From 3c239bc775940d093ac137a123c4d47449eb27dc Mon Sep 17 00:00:00 2001
From: ann0see <20726856+ann0see@users.noreply.github.com>
Date: Wed, 24 Aug 2022 09:09:21 +0200
Subject: [PATCH] Mac: Enable signing with self signed cert
Co-authored-by: Christian Hoffmann
---
 .github/autobuild/mac.sh | 33 +++++++++++++++++++++++++++++++--
 .github/workflows/autobuild.yml | 8 +++++---
 2 files changed, 36 insertions(+), 5 deletions(-)
diff --git a/.github/autobuild/mac.sh b/.github/autobuild/mac.sh
index 488859ee8f..01f22cd937 100755
--- a/.github/autobuild/mac.sh
+++ b/.github/autobuild/mac.sh
@@ -41,14 +41,27 @@ prepare_signing() {
 [[ -n "${MACOS_CERTIFICATE:-}" ]] || return 1
 [[ -n "${MACOS_CERTIFICATE_ID:-}" ]] || return 1
 [[ -n "${MACOS_CERTIFICATE_PWD:-}" ]] || return 1
- [[ -n "${NOTARIZATION_PASSWORD:-}" ]] || return 1
 [[ -n "${KEYCHAIN_PASSWORD:-}" ]] || return 1
+ # Check for notarization (not wanted on self signed build)
+ if [[ -z "${NOTARIZATION_PASSWORD}" ]]; then
+ echo "Notarization password not found or empty. This suggests we might run a self signed build."
+ if [[ -z "${MACOS_CA_PUBLICKEY}" ]]; then
+ echo "Warning: The CA public key wasn't set or is empty. Skipping signing."
+ return 1
+ fi
+ fi
+
 echo "Signing was requested and all dependencies are satisfied"
 # Put the cert to a file
 echo "${MACOS_CERTIFICATE}" | base64 --decode > certificate.p12
+ # If set, put the CA public key into a file
+ if [[ -n "${MACOS_CA_PUBLICKEY}" ]]; then
+ echo "${MACOS_CA_PUBLICKEY}" | base64 --decode > CA.cer
+ fi
+
 # Set up a keychain for the build:
 security create-keychain -p "${KEYCHAIN_PASSWORD}" build.keychain
 security default-keychain -s build.keychain
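Review bot: The two new guards test `"${NOTARIZATION_PASSWORD}"` and `"${MACOS_CA_PUBLICKEY}"` without the `:-` default that the neighbouring `[[ -n "${…:-}" ]]` checks use, so if the script runs under `set -u` (not visible in this hunk) an unset variable aborts prepare_signing with an unbound-variable error instead of reaching the self-signed branch or the `return 1`. Change them to `if [[ -z "${NOTARIZATION_PASSWORD:-}" ]]; then` and `if [[ -z "${MACOS_CA_PUBLICKEY:-}" ]]; then`; the `[[ -n "${MACOS_CA_PUBLICKEY}" ]]` tests later in this hunk and in the next one have the same gap. It would also help to state in the comment which input combinations are accepted, e.g. `# self signed build: no notarization password, CA public key required`, since the empty-password path otherwise continues with only an informational echo. prepare_signing starts before this hunk and continues past it.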
@@ -58,8 +71,24 @@ prepare_signing() {
 security import certificate.p12 -k build.keychain -P "${MACOS_CERTIFICATE_PWD}" -T /usr/bin/codesign
 security set-key-partition-list -S apple-tool:,apple:,codesign: -s -k "${KEYCHAIN_PASSWORD}" build.keychain
- # Tell Github Workflow that we need notarization & stapling:
+ # Tell Github Workflow that we want signing
 echo "macos_signed=true" >> "$GITHUB_OUTPUT"
+
+ # If set, import CA key to allow self signed key
+ if [[ -n "${MACOS_CA_PUBLICKEY}" ]]; then
+ # bypass any GUI related trusting prompt (https://developer.apple.com/forums/thread/671582)
+ echo "Importing development only CA"
+ # shellcheck disable=SC2024
+ sudo security authorizationdb read com.apple.trust-settings.admin > rights
+ sudo security authorizationdb write com.apple.trust-settings.admin allow
+ sudo security add-trusted-cert -d -r trustRoot -k "build.keychain" CA.cer
+ # shellcheck disable=SC2024
+ sudo security authorizationdb write com.apple.trust-settings.admin < rights
+ else
+ # Tell Github Workflow that we need notarization & stapling (non self signed build)
+ echo "macos_notarize=true" >> "$GITHUB_OUTPUT"
+ fi
+
 return 0
 }
diff --git a/.github/workflows/autobuild.yml b/.github/workflows/autobuild.yml
index 3640bcef1c..8b9d07adbd 100644
--- a/.github/workflows/autobuild.yml
+++ b/.github/workflows/autobuild.yml
@@ -365,7 +365,7 @@ jobs:
 MACOS_CERTIFICATE_ID: ${{ secrets.MACOS_CERT_ID }}
 NOTARIZATION_PASSWORD: ${{ secrets.NOTARIZATION_PASSWORD }}
 KEYCHAIN_PASSWORD: ${{ secrets.KEYCHAIN_PASSWORD }}
-
+ MACOS_CA_PUBLICKEY: ${{ secrets.MACOS_CA_PUBKEY }}
 - name: Post-Build for ${{ matrix.config.config_name }}
 id: get-artifacts
 run: ${{ matrix.config.base_command }} get-artifacts
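Review bot: If `security add-trusted-cert` fails, `com.apple.trust-settings.admin` is left at `allow`, because the restore from `rights` is simply the next statement and does not run when the script exits on the error (or the function returns early); the saved rights should be written back on every path before the function acts on the import result. The rewrite below captures the import status, always restores `rights`, and only then returns. Separately, `macos_notarize=true` is emitted only in the `else` branch, so a run that supplies both `NOTARIZATION_PASSWORD` and `MACOS_CA_PUBLICKEY` is signed with the development CA and skips notarization with no message saying so; an explicit echo of the branch taken (or rejecting that combination up front) would make the outcome visible in the workflow log. prepare_signing starts before this hunk.
```shell
        sudo security authorizationdb write com.apple.trust-settings.admin allow
        local rv=0
        sudo security add-trusted-cert -d -r trustRoot -k "build.keychain" CA.cer || rv=$?
        # restore the saved rights before acting on the import result
        # shellcheck disable=SC2024
        sudo security authorizationdb write com.apple.trust-settings.admin < rights
        (( rv == 0 )) || return "$rv"
```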
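Review bot: The environment variable is named `MACOS_CA_PUBLICKEY` while the secret it reads is `MACOS_CA_PUBKEY`; the mismatch is easy to misconfigure, and because an unset secret expands to an empty string the build script then either continues on the notarized path or, with no notarization password, skips signing, without indicating that the CA key itself was missing. If the repository secret can be renamed, use `MACOS_CA_PUBLICKEY: ${{ secrets.MACOS_CA_PUBLICKEY }}`; otherwise a short comment next to the line, such as `# optional: base64 CA certificate for self signed builds (see .github/autobuild/mac.sh)`, records the relation.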
@@ -394,7 +394,8 @@ jobs:
 - name: Notarize macOS Release Build
 if: >-
 steps.build.outputs.macos_signed == 'true' &&
- needs.create_release.outputs.publish_to_release == 'true'
+ needs.create_release.outputs.publish_to_release == 'true' &&
+ steps.build.outputs.macos_notarize == 'true'
 id: notarize-macOS-app
 uses: devbotsxyz/xcode-notarize@d7219e1c390b47db8bab0f6b4fc1e3b7943e4b3b
 with:
@@ -406,7 +407,8 @@ jobs:
 - name: Staple macOS Release Build
 if: >-
 steps.build.outputs.macos_signed == 'true' &&
- needs.create_release.outputs.publish_to_release == 'true'
+ needs.create_release.outputs.publish_to_release == 'true' &&
+ steps.build.outputs.macos_notarize == 'true'
 id: staple-macOS-app
 uses: devbotsxyz/xcode-staple@ae68b22ca35d15864b7f7923e1a166533b2944bf
 with: