build(macos): allow local codesign [skip ci]

build/build.sh

@@ -120,5 +120,11 @@ if [[ "${SKIP_ASSETS}" == "no" ]]; then
     rm -rf build/windows/msi/releasedir
   fi
 
+  if [[ "${OS_NAME}" == "osx" && -f "./macos-codesign.env" ]]; then
+    . macos-codesign.env
+
+    echo "CERTIFICATE_OSX_ID: ${CERTIFICATE_OSX_ID}"
+  fi
+
   . prepare_assets.sh
 fi

macos-codesign.env.template

@@ -0,0 +1,5 @@
+CERTIFICATE_OSX_APP_PASSWORD=
+CERTIFICATE_OSX_ID=
+CERTIFICATE_OSX_P12_DATA=
+CERTIFICATE_OSX_P12_PASSWORD=
+CERTIFICATE_OSX_TEAM_ID=

patches/fix-darwin-codesign.patch

@@ -0,0 +1,28 @@
+diff --git a/build/darwin/sign.js b/build/darwin/sign.js
+index f5913b7..100b950 100644
+--- a/build/darwin/sign.js
++++ b/build/darwin/sign.js
+@@ -53,5 +53,7 @@ async function main(buildDir) {
+         ignore: (filePath) => {
++						const ext = path.extname(filePath);
+             return filePath.includes(gpuHelperAppName) ||
+                 filePath.includes(rendererHelperAppName) ||
+-                filePath.includes(pluginHelperAppName);
++                filePath.includes(pluginHelperAppName) ||
++								ext == '.asar' || ext == '.dat' || ext == '.gif' || ext == '.icns' || ext == '.ico' || ext == '.json' || ext == '.mp3' || ext == '.nib' || ext == '.pak' || ext == '.png' || ext == '.scpt' || ext == '.ttf' || ext == '.wasm' || ext == '.woff' || ext == '.woff2';
+         }
+@@ -83,3 +85,3 @@ async function main(buildDir) {
+             '-string',
+-            'An application in Visual Studio Code wants to use AppleScript.',
++            'An application in VSCodium wants to use AppleScript.',
+             `${infoPlistPath}`
+@@ -90,3 +92,3 @@ async function main(buildDir) {
+             '-string',
+-            'An application in Visual Studio Code wants to use the Microphone.',
++            'An application in VSCodium wants to use the Microphone.',
+             `${infoPlistPath}`
+@@ -97,3 +99,3 @@ async function main(buildDir) {
+             '-string',
+-            'An application in Visual Studio Code wants to use the Camera.',
++            'An application in VSCodium wants to use the Camera.',
+             `${infoPlistPath}`

patches/fix-darwin-sign.patch

@@ -1,19 +0,0 @@
-diff --git a/build/darwin/sign.js b/build/darwin/sign.js
-index f5913b7..c861e3e 100644
---- a/build/darwin/sign.js
-+++ b/build/darwin/sign.js
-@@ -83,3 +83,3 @@ async function main(buildDir) {
-             '-string',
--            'An application in Visual Studio Code wants to use AppleScript.',
-+            'An application in VSCodium wants to use AppleScript.',
-             `${infoPlistPath}`
-@@ -90,3 +90,3 @@ async function main(buildDir) {
-             '-string',
--            'An application in Visual Studio Code wants to use the Microphone.',
-+            'An application in VSCodium wants to use the Microphone.',
-             `${infoPlistPath}`
-@@ -97,3 +97,3 @@ async function main(buildDir) {
-             '-string',
--            'An application in Visual Studio Code wants to use the Camera.',
-+            'An application in VSCodium wants to use the Camera.',
-             `${infoPlistPath}`

prepare_assets.sh

@@ -20,13 +20,19 @@ sum_file() {
 mkdir -p assets
 
 if [[ "${OS_NAME}" == "osx" ]]; then
-  if [[ "${CI_BUILD}" != "no" ]]; then
+  if [[ -n "${CERTIFICATE_OSX_P12_DATA}" ]]; then
+    if [[ "${CI_BUILD}" == "no" ]]; then
+      RUNNER_TEMP="${TMPDIR}"
+    fi
+
     CERTIFICATE_P12="${APP_NAME}.p12"
     KEYCHAIN="${RUNNER_TEMP}/buildagent.keychain"
     AGENT_TEMPDIRECTORY="${RUNNER_TEMP}"
     # shellcheck disable=SC2006
     KEYCHAINS=`security list-keychains | xargs`
 
+    rm -f "${KEYCHAIN}"
+
     echo "${CERTIFICATE_OSX_P12_DATA}" | base64 --decode > "${CERTIFICATE_P12}"
 
     echo "+ create temporary keychain"
@@ -48,6 +54,7 @@ if [[ "${OS_NAME}" == "osx" ]]; then
     export CODESIGN_IDENTITY AGENT_TEMPDIRECTORY
 
     DEBUG="electron-osx-sign*" node vscode/build/darwin/sign.js "$( pwd )"
+    # codesign --display --entitlements :- ""
 
     echo "+ notarize"
 
@@ -57,6 +64,7 @@ if [[ "${OS_NAME}" == "osx" ]]; then
     zip -r -X -y "${ZIP_FILE}" ./*.app
 
     xcrun notarytool store-credentials "${APP_NAME}" --apple-id "${CERTIFICATE_OSX_ID}" --team-id "${CERTIFICATE_OSX_TEAM_ID}" --password "${CERTIFICATE_OSX_APP_PASSWORD}" --keychain "${KEYCHAIN}"
+    # xcrun notarytool history --keychain-profile "${APP_NAME}" --keychain "${KEYCHAIN}"
     xcrun notarytool submit "${ZIP_FILE}" --keychain-profile "${APP_NAME}" --wait --keychain "${KEYCHAIN}"
 
     echo "+ attach staple"