From c877bfe88616ba9ae294763877091af1606c3418 Mon Sep 17 00:00:00 2001
From: David Wendt
Date: Fri, 18 Mar 2022 19:28:01 -0600
Subject: [PATCH] build: Add a workflow for signing the app bundle with a set of entitlements
---
 .github/workflows/release_nightly.yml | 15 +++++++++++++++
 desktop/assets/macOSEntitlements.plist | 5 +++++
 2 files changed, 20 insertions(+)
 create mode 100644 desktop/assets/macOSEntitlements.plist
diff --git a/.github/workflows/release_nightly.yml b/.github/workflows/release_nightly.yml
index 9c8758f7e..2b9581d92 100644
--- a/.github/workflows/release_nightly.yml
+++ b/.github/workflows/release_nightly.yml
@@ -204,6 +204,21 @@ jobs:
 mkdir package/Ruffle.app/Contents/Resources
 xcrun actool --compile package/Ruffle.app/Contents/Resources desktop/assets/Assets.xcassets --minimum-deployment-target 10.0 --platform macosx --warnings --errors --notices --include-all-app-icons
 
+ - name: Sign bundle
+ continue-on-error: true
+ env:
+ APPLE_DEVELOPER_KEY: ${{ secrets.APPLE_DEVELOPER_KEY }}
+ APPLE_DEVELOPER_KEY_PASSWORD: ${{ secrets.APPLE_DEVELOPER_KEY_PASSWORD }}
+ run: |
+ echo $APPLE_DEVELOPER_KEY | base64 -decode > certificate.p12
+ security create-keychain -p correct-horse-battery-staple build.keychain
+ security default-keychain -s build.keychain
+ security unlock-keychain -p correct-horse-battery-staple build.keychain
+ security import certificate.p12 -k build.keychain -P $APPLE_DEVELOPER_KEY_PASSWORD -T /usr/bin/codesign
+ security set-key-partition-list -S apple-tool:,apple:,codesign: -s -k correct-horse-battery-staple build.keychain
+ codesign -s ${{ secrets.APPLE_DEVELOPER_IDENTITY }} -f --entitlements desktop/assets/macOSEntitlements.plist package/Ruffle.app
+ codesign --verify -vvvv package/Ruffle.app
+
 - name: Package macOS
 run: |
 # We must enter the package/ directory in order to create a flat tarball (i.e. without a directory in it).
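Review bot: The `run` script of the added Sign bundle step expands its secrets unquoted and splices `${{ secrets.APPLE_DEVELOPER_IDENTITY }}` directly into the shell text, so a value containing spaces or shell metacharacters is word-split or re-parsed by the shell; passing the identity through `env:` and double-quoting all three variables avoids that. `base64 -decode` has a single dash and looks like a typo for `--decode`; because the step sets `continue-on-error: true`, a failure there would, as far as the hunk shows, only leave the nightly unsigned without failing the job, so it is worth confirming that this is intended. The decoded `certificate.p12` is written into the workspace and never removed; the sketch below writes it under `$RUNNER_TEMP` and deletes it right after import. The job definition and the later steps lie outside the hunk.

```yaml
        env:
          # … unchanged: APPLE_DEVELOPER_KEY, APPLE_DEVELOPER_KEY_PASSWORD …
          APPLE_DEVELOPER_IDENTITY: ${{ secrets.APPLE_DEVELOPER_IDENTITY }}
        run: |
          echo "$APPLE_DEVELOPER_KEY" | base64 --decode > "$RUNNER_TEMP/certificate.p12"
          # … unchanged: create-keychain, default-keychain, unlock-keychain …
          security import "$RUNNER_TEMP/certificate.p12" -k build.keychain -P "$APPLE_DEVELOPER_KEY_PASSWORD" -T /usr/bin/codesign
          rm -f "$RUNNER_TEMP/certificate.p12"
          # … unchanged: set-key-partition-list …
          codesign -s "$APPLE_DEVELOPER_IDENTITY" -f --entitlements desktop/assets/macOSEntitlements.plist package/Ruffle.app
          # … unchanged: codesign --verify …
```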
diff --git a/desktop/assets/macOSEntitlements.plist b/desktop/assets/macOSEntitlements.plist
new file mode 100644
index 000000000..58f9cad35
--- /dev/null
+++ b/desktop/assets/macOSEntitlements.plist
@@ -0,0 +1,5 @@
+
+
+
+
+
\ No newline at end of file