ci: Notarize disk image instead of .zip (#7718)

Rather than notarizing the embedded app, the `notarytool` supports notarizing the entire disk image instead which will recursively notarize relevant binaries inside.
2026-01-27 18:18:55 +00:00 · 2025-01-09 15:24:25 -08:00
parent 216ca9b8bc
commit 4eb8a5b9be
1 changed files with 25 additions and 23 deletions
--- a/scripts/build/macos-standalone.sh
+++ b/scripts/build/macos-standalone.sh
@@ -49,29 +49,6 @@ xcodebuild build \
    -sdk macosx \
    -destination 'platform=macOS'

-# Notarize app before embedding within disk image
-if [ "$notarize" = "true" ]; then
-    # Notary service expects a single file, not app bundle
-    ditto -c -k "$temp_dir/Firezone.app" "$temp_dir/Firezone.zip"
-
-    private_key_path="$temp_dir/firezone-api-key.p8"
-    base64_decode "$API_KEY" "$private_key_path"
-
-    # Submit app bundle to be notarized. Can take a few minutes.
-    # Notarizes embedded app bundle as well.
-    xcrun notarytool submit "$temp_dir/Firezone.zip" \
-        --key "$private_key_path" \
-        --key-id "$API_KEY_ID" \
-        --issuer "$ISSUER_ID" \
-        --wait
-
-    # Clean up private key
-    rm "$private_key_path"
-
-    # Staple notarization ticket to app bundle
-    xcrun stapler staple "$temp_dir/Firezone.app"
-fi
-
 # Create disk image
 mkdir -p "$dmg_dir/.background"
 mv "$temp_dir/Firezone.app" "$dmg_dir/Firezone.app"
@@ -121,6 +98,31 @@ codesign --force --sign "$codesign_identity" "$dmg_path"

 echo "Disk image created at $dmg_path"

+# Notarize disk image; notarizes embedded app bundle as well
+if [ "$notarize" = "true" ]; then
+    private_key_path="$temp_dir/firezone-api-key.p8"
+    base64_decode "$API_KEY" "$private_key_path"
+
+    # Submit app bundle to be notarized. Can take a few minutes.
+    # Notarizes embedded app bundle as well.
+    xcrun notarytool submit "$dmg_path" \
+        --key "$private_key_path" \
+        --key-id "$API_KEY_ID" \
+        --issuer "$ISSUER_ID" \
+        --wait
+
+    # Clean up private key
+    rm "$private_key_path"
+
+    # Staple notarization ticket to app bundle
+    xcrun stapler staple "$dmg_path"
+
+    # Verify notarization
+    xcrun stapler validate "$dmg_path"
+
+    echo "Disk image notarized!"
+fi
+
 # Move to final location the uploader expects
 if [[ -n "${ARTIFACT_PATH:-}" ]]; then
    mv "$dmg_path" "$ARTIFACT_PATH"