From ef5d5c780bcf7ac2c66417dcacb493c5a2a67abc Mon Sep 17 00:00:00 2001 From: Ty Date: Thu, 30 Jan 2025 11:58:13 -0500 Subject: [PATCH] CI: Sign and notarize macos binaries --- .github/workflows/macos_build.yml | 22 +++++++++++++++++++++- .github/workflows/macos_build_matrix.yml | 1 + .github/workflows/release_cut_new.yml | 1 + 3 files changed, 23 insertions(+), 1 deletion(-) diff --git a/.github/workflows/macos_build.yml b/.github/workflows/macos_build.yml index 59811d477a..771371309d 100644 --- a/.github/workflows/macos_build.yml +++ b/.github/workflows/macos_build.yml @@ -25,6 +25,10 @@ on: required: false type: boolean default: false + sign: + required: false + type: boolean + default: false jobs: build_macos: @@ -143,6 +147,22 @@ jobs: run: make -j$(getconf _NPROCESSORS_ONLN) unittests - name: Prepare Build Artifacts + run: mv build/pcsx2*/PCSX2.app Build.app + + - name: Sign binary + if: ${{ inputs.sign }} + uses: lando/code-sign-action@v2 + with: + file: "Build.app" + certificate-data: ${{ secrets.APPLE_CERT_DATA }} + certificate-password: ${{ secrets.APPLE_CERT_PASSWORD }} + apple-notary-user: ${{ secrets.APPLE_NOTARY_USER }} + apple-notary-password: ${{ secrets.APPLE_NOTARY_PASSWORD }} + apple-team-id: ${{ secrets.APPLE_TEAM_ID }} + apple-notary-tool: altool + apple-product-id: net.pcsx2.pcsx2 + + - name: Zip Build Artifacts run: | TAG="$(git tag --points-at HEAD)" if [ -z "$TAG" ]; then @@ -150,7 +170,7 @@ jobs: else APPNAME="PCSX2-$TAG" fi - mv build/pcsx2*/PCSX2.app "$APPNAME.app" + mv Build.app "$APPNAME.app" tar --options xz:compression-level=9 -cvJf "${{ steps.artifact-metadata.outputs.artifact-name }}.tar.xz" "$APPNAME.app" mkdir ci-artifacts cp "${{ steps.artifact-metadata.outputs.artifact-name }}.tar.xz" ci-artifacts/macOS.tar.xz diff --git a/.github/workflows/macos_build_matrix.yml b/.github/workflows/macos_build_matrix.yml index b620a3c1f6..27f68547f5 100644 --- a/.github/workflows/macos_build_matrix.yml 
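Review bot: The new "Sign binary" step in macos_build.yml passes the signing certificate, its password and the notary credentials to `lando/code-sign-action@v2`, a third-party action referenced by a mutable tag. Whoever can move that tag gets code running with those secrets in scope. Pin it to a reviewed commit, `uses: lando/code-sign-action@<full-commit-sha> # v2`, and let the dependency bot propose bumps. Separately, `apple-notary-tool: altool` selects the upload path that Apple stopped accepting for notarization in late 2023. If the action offers it (check its README), `apple-notary-tool: notarytool` is probably what lets notarization succeed.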
+++ b/.github/workflows/macos_build_matrix.yml @@ -16,4 +16,5 @@ jobs: with: jobName: "MacOS Build" artifactPrefixName: "PCSX2-macos-Qt" + sign: true # testing secrets: inherit diff --git a/.github/workflows/release_cut_new.yml b/.github/workflows/release_cut_new.yml index d43e600a85..fb9002d3bb 100644 --- a/.github/workflows/release_cut_new.yml +++ b/.github/workflows/release_cut_new.yml @@ -148,6 +148,7 @@ jobs: artifactPrefixName: "PCSX2-macos-Qt" fetchTags: true stableBuild: ${{ github.event_name == 'workflow_dispatch' && inputs.is_prelease == 'false' }} + sign: true secrets: inherit # Upload the Artifacts
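Review bot: `sign: true # testing` in the macos_build_matrix.yml hunk looks like a leftover from trying the step out, and it sits next to `secrets: inherit`, so every run of this matrix workflow would import the Apple certificate and submit a notarization. The workflow's triggers are outside the hunk. If it runs on pull requests, fork PRs would reach the step with empty secrets and probably fail, while same-repository PRs would have not-yet-reviewed code signed and notarized under the project's identity. Drop the line before merge or gate it on the event, for example `sign: ${{ github.event_name != 'pull_request' }}`, so that signing by default happens only on the release_cut_new.yml path.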