Code signing on MacOS

[rozyczko]

Extension of #25 to cover macos

[rozyczko]

This can be directly taken from SasView.

The GH yml file contains this:

 - name: Sign executable and create dmg

  if: ${{ matrix.os == 'macos-latest' }}
  env:
    MACOS_CERTIFICATE: ${{ secrets.MACOS_CERTIFICATE }}
    MACOS_CERTIFICATE_PWD: ${{ secrets.MACOS_CERTIFICATE_PWD }}
  run: |
    echo $MACOS_CERTIFICATE | base64 --decode > certificate.p12
    security create-keychain -p DloaAcYP build.keychain
    security default-keychain -s build.keychain
    security unlock-keychain -p DloaAcYP build.keychain
    security import certificate.p12 -k build.keychain -P $MACOS_CERTIFICATE_PWD -T /usr/bin/codesign
    security set-key-partition-list -S apple-tool:,apple:,codesign: -s -k DloaAcYP build.keychain
    cd installers/dist
    python  ../../build_tools/code_sign_osx.py
    codesign --verify --options=runtime --entitlements ../../build_tools/entitlements.plist --timestamp --deep --verbose=4 --force --sign "Developer ID Application: European Spallation Source Eric (W2AG9MPZ43)" SasView5.app
    hdiutil create SasView5.dmg -srcfolder SasView5.app -ov -format UDZO
    codesign -s "Developer ID Application: European Spallation Source Eric (W2AG9MPZ43)" SasView5.dmg

and code_sign_osx.py is here: https://github.com/SasView/sasview/blob/gh_osx/build_tools/code_sign_osx.py

[rozyczko]

Updated (?) version of the file: https://github.com/SasView/sasview/blob/main/build_tools/code_sign_osx.py

It seems to be signing all the .so's and .dylib's though - is this what we need?

[AndrewSazonov]

• The first implementation is done in the macos_sign branch based on old easyDiffraction and new SasView.
• An entitlement property list has not yet been added. To be done.
• Only the installer application is currently signed. Do we really need to sign all .so and .dylib files? What about MaintenanceTool.app?
• A test on a fresh macOS is needed: download and run the installer and then MaintenanceTool.app.
• See also the official Code Signing Guide.

[AndrewSazonov]

• If app is not signed:

[AndrewSazonov]

• If app is signed:

  and then one can open it anyway via Settings / Security & Privacy

  

[AndrewSazonov]

Now, the following steps are implemented:

• Signing of the application installer
• Notarization for distribution outside of the App Store
• Stapling of the application installer

[AndrewSazonov]

One still need to select Allow apps downloaded from: App Store and identified developers in the Settings / Security & Privacy Then, the only message you get is: