From 703d9e1291eb9183d544d196eee240767616efd5 Mon Sep 17 00:00:00 2001
From: Yaroslav Yashin
Date: Tue, 8 Jul 2025 03:14:19 +0300
Subject: [PATCH 1/4] Fixing broken ci/cd for macos pkg bundle

---
 .github/workflows/deploy.yml | 16 +++++++++++++-
 deploy/build_macos.sh | 43 ++++++++++++++++++++++++++++++++----
 2 files changed, 54 insertions(+), 5 deletions(-)

diff --git a/.github/workflows/deploy.yml b/.github/workflows/deploy.yml
index 0c9dfb32..b4a7b07a 100644
--- a/.github/workflows/deploy.yml
+++ b/.github/workflows/deploy.yml
@@ -317,7 +317,21 @@ jobs:
 runs-on: macos-latest
 env:
- QT_VERSION: 6.8.0
+ QT_VERSION: 6.9.1
+
+ MAC_TEAM_ID: ${{ secrets.MAC_TEAM_ID }}
+
+ MAC_APP_CERT_CERT: ${{ secrets.MAC_APP_CERT_CERT }}
+ MAC_SIGNER_ID: ${{ secrets.MAC_SIGNER_ID }}
+ MAC_APP_CERT_PW: ${{ secrets.MAC_APP_CERT_PW }}
+
+ MAC_INSTALLER_SIGNER_CERT: ${{ secrets.MAC_INSTALLER_SIGNER_CERT }}
+ MAC_INSTALLER_SIGNER_ID: ${{ secrets.MAC_INSTALLER_SIGNER_ID }}
+ MAC_INSTALL_CERT_PW: ${{ secrets.MAC_INSTALL_CERT_PW }}
+
+ APPLE_DEV_EMAIL: ${{ secrets.APPLE_DEV_EMAIL }}
+ APPLE_DEV_PASSWORD: ${{ secrets.APPLE_DEV_PASSWORD }}
+
 PROD_AGW_PUBLIC_KEY: ${{ secrets.PROD_AGW_PUBLIC_KEY }}
 PROD_S3_ENDPOINT: ${{ secrets.PROD_S3_ENDPOINT }}
 DEV_AGW_PUBLIC_KEY: ${{ secrets.DEV_AGW_PUBLIC_KEY }}
diff --git a/deploy/build_macos.sh b/deploy/build_macos.sh
index 03f286fc..6bf41d96 100644
--- a/deploy/build_macos.sh
+++ b/deploy/build_macos.sh
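Review bot: The signing material added to the job-level `env:` block (MAC_APP_CERT_CERT, MAC_APP_CERT_PW, MAC_INSTALLER_SIGNER_CERT, MAC_INSTALL_CERT_PW, APPLE_DEV_PASSWORD and the related ids) is exported into the environment of every step of the job, not just the one that runs `deploy/build_macos.sh`, which as far as this series shows includes third-party actions such as the `actions/upload-artifact@v4` step in the third patch. Only the 'Build project' step needs these values, so moving them into that step's own `env:` narrows which code can read the private keys and the notarization password. The same job-level placement is repeated in the `@@ -255,6 +255,20 @@` hunk of the second patch. If other steps genuinely need a subset, keep only that subset at job level and note why in a comment above the block.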
@@ -71,11 +71,46 @@ cmake --build . --config release --target all
 KEYCHAIN_PATH="$PROJECT_DIR/mac_sign.keychain"
 trap 'echo "Cleaning up mac_sign.keychain..."; security delete-keychain "$KEYCHAIN_PATH" 2>/dev/null || true; rm -f "$KEYCHAIN_PATH" 2>/dev/null || true' EXIT
 KEYCHAIN=$(security default-keychain -d user | tr -d '"[:space:]"')
-security list-keychains -d user -s "$KEYCHAIN_PATH" "$KEYCHAIN" "$(security list-keychains -d user | tr '\n' ' ')"
-security create-keychain -p "" "$KEYCHAIN_PATH"
-security import "$DEPLOY_DIR/DeveloperIdApplicationCertificate.p12" -k "$KEYCHAIN_PATH" -P "$MAC_APP_CERT_PW" -T /usr/bin/codesign
-security import "$DEPLOY_DIR/DeveloperIdInstallerCertificate.p12" -k "$KEYCHAIN_PATH" -P "$MAC_INSTALL_CERT_PW" -T /usr/bin/codesign
+
+# Build a clean list of the *existing* user key-chains. The raw output of
+# security list-keychains -d user
+# looks roughly like:
+# " \"/Users/foo/Library/Keychains/login.keychain-db\"\n \"/Library/Keychains/System.keychain\""
+# Every entry is surrounded by quotes and indented with a few blanks. Feeding
+# that verbatim back to `security list-keychains -s` inside a single quoted
+# argument leads to one long, invalid path on some systems. We therefore strip
+# the quotes and rely on the shell to split the string on whitespace so that
+# each path becomes its own argument.
+
+read -ra EXISTING_KEYCHAINS <<< "$(security list-keychains -d user | tr -d '"')"
+
+security list-keychains -d user -s "$KEYCHAIN_PATH" "$KEYCHAIN" "${EXISTING_KEYCHAINS[@]}"
+KEYCHAIN_PWD="" # Empty password keeps things simple for CI jobs
+# Create, unlock and configure the temporary key-chain so that `codesign` can
+# access the imported identities without triggering interactive prompts.
+security create-keychain -p "$KEYCHAIN_PWD" "$KEYCHAIN_PATH"
+# Keep the key-chain unlocked for the duration of the job (6 hours is plenty).
+security set-keychain-settings -lut 21600 "$KEYCHAIN_PATH"
+security unlock-keychain -p "$KEYCHAIN_PWD" "$KEYCHAIN_PATH"
+
+# Import the signing certificates only when the corresponding passwords are
+# available in the environment. This allows the script to run in environments
+# where code-signing is intentionally turned off (e.g. CI jobs that just build
+# the artefacts without releasing them).
+
+if [ -n "${MAC_APP_CERT_PW-}" ]; then
+ security import "$DEPLOY_DIR/DeveloperIdApplicationCertificate.p12" \
+ -k "$KEYCHAIN_PATH" -P "$MAC_APP_CERT_PW" -A
+fi
+
+if [ -n "${MAC_INSTALL_CERT_PW-}" ]; then
+ security import "$DEPLOY_DIR/DeveloperIdInstallerCertificate.p12" \
+ -k "$KEYCHAIN_PATH" -P "$MAC_INSTALL_CERT_PW" -A
+fi
+
+# This certificate has no password.
 security import "$DEPLOY_DIR/DeveloperIDG2CA.cer" -k "$KEYCHAIN_PATH" -T /usr/bin/codesign
+
 security list-keychains -d user -s "$KEYCHAIN_PATH"
 echo "____________________________________"

From 577b2ec3c3ffdc5af4fd41c6e288af446b9d588c Mon Sep 17 00:00:00 2001
From: "vladimir.kuznetsov"
Date: Tue, 8 Jul 2025 12:03:45 +0800
Subject: [PATCH 2/4] chore: fix cert parsing

---
 .github/workflows/deploy.yml | 14 ++++++++++++++
 deploy/build_macos.sh | 2 ++
 2 files changed, 16 insertions(+)

diff --git a/.github/workflows/deploy.yml b/.github/workflows/deploy.yml
index b4a7b07a..a875b8a3 100644
--- a/.github/workflows/deploy.yml
+++ b/.github/workflows/deploy.yml
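Review bot: Both new `security import` calls pass `-A`, which lets any application on the runner use the imported private keys without a prompt, whereas the removed lines restricted access to `/usr/bin/codesign` via `-T`. If `-A` was introduced to stop `codesign` from hanging on an access prompt, the narrower fix is to keep an explicit allow-list — `-T /usr/bin/codesign -T /usr/bin/productsign` (the installer identity is used by `productsign`, which the old `-T` list did not cover) — and run `security set-key-partition-list -S apple-tool:,apple: -s -k "$KEYCHAIN_PWD" "$KEYCHAIN_PATH"` once after the imports. The comment above `read -ra EXISTING_KEYCHAINS` should also state that word-splitting is deliberate and that a keychain path containing a space would be split into two arguments, since that is the trade-off being accepted. The script continues past both ends of this hunk.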
@@ -255,6 +255,20 @@ jobs:
 env:
 # Keep compat with MacOS 10.15 aka Catalina by Qt 6.4
 QT_VERSION: 6.4.3
+
+ MAC_TEAM_ID: ${{ secrets.MAC_TEAM_ID }}
+
+ MAC_APP_CERT_CERT: ${{ secrets.MAC_APP_CERT_CERT }}
+ MAC_SIGNER_ID: ${{ secrets.MAC_SIGNER_ID }}
+ MAC_APP_CERT_PW: ${{ secrets.MAC_APP_CERT_PW }}
+
+ MAC_INSTALLER_SIGNER_CERT: ${{ secrets.MAC_INSTALLER_SIGNER_CERT }}
+ MAC_INSTALLER_SIGNER_ID: ${{ secrets.MAC_INSTALLER_SIGNER_ID }}
+ MAC_INSTALL_CERT_PW: ${{ secrets.MAC_INSTALL_CERT_PW }}
+
+ APPLE_DEV_EMAIL: ${{ secrets.APPLE_DEV_EMAIL }}
+ APPLE_DEV_PASSWORD: ${{ secrets.APPLE_DEV_PASSWORD }}
+
 PROD_AGW_PUBLIC_KEY: ${{ secrets.PROD_AGW_PUBLIC_KEY }}
 PROD_S3_ENDPOINT: ${{ secrets.PROD_S3_ENDPOINT }}
 DEV_AGW_PUBLIC_KEY: ${{ secrets.DEV_AGW_PUBLIC_KEY }}
diff --git a/deploy/build_macos.sh b/deploy/build_macos.sh
index 6bf41d96..7a69b3f8 100644
--- a/deploy/build_macos.sh
+++ b/deploy/build_macos.sh
@@ -99,11 +99,13 @@ security unlock-keychain -p "$KEYCHAIN_PWD" "$KEYCHAIN_PATH"
 # the artefacts without releasing them).
 if [ -n "${MAC_APP_CERT_PW-}" ]; then
+ echo "$MAC_APP_CERT_CERT" | base64 -d > "$DEPLOY_DIR/DeveloperIdApplicationCertificate.p12"
 security import "$DEPLOY_DIR/DeveloperIdApplicationCertificate.p12" \
 -k "$KEYCHAIN_PATH" -P "$MAC_APP_CERT_PW" -A
 fi
 if [ -n "${MAC_INSTALL_CERT_PW-}" ]; then
+ echo "$MAC_INSTALLER_SIGNER_CERT" | base64 -d > "$DEPLOY_DIR/DeveloperIdInstallerCertificate.p12"
 security import "$DEPLOY_DIR/DeveloperIdInstallerCertificate.p12" \
 -k "$KEYCHAIN_PATH" -P "$MAC_INSTALL_CERT_PW" -A
 fi

From 086780e3976bb50a428da6048877a822fcff2179 Mon Sep 17 00:00:00 2001
From: "vladimir.kuznetsov"
Date: Tue, 8 Jul 2025 12:51:08 +0800
Subject: [PATCH 3/4] chore: added notarization flag to macos build

---
 .github/workflows/deploy.yml | 4 ++--
 .gitignore | 1 +
 2 files changed, 3 insertions(+), 2 deletions(-)

diff --git a/.github/workflows/deploy.yml b/.github/workflows/deploy.yml
index a875b8a3..d08b1409 100644
--- a/.github/workflows/deploy.yml
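Review bot: The decoded `.p12` files written to `$DEPLOY_DIR` by the two added `base64 -d` lines are never removed: the EXIT trap shown in the first patch deletes only `$KEYCHAIN_PATH`, so the password-protected private keys remain on disk for the rest of the job and for anything that later archives the deploy directory. Extend the trap with `rm -f "$DEPLOY_DIR/DeveloperIdApplicationCertificate.p12" "$DEPLOY_DIR/DeveloperIdInstallerCertificate.p12"` and create the files under `umask 077` so they are not readable by other users in the meantime. `base64 -d` is also not accepted by the `base64` shipped with some older macOS releases, while `base64 --decode` works on both the BSD and GNU implementations. The same two lines reappear, wrapped in an existence check, in the `@@ -99,13 +99,19 @@` hunk of the fourth patch; the enclosing `if` blocks are fully visible but the script continues outside the hunk.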
+++ b/.github/workflows/deploy.yml
@@ -309,7 +309,7 @@ jobs:
 - name: 'Build project'
 run: |
 export QT_BIN_DIR="${{ runner.temp }}/Qt/${{ env.QT_VERSION }}/macos/bin"
- bash deploy/build_macos.sh
+ bash deploy/build_macos.sh -n
 - name: 'Upload installer artifact'
 uses: actions/upload-artifact@v4
@@ -386,7 +386,7 @@ jobs:
 - name: 'Build project'
 run: |
 export QT_BIN_DIR="${{ runner.temp }}/Qt/${{ env.QT_VERSION }}/macos/bin"
- bash deploy/build_macos.sh
+ bash deploy/build_macos.sh -n
 - name: 'Upload installer artifact'
 uses: actions/upload-artifact@v4
diff --git a/.gitignore b/.gitignore
index 503adc2d..d905f1e3 100644
--- a/.gitignore
+++ b/.gitignore
@@ -138,3 +138,4 @@ CMakeFiles/
 ios-ne-build.sh
 macos-ne-build.sh
 macos-signed-build.sh
+macos-with-sign-build.sh

From 564dbbe3efc0a862545e501ff60749952d2ebfee Mon Sep 17 00:00:00 2001
From: Yaroslav Yashin
Date: Tue, 8 Jul 2025 18:49:59 +0300
Subject: [PATCH 4/4] refactor: update certificate import logic in build_macos.sh script

---
 deploy/build_macos.sh | 10 ++++++++--
 1 file changed, 8 insertions(+), 2 deletions(-)

diff --git a/deploy/build_macos.sh b/deploy/build_macos.sh
index 7a69b3f8..6e67ee79 100644
--- a/deploy/build_macos.sh
+++ b/deploy/build_macos.sh
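Review bot: The `-n` argument added to `bash deploy/build_macos.sh` in both 'Build project' steps (this hunk and `@@ -386,7 +386,7 @@`) has no matching option-parsing change in any `build_macos.sh` hunk of this series, so its handling presumably already exists in the unchanged part of the script; that is worth confirming, because an unrecognised option would make both jobs fail or, depending on how the script parses its arguments, be ignored without notice. The flag's meaning is only stated in the commit subject, so a short comment in the step, `# -n: notarize the signed bundle with the APPLE_DEV_* credentials`, would keep the workflow self-explanatory. Since the run block is a shell snippet, consider also `set -e` at its top so a non-zero exit from the script fails the step rather than letting the artifact upload proceed.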
@@ -99,13 +99,19 @@ security unlock-keychain -p "$KEYCHAIN_PWD" "$KEYCHAIN_PATH"
 # the artefacts without releasing them).
 if [ -n "${MAC_APP_CERT_PW-}" ]; then
- echo "$MAC_APP_CERT_CERT" | base64 -d > "$DEPLOY_DIR/DeveloperIdApplicationCertificate.p12"
+ # If the certificate is provided via environment variable, decode it.
+ if [ -n "${MAC_APP_CERT_CERT-}" ]; then
+ echo "$MAC_APP_CERT_CERT" | base64 -d > "$DEPLOY_DIR/DeveloperIdApplicationCertificate.p12"
+ fi
 security import "$DEPLOY_DIR/DeveloperIdApplicationCertificate.p12" \
 -k "$KEYCHAIN_PATH" -P "$MAC_APP_CERT_PW" -A
 fi
 if [ -n "${MAC_INSTALL_CERT_PW-}" ]; then
- echo "$MAC_INSTALLER_SIGNER_CERT" | base64 -d > "$DEPLOY_DIR/DeveloperIdInstallerCertificate.p12"
+ # Same logic for the installer certificate.
+ if [ -n "${MAC_INSTALLER_SIGNER_CERT-}" ]; then
+ echo "$MAC_INSTALLER_SIGNER_CERT" | base64 -d > "$DEPLOY_DIR/DeveloperIdInstallerCertificate.p12"
+ fi
 security import "$DEPLOY_DIR/DeveloperIdInstallerCertificate.p12" \
 -k "$KEYCHAIN_PATH" -P "$MAC_INSTALL_CERT_PW" -A
 fi
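Review bot: When `MAC_APP_CERT_CERT` is unset the new inner `if` silently skips the decode and `security import` then runs against whatever is already at `$DEPLOY_DIR/DeveloperIdApplicationCertificate.p12` — presumably nothing on a fresh runner, or a leftover from an earlier decode — so a missing secret surfaces as an opaque import error instead of a clear message. An `else` branch such as `else [ -f "$DEPLOY_DIR/DeveloperIdApplicationCertificate.p12" ] || { echo "no application certificate available" >&2; exit 1; }` states the intended fallback explicitly, and the installer block below needs the same. Nothing in the hunk checks the exit status of `base64 -d` either, so a malformed secret leaves a truncated file behind unless the script runs with `set -e`, which is not visible here. The two blocks are now identical apart from the variable and file names, so a small function taking the base64 variable, target path and password would remove the duplication; the script continues outside the hunk.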