fix codesign for windows and macos

.github/workflows/ci-tests.yml

@@ -57,14 +57,6 @@ jobs:
         uses: arduino/setup-protoc@9b1ee5b22b0a3f1feb8c2ff99b32c89b3c3191e9 # v2.0.0
         with:
           repo-token: ${{ secrets.GITHUB_TOKEN }}
-        if: contains(fromJSON('["Linux", "macOS"]'), runner.os)
-
-      # Workaround to resolve https://github.com/arduino/setup-protoc/issues/86
-      - name: Install Protoc
-        uses: arduino/setup-protoc@149f6c87b92550901b26acd1632e11c3662e381f # v1.3.0
-        with:
-          repo-token: ${{ secrets.GITHUB_TOKEN }}
-        if: runner.os == 'Windows'
 
       # Workaround to resolve link error with C:\msys64\mingw64\bin\libclang.dll
       - name: Remove msys64

.github/workflows/release.yml

@@ -75,14 +75,6 @@ jobs:
         uses: arduino/setup-protoc@9b1ee5b22b0a3f1feb8c2ff99b32c89b3c3191e9 # v2.0.0
         with:
           repo-token: ${{ secrets.GITHUB_TOKEN }}
-        if: contains(fromJSON('["Linux", "macOS"]'), runner.os)
-
-      # Workaround to resolve https://github.com/arduino/setup-protoc/issues/86
-      - name: Install Protoc
-        uses: arduino/setup-protoc@149f6c87b92550901b26acd1632e11c3662e381f # v1.3.0
-        with:
-          repo-token: ${{ secrets.GITHUB_TOKEN }}
-        if: runner.os == 'Windows'
 
       # Workaround to resolve link error with C:\msys64\mingw64\bin\libclang.dll
       - name: Remove msys64
@@ -109,7 +101,7 @@ jobs:
           command: build
           args: --locked -Z build-std --target ${{ matrix.build.target }} --profile aarch64linux --bin subspace-cli
 
-      - name: Sign Application (macOS)
+      - name: Sign and Notarize Application (macOS)
         run: |
           echo "Importing certificate"
           echo "${{ secrets.MACOS_CERTIFICATE }}" | base64 --decode > certificate.p12
@@ -125,16 +117,35 @@ jobs:
           cp ${{ matrix.build.production_target }}/subspace-cli ${{ matrix.build.production_target }}/macos-binaries
           ditto -c -k --rsrc ${{ matrix.build.production_target }}/macos-binaries subspace-binaries.zip
           echo "Notarizing"
-          xcrun altool --notarize-app --primary-bundle-id binaries-${{ github.ref_name }} --username "${{ secrets.MACOS_APPLE_ID}}" --password "${{ secrets.MACOS_APP_PASSWORD }}" --file subspace-binaries.zip
-          # echo "Stapling farmer"
-          # xcrun stapler staple ${{ matrix.build.production_target }}/subspace-cli
+          curl -sL https://github.com/mitchellh/gon/releases/download/v0.2.5/gon_macos.zip -o gon.zip
+          unzip gon.zip -d .
+          cat << EOF > gon.hcl
+          source = ["subspace-binaries.zip"]
+          bundle_id = "${{ secrets.MACOS_BUNDLE_ID }}"
+          sign {
+            application_identity = "${{ secrets.MACOS_IDENTITY }}"
+          }
+          apple_id {
+              username = "${{ secrets.MACOS_APPLE_ID }}"
+              password = "${{ secrets.MACOS_APP_PASSWORD }}"
+          }
+          EOF
+          ./gon -log-level=info -log-json gon.hcl
+
+          # Notarize the ZIP using notarytool
+          xcrun notarytool submit subspace-binaries.zip --apple-id "${{ secrets.MACOS_APPLE_ID }}" --password "${{ secrets.MACOS_APP_PASSWORD }}" --team-id "${{ secrets.MACOS_TEAM_ID }}" --wait
+
+          # // todo stapling for macOS artifacts
+          # Staple the zip package
+          # xcrun stapler staple subspace-binaries.zip
+
           echo "Done!"
         # Allow code signing to fail on non-release builds and in non-subspace repos (forks)
         continue-on-error: ${{ github.github.repository_owner != 'subspace' || github.event_name != 'push' || github.ref_type != 'tag' }}
         if: runner.os == 'macOS'
 
       - name: Sign Application (Windows)
-        uses: skymatic/code-sign-action@cfcc1c15b32938bab6dea25192045b6d2989e4d0 # @v1.1.0
+        uses: skymatic/code-sign-action@500ce4f8261ca9bd8f85978c1652b34fb511bdf4 # @v2.0.1
         with:
           certificate: "${{ secrets.WINDOWS_CERTIFICATE }}"
           password: "${{ secrets.WINDOWS_CERTIFICATE_PASSWORD }}"