diff --git a/.github/actions/package/macos/action.yml b/.github/actions/package/macos/action.yml
index 42181953c..d9a68abbe 100644
--- a/.github/actions/package/macos/action.yml
+++ b/.github/actions/package/macos/action.yml
@@ -64,15 +64,6 @@ runs:
cd ${{ env.INSTALL_DIR }}
chmod +x "PrismLauncher.app/Contents/MacOS/prismlauncher"
- if [ -n '${{ inputs.apple-codesign-id }}' ]; then
- APPLE_CODESIGN_ID='${{ inputs.apple-codesign-id }}'
- ENTITLEMENTS_FILE='../program_info/App.entitlements'
- else
- APPLE_CODESIGN_ID='-'
- ENTITLEMENTS_FILE='../program_info/AdhocSignedApp.entitlements'
- fi
-
- sudo codesign --sign "$APPLE_CODESIGN_ID" --deep --force --entitlements "$ENTITLEMENTS_FILE" --options runtime "PrismLauncher.app/Contents/MacOS/prismlauncher"
mv "PrismLauncher.app" "Prism Launcher.app"
- name: Notarize
diff --git a/.github/workflows/build.yml b/.github/workflows/build.yml
index b8ba57a45..967d8bf0e 100644
--- a/.github/workflows/build.yml
+++ b/.github/workflows/build.yml
@@ -165,6 +165,9 @@ jobs:
ARTIFACT_NAME: ${{ matrix.artifact-name }}-Qt6
BUILD_PLATFORM: official
+
+ APPLE_CODESIGN_IDENTITY: ${{ secrets.APPLE_CODESIGN_ID }}
+ APPLE_BUILD_FOR_NOTARIZATION: ${{ secrets.APPLE_NOTARIZE_PASSWORD && 'YES' || 'NO' }}
run: |
cmake --workflow --preset "$CMAKE_PRESET"
diff --git a/CMakeLists.txt b/CMakeLists.txt
index 929e1b394..154207766 100644
--- a/CMakeLists.txt
+++ b/CMakeLists.txt
@@ -409,6 +409,9 @@ if(UNIX AND APPLE)
set(MACOSX_SPARKLE_SHA256 "50612a06038abc931f16011d7903b8326a362c1074dabccb718404ce8e585f0b" CACHE STRING "SHA256 checksum for Sparkle release archive")
set(MACOSX_SPARKLE_DIR "${CMAKE_BINARY_DIR}/frameworks/Sparkle")
+ set(MACOSX_CODESIGN_IDENTITY "-" CACHE STRING "The identity to use for codesigning (the name, not the secret)")
+ set(MACOSX_PREPARE_NOTARIZATION OFF CACHE BOOL "Whether to disable features incompatible with notarization (notably, do not request an entitlement that allows for attaching a debugger)")
+
if(NOT MACOSX_SPARKLE_UPDATE_PUBLIC_KEY STREQUAL "" AND NOT MACOSX_SPARKLE_UPDATE_FEED_URL STREQUAL "")
set(Launcher_ENABLE_UPDATER YES)
endif()
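Review bot: `MACOSX_PREPARE_NOTARIZATION` is a plain boolean, so the `set(... CACHE BOOL ...)` form on the second added line is better spelled `option(MACOSX_PREPARE_NOTARIZATION "Disable features incompatible with notarization (notably the get-task-allow debugger entitlement)" OFF)`, which is the idiomatic form for a BOOL cache entry and keeps the help text short. The `MACOSX_CODESIGN_IDENTITY` entry is fine as a `CACHE STRING`, and its help text usefully states that the value is the identity name rather than a secret. The enclosing `if(UNIX AND APPLE)` block starts outside the hunk.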
diff --git a/cmake/macosPreset.json b/cmake/macosPreset.json
index 9098f9a9a..89623c369 100644
--- a/cmake/macosPreset.json
+++ b/cmake/macosPreset.json
@@ -13,7 +13,11 @@
"lhs": "${hostSystemName}",
"rhs": "Darwin"
},
- "generator": "Ninja"
+ "generator": "Ninja",
+ "cacheVariables": {
+ "MACOSX_CODESIGN_IDENTITY": "$penv{APPLE_CODESIGN_IDENTITY}",
+ "MACOSX_PREPARE_NOTARIZATION": "$penv{APPLE_BUILD_FOR_NOTARIZATION}"
+ }
},
{
"name": "macos_universal_base",
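Review bot: When `APPLE_CODESIGN_IDENTITY` is not exported — local developer builds, and CI runs that cannot read `secrets.APPLE_CODESIGN_ID` — `$penv{APPLE_CODESIGN_IDENTITY}` on the `MACOSX_CODESIGN_IDENTITY` line expands to an empty string, and the preset writes that empty string into the cache in place of the `"-"` default declared in CMakeLists.txt. program_info/CMakeLists.txt emits the ad hoc entitlement block only when the identity is exactly `"-"`, while macos_signature.sh falls back to `-` for an empty first argument, so such a build is ad hoc signed without `com.apple.security.cs.disable-library-validation`, which the removed action.yml branch did grant via AdhocSignedApp.entitlements. The same applies to `MACOSX_PREPARE_NOTARIZATION`, which becomes an empty string rather than `OFF` (harmless today, since `if(NOT "")` is true). The least invasive fix is in program_info/CMakeLists.txt, `if(MACOSX_CODESIGN_IDENTITY STREQUAL "-" OR MACOSX_CODESIGN_IDENTITY STREQUAL "")`; alternatively build.yml could export the fallback itself, `APPLE_CODESIGN_IDENTITY: ${{ secrets.APPLE_CODESIGN_ID || '-' }}`.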
diff --git a/launcher/CMakeLists.txt b/launcher/CMakeLists.txt
index 194694d7f..63e38176f 100644
--- a/launcher/CMakeLists.txt
+++ b/launcher/CMakeLists.txt
@@ -1526,6 +1526,7 @@ if(WIN32 OR (UNIX AND APPLE))
LIBEXEC_DIR ${LIBRARY_DEST_DIR}
LIB_DIR ${LIBRARY_DEST_DIR}
PLUGINS_DIR ${PLUGIN_DEST_DIR}
+ NO_APP_STORE_COMPLIANCE
NO_OVERWRITE
NO_TRANSLATIONS
NO_COMPILER_RUNTIME
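Review bot: The added `NO_APP_STORE_COMPLIANCE` keyword carries no explanation, and the enclosing Qt deploy call starts outside the hunk, so a reader cannot tell why the App Store compliance adjustments are now switched off for a bundle that this same commit starts signing itself. A one-line comment above the keyword would record the intent, e.g. `# Not an App Store build; the bundle is signed by MacOSCodesign.cmake at install time`, adjusted if the actual reason differs.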
@@ -1570,3 +1571,14 @@ if(WIN32 OR (UNIX AND APPLE))
COMPONENT bundle
)
endif()
+
+if(UNIX AND APPLE)
+ # Need to fix code signing for the bundle
+ set(MACOSX_ENTITLEMENTS "${CMAKE_CURRENT_BINARY_DIR}/../program_info/App.entitlements")
+ configure_file(
+ "${CMAKE_CURRENT_SOURCE_DIR}/MacOSCodesign.cmake.in"
+ "${CMAKE_CURRENT_BINARY_DIR}/MacOSCodesign.cmake"
+ @ONLY
+ )
+ install(SCRIPT "${CMAKE_CURRENT_BINARY_DIR}/MacOSCodesign.cmake" COMPONENT Runtime)
+endif()
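Review bot: `MACOSX_ENTITLEMENTS` is derived by walking up from `CMAKE_CURRENT_BINARY_DIR` with `..`, which points at the wrong file as soon as the launcher directory is nested differently from program_info; `set(MACOSX_ENTITLEMENTS "${PROJECT_BINARY_DIR}/program_info/App.entitlements")` names the generated file directly. The comment `# Need to fix code signing for the bundle` reads like a TODO rather than a description of the block; `# Sign the installed bundle at install time, using the entitlements generated by program_info/CMakeLists.txt` says what it does. Because signing is attached to `install(SCRIPT ...)` under COMPONENT Runtime, a bundle taken from the build tree without `cmake --install` is left unsigned; if that is intended it is worth a sentence in the same comment.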
diff --git a/launcher/MacOSCodesign.cmake.in b/launcher/MacOSCodesign.cmake.in
new file mode 100644
index 000000000..067ccf763
--- /dev/null
+++ b/launcher/MacOSCodesign.cmake.in
@@ -0,0 +1,8 @@
+execute_process(
+ COMMAND "@CMAKE_SOURCE_DIR@/program_info/macos_signature.sh" "@MACOSX_CODESIGN_IDENTITY@" "@MACOSX_ENTITLEMENTS@"
+ WORKING_DIRECTORY "@CMAKE_INSTALL_PREFIX@"
+ RESULT_VARIABLE CODESIGN_RESULT
+)
+if(NOT CODESIGN_RESULT EQUAL 0)
+ message(FATAL_ERROR "Failed to codesign the bundle")
+endif()
\ No newline at end of file
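Review bot: `WORKING_DIRECTORY "@CMAKE_INSTALL_PREFIX@"` bakes the configure-time prefix into the script, but `install(SCRIPT)` runs inside cmake_install.cmake, where `CMAKE_INSTALL_PREFIX` holds the install-time prefix (`cmake --install --prefix ...`) and `DESTDIR` staging is applied, so those installs sign the wrong tree or fail with the baked value. Since the template is configured with `@ONLY`, `${...}` and `$ENV{...}` survive unexpanded, and `WORKING_DIRECTORY "$ENV{DESTDIR}${CMAKE_INSTALL_PREFIX}"` picks up the effective location at install time. The failure message would also be more useful with the result included, since `RESULT_VARIABLE` carries an error string when the script cannot be launched at all: `message(FATAL_ERROR "Failed to codesign the bundle: ${CODESIGN_RESULT}")`. The check is only as strict as the script's own exit status, which reflects its last `codesign` call alone.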
diff --git a/nix/unwrapped.nix b/nix/unwrapped.nix
index d9144410f..bb6b47e7d 100644
--- a/nix/unwrapped.nix
+++ b/nix/unwrapped.nix
@@ -3,6 +3,7 @@
stdenv,
cmake,
cmark,
+ darwin,
apple-sdk_11,
extra-cmake-modules,
gamemode,
@@ -74,6 +75,7 @@ stdenv.mkDerivation {
extra-cmake-modules
jdk17
stripJavaArchivesHook
+ darwin.sigtool
];
buildInputs =
diff --git a/program_info/AdhocSignedApp.entitlements b/program_info/AdhocSignedApp.entitlements
deleted file mode 100644
index 032308a18..000000000
--- a/program_info/AdhocSignedApp.entitlements
+++ /dev/null
@@ -1,12 +0,0 @@
-
-
-
-
- com.apple.security.cs.disable-library-validation
-
- com.apple.security.device.audio-input
-
- com.apple.security.device.camera
-
-
-
diff --git a/program_info/App.entitlements b/program_info/App.entitlements.in
similarity index 84%
rename from program_info/App.entitlements
rename to program_info/App.entitlements.in
index 73bf832c7..5a93d71af 100644
--- a/program_info/App.entitlements
+++ b/program_info/App.entitlements.in
@@ -2,6 +2,8 @@
+@Launcher_AdhocEntitlements@
+@Launcher_DebugEntitlements@
com.apple.security.device.audio-input
com.apple.security.device.camera
diff --git a/program_info/CMakeLists.txt b/program_info/CMakeLists.txt
index db6920e20..f7af0e08b 100644
--- a/program_info/CMakeLists.txt
+++ b/program_info/CMakeLists.txt
@@ -38,6 +38,22 @@ set(Launcher_Branding_LogoQRC "program_info/prismlauncher.qrc" PARENT_SCOPE)
set(Launcher_Portable_File "program_info/portable.txt" PARENT_SCOPE)
+if(MACOSX_CODESIGN_IDENTITY STREQUAL "-")
+ string(CONCAT Launcher_AdhocEntitlements
+ " com.apple.security.cs.disable-library-validation\n"
+ " ")
+else()
+ set(Launcher_AdhocEntitlements "")
+endif()
+if(CMAKE_BUILD_TYPE STREQUAL "Debug" AND NOT MACOSX_PREPARE_NOTARIZATION)
+ string(CONCAT Launcher_DebugEntitlements
+ " com.apple.security.get-task-allow\n"
+ " ")
+else()
+ set(Launcher_DebugEntitlements "")
+endif()
+
+configure_file(App.entitlements.in App.entitlements)
configure_file(${Launcher_AppID}.desktop.in ${Launcher_AppID}.desktop)
configure_file(${Launcher_AppID}.metainfo.xml.in ${Launcher_AppID}.metainfo.xml)
configure_file(prismlauncher.rc.in prismlauncher.rc @ONLY)
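Review bot: `configure_file(App.entitlements.in App.entitlements)` lacks `@ONLY`, unlike the `prismlauncher.rc.in` call two lines below; the template uses only `@VAR@` placeholders, so `configure_file(App.entitlements.in App.entitlements @ONLY)` keeps any literal `${...}` text in the plist from being expanded. The `CMAKE_BUILD_TYPE STREQUAL "Debug"` test is always false under multi-config generators such as Xcode, where that variable is empty, so a Debug configuration there never receives `com.apple.security.get-task-allow`; that fails closed, but a comment would spare a developer the surprise, e.g. `# CMAKE_BUILD_TYPE is empty under multi-config generators; get-task-allow is then never granted`. The entitlement fragments inside the two `string(CONCAT ...)` calls appear on this page without their plist markup, so their exact content could not be checked here.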
diff --git a/program_info/macos_signature.sh b/program_info/macos_signature.sh
new file mode 100755
index 000000000..a16ce7cd1
--- /dev/null
+++ b/program_info/macos_signature.sh
@@ -0,0 +1,39 @@
+#!/usr/bin/env sh
+
+# Run this script from the directory containing "PrismLauncher.app"
+
+CODE_SIGN_IDENTITY="${1:--}"
+MAIN_ENTITLEMENTS_FILE="${2:-../program_info/App.entitlements}"
+
+if [[ "$CODE_SIGN_IDENTITY" == "Developer ID Application"* ]]; then
+ CODE_SIGN_IDENTITY=("$CODE_SIGN_IDENTITY" --timestamp)
+fi
+
+################ FRAMEWORKS ################
+cd "PrismLauncher.app/Contents/Frameworks" || exit 1
+# See https://sparkle-project.org/documentation/sandboxing/
+codesign -f -s "${CODE_SIGN_IDENTITY[@]}" -o runtime Sparkle.framework/Versions/B/XPCServices/Installer.xpc
+# For Sparkle versions >= 2.6
+codesign -f -s "${CODE_SIGN_IDENTITY[@]}" -o runtime --preserve-metadata=entitlements Sparkle.framework/Versions/B/XPCServices/Downloader.xpc
+# For Sparkle versions < 2.6
+#codesign -f -s "${CODE_SIGN_IDENTITY[@]}" -o runtime --entitlements Entitlements/Downloader.entitlements Sparkle.framework/Versions/B/XPCServices/Downloader.xpc
+codesign -f -s "${CODE_SIGN_IDENTITY[@]}" -o runtime Sparkle.framework/Versions/B/Autoupdate
+codesign -f -s "${CODE_SIGN_IDENTITY[@]}" -o runtime Sparkle.framework/Versions/B/Updater.app
+
+codesign -f -s "${CODE_SIGN_IDENTITY[@]}" ./*.framework
+codesign -f -s "${CODE_SIGN_IDENTITY[@]}" ./*.dylib
+
+################ XPC SERVICES ################
+if cd "../XPCServices"; then
+ codesign -f -s "${CODE_SIGN_IDENTITY[@]}" -o runtime ./*.xpc
+fi
+
+################ PLUGINS ################
+cd "../PlugIns" || exit 1
+codesign -f -s "${CODE_SIGN_IDENTITY[@]}" */*.dylib
+cd "../MacOS" || exit 1
+codesign -f -s "${CODE_SIGN_IDENTITY[@]}" jars/*.jar
+
+################ APP ################
+cd "../../.." || exit 1
+codesign -f -s "${CODE_SIGN_IDENTITY[@]}" --entitlements "$MAIN_ENTITLEMENTS_FILE" -o runtime ./PrismLauncher.app
\ No newline at end of file
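Review bot: The script is declared `#!/usr/bin/env sh` but uses `[[ ... ]]` and an array (`CODE_SIGN_IDENTITY=(...)`, `"${CODE_SIGN_IDENTITY[@]}"`), which are bash features; under a POSIX `sh` such as dash the timestamp branch is a syntax error, so the shebang should be `#!/usr/bin/env bash`. Only the final `codesign` of `PrismLauncher.app` determines the exit status, so a failed signature on any Sparkle component, framework, plug-in or jar earlier in the script is ignored and MacOSCodesign.cmake then reports success for a bundle whose nested code is unsigned or stale. Adding `set -eu` after the shebang makes every `codesign` failure fatal; globs with no match (e.g. `jars/*.jar`, `*/*.dylib`) would then also abort, which is probably the right outcome but should be confirmed against the real bundle layout. The default `${2:-../program_info/App.entitlements}` now names a path that exists only in the build tree, since the source tree holds `App.entitlements.in`, so the comment on the third line should state that the second argument is expected to be the configured entitlements file.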