Support codesign/notarize via local credentials file

.gitignore

@@ -3,3 +3,5 @@ xcuserdata/
 DerivedData/
 build/
 Build/
+dist/
+.signing.env

README.md

@@ -39,13 +39,13 @@ open iKeyMon.xcodeproj
 
 ### Local release build
 
-Use the helper script to produce a zipped `.app` in `dist/`:
+Use the helper script to produce distributables in `dist/`:
 
 ```bash
 ./scripts/build_release.sh
 ```
 
-It cleans previous artifacts, builds the `Release` configuration, and drops `iKeyMon-<version>.zip` into the `dist` folder (ignored by git).
+It cleans previous artifacts, builds the `Release` configuration, and drops both `iKeyMon-<version>.zip` and `iKeyMon-<version>.dmg` into the `dist` folder (ignored by git). To enable codesigning + notarization, copy `signing.env.example` to `.signing.env`, fill in your Developer ID identity, Apple ID, team ID, and app-specific password. The script sources that file locally (it remains gitignored) and performs signing/notarization when the values are present.
 ## 📦 License
 
 MIT — see [LICENSE](LICENSE) for details.

scripts/build_release.sh

@@ -6,6 +6,12 @@ BUILD_DIR="$ROOT_DIR/build"
 ARTIFACTS_DIR="$ROOT_DIR/dist"
 SCHEME="iKeyMon"
 PROJECT="iKeyMon.xcodeproj"
+CREDENTIALS_FILE="$ROOT_DIR/.signing.env"
+
+if [[ -f "$CREDENTIALS_FILE" ]]; then
+  # shellcheck disable=SC1090
+  source "$CREDENTIALS_FILE"
+fi
 
 rm -rf "$BUILD_DIR" "$ARTIFACTS_DIR"
 mkdir -p "$ARTIFACTS_DIR"
@@ -23,6 +29,13 @@ if [[ ! -d "$APP_PATH" ]]; then
   exit 1
 fi
 
+if [[ -n "${CODESIGN_IDENTITY:-}" ]]; then
+  echo "🔏 Codesigning app with identity: $CODESIGN_IDENTITY"
+  codesign --deep --force --options runtime --sign "$CODESIGN_IDENTITY" "$APP_PATH"
+else
+  echo "⚠️ Skipping codesign (CODESIGN_IDENTITY not set)."
+fi
+
 VERSION=$(xcodebuild \
   -project "$ROOT_DIR/$PROJECT" \
   -scheme "$SCHEME" \
@@ -39,4 +52,18 @@ popd >/dev/null
 DMG_NAME="iKeyMon-${VERSION}.dmg"
 hdiutil create -volname "iKeyMon" -srcfolder "$APP_PATH" -ov -format UDZO "$ARTIFACTS_DIR/$DMG_NAME"
 
-echo "✅ Build complete. Artifact: $ARTIFACTS_DIR/$ZIP_NAME"
+if [[ -n "${NOTARY_APPLE_ID:-}" && -n "${NOTARY_TEAM_ID:-}" && -n "${NOTARY_PASSWORD:-}" ]]; then
+  echo "📝 Submitting DMG for notarization..."
+  xcrun notarytool submit "$ARTIFACTS_DIR/$DMG_NAME" \
+    --apple-id "$NOTARY_APPLE_ID" \
+    --team-id "$NOTARY_TEAM_ID" \
+    --password "$NOTARY_PASSWORD" \
+    --wait
+  xcrun stapler staple "$ARTIFACTS_DIR/$DMG_NAME"
+else
+  echo "⚠️ Skipping notarization (NOTARY_* variables not set)."
+fi
+
+echo "✅ Build complete. Artifacts:"
+echo "   - $ARTIFACTS_DIR/$ZIP_NAME"
+echo "   - $ARTIFACTS_DIR/$DMG_NAME"

signing.env.example

@@ -0,0 +1,4 @@
+CODESIGN_IDENTITY="Developer ID Application: Your Name (TEAMID1234)"
+NOTARY_APPLE_ID="appleid@example.com"
+NOTARY_TEAM_ID="TEAMID1234"
+NOTARY_PASSWORD="app-specific-password"