm
+    # codesign for macos-14 enhanced security
+    codesign --sign - --force --preserve-metadata=entitlements,requirements,flags,runtime calm
 
     echo "remove Windows fonts dir ..."
     sed '/<dir>C:\\Windows\\Fonts<\/dir>/d' s/usr/all/fonts.conf > tmp-fonts.conf

s/dev/darwin/config-lib.sh

@@ -65,5 +65,6 @@ ls -lah .
 # copy all typelibs
 cp -L -R $(brew --prefix)/lib/girepository-1.0/*.typelib ./
 
-# codesign for macos-14, since we changed those libs
+# codesign for macos-14 enhanced security
 ls *.dylib | xargs -I _ codesign --sign - --force --preserve-metadata=entitlements,requirements,flags,runtime _
+ls *.typelib | xargs -I _ sudo codesign --sign - --force --preserve-metadata=entitlements,requirements,flags,runtime _

s/usr/macos/bundle.lisp

@@ -13,7 +13,8 @@
          (dist-dir-abs (or (uiop:absolute-pathname-p dist-dir)
                            (uiop:merge-pathnames* dist-dir *calm-env-app-dir*)))
          (app-icon-abs (or (uiop:absolute-pathname-p app-icon)
-                           (uiop:merge-pathnames* app-icon *calm-env-app-dir*))))
+                           (uiop:merge-pathnames* app-icon *calm-env-app-dir*)))
+         (codesign-cmd "codesign --sign - --force --preserve-metadata=entitlements,requirements,flags,runtime "))
 
     ;; clean old bunlde
     (uiop:delete-directory-tree app-dir :validate t :if-does-not-exist :ignore)
@@ -38,7 +39,17 @@
      dist-dir-abs
      app-macos-dir)
     ;; copy icon
-    (u:copy-file app-icon-abs (merge-pathnames "icon.icns" app-resources-dir)))
+    (u:copy-file app-icon-abs (merge-pathnames "icon.icns" app-resources-dir))
+
+    (u:calm-log "signing everything... (some files need sudo permission)")
+    (u:exec (str:concat "find " app-name ".app/Contents/MacOS/ -type f | xargs -I _ sudo " codesign-cmd " _")
+            :ignore-error-status t)
+    (u:calm-log "signing calm launcher...")
+    (u:exec (str:concat "sudo " codesign-cmd app-name ".app/Contents/MacOS/calm")
+            :ignore-error-status t)
+    (u:calm-log "signing the application bundle itself...")
+    (u:exec (str:concat "sudo " codesign-cmd app-name ".app")
+            :ignore-error-status t))
 
   (u:calm-log-fancy "~%Application Bundle created: ~A.app~%" app-name))