feat(ci): macos app sign & notary (#26)

MiaoMint · web-flow · commit fe84f435ab62 · 2026-01-11T21:29:08.000+08:00
* feat(ci): macos app sign &amp; notary

* fix(ci): remove macOS application archiving step and update artifact uploads

* fix: update CFBundleIdentifier in Info.plist and enhance product info in wails.json
diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml
@@ -45,17 +45,103 @@ jobs:
       - name: Build Wails app
         run: |
           wails build
+      
+      # macOS signing and notarization
+      - name: Import Code Signing Certificate
+        if: matrix.platform == 'macos-26'
+        env:
+          CERTIFICATE_P12: ${{ secrets.APPLE_DEVELOPER_CERTIFICATE_P12_BASE64 }}
+          CERTIFICATE_PASSWORD: ${{ secrets.APPLE_DEVELOPER_CERTIFICATE_PASSWORD }}
+          KEYCHAIN_PASSWORD: ${{ secrets.KEYCHAIN_PASSWORD }}
+        run: |
+          # Create variables
+          CERTIFICATE_PATH=$RUNNER_TEMP/build_certificate.p12
+          KEYCHAIN_PATH=$RUNNER_TEMP/app-signing.keychain-db
+          
+          # Import certificate from secrets
+          echo -n "$CERTIFICATE_P12" | base64 --decode -o $CERTIFICATE_PATH
+          
+          # Create temporary keychain
+          security create-keychain -p "$KEYCHAIN_PASSWORD" $KEYCHAIN_PATH
+          security set-keychain-settings -lut 21600 $KEYCHAIN_PATH
+          security unlock-keychain -p "$KEYCHAIN_PASSWORD" $KEYCHAIN_PATH
+          
+          # Import certificate to keychain
+          security import $CERTIFICATE_PATH -P "$CERTIFICATE_PASSWORD" -A -t cert -f pkcs12 -k $KEYCHAIN_PATH
+          security list-keychain -d user -s $KEYCHAIN_PATH
+          
+          # Allow codesign to access the keychain
+          security set-key-partition-list -S apple-tool:,apple:,codesign: -s -k "$KEYCHAIN_PASSWORD" $KEYCHAIN_PATH
+      
+      - name: Code Sign Application
+        if: matrix.platform == 'macos-26'
+        env:
+          APPLE_TEAM_ID: ${{ secrets.APPLE_TEAM_ID }}
+        run: |
+          # Sign the application
+          codesign --deep --force --verify --verbose --sign "Developer ID Application: Mint Miao ($APPLE_TEAM_ID)" \
+            --options runtime \
+            --entitlements build/darwin/entitlements.plist \
+            build/bin/VisionFlow.app
+          
+          # Verify signature
+          codesign --verify --deep --strict --verbose=2 build/bin/VisionFlow.app
+      
+      - name: Create DMG
+        if: matrix.platform == 'macos-26'
+        run: |
+          # Install create-dmg
+          brew install create-dmg
+          
+          # Create DMG
+          create-dmg \
+            --volname "VisionFlow" \
+            --volicon "build/appicon.png" \
+            --window-pos 200 120 \
+            --window-size 800 400 \
+            --icon-size 100 \
+            --icon "VisionFlow.app" 200 190 \
+            --hide-extension "VisionFlow.app" \
+            --app-drop-link 600 185 \
+            "VisionFlow.dmg" \
+            "build/bin/VisionFlow.app"
+      
+      - name: Code Sign DMG
+        if: matrix.platform == 'macos-26'
+        env:
+          APPLE_TEAM_ID: ${{ secrets.APPLE_TEAM_ID }}
+        run: |
+          codesign --force --sign "Developer ID Application: Mint Miao ($APPLE_TEAM_ID)" VisionFlow.dmg
+          codesign --verify --verbose=2 VisionFlow.dmg
+      
+      - name: Notarize Application
+        if: matrix.platform == 'macos-26'
+        env:
+          APPLE_ID: ${{ secrets.APPLE_ID }}
+          APPLE_ID_PASSWORD: ${{ secrets.APPLE_ID_PASSWORD }}
+          APPLE_TEAM_ID: ${{ secrets.APPLE_TEAM_ID }}
+        run: |
+          # Submit for notarization
+          xcrun notarytool submit VisionFlow.dmg \
+            --apple-id "$APPLE_ID" \
+            --password "$APPLE_ID_PASSWORD" \
+            --team-id "$APPLE_TEAM_ID" \
+            --wait
+          
+          # Staple the notarization ticket
+          xcrun stapler staple VisionFlow.dmg
+          
+          # Verify notarization
+          xcrun stapler validate VisionFlow.dmg
+      
       - name: upload artifacts macOS
         if: matrix.platform == 'macos-26'
         uses: actions/upload-artifact@v4
         with:
           name: VisionFlow-macos
-          path: build/bin/*
-      - name: archive application
-        if: matrix.platform == 'macos-26'
-        run: |
-          cd build/bin
-          zip -r ../../VisionFlow-macos.zip VisionFlow.app
+          path: |
+            build/bin/*
+            VisionFlow.dmg
       - name: upload artifacts windows
         if: matrix.platform == 'windows-latest'
         uses: actions/upload-artifact@v4
@@ -66,7 +152,7 @@ jobs:
         if: matrix.platform == 'macos-26'
         uses: ncipollo/release-action@v1
         with:
-          artifacts: VisionFlow-macos.zip
+          artifacts: VisionFlow.dmg
           allowUpdates: true
           omitBody: true
       - name: Upload release Windows
diff --git a/build/darwin/Info.plist b/build/darwin/Info.plist
@@ -8,7 +8,7 @@
         <key>CFBundleExecutable</key>
         <string>{{.OutputFilename}}</string>
         <key>CFBundleIdentifier</key>
-        <string>com.wails.{{.Name}}</string>
+        <string>art.vision-flow.app</string>
         <key>CFBundleVersion</key>
         <string>{{.Info.ProductVersion}}</string>
         <key>CFBundleGetInfoString</key>
diff --git a/build/darwin/entitlements.plist b/build/darwin/entitlements.plist
@@ -0,0 +1,16 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
+<plist version="1.0">
+<dict>
+  <key>com.apple.security.app-sandbox</key>
+  <true/>
+  <key>com.apple.security.network.client</key>
+  <true/>
+  <key>com.apple.security.network.server</key>
+  <true/>
+  <key>com.apple.security.files.user-selected.read-write</key>
+  <true/>
+  <key>com.apple.security.files.downloads.read-write</key>
+  <true/>
+</dict>
+</plist>
diff --git a/main.go b/main.go
@@ -92,7 +92,8 @@ func main() {
 			aiService,
 			appService,
 		},
-		OnStartup: aiService.SetContext,
+		HideWindowOnClose: true,
+		OnStartup:         aiService.SetContext,
 		Mac: &mac.Options{
 			TitleBar: mac.TitleBarHiddenInset(),
 		},
diff --git a/wails.json b/wails.json
@@ -11,6 +11,10 @@
     "email": "44718819+MiaoMint@users.noreply.github.com"
   },
   "info": {
-    "productVersion": "0.0.1"
+    "companyName": "MiaoMint",
+    "productName": "VisionFlow",
+    "productVersion": "0.0.1",
+    "copyright": "Copyright © 2026 MiaoMint. All rights reserved.",
+    "comments": "VisionFlow - Visual AI Workflow Builder"
   }
 }

Original file line number	Diff line number	Diff line change
`@@ -11,6 +11,10 @@`
`11`	`11`	`"email": "[email protected]"`
`12`	`12`	`},`
`13`	`13`	`"info": {`
`14`		`- "productVersion": "0.0.1"`
	`14`	`+ "companyName": "MiaoMint",`
	`15`	`+ "productName": "VisionFlow",`
	`16`	`+ "productVersion": "0.0.1",`
	`17`	`+ "copyright": "Copyright © 2026 MiaoMint. All rights reserved.",`
	`18`	`+ "comments": "VisionFlow - Visual AI Workflow Builder"`
`15`	`19`	`}`
`16`	`20`	`}`