From 76361b0cbf5af400b05c81ab1edac2bc6b1b5f73 Mon Sep 17 00:00:00 2001
From: Tom Dewey
Date: Wed, 4 Sep 2024 13:29:20 +0100
Subject: [PATCH] CMake: macOS: Reintroduce automated notarisation
---
 src/CMakeLists.txt | 34 ++++++++++++++++++++++++++++++++--
 1 file changed, 32 insertions(+), 2 deletions(-)
diff --git a/src/CMakeLists.txt b/src/CMakeLists.txt
index a328f5b..232a35e 100644
--- a/src/CMakeLists.txt
+++ b/src/CMakeLists.txt
@@ -29,6 +29,8 @@ endif()
 if (APPLE)
 set(IMAGER_SIGNED_APP OFF CACHE BOOL "Perform singing of the Imager .app as part of the build")
 set(IMAGER_SIGNING_IDENTITY "" CACHE STRING "The Developer Identity to use for signing.")
+ set(IMAGER_NOTARIZE_APP OFF CACHE BOOL "Perform notarization of the Imager .dmg as part of the build")
+ set(IMAGER_NOTARIZE_KEYCHAIN_PROFILE "" CACHE STRING "The name of the Keychain item containing your notarization credentials")
 endif(APPLE)
 ## Preferentially build the bundled code. Full vendoring is to follow in a later version.
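Review bot: `IMAGER_NOTARIZE_APP` is only consulted inside the `if(IMAGER_SIGNED_APP)` / `if(IMAGER_SIGNING_IDENTITY)` branch added by the second hunk, so configuring with it ON while signing is OFF is accepted without any diagnostic. The `else` side of `if(IMAGER_SIGNED_APP)` lies outside the visible lines, but nothing shown there would submit the .dmg, so a release job that sets only the notarise flag would presumably ship an un-notarised image without noticing. Consider failing at configure time next to these options with `if(IMAGER_NOTARIZE_APP AND NOT IMAGER_SIGNED_APP)`, `message(FATAL_ERROR "Notarization requires IMAGER_SIGNED_APP and IMAGER_SIGNING_IDENTITY")`, `endif()`. The help string of `IMAGER_NOTARIZE_APP` should also say that it depends on signing being enabled.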
@@ -392,10 +394,38 @@ elseif(APPLE)
 if(IMAGER_SIGNED_APP)
 if(IMAGER_SIGNING_IDENTITY)
- # Sign, but don't notarize
+ # Create the .app, leveraging macdeployqt's knowledge of Qt libraries and configuration files
 add_custom_command(TARGET ${PROJECT_NAME}
 POST_BUILD
- COMMAND "${MACDEPLOYQT_EXECUTABLE}" "${CMAKE_BINARY_DIR}/${PROJECT_NAME}.app" -qmldir="${CMAKE_CURRENT_SOURCE_DIR}" -sign-for-notarization="${IMAGER_SIGNING_IDENTITY}" -dmg)
+ COMMAND "${MACDEPLOYQT_EXECUTABLE}" "${CMAKE_BINARY_DIR}/${PROJECT_NAME}.app" -qmldir="${CMAKE_CURRENT_SOURCE_DIR}")
+ # Sign the .app.
+ add_custom_command(TARGET ${PROJECT_NAME}
+ POST_BUILD
+ COMMAND codesign -f --deep --digest-algorithm=sha1,sha256 -o runtime --timestamp -s "${IMAGER_SIGNING_IDENTITY}" "${CMAKE_BINARY_DIR}/${PROJECT_NAME}.app")
+
+ # Create the .dmg for distribution
+ add_custom_command(TARGET ${PROJECT_NAME}
+ POST_BUILD
+ COMMAND hdiutil create -volname "Raspberry Pi Imager" -srcfolder "${CMAKE_BINARY_DIR}/${PROJECT_NAME}.app" -ov -format UDBZ "${CMAKE_BINARY_DIR}/${PROJECT_NAME}.dmg")
+
+ # Sign the .dmg for distribution, but do not initialise notarisation
+ add_custom_command(TARGET ${PROJECT_NAME}
+ POST_BUILD
+ COMMAND codesign -f --digest-algorithm=sha1,sha256 -o runtime --timestamp -s "${IMAGER_SIGNING_IDENTITY}" "${CMAKE_BINARY_DIR}/${PROJECT_NAME}.dmg")
+
+ if(IMAGER_NOTARIZE_APP)
+ if(IMAGER_NOTARIZE_KEYCHAIN_PROFILE)
+ add_custom_command(TARGET ${PROJECT_NAME}
+ POST_BUILD
+ COMMAND xcrun notarytool submit "${CMAKE_BINARY_DIR}/${PROJECT_NAME}.dmg" --wait --keychain-profile "${IMAGER_NOTARIZE_KEYCHAIN_PROFILE}")
+ add_custom_command(TARGET ${PROJECT_NAME}
+ POST_BUILD
+ COMMAND xcrun stapler staple "${CMAKE_BINARY_DIR}/${PROJECT_NAME}.dmg")
+ else()
+ message(FATAL_ERROR "Notarization requested, but no keychain profile is supplied")
+ endif(IMAGER_NOTARIZE_KEYCHAIN_PROFILE)
+
+ endif(IMAGER_NOTARIZE_APP)
 else()
 message(FATAL_ERROR "Signing requested, but no signing identity provided")
 endif(IMAGER_SIGNING_IDENTITY)
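Review bot: None of the new `add_custom_command` calls pass `VERBATIM`, although `IMAGER_SIGNING_IDENTITY` and `IMAGER_NOTARIZE_KEYCHAIN_PROFILE` are free-form cache strings that land on the `codesign` and `xcrun notarytool` command lines. Signing identities commonly contain spaces and parentheses, and without `VERBATIM` CMake's argument escaping is platform-specific, so the value may be split or interpreted by the shell; adding `VERBATIM` after each `COMMAND ...` line avoids that. Separately, `codesign --deep` applies one set of signing options to all nested code, which Apple's guidance advises against for distribution signing. A `codesign --verify --deep --strict` step on the .app before `hdiutil create` would catch a bundle that did not sign cleanly before it is packaged and submitted. The enclosing `elseif(APPLE)` branch starts and ends outside the hunk.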