kiwix-build/.github
renaud gaudin ea55cac32d Fixed #469: Notarizing libzim release for macOS
This adds the notarization (see #469) of the libzim binary for macOS during the build.
It is not dependent on RELEASE so it benefits all builds.

It basically does two things:
- sign the build with our Developer ID certificate from Apple.
- Request notarization from Apple for the binary.
At the moment, it concerns only libzim. Might expand that to libkiwix and the zim/kiwix tools
once we start releasing those.

Github Actions prepare the certificate and environment, and signing+request is done in `notarize_macos_build()` (common.py)

It required the following new secrets:

| secret | value |
|---|---|
| `APPLE_SIGNING_CERTIFICATE` | base64 of the P12 certificate |
| `APPLE_SIGNING_P12_PASSWORD` | password for the P12 certificate (we chose that when exporting to P12. Apple doesn't provide P12) |
| `APPLE_SIGNING_IDENTITY`| Common name of our certificate. Not a private info but seems better suited there than in the CI |
| `APPLE_SIGNING_TEAM`| Apple Developer Team ID (mentioned in the signing identity) |
| `APPLE_SIGNING_ALTOOL_PASSWORD`| app-specific password created to request notarization |
| `APPLE_SIGNING_ALTOOL_USERNAME`| username associated with the app-specific password. Must be an Apple ID with perms on the Certificate. Currently mine. |
2021-02-09 13:30:24 +00:00
..
ci_images Build the base deps on bionics also. 2020-06-09 11:37:56 +02:00
scripts Fixed #469: Notarizing libzim release for macOS 2021-02-09 13:30:24 +00:00
workflows Fixed #469: Notarizing libzim release for macOS 2021-02-09 13:30:24 +00:00
FUNDING.yml Github Kiwix Sponsoring page link 2020-02-01 17:55:53 +01:00
move.yml Add configs for two Github bots 2019-12-14 15:12:31 +01:00
stale.yml Add configs for two Github bots 2019-12-14 15:12:31 +01:00