Add option to force disable get-task-allow entitlement

The `get-task-allow` entitlement is not compatible with notarization.

Signed-off-by: Kenneth Chew <79120643+kthchew@users.noreply.github.com>

.github/workflows/build.yml

@@ -165,6 +165,9 @@ jobs:
 
           ARTIFACT_NAME: ${{ matrix.artifact-name }}-Qt6
           BUILD_PLATFORM: official
+
+          APPLE_CODESIGN_IDENTITY: ${{ secrets.APPLE_CODESIGN_ID }}
+          APPLE_BUILD_FOR_NOTARIZATION: ${{ secrets.APPLE_NOTARIZE_PASSWORD && 'YES' || 'NO' }}
         run: |
           cmake --workflow --preset "$CMAKE_PRESET"
 

CMakeLists.txt

@@ -410,6 +410,7 @@ if(UNIX AND APPLE)
     set(MACOSX_SPARKLE_DIR "${CMAKE_BINARY_DIR}/frameworks/Sparkle")
 
     set(MACOSX_CODESIGN_IDENTITY "-" CACHE STRING "The identity to use for codesigning (the name, not the secret)")
+    set(MACOSX_PREPARE_NOTARIZATION OFF CACHE BOOL "Whether to disable features incompatible with notarization (notably, do not request an entitlement that allows for attaching a debugger)")
 
     if(NOT MACOSX_SPARKLE_UPDATE_PUBLIC_KEY STREQUAL "" AND NOT MACOSX_SPARKLE_UPDATE_FEED_URL STREQUAL "")
         set(Launcher_ENABLE_UPDATER YES)

cmake/macosPreset.json

@@ -13,7 +13,11 @@
 				"lhs": "${hostSystemName}",
 				"rhs": "Darwin"
 			},
-			"generator": "Ninja"
+			"generator": "Ninja",
+			"cacheVariables": {
+				"MACOSX_CODESIGN_IDENTITY": "$penv{APPLE_CODESIGN_IDENTITY}",
+				"MACOSX_PREPARE_NOTARIZATION": "$penv{APPLE_BUILD_FOR_NOTARIZATION}"
+			}
 		},
 		{
 			"name": "macos_universal_base",

program_info/CMakeLists.txt

@@ -38,7 +38,7 @@ set(Launcher_Branding_LogoQRC "program_info/prismlauncher.qrc" PARENT_SCOPE)
 
 set(Launcher_Portable_File "program_info/portable.txt" PARENT_SCOPE)
 
-if(CMAKE_BUILD_TYPE STREQUAL "Debug")
+if(CMAKE_BUILD_TYPE STREQUAL "Debug" AND NOT MACOSX_PREPARE_NOTARIZATION)
     set(Launcher_DebugEntitlements "<key>com.apple.security.get-task-allow</key>\n    <true/>")
 else()
     set(Launcher_DebugEntitlements "")