@@ -623,11 +623,21 @@ build_mac_intel() {
623623 # Add target if not exists
624624 rustup target add " $target " 2> /dev/null || true
625625
626- pnpm tauri build --target " $target "
626+ # IMPORTANT: When signing is enabled, we must disable Tauri's built-in notarization
627+ # because Resources/cli-bundle binaries need to be signed AFTER Tauri copies them.
628+ if [ " $SKIP_SIGNING " != " true" ] && [ " $BUNDLE_CLI " = " true" ]; then
629+ log_info " Disabling Tauri notarization (will notarize manually after signing cli-bundle)..."
630+ TAURI_SKIP_NOTARIZATION=true pnpm tauri build --target " $target "
631+ else
632+ pnpm tauri build --target " $target "
633+ fi
627634
628635 # Sign cli-bundle in app bundle Resources (after Tauri build)
629636 sign_cli_bundle_in_app " $target "
630637
638+ # Notarize the app (after all binaries are signed)
639+ notarize_app " $target "
640+
631641 # Recreate DMG with bundle included
632642 recreate_dmg " $target "
633643
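Review bot: The exit status of `notarize_app "$target"` is not checked before `recreate_dmg "$target"` runs, so unless the script runs under `set -e` (not visible in this hunk) a rejected notarization still goes on to produce a DMG. Writing the call as `notarize_app "$target" || return 1` would make the release path fail closed. The same call added in build_mac_arm and build_current needs the same guard. The build-then-sign-then-notarize sequence is now repeated in three functions, so a small shared helper would keep the ordering from drifting between them. build_mac_intel starts and ends outside this hunk.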
@@ -718,6 +728,90 @@ sign_cli_bundle_in_app() {
718728 fi
719729}
720730
731+ # Notarize the app bundle (after all signing is complete)
732+ notarize_app () {
733+ local target=" $1 "
734+
735+ if [ " $SKIP_SIGNING " = " true" ]; then
736+ return 0
737+ fi
738+
739+ if [ " $BUNDLE_CLI " != " true" ]; then
740+ # If no cli-bundle, Tauri already handled notarization
741+ return 0
742+ fi
743+
744+ log_info " Notarizing app bundle..."
745+
746+ local app_path=" "
747+ case " $target " in
748+ aarch64-apple-darwin)
749+ app_path=" $PROJECT_ROOT /src-tauri/target/$target /release/bundle/macos/WorkAny.app"
750+ ;;
751+ x86_64-apple-darwin)
752+ app_path=" $PROJECT_ROOT /src-tauri/target/$target /release/bundle/macos/WorkAny.app"
753+ ;;
754+ current)
755+ local arch=$( uname -m)
756+ if [ " $arch " = " arm64" ]; then
757+ app_path=" $PROJECT_ROOT /src-tauri/target/aarch64-apple-darwin/release/bundle/macos/WorkAny.app"
758+ else
759+ app_path=" $PROJECT_ROOT /src-tauri/target/x86_64-apple-darwin/release/bundle/macos/WorkAny.app"
760+ fi
761+ ;;
762+ * )
763+ return 0
764+ ;;
765+ esac
766+
767+ if [ ! -d " $app_path " ]; then
768+ log_warn " App bundle not found at $app_path "
769+ return 0
770+ fi
771+
772+ # Create a zip for notarization
773+ local temp_zip=$( mktemp) .zip
774+ log_info " Creating zip for notarization..."
775+ ditto -c -k --keepParent " $app_path " " $temp_zip "
776+
777+ # Submit for notarization
778+ local notarize_output
779+ if [ -n " $APPLE_ID " ] && [ -n " $APPLE_PASSWORD " ] && [ -n " $APPLE_TEAM_ID " ]; then
780+ log_info " Submitting to Apple notary service (this may take a few minutes)..."
781+ notarize_output=$( xcrun notarytool submit " $temp_zip " \
782+ --apple-id " $APPLE_ID " \
783+ --password " $APPLE_PASSWORD " \
784+ --team-id " $APPLE_TEAM_ID " \
785+ --wait 2>&1 ) || true
786+ else
787+ # Try keychain profile as fallback
788+ log_info " Submitting to Apple notary service using keychain profile..."
789+ notarize_output=$( xcrun notarytool submit " $temp_zip " \
790+ --keychain-profile " notarytool-profile" \
791+ --wait 2>&1 ) || {
792+ log_warn " Notarization failed. Set APPLE_ID, APPLE_PASSWORD, APPLE_TEAM_ID or configure keychain profile."
793+ rm -f " $temp_zip "
794+ return 0
795+ }
796+ fi
797+
798+ rm -f " $temp_zip "
799+
800+ if echo " $notarize_output " | grep -q " status: Accepted" ; then
801+ log_info " App notarization successful!"
802+
803+ # Staple the notarization ticket to the app
804+ log_info " Stapling notarization ticket to app..."
805+ xcrun stapler staple " $app_path " || {
806+ log_warn " Failed to staple app, but notarization was successful"
807+ }
808+ else
809+ log_error " App notarization failed:"
810+ echo " $notarize_output "
811+ return 1
812+ fi
813+ }
814+
721815# Recreate DMG after modifying app bundle
722816recreate_dmg () {
723817 local target=" $1 "
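Review bot: In notarize_app the Apple ID branch passes the secret as `--password "$APPLE_PASSWORD"`, so it sits in the process argument list for as long as `--wait` blocks and can surface in process listings or traced CI logs. The keychain-profile branch already avoids this; trying it first, or using an App Store Connect API key file (`--key`, `--key-id`, `--issuer`), keeps the secret off the command line. Separately, `local temp_zip=$(mktemp).zip` leaves the file that mktemp created behind and writes to a sibling name that was never reserved; `tmp_dir=$(mktemp -d) || return 1` with `temp_zip="$tmp_dir/WorkAny.zip"` and `rm -rf -- "$tmp_dir"` on every exit path would fix both. The missing-bundle path and the keychain failure path both `return 0`, so a signed build can finish without a notarization ticket and only a warning in the log; returning non-zero there would let callers decide.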
@@ -841,11 +935,22 @@ build_mac_arm() {
841935 # Add target if not exists
842936 rustup target add " $target " 2> /dev/null || true
843937
844- pnpm tauri build --target " $target "
938+ # IMPORTANT: When signing is enabled, we must disable Tauri's built-in notarization
939+ # because Resources/cli-bundle binaries need to be signed AFTER Tauri copies them.
940+ # Flow: Tauri build -> sign cli-bundle in Resources -> re-sign app -> manual notarize
941+ if [ " $SKIP_SIGNING " != " true" ] && [ " $BUNDLE_CLI " = " true" ]; then
942+ log_info " Disabling Tauri notarization (will notarize manually after signing cli-bundle)..."
943+ TAURI_SKIP_NOTARIZATION=true pnpm tauri build --target " $target "
944+ else
945+ pnpm tauri build --target " $target "
946+ fi
845947
846948 # Sign cli-bundle in app bundle Resources (after Tauri build)
847949 sign_cli_bundle_in_app " $target "
848950
951+ # Notarize the app (after all binaries are signed)
952+ notarize_app " $target "
953+
849954 # Recreate DMG with bundle included
850955 recreate_dmg " $target "
851956
@@ -864,11 +969,23 @@ build_current() {
864969 bundle_cli_tools " current"
865970 update_tauri_config
866971
867- pnpm tauri build
972+ # IMPORTANT: When signing is enabled, we must disable Tauri's built-in notarization
973+ if [ " $SKIP_SIGNING " != " true" ] && [ " $BUNDLE_CLI " = " true" ]; then
974+ log_info " Disabling Tauri notarization (will notarize manually after signing cli-bundle)..."
975+ TAURI_SKIP_NOTARIZATION=true pnpm tauri build
976+ else
977+ pnpm tauri build
978+ fi
868979
869980 # Sign cli-bundle in app bundle Resources
870981 sign_cli_bundle_in_app " current"
871982
983+ # Notarize the app (after all binaries are signed)
984+ notarize_app " current"
985+
986+ # Recreate DMG with bundle included
987+ recreate_dmg " current"
988+
872989 log_info " Build completed!"
873990 log_info " Output: src-tauri/target/release/bundle/"
874991}