Add signing/notarization steps to MacOS packaging (#1106)

Author: adamkewley

CHANGELOG.md

@@ -6,6 +6,8 @@ on [Keep a Changelog](https://keepachangelog.com/en/1.0.0/).
 
 ## [Upcoming Release]
 
+- The MacOS DMG installers should now be signed and notarized by Adam Kewley, which should make
+  installing OpenSim Creator considerably easier on MacOS (#1106).
 
 ## [0.6.0] - 2025/09/08
 

docs/source/installation.rst

@@ -30,11 +30,12 @@ Installing on MacOS (Sonoma 14.5 or newer)
 
 .. warning::
 
-  OpenSim Creator's build process does not sign (notarize) its binaries, because
-  we'd have to organize and pay a subscription for that service.
+  **>= v0.6.0**: OpenSim Creator now codesigns and notarizes its binaries, so
+  installation should be as easy as dragging and dropping the application.
 
-  For you, this means that OpenSim Creator requires extra steps that depend on
-  your version of MacOS (Apple changes the procedure regularly - $$$).
+  **< 0.6.0**, OpenSim Creator's build process did not sign (notarize) its
+  binaries, because it requires organizing and paying for an Apple Developer
+  account. Unsigned binaries can require additional installation steps:
 
   **On Sequoia**: open a terminal and run ``xattr -cr /path/to/opensimcreator.dmg`` to
   clear any quarantine flags that MacOS added when the dmg was downloaded. Mount the

docs/source/the-release-process.rst

@@ -38,6 +38,9 @@ Creator, it's usually copied into a GitHub issue:
     - [ ] Download release artifacts from the tagged commit CI build
       - [ ] Also, create a source tarball with `git archive --format=tar.xz --prefix=opensimcreator-${VERSION}/ -o opensimcreator-${VERSION}-src.tar.xz $VERSION` (or, on MacOS: git archive --format=tar --prefix=opensimcreator-${VERSION}/ $VERSION | xz > opensimcreator-${VERSION}-src.tar.xz)
       - [ ] You might need to configure `.tar.xz` support with `git config tar.tar.xz.command "xz -c"`
+      - [ ] For MacOS, the release must be built on a developer's machine, and the developer should configure the build with codesigning+notarization and upload
+            the signed+notarized binaries instead. See OSC_CODESIGN_ENABLED and OSC_NOTARIZATION_ENABLED flags in the
+            MacOS packaging. Adam Kewley specifically has the CMake flags, password, keys etc. necessary to do this.
     - [ ] Unzip/rename any artifacts (see prev. releases)
     - [ ] Create new release on github from the tagged commit
       - [ ] Upload all artifacts against it

liboscar/Platform/App.cpp

@@ -471,6 +471,13 @@ namespace
         return rv;
     }
 
+    std::filesystem::path get_current_resources_path_and_log_it(const AppSettings& settings)
+    {
+        auto rv = get_resource_dir_from_settings(settings);
+        log_info("resource directory: %s", rv.string().c_str());
+        return rv;
+    }
+
     // computes the user's data directory and also logs it to the console for user-facing feedback
     std::filesystem::path get_current_user_dir_and_log_it(
         std::string_view organization_name,
@@ -1619,7 +1626,7 @@ class osc::App::Impl final {
 
     // initialization-time resources dir (so that it doesn't have to be fetched
     // from the settings over-and-over)
-    std::filesystem::path resources_dir_ = get_resource_dir_from_settings(config_);
+    std::filesystem::path resources_dir_ = get_current_resources_path_and_log_it(config_);
 
     // path to the directory that the application's executable is contained within
     std::filesystem::path executable_dir_ = get_current_exe_dir_and_log_it();

liboscar/Platform/AppSettings.cpp

@@ -113,32 +113,18 @@ R"(# configuration options
     std::optional<std::filesystem::path>  try_get_system_config_path(
         std::string_view application_config_file_name)
     {
-        // copied from the legacy `AppConfig` implementation for backwards
-        // compatibility with existing settings files
-
-        std::filesystem::path p = current_executable_directory();
-        bool exists = false;
-
-        while (p.has_filename()) {
-            const std::filesystem::path maybe_config = p / application_config_file_name;
-            if (std::filesystem::exists(maybe_config)) {
-                p = maybe_config;
-                exists = true;
-                break;
+        for (std::filesystem::path p = current_executable_directory(); p != p.root_path(); p = p.parent_path()) {
+            if (auto dir_path = p / application_config_file_name; std::filesystem::exists(dir_path)) {
+                return dir_path;  // e.g. `C:/Program Files/App/config.toml`
             }
-
-            // HACK: there is a file at "MacOS/$configName", which is where the settings
-            // is relative to `current_executable_directory`.
-            const std::filesystem::path maybe_macos_config = p / "MacOS" / application_config_file_name;
-            if (std::filesystem::exists(maybe_macos_config)) {
-                p = maybe_macos_config;
-                exists = true;
-                break;
+            else if (auto resources_path_capped = p / "Resources" / application_config_file_name; std::filesystem::exists(resources_path_capped)) {
+                return resources_path_capped;  // e.g. `/Applications/App.app/Resources/config.toml`
+            }
+            else if (auto resources_path = p / "resources" / application_config_file_name; std::filesystem::exists(resources_path)) {
+                return resources_path;  // e.g. `/opt/app/resources/config.toml`
             }
-            p = p.parent_path();
         }
-
-        return exists ? p : std::optional<std::filesystem::path>{};
+        return std::nullopt;
     }
 
     // if available, returns the path to the user-level configuration file

osc/CMakeLists.txt

@@ -186,7 +186,15 @@ include(${OSC_PACKAGING_DIR}/Packaging.cmake)
 #
 #     - this config is switched out at install-time to a configuration that loads
 #       resources from the (copied) resource directory
-configure_file("${CMAKE_CURRENT_SOURCE_DIR}/osc_dev_config.toml.in" "${CMAKE_BINARY_DIR}/osc.toml")
+if(TRUE)
+    set(OSC_CONFIG_RESOURCES_DIR "${CMAKE_CURRENT_SOURCE_DIR}/../resources")
+    configure_file(
+        "${CMAKE_CURRENT_SOURCE_DIR}/osc.toml.in"
+        "${CMAKE_BINARY_DIR}/osc.toml"  # CARE: this MUST be CMAKE_BINARY_DIR: multiple executables depend on it
+        @ONLY
+    )
+    unset(OSC_CONFIG_RESOURCES_DIR)
+endif()
 
 # for development on Windows, copy all runtime dlls to the exe directory
 # (because Windows doesn't have an RPATH)

osc/Debian/Packaging.cmake

@@ -39,11 +39,20 @@ install(
 #
 #     - in contrast to the dev-centric one, this loads resources from the installation dir,
 #       which has a known path relative to the osc executable (../resources)
-install(
-    FILES "${CMAKE_CURRENT_SOURCE_DIR}/osc_installed_config.toml.in"
-    RENAME "osc.toml"
-    DESTINATION "."
-)
+if(TRUE)
+    set(OSC_CONFIG_RESOURCES_DIR "resources")  # relative to `osc.toml`
+    configure_file(
+        "${CMAKE_CURRENT_SOURCE_DIR}/osc.toml.in"
+        "${CMAKE_CURRENT_BINARY_DIR}/generated/osc_debian.toml"
+        @ONLY
+    )
+    unset(OSC_CONFIG_RESOURCES_DIR)
+    install(
+        FILES "${CMAKE_CURRENT_BINARY_DIR}/generated/osc_debian.toml"
+        RENAME "osc.toml"
+        DESTINATION "."
+    )
+endif()
 
 # install-time: copy `resources/` (assets) dir
 install(

osc/MacOS/Info.plist

@@ -0,0 +1,42 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<!DOCTYPE plist PUBLIC "-//Apple Computer//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
+<plist version="1.0">
+<dict>
+  <key>CFBundleName</key>
+  <string>osc</string>
+
+  <key>CFBundleDisplayName</key>
+  <string>OpenSim Creator (osc)</string>
+
+  <key>CFBundleIdentifier</key>
+  <string>com.opensimcreator.gui</string>
+
+  <!-- version/build number: should be unique and monotonically increase -->
+  <key>CFBundleVersion</key>
+  <string>@PROJECT_VERSION@</string>
+
+  <!-- What the user sees: can be duplicated -->
+  <key>CFBundleShortVersionString</key>
+  <string>@PROJECT_VERSION@</string>
+
+  <key>CFBundleExecutable</key>
+  <string>osc</string>
+
+  <key>CFBundleIconFile</key>
+  <string>osc</string>
+
+  <!-- liboscar natively supports HighDPI -->
+  <key>NSHighResolutionCapable</key>
+  <true/>
+
+  <!-- Rarely changes -->
+  <key>CFBundleInfoDictionaryVersion</key>
+  <string>6.0</string>
+  <!-- Rarely changes -->
+  <key>CFBundlePackageType</key>
+  <string>APPL</string>
+  <!-- Rarely changes -->
+  <key>LSApplicationCategoryType</key>
+  <string>public.app-category.utilities</string>
+</dict>
+</plist>

osc/MacOS/Info.plist.in

@@ -2,7 +2,10 @@
 #
 # - Create a DMG (archive) installer that packages the whole application +
 #   libraries into a single directory tree that can be copied to
-#   /Applications/osc
+#   /Applications/osc.app
+
+option(OSC_CODESIGN_ENABLED "Enable codesigning the resulting app bundle and DMG file" OFF)
+option(OSC_NOTARIZATION_ENABLED "Enable notarizing (xcrun notarytool) the resulting DMG file" OFF)
 
 # set RPATH of `osc` on mac to @executable_path/lib, because dir structure is:
 #
@@ -20,32 +23,49 @@ install(
     DESTINATION osc.app/Contents/MacOS/
 )
 
-# install-time: install a user-facing `osc.toml` config file
-#
-#     - in contrast to the dev-centric one, this loads resources from the installation dir,
-#       which has a known path relative to the osc executable (../resources)
-install(
-    FILES "${CMAKE_CURRENT_SOURCE_DIR}/osc_installed_config.toml.in"
-    RENAME "osc.toml"
-    DESTINATION osc.app/Contents/MacOS/
+# generate `Info.plist` file
+configure_file(
+    "${CMAKE_CURRENT_SOURCE_DIR}/MacOS/Info.plist.in"
+    "${CMAKE_CURRENT_BINARY_DIR}/generated/Info.plist"
+    @ONLY
 )
 
-# install-time: install an `Info.plist` file
+# install-time: install the generated `Info.plist` file
 #
 # it's mac-specific XML file that tells Mac OSX about where the
 # executable is, what the icon is, etc.
 install(
-    FILES "${CMAKE_CURRENT_SOURCE_DIR}/MacOS/Info.plist"
+    FILES "${CMAKE_CURRENT_BINARY_DIR}/generated/Info.plist"
     DESTINATION osc.app/Contents/
 )
 
+# install-time: install a user-facing `osc.toml` config file
+#
+#     - in contrast to the dev-centric one, this loads resources from the `osc.app/Resources/` dir,
+#       which has a known path relative to the osc executable (../Resources/osc.toml)
+if(TRUE)
+    set(OSC_CONFIG_RESOURCES_DIR ".")  # relative to `osc.toml`
+    configure_file(
+        "${CMAKE_CURRENT_SOURCE_DIR}/osc.toml.in"
+        "${CMAKE_CURRENT_BINARY_DIR}/generated/osc_macos.toml"
+        @ONLY
+    )
+    unset(OSC_CONFIG_RESOURCES_DIR)
+
+    install(
+            FILES "${CMAKE_CURRENT_BINARY_DIR}/generated/osc_macos.toml"
+            RENAME "osc.toml"
+            DESTINATION osc.app/Contents/Resources
+    )
+endif()
+
 # install-time: copy `resources/` (assets) dir
 install(
     DIRECTORY
         "${PROJECT_SOURCE_DIR}/resources/OpenSimCreator"
         "$<$<BOOL:${OSC_BUNDLE_OSCAR_DEMOS}>:${PROJECT_SOURCE_DIR}/resources/oscar_demos>"
     DESTINATION
-        osc.app/Contents/MacOS/resources/
+        osc.app/Contents/Resources
 )
 
 # install-time: copy the Mac-specific desktop icon (.icns)
@@ -67,7 +87,54 @@ else()
     unset(OSC_ARCH_LOWERCASE)
 endif()
 
+# use a DMG drag-and-drop packaging method
 set(CPACK_GENERATOR DragNDrop)
 
+# Handle code signing (notarization is separate - below)
+if(OSC_CODESIGN_ENABLED)
+    set(OSC_CODESIGN_DEVELOPER_ID "" CACHE STRING "The developer ID string for the codesigning key (e.g. 'Developer ID Application: Some Developer (XYA12398BF)')")
+
+    # Generate required codesigning scripts
+    configure_file(
+        "${CMAKE_CURRENT_SOURCE_DIR}/MacOS/codesign_osc.app.cmake.in"
+        "${CMAKE_CURRENT_BINARY_DIR}/generated/codesign_osc.app.cmake"
+        @ONLY
+    )
+    configure_file(
+        "${CMAKE_CURRENT_SOURCE_DIR}/MacOS/codesign_osc.dmg.cmake.in"
+        "${CMAKE_CURRENT_BINARY_DIR}/generated/codesign_osc.dmg.cmake"
+        @ONLY
+    )
+
+    # Make CPack run the generated `codesign` script on the `osc.app` bundle that CPack
+    # temporarily creates *before* it packages the bundle into the dmg...
+    set(CPACK_PRE_BUILD_SCRIPTS "${CMAKE_CURRENT_BINARY_DIR}/generated/codesign_osc.app.cmake")
+
+    # ... afterwards, make CPack run `codesign` on the resulting DMG file
+    set(CPACK_POST_BUILD_SCRIPTS "${CMAKE_CURRENT_BINARY_DIR}/generated/codesign_osc.dmg.cmake")
+endif()
+
+# If notarizing, assert that codesigning is enabled (you can only notarize signed code)
+# and run notarization on the output DMG
+if(OSC_NOTARIZATION_ENABLED)
+    if(NOT OSC_CODESIGN_ENABLED)
+        message(FATAL_ERROR "OSC_NOTARIZATION_ENABLED is ${OSC_NOTARIZATION_ENABLED} but OSC_CODESIGN_ENABLED is ${OSC_CODESIGN_ENABLED}: notarization requires code signing to be enabled")
+    endif()
+
+    set(OSC_NOTARIZATION_APPLE_ID "" CACHE STRING "Apple ID of the signer (e.g. '[email protected]')")
+    set(OSC_NOTARIZATION_TEAM_ID "" CACHE STRING "Team ID of the signer (usually, random-looking string at the end of OSC_CODESIGN_DEVELOPER_ID)")
+    set(OSC_NOTARIZATION_PASSWORD "" CACHE STRING "App-specific password of the signer (you can create this from your apple ID account)")
+
+    # Generate required notarization script
+    configure_file(
+        "${CMAKE_CURRENT_SOURCE_DIR}/MacOS/notarize_osc.dmg.cmake.in"
+        "${CMAKE_CURRENT_BINARY_DIR}/generated/notarize_osc.dmg.cmake"
+        @ONLY
+    )
+
+    # Make CPack run the generated notarization script after the DMG is created
+    list(APPEND CPACK_POST_BUILD_SCRIPTS "${CMAKE_CURRENT_BINARY_DIR}/generated/notarize_osc.dmg.cmake")
+endif()
+
 # CPack vars etc. now fully configured, so include it
 include(CPack)