Apple binaries trusted signature

[pomadchin]

We have ARM builds via https://github.com/PDAL/java/issues/61

However, it's not enough (see https://github.com/PDAL/java/pull/89#issuecomment-1997818375); we need to make the published dylib trusted so it seamlessly works.

We need to figure out how to sign binaries;

• gha docs: https://docs.github.com/en/actions/deployment/deploying-xcode-applications/installing-an-apple-certificate-on-macos-runners-for-xcode-development
• git searched repo that may help investigating what to do about it: https://github.com/keepassxreboot/keepassxc/issues/4934

@metasim thanks for the help 🥇

Most likely we need https://github.com/Apple-Actions/import-codesign-certs

I found https://github.com/strawberrymusicplayer/strawberry/blob/master/.github/workflows/build.yml#L806-L809 and https://github.com/orgs/community/discussions/70145

More: https://github.com/PDAL/java/pull/89#issuecomment-1998059230

[metasim]

I wonder if self-signing (aka "adhoc") is better than nothing:

codesign --force -s - libpdaljni.2.6.dylib

From the manpage:

If identity is the single letter "-" (dash), ad-hoc signing is performed. Ad-hoc signing does not use an identity at all, and identifies exactly one instance of code. Significant restrictions apply to the use of ad-hoc signed code; consult documentation before using this.

[pomadchin]

@metasim lets try it!

[pomadchin]

Also https://localazy.com/blog/how-to-automatically-sign-macos-apps-using-github-actions

[pomadchin]

We don't need it, tested https://github.com/PDAL/java/pull/95 and https://github.com/PDAL/java/pull/96

All thx to @metasim 🔥