From 21bf00d1df0285a2a74afcb3b6dd33070a7ea816 Mon Sep 17 00:00:00 2001
From: Tom Dewey <tom.dewey@raspberrypi.com>
Date: Thu, 15 Aug 2024 11:44:55 +0100
Subject: [PATCH] macOS: Parameterise signing, notarising

---
 src/CMakeLists.txt | 30 ++++++++++++++++++++++++++++++
 1 file changed, 30 insertions(+)

diff --git a/src/CMakeLists.txt b/src/CMakeLists.txt
index cb71384..2eeec1b 100644
--- a/src/CMakeLists.txt
+++ b/src/CMakeLists.txt
@@ -24,6 +24,15 @@ if (WIN32)
     set(MINGW64_ROOT "" CACHE PATH "Your MinGW64 root path, likely provided by QtCreator")
 endif()
 
+if (APPLE)
+    set(IMAGER_SIGNED_APP OFF CACHE BOOL "Perform singing of the Imager .app as part of the build")
+    set(IMAGER_SIGNING_IDENTITY "" CACHE STRING "The Developer Identity to use for signing.")
+    set(IMAGER_NOTARIZED_APP OFF CACHE BOOL "Perform notarization of the Imager .dmg for distribution outside of the App Store")
+    set(IMAGER_NOTARIZING_EMAIL "" CACHE STRING "The e-mail address to notarized the .dmg with")
+    set(IMAGER_NOTARIZING_APP_PASSWORD "" STRING "The application-specific Apple Password for notarizing the .dmg")
+    set(IMAGER_NOTARIZING_TEAM_ID "" CACHE STRING "The team identity to use for notarizing")
+endif(APPLE)
+
 ## Preferentially build the bundled code. Full vendoring is to follow in a later version.
 
 # Bundled liblzma
@@ -384,6 +393,27 @@ elseif(APPLE)
         POST_BUILD
         COMMAND "${MACDEPLOYQT}" "${CMAKE_BINARY_DIR}/${PROJECT_NAME}.app" -qmldir="${CMAKE_CURRENT_SOURCE_DIR}")
 
+    if(IMAGER_SIGNED_APP)
+        if(IMAGER_SIGNING_IDENTITY)
+            add_custom_command(TARGET ${PROJECT_NAME}
+                POST_BUILD
+                COMMAND codesign --deep --digest-algorithm=sha1,sha256 --force --verify --verbose --sign "${IMAGER_SIGNING_IDENTITY}" --options runtime "${CMAKE_BINARY_DIR}/${PROJECT_NAME}.app")
+            if(IMAGER_NOTARIZED_APP)
+                add_custom_command(TARGET ${PROJECT_NAME}
+                    POST_BUILD
+                    COMMAND create-dmg "${CMAKE_BINARY_DIR}/${PROJECT_NAME}.dmg" "${CMAKE_BINARY_DIR}/${PROJECT_NAME}.app")
+                add_custom_command(TARGET ${PROJECT_NAME}
+                    POST_BUILD
+                    COMMAND xcrun altool --notarize-app -t osx -f "${CMAKE_BINARY_DIR}/${PROJECT_NAME}.dmg" --primary-bundle-id="org.raspberrypi.imagingutility" -u "${IMAGER_NOTARIZING_EMAIL}" -p "${IMAGER_NOTARIZING_APP_PASSWORD}" -itc_provider "${IMAGER_NOTARIZING_TEAM_ID}")
+                add_custom_command(TARGET ${PROJECT_NAME}
+                    POST_BUILD
+                    COMMAND xcrun stapler staple "${CMAKE_BINARY_DIR}/${PROJECT_NAME}.dmg")
+            endif(IMAGER_NOTARIZED_APP)
+        else()
+            message(FATAL_ERROR "Signing requested, but no signing identity provided")
+        endif(IMAGER_SIGNING_IDENTITY)
+    endif(IMAGER_SIGNED_APP)
+
 else()
     # UNIX, Linux systems
     if (NOT CMAKE_CROSSCOMPILING)