macOS Code Signing and Notarization

.github/workflows/build.yml

@@ -1,18 +1,25 @@
 name: Descent 3 Build
 
+
 on:
-  workflow_dispatch:
-  push:
-    branches: [ "main" ]
-    paths-ignore:
-      - '**/*.md'
-  pull_request:
-    branches: [ "main" ]
-    paths-ignore:
-      - '**/README.md'
-      - '**/LICENSE'
+  workflow_call:
+    secrets:
+      MACOS_SIGNING_IDENTITY:
+        required: false
+      MACOS_SIGNING_CERTIFICATE_P12:
+        required: false
+      MACOS_SIGNING_CERTIFICATE_P12_PASSWORD:
+        required: false
+      MACOS_APP_STORE_CONNECT_KEY:
+        required: false
+      MACOS_APP_STORE_CONNECT_KEY_ID:
+        required: false
+      MACOS_APP_STORE_CONNECT_ISSUER_ID:
+        required: false
+
 
 jobs:
+
   build:
     name: ${{ matrix.os.name }}, ${{ matrix.build_type }}
     strategy:
@@ -50,6 +57,9 @@ jobs:
 
     runs-on: ${{ matrix.os.runner }}
 
+    env:
+      MACOS_AND_CODE_SIGNING: ${{ matrix.os.preset == 'mac' && secrets.MACOS_SIGNING_IDENTITY != '' }}
+
     steps:
       - uses: actions/checkout@v4
         with:
@@ -103,12 +113,19 @@ jobs:
           cp ./arm64-osx.cmake ./community/universal-osx.cmake
           sed -i '' 's/^set(VCPKG_OSX_ARCHITECTURES.*$/set(VCPKG_OSX_ARCHITECTURES "arm64;x86_64")/' ./community/universal-osx.cmake
 
+      - name: Import macOS code signing certificate
+        if: ${{ env.MACOS_AND_CODE_SIGNING == 'true' }}
+        uses: DescentDevelopers/import-codesign-certs@v1
+        with:
+          p12-file-base64: ${{ secrets.MACOS_SIGNING_CERTIFICATE_P12 }}
+          p12-password: ${{ secrets.MACOS_SIGNING_CERTIFICATE_P12_PASSWORD }}
+
       - name: Configure CMake
         if: ${{ matrix.os.preset != 'linux-cross-arm64' }}
         env:
           CC: ${{ matrix.os.cc }}
           CXX: ${{ matrix.os.cxx }}
-        run: cmake --preset ${{ matrix.os.preset }} -DBUILD_TESTING=ON -DENABLE_LOGGER=ON -DFORCE_PORTABLE_INSTALL=ON -DBUILD_EDITOR=ON -DUSE_EXTERNAL_PLOG=ON
+        run: cmake --preset ${{ matrix.os.preset }} -DCODESIGN_IDENTITY=${{ secrets.MACOS_SIGNING_IDENTITY }} -DBUILD_TESTING=ON -DENABLE_LOGGER=ON -DFORCE_PORTABLE_INSTALL=ON -DBUILD_EDITOR=ON -DUSE_EXTERNAL_PLOG=ON
 
       - name: Build ${{ matrix.build_type }}
         run: cmake --build --preset ${{ matrix.os.preset }} --config ${{ matrix.build_type }} --verbose
@@ -121,6 +138,25 @@ jobs:
         # There no cmake install presets so install in traditional way
         run: cmake --install builds/${{ matrix.os.preset }}/ --config ${{ matrix.build_type }}
 
+      - name: Sign, package, and notarize for macOS
+        if: ${{ env.MACOS_AND_CODE_SIGNING == 'true' }}
+        uses: DescentDevelopers/macos-sign-package-notarize@v1
+        with:
+          path-to-binaries: builds/${{ matrix.os.preset }}/installed/Descent3.app builds/${{ matrix.os.preset }}/installed/netgames/*
+          signing-identity: ${{ secrets.MACOS_SIGNING_IDENTITY }}
+          app-store-connect-key: ${{ secrets.MACOS_APP_STORE_CONNECT_KEY }}
+          app-store-connect-key-id: ${{ secrets.MACOS_APP_STORE_CONNECT_KEY_ID }}
+          app-store-connect-issuer-id: ${{ secrets.MACOS_APP_STORE_CONNECT_ISSUER_ID }}
+          archive-files: builds/${{ matrix.os.preset }}/installed/*
+          archive-disk-name: Descent 3
+          archive-file-path: builds/${{ matrix.os.preset }}/Descent3-${{ matrix.build_type }}-${{ matrix.os.name }}.dmg
+
+      - name: Swap macOS DMG disk image into installed folder
+        if: ${{ env.MACOS_AND_CODE_SIGNING == 'true' }}
+        run: |
+          rm -rf builds/${{ matrix.os.preset }}/installed/*
+          mv builds/${{ matrix.os.preset }}/Descent3-${{ matrix.build_type }}-${{ matrix.os.name }}.dmg builds/${{ matrix.os.preset }}/installed/
+
       - name: Upload Artifacts
         uses: actions/upload-artifact@v4
         with:

.github/workflows/cd.yml

@@ -0,0 +1,23 @@
+name: Continuous Delivery
+
+
+on:
+  push:
+    branches:
+      - main
+    paths-ignore:
+      - '**/*.md'
+
+
+jobs:
+
+  build:
+    name: Build for main branch
+    uses: ./.github/workflows/build.yml
+    secrets:
+      MACOS_SIGNING_IDENTITY: ${{ secrets.MACOS_SIGNING_IDENTITY }}
+      MACOS_SIGNING_CERTIFICATE_P12: ${{ secrets.MACOS_SIGNING_CERTIFICATE_P12 }}
+      MACOS_SIGNING_CERTIFICATE_P12_PASSWORD: ${{ secrets.MACOS_SIGNING_CERTIFICATE_P12_PASSWORD }}
+      MACOS_APP_STORE_CONNECT_KEY: ${{ secrets.MACOS_APP_STORE_CONNECT_KEY }}
+      MACOS_APP_STORE_CONNECT_KEY_ID: ${{ secrets.MACOS_APP_STORE_CONNECT_KEY_ID }}
+      MACOS_APP_STORE_CONNECT_ISSUER_ID: ${{ secrets.MACOS_APP_STORE_CONNECT_ISSUER_ID }}

.github/workflows/ci.yml

@@ -0,0 +1,18 @@
+name: Continuous Integration
+
+
+on:
+  pull_request:
+    branches:
+      - main
+    paths-ignore:
+      - '**/README.md'
+      - '**/LICENSE'
+
+
+jobs:
+
+  build:
+    name: Build for PR
+    uses: ./.github/workflows/build.yml
+    # explicitly not passing secrets into the build

BUILD.md

@@ -205,3 +205,4 @@ cmake --preset linux -DENABLE_LOGGER=ON
 | `FORCE_PORTABLE_INSTALL` | Install all files into local directory defined by `CMAKE_INSTALL_PREFIX`.                                                                                                                                                                                                                               | `ON`                                                                                         |
       | `OFF`                                                                                        |
 | `USE_VCPKG`              | Explicitly control whether or not to use vcpkg for dependency resolution. `ON` requires the environment variable `VCPKG_ROOT` to be set.                                                                                                                                                                | Determined by the existence of `VCPKG_ROOT` in the environment: If it exists, vcpkg is used. |
+| `CODESIGN_IDENTITY`      | Sets the macOS code signing identity. If set to something besides the empty string, then the dynamic libraries put into the hog files will be signed using this identity.                                                                                                                               | The empty string, `""`.                                                                      |

CMakeLists.txt

@@ -5,6 +5,15 @@ if(NOT CMAKE_BUILD_TYPE AND NOT DEFINED ENV{CMAKE_BUILD_TYPE})
   set(CMAKE_BUILD_TYPE "Debug" CACHE STRING "default build type")
 endif()
 
+set(CODESIGN_IDENTITY "" CACHE STRING "Sets the macOS code signing identity. If set to something besides the empty string, then the dynamic libraries put into the hog files will be signed using this identity.")
+function (macos_sign target)
+  if(DEFINED CODESIGN_IDENTITY AND NOT "${CODESIGN_IDENTITY}" STREQUAL "")
+    message(STATUS "Code signing ${target}")
+    add_custom_command(TARGET ${target} POST_BUILD
+            COMMAND codesign --verbose --sign "${CODESIGN_IDENTITY}" --force --timestamp --deep -o runtime $<TARGET_FILE:${target}>)
+  endif()
+endfunction()
+
 # toolchain setup for vcpkg must be done before the 'project' call
 set(USE_VCPKG "DEFAULT" CACHE STRING "Use vcpkg for dependency management. DEFAULT defers to existence of $VCPKG_ROOT environment variable.")
 set_property(CACHE USE_VCPKG PROPERTY STRINGS "DEFAULT" "ON" "OFF")

USAGE.md

@@ -63,12 +63,7 @@ conflicts.
     - On Linux, `cd` to `D3-open-source` and run `./Descent3`. Wayland users
       may need to set environment variable `SDL_VIDEODRIVER=wayland` before
       launching the game.
-    - On macOS, the `.app` bundle is currently not signed, so your operating
-      system will not let you run it by double-clicking it. To remediate that,
-      open your terminal and `cd` to `D3-open-source`. Run
-      `xattr -c ./Descent3.app`, `xattr -c ./netgames/*`,
-      `chmod +x ./Descent3.app/Contents/MacOS/Descent3`, and then run the game
-      using `./Descent3.app/Contents/MacOS/Descent3`
+    - On macOS, open the terminal, `cd` to `D3-open-source`, and run `./Descent3.app/Contents/MacOS/Descent3`.
 
 ## Troubleshooting
 

netcon/descent3onlineclient/CMakeLists.txt

@@ -27,6 +27,7 @@ target_link_libraries(Descent3_Online_TCP_IP PRIVATE
 target_include_directories(Descent3_Online_TCP_IP PRIVATE ${SDL3_INCLUDE_DIRS})
 if(CMAKE_SYSTEM_NAME STREQUAL "Darwin")
   set_target_properties(Descent3_Online_TCP_IP PROPERTIES SUFFIX ".dylib")
+  macos_sign(Descent3_Online_TCP_IP)
 endif()
 
 include(HogMaker)

netcon/lanclient/CMakeLists.txt

@@ -19,6 +19,7 @@ target_link_libraries(Direct_TCP_IP PRIVATE
 target_include_directories(Direct_TCP_IP PRIVATE ${SDL3_INCLUDE_DIRS})
 if(CMAKE_SYSTEM_NAME STREQUAL "Darwin")
   set_target_properties(Direct_TCP_IP PROPERTIES SUFFIX ".dylib")
+  macos_sign(Direct_TCP_IP)
 endif()
 
 include(HogMaker)

netcon/mtclient/CMakeLists.txt

@@ -29,6 +29,7 @@ target_link_libraries(Parallax_Online PRIVATE
 target_include_directories(Parallax_Online PRIVATE ${SDL3_INCLUDE_DIRS})
 if(CMAKE_SYSTEM_NAME STREQUAL "Darwin")
   set_target_properties(Parallax_Online PROPERTIES SUFFIX ".dylib")
+  macos_sign(Parallax_Online)
 endif()
 
 include(HogMaker)

scripts/CMakeLists.txt

@@ -87,6 +87,7 @@ foreach(SCRIPT ${SCRIPTS})
   set_target_properties(${SCRIPT} PROPERTIES CXX_VISIBILITY_PRESET "hidden")
   if(CMAKE_SYSTEM_NAME STREQUAL "Darwin")
     set_target_properties(${SCRIPT} PROPERTIES SUFFIX ".dylib")
+    macos_sign(${SCRIPT})
   endif()
 endforeach()