CI: Sign and notarize our macos binaries

.github/workflows/macos_build.yml

@@ -25,6 +25,10 @@ on:
         required: false
         type: boolean
         default: false
+      sign_and_notarize:
+        required: false
+        type: boolean
+        default: false
 
 jobs:
   build_macos:
@@ -143,6 +147,38 @@ jobs:
         run: make -j$(getconf _NPROCESSORS_ONLN) unittests
 
       - name: Prepare Build Artifacts
+        run: |
+          mv build/pcsx2*/PCSX2.app PCSX2.app
+
+      - name: Pull the Signing Keys and Notarization Credentials
+        if: ${{ inputs.sign_and_notarize == true }}
+        run: |
+          echo "${{ secrets.APPLE_SIGN_P12_B64 }}" | base64 -d > cert.p12
+          echo "${{ secrets.APPLE_APPSTORECONNECT_CFG }}" | base64 -d > key.json
+
+      - name: Sign the Application
+        if: ${{ inputs.sign_and_notarize == true }}
+        uses: indygreg/apple-code-sign-action@v1.1
+        with:
+          input_path: 'PCSX2.app'
+          p12_file: cert.p12
+          p12_password: "${{ secrets.APPLE_SIGN_P12_PASS }}"
+          sign_args: |
+            --for-notarization
+            --code-signature-flags=runtime
+            --entitlements-xml-file=pcsx2/Resources/PCSX2.entitlements
+          notarize: true
+          # max_wait_seconds is only present on my fork located at F0bes/apple-code-sign-action@demo4
+          # If we are timing out we should switch to the newest upstream (if I get it upstreamed)
+          # or use my fork.
+          # max_wait_seconds: '2000'
+          staple: true
+          # Generated using rcodesign
+          # Despite what the docs say, I found that this file is required and I had 0 luck
+          # passing the issuer id, key, etc through arguments.
+          app_store_connect_api_key_json_file: 'key.json'
+
+      - name: Zip Build Artifacts
         run: |
           TAG="$(git tag --points-at HEAD)"
           if [ -z "$TAG" ]; then
@@ -150,7 +186,7 @@ jobs:
           else
             APPNAME="PCSX2-$TAG"
           fi
-          mv build/pcsx2*/PCSX2.app "$APPNAME.app"
+          mv PCSX2.app "$APPNAME.app"
           tar --options xz:compression-level=9 -cvJf "${{ steps.artifact-metadata.outputs.artifact-name }}.tar.xz" "$APPNAME.app"
           mkdir ci-artifacts
           cp "${{ steps.artifact-metadata.outputs.artifact-name }}.tar.xz" ci-artifacts/macOS.tar.xz

.github/workflows/macos_build_matrix.yml

@@ -16,4 +16,5 @@ jobs:
     with:
       jobName: "MacOS Build"
       artifactPrefixName: "PCSX2-macos-Qt"
+      sign_and_notarize: true # If we find that notarization takes a long time we should disable that on PR builds
     secrets: inherit

.github/workflows/release_cut_new.yml

@@ -148,6 +148,7 @@ jobs:
       artifactPrefixName: "PCSX2-macos-Qt"
       fetchTags: true
       stableBuild: ${{ github.event_name == 'workflow_dispatch' && inputs.is_prelease == 'false' }}
+      sign_and_notarize: true
     secrets: inherit
 
   # Upload the Artifacts

pcsx2/CMakeLists.txt

@@ -1347,6 +1347,7 @@ function(setup_main_executable target)
 		set_target_properties(${target} PROPERTIES
 			MACOSX_BUNDLE true
 			MACOSX_BUNDLE_INFO_PLIST "${PCSX2_SOURCE_DIR}/Resources/Info.plist.in"
+			XCODE_ATTRIBUTE_CODE_SIGN_ENTITLEMENTS "${PCSX2_SOURCE_DIR}/Resources/PCSX2.entitlements"
 			OUTPUT_NAME PCSX2
 			# Fixes complaints when Xcode tries to sign for running locally about MoltenVK not being signed
 			XCODE_ATTRIBUTE_OTHER_CODE_SIGN_FLAGS --deep

pcsx2/Resources/PCSX2.entitlements

@@ -0,0 +1,14 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
+<plist version="1.0">
+<dict>
+	<key>com.apple.security.cs.allow-jit</key>
+	<true/>
+	<key>com.apple.security.cs.allow-unsigned-executable-memory</key>
+	<true/>
+	<key>com.apple.security.cs.disable-library-validation</key>
+	<true/>
+	<key>com.apple.security.device.audio-input</key>
+	<true/>
+</dict>
+</plist>