feat: rework CI/CD for macos

.github/actions/setup-keychain/action.yml

@@ -0,0 +1,56 @@
+# .github/actions/setup-keychain/action.yml
+name: Setup apple keychain
+description: Creates and configures a temporary build keychain
+
+inputs:
+  keychain-path:
+    description: Name of the keychain
+    required: true
+  keychain-password:
+    description: Temporary keychain password
+    required: true
+  app-cert-base64:
+    description: Base64-encoded P12 app certificate
+    required: true
+  app-cert-password:
+    description: Application certificate password
+    required: true
+  installer-cert-base64:
+    description: Base64-encoded P12 installer certificate
+    required: true
+  installer-cert-password:
+    description: Installer certificate password
+    required: true
+
+runs:
+  using: composite
+  steps:
+    - name: Create keychain
+      shell: bash
+      env:
+        KEYCHAIN_PATH: ${{ inputs.keychain-path }}
+        KEYCHAIN_PASSWORD: ${{ inputs.keychain-password }}
+        APP_CERT_BASE64: ${{ inputs.app-cert-base64 }}
+        APP_CERT_PASSWORD: ${{ inputs.app-cert-password }}
+        INSTALLER_CERT_BASE64: ${{ inputs.installer-cert-base64 }}
+        INSTALLER_CERT_PASSWORD: ${{ inputs.installer-cert-password }}
+      run: |
+        set -e
+
+        APP_CERT_PATH=$RUNNER_TEMP/DeveloperIdApplicationCertificate.p12
+        INSTALLER_CERT_PATH=$RUNNER_TEMP/DeveloperIdInstallerCertificate.p12
+
+        echo -n "$APP_CERT_BASE64" | base64 --decode -o "$APP_CERT_PATH"
+        echo -n "$INSTALLER_CERT_BASE64" | base64 --decode -o "$INSTALLER_CERT_PATH"
+
+        security create-keychain -p "$KEYCHAIN_PASSWORD" "$KEYCHAIN_PATH"
+        security default-keychain -s "$KEYCHAIN_PATH"
+        security set-keychain-settings -lut 21600 "$KEYCHAIN_PATH"
+        security unlock-keychain -p "$KEYCHAIN_PASSWORD" "$KEYCHAIN_PATH"
+
+        security import "${{ github.action_path }}/DeveloperIDG2CA.cer" -k "$KEYCHAIN_PATH" -A
+        security import "$APP_CERT_PATH" -k "$KEYCHAIN_PATH" -P "$APP_CERT_PASSWORD" -A -t cert -f pkcs12
+        security import "$INSTALLER_CERT_PATH" -k "$KEYCHAIN_PATH" -P "$INSTALLER_CERT_PASSWORD" -A -t cert -f pkcs12
+
+        security set-key-partition-list -S apple-tool:,apple:,codesign: -k "$KEYCHAIN_PASSWORD" "$KEYCHAIN_PATH"
+        security list-keychain -d user -s "$KEYCHAIN_PATH"

.github/workflows/deploy.yml

@@ -379,19 +379,8 @@ jobs:
 
     env:
       QT_VERSION: 6.10.1
-
-      MAC_TEAM_ID: ${{ secrets.MAC_TEAM_ID }}
-
-      MAC_APP_CERT_CERT: ${{ secrets.MAC_APP_CERT_CERT }}
-      MAC_SIGNER_ID: ${{ secrets.MAC_SIGNER_ID }}
-      MAC_APP_CERT_PW: ${{ secrets.MAC_APP_CERT_PW }}
-
-      MAC_INSTALLER_SIGNER_CERT: ${{ secrets.MAC_INSTALLER_SIGNER_CERT }}
-      MAC_INSTALLER_SIGNER_ID: ${{ secrets.MAC_INSTALLER_SIGNER_ID }}
-      MAC_INSTALL_CERT_PW: ${{ secrets.MAC_INSTALL_CERT_PW }}
-
-      APPLE_DEV_EMAIL: ${{ secrets.APPLE_DEV_EMAIL }}
-      APPLE_DEV_PASSWORD: ${{ secrets.APPLE_DEV_PASSWORD }}
+      KEYCHAIN_NAME: "build.keychain"
+      KEYCHAIN_PASSWORD: ""
 
       PROD_AGW_PUBLIC_KEY: ${{ secrets.PROD_AGW_PUBLIC_KEY }}
       PROD_S3_ENDPOINT: ${{ secrets.PROD_S3_ENDPOINT }}
@@ -420,7 +409,14 @@ jobs:
         set-env: 'true'
         aqtversion: '==3.3.0'       
         py7zrversion: '==0.22.*'  
-        extra: '--base ${{ env.QT_MIRROR }}' 
+        extra: '--base ${{ env.QT_MIRROR }}'
+
+    - uses: actions/setup-python@v6
+      with:
+        python-version: 3.14
+      
+    - name: 'Install conan'
+      run: pip install "conan==2.26.2"
 
     - name: 'Get sources'
       uses: actions/checkout@v4
@@ -428,39 +424,33 @@ jobs:
         submodules: 'true'
         fetch-depth: 10
 
-    - name: 'Get version from CMakeLists.txt'
-      id: get_version
-      run: |
-        VERSION=$(grep 'set(AMNEZIAVPN_VERSION' CMakeLists.txt | sed -E 's/.*AMNEZIAVPN_VERSION ([0-9]+.[0-9]+.[0-9]+.[0-9]+)\)/\1/')
-        echo "VERSION=$VERSION" >> $GITHUB_ENV
-        echo "Version: $VERSION"
-
-    # - name: 'Setup ccache'
-    #   uses: hendrikmuhs/ccache-action@v1.2
+    - name: 'Install certs'
+      uses: ./.github/actions/setup-keychain
+      with:
+        keychain-path: ${{ env.KEYCHAIN_NAME }}
+        keychain-password: ${{ env.KEYCHAIN_PASSWORD }}
+        app-cert-base64: ${{ secrets.MAC_APP_CERT_CERT }}
+        app-cert-password: ${{ secrets.MAC_APP_CERT_PW }}
+        installer-cert-base64: ${{ secrets.MAC_INSTALLER_SIGNER_CERT }}
+        installer-cert-password: ${{ secrets.MAC_INSTALL_CERT_PW }}
 
     - name: 'Build project'
-      run: |
-        export QT_BIN_DIR="${{ runner.temp }}/Qt/${{ env.QT_VERSION }}/macos/bin"
-        bash deploy/build_macos.sh -n
-
-    - name: 'Pack macOS installer'
-      run: |
-        cd deploy/build/pkg
-        zip -r ../../AmneziaVPN_${VERSION}_macos.zip AmneziaVPN.pkg
-        cd ../../..
+      env:
+        CODESIGN_KEYCHAIN: ${{ env.KEYCHAIN_NAME }}
+        CODESIGN_SIGNATURE: ${{ secrets.MAC_SIGNER_ID }}
+        CODESIGN_INSTALLER_KEYCHAIN: ${{ env.KEYCHAIN_NAME }}
+        CODESIGN_INSTALLER_SIGNATURE: ${{ secrets.MAC_INSTALLER_SIGNER_ID }}
+        NOTARYTOOL_TEAM_ID: ${{ secrets.MAC_TEAM_ID }}
+        NOTARYTOOL_EMAIL: ${{ secrets.APPLE_DEV_EMAIL }}
+        NOTARYTOOL_PASSWORD: ${{ secrets.APPLE_DEV_PASSWORD }}
+      shell: bash
+      run: deploy/build.sh
 
     - name: 'Upload installer artifact'
-      uses: actions/upload-artifact@v4
+      uses: actions/upload-artifact@v7
       with:
-        name: AmneziaVPN_${{ env.VERSION }}_macos.zip
-        path: deploy/AmneziaVPN_${{ env.VERSION }}_macos.zip
-        retention-days: 7
-
-    - name: 'Upload unpacked artifact'
-      uses: actions/upload-artifact@v4
-      with:
-        name: AmneziaVPN_MacOS_unpacked
-        path: deploy/build/client/AmneziaVPN.app
+        path: deploy/build/AmneziaVPN-*-Darwin.pkg
+        archive: false
         retention-days: 7
 
   Build-MacOS-NE:

cmake/CPackOptions.cmake

@@ -3,3 +3,15 @@ set(CPACK_COMPONENTS_ALL AmneziaVPN)
 if (CPACK_GENERATOR STREQUAL productbuild)
     list(APPEND CPACK_COMPONENTS_ALL Uninstall)
 endif()
+
+if(NOT CODESIGN_INSTALLER_SIGNATURE)
+    set(CODESIGN_INSTALLER_SIGNATURE    "$ENV{CODESIGN_INSTALLER_SIGNATURE}")
+endif()
+set(CPACK_PRODUCTBUILD_IDENTITY_NAME    "${CODESIGN_INSTALLER_SIGNATURE}")
+set(CPACK_PKGBUILD_IDENTITY_NAME        "${CODESIGN_INSTALLER_SIGNATURE}")
+
+if(NOT CODESIGN_INSTALLER_KEYCHAIN)
+    set(CODESIGN_INSTALLER_KEYCHAIN     "$ENV{CODESIGN_INSTALLER_KEYCHAIN}")
+endif()
+set(CPACK_PRODUCTBUILD_KEYCHAIN_PATH    "${CODESIGN_INSTALLER_KEYCHAIN}")
+set(CPACK_PKGBUILD_KEYCHAIN_PATH        "${CODESIGN_INSTALLER_KEYCHAIN}")

cmake/sign_binaries.cmake

@@ -1,3 +1,13 @@
+if(NOT DEFINED SIGNTOOL_SUBJECT_NAME)
+    set(SIGNTOOL_SUBJECT_NAME "$ENV{SIGNTOOL_SUBJECT_NAME}")
+endif()
+if(NOT DEFINED CODESIGN_SIGNATURE)
+    set(CODESIGN_SIGNATURE "$ENV{CODESIGN_SIGNATURE}")
+endif()
+if(NOT DEFINED CODESIGN_KEYCHAIN)
+    set(CODESIGN_KEYCHAIN "$ENV{CODESIGN_KEYCHAIN}")
+endif()
+
 if(WIN32)
     file(GLOB_RECURSE BINARIES
         "${CPACK_TEMPORARY_DIRECTORY}/*.dll"
@@ -11,18 +21,26 @@ if(WIN32)
 endif()
 
 if(APPLE)
-    file(GLOB_RECURSE framework_files
-        "${CPACK_TEMPORARY_DIRECTORY}/*.framework"
-        "${CPACK_TEMPORARY_DIRECTORY}/*.dylib"
-        "${CPACK_TEMPORARY_DIRECTORY}/*.appex"
-        "${CPACK_TEMPORARY_DIRECTORY}/*.bundle"
-        "${CPACK_TEMPORARY_DIRECTORY}/*.xpc"
-    )
-    file(GLOB_RECURSE exec_files
-        "${CPACK_TEMPORARY_DIRECTORY}/Contents/MacOS/*"
-    )
+    file(GLOB_RECURSE all_subdirs LIST_DIRECTORIES true "${CPACK_TEMPORARY_DIRECTORY}/*")
 
-    set(files ${framework_files} ${exec_files})
+    set(frameworks ${all_subdirs})
+    list(FILTER frameworks INCLUDE REGEX [[.*\.framework$]])
+
+    file(GLOB_RECURSE dylibs "${CPACK_TEMPORARY_DIRECTORY}/*.dylib")
+
+    set(bundle ${all_subdirs})
+    list(FILTER bundle INCLUDE REGEX [[.*\.app$]])
+    list(GET bundle 0 bundle)
+
+    file(GLOB_RECURSE execs "${bundle}/Contents/MacOS/*")
+    set(client_exec ${execs})
+    list(FILTER client_exec INCLUDE REGEX [[AmneziaVPN$]])
+    set(service_exec ${execs})
+    list(FILTER service_exec INCLUDE REGEX [[AmneziaVPN-service$]])
+    set(other_execs ${execs})
+    list(FILTER other_execs EXCLUDE REGEX [[AmneziaVPN$|AmneziaVPN-service$]])
+
+    list(APPEND files "${frameworks}" "${dylibs}" "${other_execs}" "${service_exec}" "${client_exec}" "${bundle}")
 
     if (files AND CODESIGN_SIGNATURE)
         include(${CMAKE_CURRENT_LIST_DIR}/util/codesign.cmake)

cmake/sign_packages.cmake

@@ -1,3 +1,16 @@
+if(NOT DEFINED SIGNTOOL_SUBJECT_NAME)
+    set(SIGNTOOL_SUBJECT_NAME "$ENV{SIGNTOOL_SUBJECT_NAME}")
+endif()
+if(NOT DEFINED NOTARYTOOL_EMAIL)
+    set(NOTARYTOOL_EMAIL "$ENV{NOTARYTOOL_EMAIL}")
+endif()
+if(NOT DEFINED NOTARYTOOL_TEAM_ID)
+    set(NOTARYTOOL_TEAM_ID "$ENV{NOTARYTOOL_TEAM_ID}")
+endif()
+if(NOT DEFINED NOTARYTOOL_PASSWORD)
+    set(NOTARYTOOL_PASSWORD "$ENV{NOTARYTOOL_PASSWORD}")
+endif()
+
 if(WIN32)
     if (SIGNTOOL_SUBJECT_NAME)
         include(${CMAKE_CURRENT_LIST_DIR}/util/signtool.cmake)
@@ -8,11 +21,6 @@ if(WIN32)
 endif()
 
 if(APPLE)
-    if(CODESIGN_SIGNATURE)
-        include(${CMAKE_CURRENT_LIST_DIR}/util/codesign.cmake)
-        codesign_sign_files("${CPACK_PACKAGE_FILES}" "${CODESIGN_SIGNATURE}" "${CODESIGN_KEYCHAIN}")
-    endif()
-
     if(NOTARYTOOL_EMAIL AND NOTARYTOOL_TEAM_ID AND NOTARYTOOL_PASSWORD)
         include(${CMAKE_CURRENT_LIST_DIR}/util/notarytool.cmake)
         foreach(file IN LISTS CPACK_PACKAGE_FILES)

cmake/util/notarytool.cmake

@@ -8,7 +8,7 @@ function(notarize_file file email team_id password)
         --wait
     )
 
-    set(cmd ${XCRUN_COMMAND} notarytool ${args} ${file})
+    set(cmd ${XCRUN_COMMAND} notarytool submit ${args} ${file})
 
     list(JOIN cmd " " cmd_str)
     message(STATUS ${cmd_str})
@@ -24,7 +24,7 @@ function(notarize_file file email team_id password)
 endfunction()
 
 function(staple_file file)
-    set(cmd ${XCRUN_COMMAND} staple ${file})
+    set(cmd ${XCRUN_COMMAND} stapler staple ${file})
 
     list(JOIN cmd " " cmd_str)
     message(STATUS ${cmd_str})

deploy/build.sh

@@ -0,0 +1,34 @@
+#!/bin/bash
+set -o errexit
+
+PROJECT_DIR=$(pwd)
+BUILD_DIR="$PROJECT_DIR/deploy/build"
+
+folders=()
+for base in ~/Qt /opt/Qt; do
+    for dir in "$base"/${QT_VERSION:-6.*}; do
+        [ -d "$dir" ] && folders+=("$dir")
+    done
+done
+
+: ${QT_ROOT_PATH:=$(printf '%s\n' "${folders[@]}" | sort -V | tail -1)}
+
+case "$(uname -s)" in
+    Linux)
+        : ${QT_PREFIX_PATH:="$QT_ROOT_PATH"/gcc_64}
+        ;;
+    Darwin)
+        : ${QT_PREFIX_PATH:="$QT_ROOT_PATH"/macos}
+        ;;
+esac
+
+args=()
+if [ -n "${QT_PREFIX_PATH}" ]; then
+    args+=("-DCMAKE_PREFIX_PATH=$QT_PREFIX_PATH")
+fi
+
+set -o xtrace
+
+cmake -S "$PROJECT_DIR" -B "$BUILD_DIR" -DCMAKE_BUILD_TYPE=Release "${args[@]}"
+cmake --build "$BUILD_DIR" --target all
+(cd "$BUILD_DIR" && cpack)

deploy/build_linux.sh

@@ -1,90 +0,0 @@
-#!/bin/bash
-echo "Build script started ..."
-
-set -o errexit -o nounset
-
-
-# Hold on to current directory
-PROJECT_DIR=$(pwd)
-DEPLOY_DIR=$PROJECT_DIR/deploy
-
-mkdir -p $DEPLOY_DIR/build
-BUILD_DIR=$DEPLOY_DIR/build
-
-APP_DIR=$DEPLOY_DIR/AppDir
-mkdir -p $APP_DIR
-
-TOOLS_DIR=$DEPLOY_DIR/Tools
-mkdir -p $TOOLS_DIR
-
-CQTDEPLOYER_DIR=$TOOLS_DIR/cqtdeployer
-mkdir -p $CQTDEPLOYER_DIR
-
-echo "Project dir: ${PROJECT_DIR}" 
-echo "Build dir: ${BUILD_DIR}"
-
-APP_NAME=AmneziaVPN
-APP_FILENAME=$APP_NAME.app
-APP_DOMAIN=org.amneziavpn.package
-
-DEPLOY_DATA_DIR=$PROJECT_DIR/deploy/data/linux
-PREBUILT_DEPLOY_DATA_DIR=$PROJECT_DIR/client/3rd-prebuilt/deploy-prebuilt/linux/client/bin
-INSTALLER_DATA_DIR=$PROJECT_DIR/deploy/installer/packages/$APP_DOMAIN/data
-
-PRO_FILE_PATH=$PROJECT_DIR/$APP_NAME.pro
-QMAKE_STASH_FILE=$PROJECT_DIR/.qmake_stash
-
-# Search Qt
-if [ -z "${QT_VERSION+x}" ]; then
-  QT_VERSION=6.6.2
-  if [ -f /opt/Qt/$QT_VERSION/gcc_64/bin/qmake ]; then
-    QT_BIN_DIR=/opt/Qt/$QT_VERSION/gcc_64/bin
-  elif [ -f $HOME/Qt/$QT_VERSION/gcc_64/bin/qmake ]; then
-    QT_BIN_DIR=$HOME/Qt/$QT_VERSION/gcc_64/bin
-  elif [ -f /usr/lib/qt6/bin/qmake ]; then
-    QT_BIN_DIR=/usr/lib/qt6/bin
-  elif [ -f /usr/lib/x86_64-linux-gnu/qt6/bin/qmake ]; then
-    QT_BIN_DIR=/usr/lib/x86_64-linux-gnu/qt6/bin
-  fi
-fi
-
-echo "Using Qt in $QT_BIN_DIR"
-
-
-# Checking env
-$QT_BIN_DIR/qt-cmake --version
-gcc -v
-
-# Build App
-echo "Building App..."
-cd $BUILD_DIR
-
-$QT_BIN_DIR/qt-cmake -S $PROJECT_DIR
-cmake --build . -j --config release
-
-# Build and run tests here
-
-#echo "............Deploy.................."
-
-cp -r $DEPLOY_DATA_DIR/* $APP_DIR
-cp -r $PREBUILT_DEPLOY_DATA_DIR $APP_DIR/client
-
-if [ ! -f $CQTDEPLOYER_DIR/cqtdeployer.sh ]; then
-  wget -O $TOOLS_DIR/CQtDeployer.zip https://github.com/QuasarApp/CQtDeployer/releases/download/v1.5.4.17/CQtDeployer_1.5.4.17_Linux_x86_64.zip
-  unzip -o $TOOLS_DIR/CQtDeployer.zip -d $CQTDEPLOYER_DIR/
-  chmod +x -R $CQTDEPLOYER_DIR
-fi
-
-
-$CQTDEPLOYER_DIR/cqtdeployer.sh -bin $BUILD_DIR/client/AmneziaVPN -qmake $QT_BIN_DIR/qmake -qmlDir $PROJECT_DIR/client/ui/qml/ -targetDir $APP_DIR/client/
-$CQTDEPLOYER_DIR/cqtdeployer.sh -bin $BUILD_DIR/service/server/AmneziaVPN-service -qmake $QT_BIN_DIR/qmake -targetDir $APP_DIR/service/
-
-rm -f $INSTALLER_DATA_DIR/data.7z
-
-7z a $INSTALLER_DATA_DIR/data.7z $APP_DIR/*
-
-ldd $CQTDEPLOYER_DIR/bin/binarycreator
-
-cp -r $PROJECT_DIR/deploy/installer $BUILD_DIR
-
-$CQTDEPLOYER_DIR/binarycreator.sh --offline-only -v -c $BUILD_DIR/installer/config/linux.xml -p $BUILD_DIR/installer/packages -f $PROJECT_DIR/deploy/AmneziaVPN_Linux_Installer.bin

deploy/build_macos.sh

@@ -1,287 +0,0 @@
-#!/bin/bash
-# -----------------------------------------------------------------------------
-# Usage:
-#   Export the required signing credentials before running this script, e.g.:
-#     export MAC_APP_CERT_PW='pw-for-DeveloperID-Application'
-#     export MAC_INSTALL_CERT_PW='pw-for-DeveloperID-Installer'
-#     export MAC_SIGNER_ID='Developer ID Application: Some Company Name (XXXXXXXXXX)'
-#     export MAC_INSTALLER_SIGNER_ID='Developer ID Installer: Some Company Name (XXXXXXXXXX)'
-#     export APPLE_DEV_EMAIL='your@email.com'
-#     export APPLE_DEV_PASSWORD='<your-password>'
-#     bash deploy/build_macos.sh [-n]
-# -----------------------------------------------------------------------------
-echo "Build script started ..."
-
-set -o errexit -o nounset
-
-while getopts n flag
-do
-    case "${flag}" in
-        n) NOTARIZE_APP=1;;
-    esac
-done
-
-# Hold on to current directory
-PROJECT_DIR=$(pwd)
-DEPLOY_DIR=$PROJECT_DIR/deploy
-
-mkdir -p "$DEPLOY_DIR/build"
-BUILD_DIR="$DEPLOY_DIR/build"
-
-echo "Project dir: ${PROJECT_DIR}"
-echo "Build dir: ${BUILD_DIR}"
-
-APP_NAME=AmneziaVPN
-APP_FILENAME=$APP_NAME.app
-APP_DOMAIN=org.amneziavpn.package
-PLIST_NAME=$APP_NAME.plist
-
-OUT_APP_DIR=$BUILD_DIR/client
-BUNDLE_DIR=$OUT_APP_DIR/$APP_FILENAME
-
-# Prebuilt deployment assets are available via the symlink under deploy/data
-PREBUILT_DEPLOY_DATA_DIR=$PROJECT_DIR/deploy/data/deploy-prebuilt/macos
-DEPLOY_DATA_DIR=$PROJECT_DIR/deploy/data/macos
-
-
-# Search Qt
-if [ -z "${QT_VERSION+x}" ]; then
-QT_VERSION=6.8.3;
-QT_BIN_DIR=$HOME/Qt/$QT_VERSION/macos/bin
-fi
-
-echo "Using Qt in $QT_BIN_DIR"
-
-
-# Checking env
-"$QT_BIN_DIR/qt-cmake" --version
-cmake --version
-clang -v
-
-# Build App
-echo "Building App..."
-cd "$BUILD_DIR"
-
-"$QT_BIN_DIR/qt-cmake" -S "$PROJECT_DIR" -B "$BUILD_DIR"
-cmake --build . --config release --target all
-
-# Build and run tests here
-
-# Create a temporary keychain and import certificates
-KEYCHAIN_PATH="$PROJECT_DIR/mac_sign.keychain"
-trap 'echo "Cleaning up mac_sign.keychain..."; security delete-keychain "$KEYCHAIN_PATH" 2>/dev/null || true; rm -f "$KEYCHAIN_PATH" 2>/dev/null || true' EXIT
-KEYCHAIN=$(security default-keychain -d user | tr -d '"[:space:]"')
-
-# Build a clean list of the *existing* user key-chains. The raw output of
-#   security list-keychains -d user
-# looks roughly like:
-#     "    \"/Users/foo/Library/Keychains/login.keychain-db\"\n    \"/Library/Keychains/System.keychain\""
-# Every entry is surrounded by quotes and indented with a few blanks. Feeding
-# that verbatim back to `security list-keychains -s` inside a single quoted
-# argument leads to one long, invalid path on some systems. We therefore strip
-# the quotes and rely on the shell to split the string on whitespace so that
-# each path becomes its own argument.
-
-read -ra EXISTING_KEYCHAINS <<< "$(security list-keychains -d user | tr -d '"')"
-
-security list-keychains -d user -s "$KEYCHAIN_PATH" "$KEYCHAIN" "${EXISTING_KEYCHAINS[@]}"
-KEYCHAIN_PWD=""  # Empty password keeps things simple for CI jobs
-# Create, unlock and configure the temporary key-chain so that `codesign` can
-# access the imported identities without triggering interactive prompts.
-security create-keychain -p "$KEYCHAIN_PWD" "$KEYCHAIN_PATH"
-# Keep the key-chain unlocked for the duration of the job (6 hours is plenty).
-security set-keychain-settings -lut 21600 "$KEYCHAIN_PATH"
-security unlock-keychain -p "$KEYCHAIN_PWD" "$KEYCHAIN_PATH"
-
-# Import the signing certificates only when the corresponding passwords are
-# available in the environment.  This allows the script to run in environments
-# where code-signing is intentionally turned off (e.g. CI jobs that just build
-# the artefacts without releasing them).
-
-if [ -n "${MAC_APP_CERT_PW-}" ]; then
-  # If the certificate is provided via environment variable, decode it.
-  if [ -n "${MAC_APP_CERT_CERT-}" ]; then
-    echo "$MAC_APP_CERT_CERT" | base64 -d > "$DEPLOY_DIR/DeveloperIdApplicationCertificate.p12"
-  fi
-  security import "$DEPLOY_DIR/DeveloperIdApplicationCertificate.p12" \
-          -k "$KEYCHAIN_PATH" -P "$MAC_APP_CERT_PW" -A
-fi
-
-if [ -n "${MAC_INSTALL_CERT_PW-}" ]; then
-  # Same logic for the installer certificate.
-  if [ -n "${MAC_INSTALLER_SIGNER_CERT-}" ]; then
-    echo "$MAC_INSTALLER_SIGNER_CERT" | base64 -d > "$DEPLOY_DIR/DeveloperIdInstallerCertificate.p12"
-  fi
-  security import "$DEPLOY_DIR/DeveloperIdInstallerCertificate.p12" \
-          -k "$KEYCHAIN_PATH" -P "$MAC_INSTALL_CERT_PW" -A
-fi
-
-# This certificate has no password.
-security import "$DEPLOY_DIR/DeveloperIDG2CA.cer" -k "$KEYCHAIN_PATH" -T /usr/bin/codesign
-
-security list-keychains -d user -s "$KEYCHAIN_PATH"
-
-echo "____________________________________"
-echo "............Deploy.................."
-echo "____________________________________"
-
-# Package
-echo "Packaging ..."
-
-
-cp -Rv "$PREBUILT_DEPLOY_DATA_DIR"/* "$BUNDLE_DIR/Contents/macOS"
-"$QT_BIN_DIR/macdeployqt" "$OUT_APP_DIR/$APP_FILENAME" -always-overwrite -qmldir="$PROJECT_DIR"
-cp -av "$BUILD_DIR/service/server/$APP_NAME-service" "$BUNDLE_DIR/Contents/macOS"
-rsync -av --exclude="$PLIST_NAME" --exclude=post_install.sh --exclude=post_uninstall.sh "$DEPLOY_DATA_DIR/" "$BUNDLE_DIR/Contents/macOS/"
-
-if [ "${MAC_APP_CERT_PW+x}" ]; then
-
-  # Path to the p12 that contains the Developer ID *Application* certificate
-  CERTIFICATE_P12=$DEPLOY_DIR/DeveloperIdApplicationCertificate.p12
-
-  # Ensure launchd plist is bundled, but place it inside Resources so that
-  # the bundle keeps a valid structure (nothing but `Contents` at the root).
-  mkdir -p "$BUNDLE_DIR/Contents/Resources"
-  cp "$DEPLOY_DATA_DIR/$PLIST_NAME" "$BUNDLE_DIR/Contents/Resources/$PLIST_NAME"
-
-  # Show available signing identities (useful for debugging)
-  security find-identity -p codesigning || true
-
-  echo "Signing App bundle..."
-  /usr/bin/codesign --deep --force --verbose --timestamp -o runtime --keychain "$KEYCHAIN_PATH" --sign "$MAC_SIGNER_ID" "$BUNDLE_DIR"
-  /usr/bin/codesign --verify -vvvv "$BUNDLE_DIR" || true
-  spctl -a -vvvv "$BUNDLE_DIR" || true
-
-fi
-
-echo "Packaging installer..."
-PKG_DIR=$BUILD_DIR/pkg
-# Remove any stale packaging data from previous runs
-rm -rf "$PKG_DIR"
-PKG_ROOT=$PKG_DIR/root
-SCRIPTS_DIR=$PKG_DIR/scripts
-RESOURCES_DIR=$PKG_DIR/resources
-INSTALL_PKG=$PKG_DIR/${APP_NAME}_install.pkg
-UNINSTALL_PKG=$PKG_DIR/${APP_NAME}_uninstall.pkg
-FINAL_PKG=$PKG_DIR/${APP_NAME}.pkg
-UNINSTALL_SCRIPTS_DIR=$PKG_DIR/uninstall_scripts
-
-mkdir -p "$PKG_ROOT/Applications" "$SCRIPTS_DIR" "$RESOURCES_DIR" "$UNINSTALL_SCRIPTS_DIR"
-
-cp -R "$BUNDLE_DIR" "$PKG_ROOT/Applications"
-# launchd plist is already inside the bundle; no need to add it again after signing
-/usr/bin/codesign --deep --force --verbose --timestamp -o runtime --keychain "$KEYCHAIN_PATH" --sign "$MAC_SIGNER_ID" "$PKG_ROOT/Applications/$APP_FILENAME"
-/usr/bin/codesign --verify --deep --strict --verbose=4 "$PKG_ROOT/Applications/$APP_FILENAME" || true
-cp "$DEPLOY_DATA_DIR/post_install.sh" "$SCRIPTS_DIR/post_install.sh"
-cp "$DEPLOY_DATA_DIR/post_uninstall.sh" "$UNINSTALL_SCRIPTS_DIR/postinstall"
-mkdir -p "$RESOURCES_DIR/scripts"
-cp "$DEPLOY_DATA_DIR/check_install.sh" "$RESOURCES_DIR/scripts/check_install.sh"
-cp "$DEPLOY_DATA_DIR/check_uninstall.sh" "$RESOURCES_DIR/scripts/check_uninstall.sh"
-
-cat > "$SCRIPTS_DIR/postinstall" <<'EOS'
-#!/bin/bash
-SCRIPT_DIR="$(dirname "$0")"
-bash "$SCRIPT_DIR/post_install.sh"
-exit 0
-EOS
-
-chmod +x "$SCRIPTS_DIR"/*
-chmod +x "$UNINSTALL_SCRIPTS_DIR"/*
-chmod +x "$RESOURCES_DIR/scripts"/*
-cp "$PROJECT_DIR/LICENSE" "$RESOURCES_DIR/LICENSE"
-
-APP_VERSION=$(grep -m1 -E 'project\(' "$PROJECT_DIR/CMakeLists.txt" | sed -E 's/.*VERSION ([0-9.]+).*/\1/')
-echo "Building component package $INSTALL_PKG ..."
-
-# Disable bundle relocation so the app always ends up in /Applications even if
-# another copy is lying around somewhere. We do this by letting pkgbuild
-# analyse the contents, flipping the BundleIsRelocatable flag to false for every
-# bundle it discovers and then feeding that plist back to pkgbuild.
-
-COMPONENT_PLIST="$PKG_DIR/component.plist"
-# Create the component description plist first
-pkgbuild --analyze --root "$PKG_ROOT" "$COMPONENT_PLIST"
-
-# Turn all `BundleIsRelocatable` keys to false (PlistBuddy is available on all
-# macOS systems). We first convert to xml1 to ensure predictable formatting.
-
-# Turn relocation off for every bundle entry in the plist. PlistBuddy cannot
-# address keys that contain slashes without quoting, so we iterate through the
-# top-level keys it prints.
-plutil -convert xml1 "$COMPONENT_PLIST"
-for bundle_key in $(/usr/libexec/PlistBuddy -c "Print" "$COMPONENT_PLIST" | awk '/^[ \t]*[A-Za-z0-9].*\.app/ {print $1}'); do
-  /usr/libexec/PlistBuddy -c "Set :'${bundle_key}':BundleIsRelocatable false" "$COMPONENT_PLIST" || true
-done
-
-# Now build the real payload package with the edited plist so that the final
-# PackageInfo contains relocatable="false".
-pkgbuild --root "$PKG_ROOT" \
-         --identifier "$APP_DOMAIN" \
-         --version "$APP_VERSION" \
-         --install-location "/" \
-         --scripts "$SCRIPTS_DIR" \
-         --component-plist "$COMPONENT_PLIST" \
-         --sign "$MAC_INSTALLER_SIGNER_ID" \
-         "$INSTALL_PKG"
-
-# Build uninstaller component package
-UNINSTALL_COMPONENT_PKG=$PKG_DIR/${APP_NAME}_uninstall_component.pkg
-echo "Building uninstaller component package $UNINSTALL_COMPONENT_PKG ..."
-pkgbuild --nopayload \
-         --identifier "$APP_DOMAIN.uninstall" \
-         --version "$APP_VERSION" \
-         --scripts "$UNINSTALL_SCRIPTS_DIR" \
-         --sign "$MAC_INSTALLER_SIGNER_ID" \
-         "$UNINSTALL_COMPONENT_PKG"
-
-# Wrap uninstaller component in a distribution package for clearer UI
-echo "Building uninstaller distribution package $UNINSTALL_PKG ..."
-UNINSTALL_RESOURCES=$PKG_DIR/uninstall_resources
-rm -rf "$UNINSTALL_RESOURCES"
-mkdir -p "$UNINSTALL_RESOURCES"
-cp "$DEPLOY_DATA_DIR/uninstall_welcome.html" "$UNINSTALL_RESOURCES"
-cp "$DEPLOY_DATA_DIR/uninstall_conclusion.html" "$UNINSTALL_RESOURCES"
-productbuild \
-  --distribution "$DEPLOY_DATA_DIR/distribution_uninstall.xml" \
-  --package-path "$PKG_DIR" \
-  --resources "$UNINSTALL_RESOURCES" \
-  --sign "$MAC_INSTALLER_SIGNER_ID" \
-  "$UNINSTALL_PKG"
-
-cp "$PROJECT_DIR/deploy/data/macos/distribution.xml" "$PKG_DIR/distribution.xml"
-
-echo "Creating final installer $FINAL_PKG ..."
-productbuild --distribution "$PKG_DIR/distribution.xml" \
-             --package-path "$PKG_DIR" \
-             --resources "$RESOURCES_DIR" \
-             --sign "$MAC_INSTALLER_SIGNER_ID" \
-             "$FINAL_PKG"
-
-if [ "${MAC_INSTALL_CERT_PW+x}" ] && [ "${NOTARIZE_APP+x}" ]; then
-  echo "Notarizing installer package..."
-  xcrun notarytool submit "$FINAL_PKG" \
-    --apple-id "$APPLE_DEV_EMAIL" \
-    --team-id "$MAC_TEAM_ID" \
-    --password "$APPLE_DEV_PASSWORD" \
-    --wait
-
-  echo "Stapling ticket..."
-  xcrun stapler staple "$FINAL_PKG"
-  xcrun stapler validate "$FINAL_PKG"
-fi
-
-if [ "${MAC_INSTALL_CERT_PW+x}" ]; then
-  /usr/bin/codesign --verify -vvvv "$FINAL_PKG" || true
-  spctl -a -vvvv "$FINAL_PKG" || true
-fi
-
-# Sign app bundle
-/usr/bin/codesign --deep --force --verbose --timestamp -o runtime --keychain "$KEYCHAIN_PATH" --sign "$MAC_SIGNER_ID" "$BUNDLE_DIR"
-spctl -a -vvvv "$BUNDLE_DIR" || true
-
-# Restore login keychain as the only user keychain and delete the temporary keychain
-KEYCHAIN="$HOME/Library/Keychains/login.keychain-db"
-security list-keychains -d user -s "$KEYCHAIN"
-security delete-keychain "$KEYCHAIN_PATH"
-
-echo "Finished, artifact is $FINAL_PKG"