fix macos-14 code signing

Author: VitoVan

build/build.sh

@@ -45,6 +45,8 @@ build_darwin () {
     echo "build launcher ..."
     brew install gcc
     gcc src/calm.c -o calm
+    # codesign for macos-14 enhanced security
+    sudo codesign --sign - --force calm
 
     echo "remove Windows fonts dir ..."
     sed '/<dir>C:\\Windows\\Fonts<\/dir>/d' s/usr/all/fonts.conf > tmp-fonts.conf

entry.lisp

@@ -76,6 +76,8 @@
     (dist-by-new-process)
     (u:calm-log "building macOS Application...")
     (u:load-from-calm "s/usr/macos/bundle.lisp")
+    (u:calm-log "signing macOS Application...")
+    (u:load-from-calm "s/usr/macos/sign.lisp")
     (u:calm-log "building macOS DMG, this may take a while...")
     (u:load-from-calm "s/usr/macos/dmg.lisp"))
   #+win32
@@ -132,6 +134,8 @@
   #+darwin
   ("make-bundle" (u:load-from-calm "s/usr/macos/bundle.lisp"))
   #+darwin
+  ("sign-app" (u:load-from-calm "s/usr/macos/sign.lisp"))
+  #+darwin
   ("make-dmg" (u:load-from-calm "s/usr/macos/dmg.lisp"))
 
   #+win32

s/dev/darwin/config-lib.sh

@@ -65,5 +65,6 @@ ls -lah .
 # copy all typelibs
 cp -L -R $(brew --prefix)/lib/girepository-1.0/*.typelib ./
 
-# codesign for macos-14, since we changed those libs
-ls *.dylib | xargs -I _ codesign --sign - --force --preserve-metadata=entitlements,requirements,flags,runtime _
+# codesign for macos-14 enhanced security
+sudo codesign --sign - --force *.*
+

s/dev/darwin/pack.sh

@@ -18,6 +18,8 @@ export DIST_DIR=./calm-dist/
 
 ./calm make-bundle
 
+./calm sign-app
+
 if [ -n "${CI}" ]; then
     echo working around for macos-13 on github ...
     # A workaround mentioned here https://github.com/actions/runner-images/issues/7522

s/usr/macos/bundle.lisp

@@ -18,6 +18,9 @@
     ;; clean old bunlde
     (uiop:delete-directory-tree app-dir :validate t :if-does-not-exist :ignore)
 
+    (u:calm-log "signing everything before bundling, some files need sudo permission...")
+    (u:exec (str:concat "find " dist-dir-abs " -type f | xargs -I _ sudo codesign --sign - --force _"))
+
     (ensure-directories-exist app-content-dir)
     (ensure-directories-exist app-receipt-dir)
     (ensure-directories-exist app-resources-dir)
@@ -38,7 +41,10 @@
      dist-dir-abs
      app-macos-dir)
     ;; copy icon
-    (u:copy-file app-icon-abs (merge-pathnames "icon.icns" app-resources-dir)))
+    (u:copy-file app-icon-abs (merge-pathnames "icon.icns" app-resources-dir))
+
+    (u:calm-log "signing the application bundle itself...")
+    (u:exec (str:concat "sudo codesign --sign - --force " app-name ".app")))
 
   (u:calm-log-fancy "~%Application Bundle created: ~A.app~%" app-name))
 

s/usr/macos/sign.lisp

@@ -0,0 +1,16 @@
+#-calm
+(ql:quickload :calm)
+(in-package :calm)
+(calm-config)
+
+(defun sign-app (app-name)
+  (uiop:chdir *calm-env-app-dir*)
+
+  (u:calm-log "signing everything, some files need sudo permission...")
+  (u:exec (str:concat "find " app-name ".app -type f | xargs -I _ sudo codesign --sign - --force _"))
+  (u:calm-log "signing the app itself...")
+  (u:exec (str:concat "sudo codesign --sign - --force " app-name ".app"))
+  (u:calm-log-fancy "~%APP signed: ~A.app~%" app-name))
+
+(sign-app
+ (u:get-from-env-or-ask 'app-name "Hello"))