add macos sign step

Author: lucarin91

.github/workflows/release.yml

@@ -81,6 +81,83 @@ jobs:
         name: ${{ env.ARTIFACT_NAME }}_${{ matrix.config.os }}_${{ matrix.config.arch }}
         path: ${{ env.PROJECT_NAME }}_${{ github.ref_name }}_${{ matrix.config.os }}_${{ matrix.config.arch }}.tar.gz
 
+  notarize-macos:
+    name: notarize (macOS, 64bit)
+    runs-on: macos-latest 
+    needs: build
+    permissions:
+      contents: read
+
+    steps:
+      - name: Checkout repository 
+        uses: actions/checkout@v4
+
+      - name: Set up temporary directory for notarization
+        run: mkdir -p ${{ env.DIST_DIR }}/notarize_temp
+
+      - name: Download macOS artifact
+        uses: actions/download-artifact@v4
+        with:
+          name: ${{ env.ARTIFACT_NAME }}_macOS_64bit 
+          path: ${{ env.DIST_DIR }}/notarize_temp
+
+      - name: Extract macOS binary
+        working-directory: ${{ env.DIST_DIR }}/notarize_temp
+        run: tar -xzvf ${{ env.PROJECT_NAME }}_${{ github.ref_name }}_macOS_64bit.tar.gz
+
+      - name: Import Code-Signing Certificates
+        env:
+          KEYCHAIN: "build.keychain" 
+          INSTALLER_CERT_MAC_PATH: "/tmp/signing_cert.p12"
+          KEYCHAIN_PASSWORD: "keychainpassword" # Arbitrary, as it's temporary
+        run: |
+          echo "${{ secrets.INSTALLER_CERT_MAC_P12 }}" | base64 --decode > "${{ env.INSTALLER_CERT_MAC_PATH }}"
+          security create-keychain -p "${{ env.KEYCHAIN_PASSWORD }}" "${{ env.KEYCHAIN }}"
+          security default-keychain -s "${{ env.KEYCHAIN }}"
+          security unlock-keychain -p "${{ env.KEYCHAIN_PASSWORD }}" "${{ env.KEYCHAIN }}"
+          security import \
+            "${{ env.INSTALLER_CERT_MAC_PATH }}" \
+            -k "${{ env.KEYCHAIN }}" \
+            -f pkcs12 \
+            -A \
+            -T "/usr/bin/codesign" \
+            -P "${{ secrets.INSTALLER_CERT_MAC_PASSWORD }}"
+          security set-key-partition-list \
+            -S apple-tool:,apple: \
+            -s \
+            -k "${{ env.KEYCHAIN_PASSWORD }}" \
+            "${{ env.KEYCHAIN }}"
+
+      - name: Install gon for code signing and app notarization
+        run: |
+          wget -q https://github.com/Bearer/gon/releases/download/v0.0.27/gon_macos.zip 
+          unzip -q gon_macos.zip -d /usr/local/bin
+
+      - name: Sign and notarize binary
+        env:
+          AC_USERNAME: ${{ secrets.AC_USERNAME }}
+          AC_PASSWORD: ${{ secrets.AC_PASSWORD }}
+          AC_PROVIDER: ${{ secrets.AC_PROVIDER }} # May not be needed
+        working-directory: ${{ env.DIST_DIR }}/notarize_temp 
+        run: |
+          cp ../../gon.config.hcl .
+          gon gon.config.hcl
+
+      - name: Re-package notarized binary
+        working-directory: ${{ env.DIST_DIR }}/notarize_temp
+        run: |
+          chmod +x qdl
+          tar -czvf ${{ env.PROJECT_NAME }}_${{ github.ref_name }}_macOS_64bit.tar.gz qdl
+          mv ${{ env.PROJECT_NAME }}_${{ github.ref_name }}_macOS_64bit.tar.gz ../
+
+      - name: Upload notarized macOS artifact
+        uses: actions/upload-artifact@v4
+        with:
+          if-no-files-found: error
+          name: ${{ env.ARTIFACT_NAME }}_macOS_64bit 
+          path: ${{ env.DIST_DIR }}/${{ env.PROJECT_NAME }}_${{ github.ref_name }}_macOS_64bit.tar.gz
+          overwrite: true # Important: replace the original macOS artifact
+
   create-release:
     needs: build
     runs-on: ubuntu-latest

gon.config.hcl

@@ -0,0 +1,14 @@
+# Source: https://github.com/arduino/tooling-project-assets/blob/main/workflow-templates/assets/general/gon.config.hcl
+# See: https://github.com/Bearer/gon#configuration-file
+source = ["dist/qdl_macOS_64bit/bin/qdl"]
+bundle_id = "cc.arduino.qdl"
+
+sign {
+  application_identity = "Developer ID Application: ARDUINO SA (7KT7ZWMCJT)"
+}
+
+# Ask Gon for zip output to force notarization process to take place.
+# The CI will ignore the zip output, using the signed binary only.
+zip {
+  output_path = "unused.zip"
+}