From 11b6c52395ca156a51dc1f3b4a002eefe323cdea Mon Sep 17 00:00:00 2001
From: Zui Young
Date: Tue, 13 Aug 2024 15:10:54 +0800
Subject: [PATCH] auto sign binaries (macos) (#391)
* Use find tool to find binaries that need signing
* Check if binary is indeed signed before
---
 .github/workflows/image.yml | 25 ++++++++++++++++++++++++-
 1 file changed, 24 insertions(+), 1 deletion(-)
diff --git a/.github/workflows/image.yml b/.github/workflows/image.yml
index f5168535..2b9f2740 100644
--- a/.github/workflows/image.yml
+++ b/.github/workflows/image.yml
@@ -69,7 +69,30 @@ jobs:
 - name: Install Purple dependencies for MacOS
 run: |
 ./install_purple_dependencies.command
-
+
+ - name: Sign required binaries for MacOS
+ run: |
+ # Find a valid signing certificate in your keychain
+ CERTIFICATE=$(security find-identity -v -p codesigning -s - | tail -n +2 | grep -o '"[^"]*"' | sed 's/"//g')
+
+ # Paths to the binaries you want to sign
+ BINARIES=($(find . -type f -perm +111 ! -path "*.framework/*" ! -path "*.dSYM/*"))
+
+ # Loop through the binary paths and sign each one with a secure timestamp
+ for binary in "${BINARIES[@]}"; do
+ # Check if the binary is already signed
+ if codesign -v "$binary" &>/dev/null; then
+ echo "Already signed: $binary"
+ else
+ codesign --timestamp -s "$CERTIFICATE" "$binary"
+ if [ $? -eq 0 ]; then
+ echo "Successfully signed (with secure timestamp): $binary"
+ else
+ echo "Failed to sign: $binary"
+ fi
+ fi
+ done
+
 - name: Zip entire Purple folder (Mac)
 run: |
 zip purple-a11y-portable-mac.zip -y -r ./
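Review bot: The signing step never checks that `$CERTIFICATE` is non-empty, and a `codesign` failure is only echoed as "Failed to sign". Whether an unsigned binary can reach the following zip step therefore depends on the runner shell's errexit setting, which this hunk does not show. If errexit is on, the `$?` test and its else branch are unreachable; if it is off, the step finishes green with unsigned files. The skip test `codesign -v "$binary"` only shows that some valid signature exists, which I would expect to include ad-hoc ones, so "Already signed" does not mean signed with this identity. `BINARIES=($(find …))` also word-splits, so a path containing whitespace is passed to `codesign` in pieces. I would make the failure explicit and read the `find` output NUL-delimited, as sketched below.

```yaml
# … unchanged: CERTIFICATE lookup …
[ -n "$CERTIFICATE" ] || { echo "No codesigning identity found" >&2; exit 1; }

failed=0
while IFS= read -r -d '' binary; do
  if codesign -v "$binary" &>/dev/null; then
    echo "Already signed: $binary"
  elif codesign --timestamp -s "$CERTIFICATE" "$binary"; then
    echo "Successfully signed (with secure timestamp): $binary"
  else
    echo "Failed to sign: $binary" >&2
    failed=1
  fi
done < <(find . -type f -perm +111 ! -path "*.framework/*" ! -path "*.dSYM/*" -print0)
# Fail the step so unsigned binaries are never zipped and published.
[ "$failed" -eq 0 ] || exit 1
```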