Notarizing the macOS binary to avoid the warning message

[ggrossetie]

Since the binary isn’t registered with Apple, users will get a warning dialog.
It's possible to workaround this warning dialog but it would be better to notarize the binary: https://support.apple.com/guide/mac-help/open-a-mac-app-from-an-unidentified-developer-mh40616/mac

Fortunately, @brunchboy already did that on one project and can give us some tips yay! 😉

[brunchboy]

I had intended to write a Medium post about how I got this working, but then the pandemic intervened and totally wiped the details and plans from my brain. 😞

The first step is to get the binary signed and notarized locally on your development machine. Have you been able to do that? My signing experience isn’t going to be helpful because it centered on using jlink and jpackage to create a signed native application bundle containing a Java runtime environment from a Clojure project. I have no idea how one signs node binaries, but I can only imagine there is documentation about that.

Once you have that working, I can share the elements I needed to add to get notarization working, and how to do that inside of GitHub actions. The workflow that does it is here: https://github.com/Deep-Symmetry/beat-link-trigger/blob/master/.github/workflows/uberjar.yml

You’ll want to focus on the build_dmg job that begins on line 147, and the shell script it uses: https://github.com/Deep-Symmetry/beat-link-trigger/blob/master/.github/scripts/build_dmg.zsh

[brunchboy]

Once you are ready to dig into those I can give more details about sections, and things that tripped me up, and how I configured the secrets needed for the workflow to sign things using my developer identity without leaking them to people who fork the repository.