Feature: Sign macOS builds

.github/workflows/release.yml

@@ -420,6 +420,16 @@ jobs:
     - name: Install GCC problem matcher
       uses: ammaraskar/gcc-problem-matcher@master
 
+    - name: Import code signing certificates
+      uses: Apple-Actions/import-codesign-certs@v1
+      with:
+        # The certificates in a PKCS12 file encoded as a base64 string
+        p12-file-base64: ${{ secrets.APPLE_DEVELOPER_CERTIFICATE_P12_BASE64 }}
+        # The password used to import the PKCS12 file.
+        p12-password: ${{ secrets.APPLE_DEVELOPER_CERTIFICATE_PASSWORD }}
+      # If this is run on a fork, there may not be a certificate set up - continue in this case
+      continue-on-error: true
+
     - name: Build
       run: |
         mkdir build
@@ -432,6 +442,8 @@ jobs:
           -DCMAKE_TOOLCHAIN_FILE=/tmp/vcpkg/scripts/buildsystems/vcpkg.cmake \
           -DHOST_BINARY_DIR=${GITHUB_WORKSPACE}/build-host \
           -DCMAKE_BUILD_TYPE=RelWithDebInfo \
+          -DCPACK_BUNDLE_APPLE_CERT_APP=${{ secrets.APPLE_DEVELOPER_CERTIFICATE_ID }} \
+          "-DCPACK_BUNDLE_APPLE_CODESIGN_PARAMETER=--deep -f --options runtime" \
           # EOF
         echo "::endgroup::"
 
@@ -440,9 +452,21 @@ jobs:
         make -j$(sysctl -n hw.logicalcpu) package
         echo "::endgroup::"
 
-        # Remove the sha256 files CPack generates; we will do this ourself at
-        # the end of this workflow.
-        rm -f bundles/*.sha256
+    - name: Install gon
+      env:
+        HOMEBREW_NO_AUTO_UPDATE: 1
+        HOMEBREW_NO_INSTALL_CLEANUP: 1
+      run: |
+        brew tap mitchellh/gon
+        brew install mitchellh/gon/gon
+
+    - name: Notarize
+      env:
+        AC_USERNAME: ${{ secrets.APPLE_DEVELOPER_APP_USERNAME }}
+        AC_PASSWORD: ${{ secrets.APPLE_DEVELOPER_APP_PASSWORD }}
+      run: |
+        cd build
+        ../os/macosx/notarize.sh
 
     - name: Store bundles
       uses: actions/upload-artifact@v2