macOS notarization

.github/workflows/build.yml

@@ -137,6 +137,14 @@ jobs:
         echo "VERSION=$(cat build/version.txt)" >> $GITHUB_ENV
         cpack --config build/CPackConfig.cmake -B build/installer --verbose
         mv build/installer/*.dmg build/Release
+    - name: Notarize
+      if: github.ref_name == 'main'
+      run: |
+        misc/ci-macos-notarize.sh build/Release/*.dmg
+      env:
+        APPLE_NOTARIZATION_USERNAME: ${{ secrets.APPLE_NOTARIZATION_USERNAME }}
+        APPLE_NOTARIZATION_PASSWORD: ${{ secrets.APPLE_NOTARIZATION_PASSWORD }}
+        APPLE_TEAM_ID: ${{ secrets.APPLE_TEAM_ID }}
     - name: Upload
       uses: actions/upload-artifact@v4
       with:

misc/ci-macos-notarize.sh

@@ -0,0 +1,44 @@
+#!/bin/sh
+
+set -e
+
+if [ -z "${APPLE_NOTARIZATION_USERNAME}" ]
+then
+    echo "No notarization credentials supplied, skipping..."
+    exit 0
+fi
+
+echo "Creating NotarizationProfile..."
+xcrun notarytool store-credentials --apple-id "${APPLE_NOTARIZATION_USERNAME}" \
+    --password "${APPLE_NOTARIZATION_PASSWORD}" \
+    --team-id "${APPLE_TEAM_ID}" "NotarizationProfile"
+
+if [ "$#" -eq 0 ]
+then
+    echo "Error: Please provide one or more .dmg files"
+    exit 1
+fi
+
+for FILE in "$@"; do
+    case ${FILE} in
+        *.dmg)
+            if [ ! -f "${FILE}" ]
+            then
+                echo "Error: '${FILE}' does not exist or is not a regular file"
+                exit 1
+            fi
+
+            echo "Submitting notarization request..."
+            xcrun notarytool submit "${FILE}" \
+                --keychain-profile "NotarizationProfile" --wait
+
+            echo "Stapling..."
+            xcrun stapler staple "${FILE}"
+            ;;
+
+        *)
+            echo "Error: '${FILE}' does not have a .dmg extension"
+            exit 1
+            ;;
+    esac
+done