Add DeveloperID certificate and improve macOS signing script

Use keychain option for codesign and restore login keychain to list
after signing

deploy/build_macos.sh

@@ -83,7 +83,7 @@ cp "$DEPLOY_DATA_DIR/$PLIST_NAME" "$BUNDLE_DIR/Contents/Resources/$PLIST_NAME"
 security find-identity -p codesigning || true
 
   echo "Signing App bundle..."
-  /usr/bin/codesign --deep --force --verbose --timestamp -o runtime --sign "$MAC_SIGNER_ID" "$BUNDLE_DIR"
+  /usr/bin/codesign --deep --force --verbose --timestamp -o runtime --keychain "$KEYCHAIN_PATH" --sign "$MAC_SIGNER_ID" "$BUNDLE_DIR"
   /usr/bin/codesign --verify -vvvv "$BUNDLE_DIR" || true
   spctl -a -vvvv "$BUNDLE_DIR" || true
 
@@ -213,4 +213,13 @@ if [ "${MAC_CERT_PW+x}" ]; then
   spctl -a -vvvv "$FINAL_PKG" || true
 fi
 
+# Sign app bundle
+/usr/bin/codesign --deep --force --verbose --timestamp -o runtime --keychain "$KEYCHAIN_PATH" --sign "$MAC_SIGNER_ID" "$BUNDLE_DIR"
+spctl -a -vvvv "$BUNDLE_DIR" || true
+
+# Add login keychain back to list and set as default
+KEYCHAIN="$HOME/Library/Keychains/login.keychain-db"
+security list-keychains -d user -s "$KEYCHAIN" "$KEYCHAIN_PATH" "$(security list-keychains -d user | tr '\n' ' ')"
+security list-keychains -d user -s "$KEYCHAIN"
+
 echo "Finished, artifact is $FINAL_PKG"