diff --git a/.github/workflows/macos_build.yml b/.github/workflows/macos_build.yml
index 59811d477a..19cdf8b9cc 100644
--- a/.github/workflows/macos_build.yml
+++ b/.github/workflows/macos_build.yml
@@ -25,6 +25,10 @@ on:
required: false
type: boolean
default: false
+ sign_and_notarize:
+ required: false
+ type: boolean
+ default: false
jobs:
build_macos:
@@ -143,6 +147,38 @@ jobs:
run: make -j$(getconf _NPROCESSORS_ONLN) unittests
- name: Prepare Build Artifacts
+ run: |
+ mv build/pcsx2*/PCSX2.app PCSX2.app
+
+ - name: Pull the Signing Keys and Notarization Credentials
+ if: ${{ inputs.sign_and_notarize == true }}
+ run: |
+ echo "${{ secrets.APPLE_SIGN_P12_B64 }}" | base64 -d > cert.p12
+ echo "${{ secrets.APPLE_APPSTORECONNECT_CFG }}" | base64 -d > key.json
+
+ - name: Sign the Application
+ if: ${{ inputs.sign_and_notarize == true }}
+ uses: indygreg/apple-code-sign-action@v1.1
+ with:
+ input_path: 'PCSX2.app'
+ p12_file: cert.p12
+ p12_password: "${{ secrets.APPLE_SIGN_P12_PASS }}"
+ sign_args: |
+ --for-notarization
+ --code-signature-flags=runtime
+ --entitlements-xml-file=pcsx2/Resources/PCSX2.entitlements
+ notarize: true
+ # max_wait_seconds is only present on my fork located at F0bes/apple-code-sign-action@demo4
+ # If we are timing out we should switch to the newest upstream (if I get it upstreamed)
+ # or use my fork.
+ # max_wait_seconds: '2000'
+ staple: true
+ # Generated using rcodesign
+ # Despite what the docs say, I found that this file is required and I had 0 luck
+ # passing the issuer id, key, etc through arguments.
+ app_store_connect_api_key_json_file: 'key.json'
+
+ - name: Zip Build Artifacts
run: |
TAG="$(git tag --points-at HEAD)"
if [ -z "$TAG" ]; then
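Review bot: The `Sign the Application` step hands the P12, its password and the App Store Connect API key to a third-party action that is pinned only to a mutable tag, `uses: indygreg/apple-code-sign-action@v1.1`; pin it to a full-length commit SHA (`uses: indygreg/apple-code-sign-action@<40-char sha>  # v1.1`) so that a moved or force-pushed tag cannot swap in code that exfiltrates the signing identity, and apply the same rule to the personal `F0bes/…@demo4` fork the comment proposes as a fallback. The decoded `cert.p12` and `key.json` are written into the workspace by the `Pull the Signing Keys` step and never removed, so they stay on disk for every later step of the job; write them under `${{ runner.temp }}` and point `p12_file` / `app_store_connect_api_key_json_file` there, or add a final `if: ${{ always() && inputs.sign_and_notarize == true }}` step that runs `rm -f cert.p12 key.json`. Passing the two secrets through `env:` instead of interpolating `${{ secrets.… }}` directly into the `run:` body would also keep them out of the rendered shell script.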
@@ -150,7 +186,7 @@ jobs:
else
APPNAME="PCSX2-$TAG"
fi
- mv build/pcsx2*/PCSX2.app "$APPNAME.app"
+ mv PCSX2.app "$APPNAME.app"
tar --options xz:compression-level=9 -cvJf "${{ steps.artifact-metadata.outputs.artifact-name }}.tar.xz" "$APPNAME.app"
mkdir ci-artifacts
cp "${{ steps.artifact-metadata.outputs.artifact-name }}.tar.xz" ci-artifacts/macOS.tar.xz
diff --git a/.github/workflows/macos_build_matrix.yml b/.github/workflows/macos_build_matrix.yml
index b620a3c1f6..3466ad0f6b 100644
--- a/.github/workflows/macos_build_matrix.yml
+++ b/.github/workflows/macos_build_matrix.yml
@@ -16,4 +16,5 @@ jobs:
with:
jobName: "MacOS Build"
artifactPrefixName: "PCSX2-macos-Qt"
+ sign_and_notarize: true # If we find that notarization takes a long time we should disable that on PR builds
secrets: inherit
diff --git a/.github/workflows/release_cut_new.yml b/.github/workflows/release_cut_new.yml
index efd818e1e2..a6a8abd91e 100644
--- a/.github/workflows/release_cut_new.yml
+++ b/.github/workflows/release_cut_new.yml
@@ -148,6 +148,7 @@ jobs:
artifactPrefixName: "PCSX2-macos-Qt"
fetchTags: true
stableBuild: ${{ github.event_name == 'workflow_dispatch' && inputs.is_prelease == 'false' }}
+ sign_and_notarize: true
secrets: inherit
# Upload the Artifacts
diff --git a/pcsx2/CMakeLists.txt b/pcsx2/CMakeLists.txt
index d99c68fb27..44ee9fd58f 100644
--- a/pcsx2/CMakeLists.txt
+++ b/pcsx2/CMakeLists.txt
@@ -1347,6 +1347,7 @@ function(setup_main_executable target)
set_target_properties(${target} PROPERTIES
MACOSX_BUNDLE true
MACOSX_BUNDLE_INFO_PLIST "${PCSX2_SOURCE_DIR}/Resources/Info.plist.in"
+ XCODE_ATTRIBUTE_CODE_SIGN_ENTITLEMENTS "${PCSX2_SOURCE_DIR}/Resources/PCSX2.entitlements"
OUTPUT_NAME PCSX2
# Fixes complaints when Xcode tries to sign for running locally about MoltenVK not being signed
XCODE_ATTRIBUTE_OTHER_CODE_SIGN_FLAGS --deep
diff --git a/pcsx2/Resources/PCSX2.entitlements b/pcsx2/Resources/PCSX2.entitlements
new file mode 100644
index 0000000000..f7d1e35227
--- /dev/null
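Review bot: In macos_build_matrix.yml, `sign_and_notarize: true` is set unconditionally while the Apple secrets arrive through `secrets: inherit`; if this workflow also runs for pull requests from forks (its trigger is not visible in this diff), those secrets expand to empty strings, `base64 -d` produces an empty `cert.p12`, and the signing step fails the PR build instead of skipping signing. Consider deriving the flag from the event, e.g. `sign_and_notarize: ${{ github.event_name != 'pull_request' }}`, or have the reusable workflow guard the signing steps on the secret being non-empty via an `env:` variable. The inline comment only anticipates the duration problem; rewording it to `# Signing needs the Apple secrets, which fork PRs do not receive; disable here if that or notarization time becomes a problem` would record the second reason as well.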
+++ b/pcsx2/Resources/PCSX2.entitlements
@@ -0,0 +1,14 @@
+
+
+
+ com.apple.security.cs.allow-jit
+
+ com.apple.security.cs.allow-unsigned-executable-memory
+
+ com.apple.security.cs.disable-library-validation
+
+ com.apple.security.device.audio-input
+
+
+
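Review bot: The new entitlements file grants `com.apple.security.cs.allow-unsigned-executable-memory` in addition to `com.apple.security.cs.allow-jit`, and the former is the broadest hardened-runtime opt-out — it lets any RWX mapping be created without MAP_JIT for the whole process — so it should only stay if the recompilers genuinely cannot use MAP_JIT; that is plausible for an emulator but is not stated anywhere here. `com.apple.security.cs.disable-library-validation` likewise allows loading dylibs signed by any team or unsigned, which may be unnecessary if MoltenVK and the other bundled libraries are re-signed under the same identity by the `--deep` / rcodesign signing. `com.apple.security.device.audio-input` under the hardened runtime also requires an `NSMicrophoneUsageDescription` string in `Info.plist.in` (not touched by this diff) or the process is terminated on first microphone access — worth confirming. Each key deserves a one-line XML comment recording the reason, e.g. `<!-- allow-jit / allow-unsigned-executable-memory: required by the x86 recompilers -->` and `<!-- disable-library-validation: needed to load MoltenVK, which is not signed with our team ID -->`, so a future maintainer can tell which exceptions are still needed.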