From 0710d66092dfc5b7c362325e3d542663541e3533 Mon Sep 17 00:00:00 2001
From: Nathan Sobo
Date: Fri, 10 Sep 2021 22:07:20 -0600
Subject: [PATCH] Perform code signing with Apple-issued certificate on CI
---
 .github/workflows/ci.yml | 3 +++
 script/bundle | 15 ++++++++++++++-
 2 files changed, 17 insertions(+), 1 deletion(-)
diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml
index 2ca39c8420..94f3caaabf 100644
--- a/.github/workflows/ci.yml
+++ b/.github/workflows/ci.yml
@@ -38,6 +38,9 @@ jobs:
 bundle:
 name: Bundle app
 runs-on: self-hosted
+ env:
+ MACOS_CERTIFICATE: ${{ secrets.MACOS_CERTIFICATE }}
+ MACOS_CERTIFICATE_PASSWORD: ${{ secrets.MACOS_CERTIFICATE_PASSWORD }}
 steps:
 - name: Install Rust x86_64-apple-darwin target
 uses: actions-rs/toolchain@v1
diff --git a/script/bundle b/script/bundle
index 8c8475e01b..d7aae506b8 100755
--- a/script/bundle
+++ b/script/bundle
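Review bot: Declaring `MACOS_CERTIFICATE` and `MACOS_CERTIFICATE_PASSWORD` in the job-level `env:` of `bundle` exposes the signing identity and its password to every step of the job, including the third-party `actions-rs/toolchain@v1` step directly below, which is referenced by a mutable tag rather than a commit SHA. Only the step that invokes `script/bundle` needs these values, so the same three `env:` lines would be better placed on that step; the rest of the steps list is outside the hunk, so its exact position is not visible here. Because the job runs on a `self-hosted` runner, it is also worth confirming that the workflow's triggers do not let untrusted pull requests reach this job.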
@@ -17,7 +17,20 @@ cargo build --release --target aarch64-apple-darwin
 lipo -create target/x86_64-apple-darwin/release/Zed target/aarch64-apple-darwin/release/Zed -output target/x86_64-apple-darwin/release/bundle/osx/Zed.app/Contents/MacOS/zed
 # Sign the app bundle with an ad-hoc signature so it runs on the M1. We need a real certificate but this works for now.
-codesign --force --deep -s - target/x86_64-apple-darwin/release/bundle/osx/Zed.app
+if [[ -z $MACOS_CERTIFICATE || -z $MACOS_CERTIFICATE_PASSWORD ]]; then
+ echo "Missing MACOS_CERTIFICATE and MACOS_CERTIFICATE_PASSWORD environment variables – performing ad-hoc signature"
+ codesign --force --deep -s - target/x86_64-apple-darwin/release/bundle/osx/Zed.app -v
+else
+ echo "Signing bundle with Apple-issued certificate"
+ security create-keychain -p $MACOS_CERTIFICATE_PASSWORD zed.keychain || echo ""
+ security unlock-keychain -p $MACOS_CERTIFICATE_PASSWORD zed.keychain
+ security set-key-partition-list -S apple-tool:,apple:,codesign: -s -k $MACOS_CERTIFICATE_PASSWORD zed.keychain
+ echo $MACOS_CERTIFICATE | base64 --decode > /tmp/zed-certificate.p12
+ security import /tmp/zed-certificate.p12 -k zed.keychain -P $MACOS_CERTIFICATE_PASSWORD -T /usr/bin/codesign
+ rm /tmp/zed-certificate.p12
+ security default-keychain -s zed.keychain
+ /usr/bin/codesign --force -s "Zed Industries, Inc." target/x86_64-apple-darwin/release/bundle/osx/Zed.app -v
+fi
 # Create a DMG
 mkdir -p target/release
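Review bot: In the `else` branch the decoded signing identity is written to the fixed path `/tmp/zed-certificate.p12` under the default umask, and if the script runs under `set -e` (its header is outside the hunk) a failed `security import` exits before the `rm`, leaving the private key on the self-hosted runner. A private `mktemp -d` directory removed by an `EXIT` trap avoids both problems. `$MACOS_CERTIFICATE_PASSWORD` and `$MACOS_CERTIFICATE` are also expanded unquoted, so a password containing whitespace or glob characters is split before `security` receives it. Separately, `zed.keychain` is never deleted and is made the default keychain, so the identity appears to persist on the runner between jobs (the `|| echo ""` on `create-keychain` suggests this is expected); consider removing it after signing. The comment above the `if` still describes only the ad-hoc signature, and the silent fallback to it means a release build without the secrets succeeds unsigned by the real certificate.

```shell
else
    echo "Signing bundle with Apple-issued certificate"
    cert_dir="$(mktemp -d -t zed-signing)"
    trap 'rm -rf "$cert_dir"' EXIT
    security create-keychain -p "$MACOS_CERTIFICATE_PASSWORD" zed.keychain || echo ""
    security unlock-keychain -p "$MACOS_CERTIFICATE_PASSWORD" zed.keychain
    security set-key-partition-list -S apple-tool:,apple:,codesign: -s -k "$MACOS_CERTIFICATE_PASSWORD" zed.keychain
    echo "$MACOS_CERTIFICATE" | base64 --decode > "$cert_dir/zed-certificate.p12"
    security import "$cert_dir/zed-certificate.p12" -k zed.keychain -P "$MACOS_CERTIFICATE_PASSWORD" -T /usr/bin/codesign
    # … unchanged: default-keychain and codesign calls …
```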