From 8bb083bdaace600e7a86b147e79d0d4e31f3547c Mon Sep 17 00:00:00 2001
From: Rithvik Vibhu
Date: Tue, 14 Feb 2023 22:59:29 +0530
Subject: [PATCH 1/3] ci: add cirrus for macos m1 builds
---
.cirrus.yml | 60 ++++++++++++++++++++++++++++++++++++
package.json | 3 +-
resources/entitlements.plist | 10 ++++++
scripts/macos-ci-sign.sh | 58 ++++++++++++++++++++++++++++++++++
4 files changed, 130 insertions(+), 1 deletion(-)
create mode 100644 .cirrus.yml
create mode 100644 resources/entitlements.plist
create mode 100644 scripts/macos-ci-sign.sh
diff --git a/.cirrus.yml b/.cirrus.yml
new file mode 100644
index 000000000..dfdaeeba4
--- /dev/null
+++ b/.cirrus.yml
@@ -0,0 +1,60 @@
+macos_instance:
+ image: ghcr.io/cirruslabs/macos-ventura-xcode:latest
+
+build_task:
+ # Load public key to env
+ environment:
+ SIGNING_PUBLIC_KEY: ENCRYPTED[9ecd1dce11858b0bdbaf664e08c89de152aa57a32cf46bd56a28c3ed38127464ca4f17f1fbca1e00894f442949ba6205]
+ APPSTORECONNECT_KEY: ENCRYPTED[7ff7b3572ccb3bbe0e4ca4c1b3219731b5a6eaa9296ad3446ef67557e843725d3f64955983620c135542e6d7cd1620a5]
+
+ # Save public key from env to file
+ signing_public_key_file:
+ path: /tmp/signing_public_key.pem
+ variable_name: SIGNING_PUBLIC_KEY
+
+ # Save appstoreconnect key from env to file
+ appstoreconnect_key_file:
+ path: /tmp/appstoreconnect_key.json
+ variable_name: APPSTORECONNECT_KEY
+
+ # Install nodejs
+ nodejs_script:
+ # - brew update
+ - brew install node
+
+ # # Cache
+ # node_modules_cache:
+ # folder: node_modules
+ # reupload_on_changes: false # since there is a fingerprint script
+ # fingerprint_script:
+ # - echo $CIRRUS_OS
+ # - node --version
+ # - cat package.json package-lock.json
+
+ # Install deps
+ install_deps_script:
+ - npm install dmg-license --no-save
+ - npm rebuild
+
+ # Build and Test
+ test_script:
+ - npm run test
+
+ # Package app
+ package_script:
+ - npm run package-mac
+ - unzip release/Bob-2.0.0-arm64-mac.zip -d release/
+
+ # # Install rcodesign
+ # install_rcodesign_script:
+ # - curl -sL https://github.com/indygreg/apple-platform-rs/releases/download/apple-codesign%2F0.22.0/apple-codesign-0.22.0-aarch64-apple-darwin.tar.gz | tar xzvf -
+
+ # # Sign and notarize zip
+ # sign_and_notarize_script:
+ # - chmod +x scripts/macos-ci-sign.sh
+ # - ./scripts/macos-ci-sign.sh `pwd`/apple-codesign-0.22.0-aarch64-apple-darwin/rcodesign
+ # - zip -r release/Bob-macos-arm64-signed.zip --symlinks release/Bob.app
+
+ # Upload artifacts
+ binaries_artifacts:
+ path: "release/*"
diff --git a/package.json b/package.json
index 844f3c28c..318266c80 100644
--- a/package.json
+++ b/package.json
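Review bot: The package step hard-codes the artifact name in `unzip release/Bob-2.0.0-arm64-mac.zip -d release/`, so the task will fail on the first version bump even though nothing else in the file depends on the version; a glob such as `unzip release/Bob-*-arm64-mac.zip -d release/` keeps the step working across releases. Both the image `ghcr.io/cirruslabs/macos-ventura-xcode:latest` and `brew install node` are unpinned, which makes release builds non-reproducible and lets an upstream toolchain change alter the packaged output silently; pinning the image tag and at least the node major version is cheap insurance for a signing pipeline. The APPSTORECONNECT_KEY value is a private App Store Connect credential written to `/tmp/appstoreconnect_key.json` — acceptable on an ephemeral VM, but a short comment above `environment:` stating that both variables must remain ENCRYPTED (and, if I recall Cirrus semantics correctly, are not decrypted for fork pull requests) would help the next maintainer reason about exposure.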
@@ -48,7 +48,8 @@
 ],
 "mac": {
 "target": [
- "dmg"
+ "dmg",
+ "zip"
 ],
 "icon": "resources/icon.icns"
 },
diff --git a/resources/entitlements.plist b/resources/entitlements.plist
new file mode 100644
index 000000000..19f583e42
--- /dev/null
+++ b/resources/entitlements.plist
@@ -0,0 +1,10 @@
+
+
+
+
+ com.apple.security.cs.allow-jit
+ com.apple.security.cs.allow-unsigned-executable-memory
+ com.apple.security.cs.disable-library-validation
+ com.apple.security.cs.disable-executable-page-protection
+
+
\ No newline at end of file
diff --git a/scripts/macos-ci-sign.sh b/scripts/macos-ci-sign.sh
new file mode 100644
index 000000000..b83ca1392
--- /dev/null
+++ b/scripts/macos-ci-sign.sh
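Review bot: `com.apple.security.cs.disable-executable-page-protection` is the broadest of the four entitlements in the new plist — Apple documents it as an extreme entitlement that removes executable-page protection for the whole process and advises against it — and nothing in this series shows the app needing it, since `allow-jit` and `allow-unsigned-executable-memory` already cover the JavaScript engine's JIT; I would drop that key and re-run the signed build. `disable-library-validation` only matters when bundled native code is signed by a different team than the main bundle, and because macos-ci-sign.sh signs every .node file and the framework dylibs with the same remote key, it may be removable too, though that needs a test run to confirm. This rendering appears to have stripped the plist's key/true markup, so I am reading the four names as dictionary keys set to true. The file also lacks a trailing newline (`\ No newline at end of file`).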
@@ -0,0 +1,58 @@
+set -e
+
+if command -v rcodesign &> /dev/null; then
+ # If rcodesign is in PATH, call it directly
+ program="rcodesign"
+else
+ # If not, check if a path was provided as first argument
+ if [[ -n "$1" && "$1" == *rcodesign ]]; then
+ # If a path was provided, call rcodesign with that path
+ program="$1"
+ else
+ # If no path was provided, print an error message
+ echo "Error: rcodesign not found in PATH and no path provided as argument" >&2
+ echo "Usage: ./macos-ci-sign.sh []" >&2
+ exit 1
+ fi
+fi
+
+entitlements="`pwd`/resources/entitlements.plist"
+release_dir="`pwd`/release/Bob.app"
+
+echo "using rcodesign: $program"
+echo "using entitlements: $entitlements"
+echo "using release_dir: $release_dir"
+
+# Sign
+echo "[*] Signing..."
+
+additional_files=(
+ "Contents/Resources/app.asar.unpacked/node_modules/leveldown/build/Release/leveldown.node"
+ "Contents/Resources/app.asar.unpacked/node_modules/leveldown/build/node_gyp_bins/python3"
+ "Contents/Resources/app.asar.unpacked/node_modules/leveldown/prebuilds/darwin-x64/node.napi.node"
+ "Contents/Resources/app.asar.unpacked/node_modules/mrmr/build/Release/mrmr.node"
+ "Contents/Resources/app.asar.unpacked/node_modules/mrmr/build/node_gyp_bins/python3"
+ "Contents/Resources/app.asar.unpacked/node_modules/node-hid/build/Release/HID.node"
+ "Contents/Resources/app.asar.unpacked/node_modules/node-hid/build/node_gyp_bins/python3"
+ "Contents/Resources/app.asar.unpacked/node_modules/bdb/build/Release/leveldown.node"
+ "Contents/Resources/app.asar.unpacked/node_modules/bdb/build/node_gyp_bins/python3"
+ "Contents/Resources/app.asar.unpacked/node_modules/bcrypto/build/Release/bcrypto.node"
+ "Contents/Resources/app.asar.unpacked/node_modules/bcrypto/build/node_gyp_bins/python3"
+ "Contents/Frameworks/Squirrel.framework/Versions/A/Resources/ShipIt"
+ "Contents/Frameworks/Electron\ Framework.framework/Versions/A/Libraries/libffmpeg.dylib"
+)
+
+# Sign each file individally, rcodesign does not pick them up (bug)
+echo "[*] Signing ${#additional_files[@]} additional files first..."
+for s in "${additional_files[@]}"; do
+ $program sign --remote-signer --remote-public-key-pem-file /tmp/signing_public_key.pem --code-signature-flags runtime --entitlements-xml-path $entitlements $release_dir/$s
+done
+
+echo "[*] Signing final bundle..."
+$program sign --remote-signer --remote-public-key-pem-file /tmp/signing_public_key.pem --code-signature-flags runtime --entitlements-xml-path $entitlements $release_dir
+
+# Notarize
+echo "[*] Notarizing..."
+$program notary-submit --api-key-path /tmp/appstoreconnect_key.json --staple $release_dir
+
+echo "[*] Done."
From 1adfa225b18b2b855d847ab71b2267a12d488871 Mon Sep 17 00:00:00 2001
From: Rithvik Vibhu
Date: Tue, 14 Feb 2023 23:21:23 +0530
Subject: [PATCH 2/3] ci: add zip as artifact
---
.github/workflows/package.yml | 1 +
1 file changed, 1 insertion(+)
diff --git a/.github/workflows/package.yml b/.github/workflows/package.yml
index 32378c5be..737b341c1 100644
--- a/.github/workflows/package.yml
+++ b/.github/workflows/package.yml
@@ -63,3 +63,4 @@ jobs:
 release/*.AppImage
 release/*.msi
 release/*.dmg
+ release/*.zip
From 3f3bf88fa27b66726b130703e6c8127d3fe0f42b Mon Sep 17 00:00:00 2001
From: Rithvik Vibhu
Date: Fri, 17 Feb 2023 11:52:06 +0530
Subject: [PATCH 3/3] ci: uninstall gmp before macos build
---
.github/workflows/package.yml | 4 ++++
1 file changed, 4 insertions(+)
diff --git a/.github/workflows/package.yml b/.github/workflows/package.yml
index 737b341c1..4602a1073 100644
--- a/.github/workflows/package.yml
+++ b/.github/workflows/package.yml
@@ -52,6 +52,10 @@ jobs: if: startsWith(matrix.os, 'macos') run: npm i dmg-license --no-save + - name: Uninstall gmp (macos only) + if: startsWith(matrix.os, 'macos') + run: brew uninstall gmp --ignore-dependencies + - name: Generate Executable + run: ${{ matrix.cmd_package }}
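Review bot: The last `additional_files` entry keeps a literal backslash — inside double quotes `\ ` is not an escape — and the unquoted `$release_dir/$s` in the loop then word-splits on the space, so that sign call receives `…/Electron\` and `Framework.framework/…` as two separate arguments instead of the libffmpeg.dylib path and, under `set -e`, most likely aborts the whole script before the bundle is signed. Write the entry as `"Contents/Frameworks/Electron Framework.framework/Versions/A/Libraries/libffmpeg.dylib"` and quote the expansions in both sign calls, `--entitlements-xml-path "$entitlements" "$release_dir/$s"` in the loop and `"$release_dir"` for the final bundle and the notary-submit line. The script also has no shebang while relying on bash-only syntax (`[[ ]]`, `&>`, arrays), so the `./scripts/macos-ci-sign.sh` invocation planned in .cirrus.yml depends on the caller's shell; `#!/usr/bin/env bash` followed by `set -euo pipefail` makes it self-contained and stops a failed remote-signing step from being masked in a pipeline. The usage line `./macos-ci-sign.sh []` looks to have lost its placeholder text in this rendering — worth confirming the file still reads `[<path-to-rcodesign>]` there.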
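Review bot: The new `Uninstall gmp (macos only)` step gives no reason for removing gmp, and `brew uninstall gmp --ignore-dependencies` leaves any Homebrew formula on the runner that depends on it in a broken state, so the next person to hit an unrelated brew failure will have nothing to go on. A one-line comment above the step naming the build failure it works around (presumably a native module picking up the runner's gmp instead of its own — I cannot confirm that from the hunk) would be enough, e.g. `# Workaround: <reason the macOS package build fails with brew's gmp present>` with the placeholder filled in.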