sign

Author: Architeuthis-Flux

.github/workflows/build-and-package.yml

@@ -10,6 +10,8 @@ on:
 
 env:
   PYTHON_VERSION: "3.11"
+  DISABLE_MACOS_DMG: "true"  # Flag to disable DMG creation for macOS
+  DISABLE_MACOS_NOTARIZATION: "true"  # Flag to disable notarization for macOS
 
 jobs:
   build:
@@ -25,6 +27,13 @@ jobs:
             executable-name: "Jumperless"
             icon-path: "assets/icons/icon.png"
 
+          - os: ubuntu-latest
+            platform: linux
+            arch: x86
+            artifact-name: "Jumperless-Linux-x86"
+            executable-name: "Jumperless"
+            icon-path: "assets/icons/icon.png"
+            
           # macOS builds (Intel)
           - os: macos-13
             platform: macos
@@ -48,6 +57,13 @@ jobs:
             artifact-name: "Jumperless-Windows-x64"
             executable-name: "Jumperless"
             icon-path: "assets/icons/icon.ico"
+            
+          - os: windows-latest
+            platform: windows
+            arch: x86
+            artifact-name: "Jumperless-Windows-x86"
+            executable-name: "Jumperless"
+            icon-path: "assets/icons/icon.ico"
 
     runs-on: ${{ matrix.os }}
 
@@ -84,7 +100,10 @@ jobs:
     - name: Install system dependencies (macOS)
       if: matrix.platform == 'macos'
       run: |
-        brew install create-dmg
+        # Only install create-dmg if DMG creation is enabled
+        if [ "${{ env.DISABLE_MACOS_DMG }}" != "true" ]; then
+          brew install create-dmg
+        fi
         
     - name: Install Python dependencies
       run: |
@@ -128,6 +147,92 @@ jobs:
         # Use PyInstaller with direct command line arguments for consistent builds
         echo "Building with PyInstaller"
         python -m PyInstaller --clean --windowed --name "Jumperless" --distpath dist/macos --workpath build/macos --icon "assets/icons/icon.icns" JumperlessWokwiBridge.py
+        
+    - name: Code Sign macOS App
+      if: matrix.platform == 'macos'
+      env:
+        MACOS_CERTIFICATE: ${{ secrets.MACOS_CERTIFICATE }}
+        MACOS_CERTIFICATE_PASSWORD: ${{ secrets.MACOS_CERTIFICATE_PASSWORD }}
+      run: |
+        # Only proceed if certificate is available
+        if [ -z "$MACOS_CERTIFICATE" ]; then
+          echo "No signing certificate provided, skipping code signing"
+          exit 0
+        fi
+        
+        # Create temporary keychain
+        security create-keychain -p temp_keychain_password temp_keychain
+        security default-keychain -s temp_keychain
+        security unlock-keychain -p temp_keychain_password temp_keychain
+        
+        # Decode and import certificate
+        echo "$MACOS_CERTIFICATE" | base64 --decode > certificate.p12
+        security import certificate.p12 -k temp_keychain -P "$MACOS_CERTIFICATE_PASSWORD" -T /usr/bin/codesign
+        
+        # Enable codesign to access the keychain
+        security set-key-partition-list -S apple-tool:,apple: -s -k temp_keychain_password temp_keychain
+        
+        # Find the app bundle
+        APP_PATH="dist/macos/Jumperless.app"
+        if [ -d "$APP_PATH" ]; then
+          echo "Signing $APP_PATH"
+          # Sign the app bundle
+          codesign --force --sign "Developer ID Application" --deep --options runtime "$APP_PATH"
+          
+          # Verify the signature
+          codesign --verify --verbose "$APP_PATH"
+          echo "Code signing completed successfully"
+        else
+          echo "App bundle not found at $APP_PATH"
+          exit 1
+        fi
+        
+        # Clean up
+        rm certificate.p12
+        security delete-keychain temp_keychain
+        
+    - name: Notarize macOS App
+      if: matrix.platform == 'macos'
+      env:
+        MACOS_CERTIFICATE: ${{ secrets.MACOS_CERTIFICATE }}
+        APPLE_ID: ${{ secrets.APPLE_ID }}
+        APPLE_ID_PASSWORD: ${{ secrets.APPLE_ID_PASSWORD }}
+        APPLE_TEAM_ID: ${{ secrets.APPLE_TEAM_ID }}
+        DISABLE_MACOS_NOTARIZATION: ${{ env.DISABLE_MACOS_NOTARIZATION }}
+      run: |
+        # Check if notarization is disabled
+        if [ "$DISABLE_MACOS_NOTARIZATION" = "true" ]; then
+          echo "Notarization disabled by DISABLE_MACOS_NOTARIZATION flag"
+          exit 0
+        fi
+        
+        # Only proceed if both signing certificate and Apple ID are available
+        if [ -z "$MACOS_CERTIFICATE" ] || [ -z "$APPLE_ID" ]; then
+          echo "No signing certificate or Apple ID provided, skipping notarization"
+          exit 0
+        fi
+        
+        APP_PATH="dist/macos/Jumperless.app"
+        if [ -d "$APP_PATH" ]; then
+          echo "Creating archive for notarization"
+          ditto -c -k --keepParent "$APP_PATH" "Jumperless.zip"
+          
+          echo "Submitting for notarization"
+          xcrun notarytool submit "Jumperless.zip" \
+            --apple-id "$APPLE_ID" \
+            --password "$APPLE_ID_PASSWORD" \
+            --team-id "$APPLE_TEAM_ID" \
+            --wait
+          
+          echo "Stapling notarization"
+          xcrun stapler staple "$APP_PATH"
+          
+          echo "Notarization completed successfully"
+          rm "Jumperless.zip"
+        else
+          echo "App bundle not found for notarization"
+          exit 1
+        fi
           
     - name: Build with PyInstaller (Windows)
       if: matrix.platform == 'windows'
@@ -147,11 +252,15 @@ jobs:
       if: matrix.platform == 'linux'
       run: |
         python Scripts/package_app.py --platform linux --arch ${{ matrix.arch }}
+      env:
+        PREFER_TARGZ: "true"  # Signal to prefer tar.gz over zip for Linux
 
     - name: Create platform-specific package (macOS)
       if: matrix.platform == 'macos'
       run: |
         python Scripts/package_app.py --platform macos --arch ${{ matrix.arch }}
+      env:
+        DISABLE_MACOS_DMG: ${{ env.DISABLE_MACOS_DMG }}
 
     - name: Create platform-specific package (Windows)
       if: matrix.platform == 'windows'
@@ -220,10 +329,22 @@ jobs:
           Multi-platform release of the Jumperless Wokwi Bridge application.
           
           ### Downloads
-          - **Linux x64**: Jumperless-Linux-x64 (AppImage + Python fallback)
-          - **macOS Intel**: Jumperless-macOS-Intel (DMG + Python fallback)
-          - **macOS Apple Silicon**: Jumperless-macOS-Apple-Silicon (DMG + Python fallback)
+          - **Linux x64**: Jumperless-Linux-x64 (tar.gz + Python fallback)
+          - **Linux x86**: Jumperless-Linux-x86 (tar.gz + Python fallback)
+          - **macOS Intel**: Jumperless-macOS-Intel (App bundle + Python fallback)
+          - **macOS Apple Silicon**: Jumperless-macOS-Apple-Silicon (App bundle + Python fallback)
           - **Windows x64**: Jumperless-Windows-x64 (EXE + Python fallback)
+          - **Windows x86**: Jumperless-Windows-x86 (EXE + Python fallback)
+          
+          ### macOS Users - Important Note
+          If the app is code-signed with a Developer ID, you should be able to run it directly.
+          
+          **If you get a security warning, try these steps:**
+          1. Right-click the app and select "Open" to bypass Gatekeeper
+          2. Or remove the quarantine attribute:
+             ```bash
+             xattr -d com.apple.quarantine Jumperless.app
+             ```
           
           ### Installation Methods
           Each package includes multiple ways to run Jumperless:
@@ -239,10 +360,12 @@ jobs:
           See the README.md in each package for detailed instructions.
           
           ### What's New
-          - Multi-platform CI/CD pipeline
+          - Multi-platform CI/CD pipeline with x86 support
+          - macOS code signing support (notarization disabled by default for faster builds)
           - Improved packaging with modern tools
           - Better error handling and logging
           - Enhanced platform-specific optimizations
+          - Linux packages now use tar.gz format
           
         draft: false
         prerelease: ${{ !startsWith(github.ref, 'refs/tags/') }}

BridgeDocs/MACOS_CODE_SIGNING_SETUP.md

@@ -0,0 +1,95 @@
+# macOS Code Signing Setup Guide
+
+This guide explains how to set up code signing for the Jumperless macOS app using GitHub secrets.
+
+## Prerequisites
+
+- Apple Developer Program membership
+- macOS with Xcode installed
+- Developer ID Application certificate in your Keychain
+
+## Step 1: Export Your Certificate
+
+1. Open **Keychain Access** on your Mac
+2. Select **login** keychain and **My Certificates** category
+3. Find your "Developer ID Application" certificate
+4. Right-click and select **Export**
+5. Choose **Personal Information Exchange (.p12)** format
+6. Save as `Certificates.p12` and set a strong password
+7. Remember this password - you'll need it for GitHub secrets
+
+## Step 2: Prepare Certificate for GitHub
+
+```bash
+# Convert the .p12 file to base64 for GitHub secrets
+base64 -i Certificates.p12 -o Certificates.p12.base64.txt
+
+# The output file contains the base64-encoded certificate
+cat Certificates.p12.base64.txt
+```
+
+## Step 3: Set Up GitHub Secrets
+
+Go to your GitHub repository → Settings → Secrets and variables → Actions
+
+Add these secrets:
+
+### Required for Code Signing:
+- `MACOS_CERTIFICATE`: Contents of `Certificates.p12.base64.txt`
+- `MACOS_CERTIFICATE_PASSWORD`: Password you used when exporting the .p12 file
+- `APPLE_TEAM_ID`: Your Apple Developer Team ID (found in Apple Developer Console)
+
+### Optional for Notarization (disabled by default):
+- `APPLE_ID`: Your Apple ID email
+- `APPLE_ID_PASSWORD`: App-specific password (create in Apple ID settings)
+
+**Note**: Notarization is disabled by default via the `DISABLE_MACOS_NOTARIZATION` environment variable. This is sufficient for direct distribution of developer tools.
+
+To enable notarization, set `DISABLE_MACOS_NOTARIZATION: "false"` in the workflow environment variables.
+
+## Step 4: Get Your Team ID
+
+1. Go to [Apple Developer Console](https://developer.apple.com/account/)
+2. Sign in with your Apple ID
+3. Go to **Membership** tab
+4. Copy your **Team ID** (10-character string)
+
+## Step 5: Create App-Specific Password (Optional)
+
+1. Go to [Apple ID Account Page](https://appleid.apple.com/)
+2. Sign in and go to **Security** section
+3. Under **App-Specific Passwords**, click **Generate Password**
+4. Label it "GitHub Actions Notarization"
+5. Save the generated password as `APPLE_ID_PASSWORD` secret
+
+## Security Notes
+
+- Never commit certificates or passwords to your repository
+- Use strong, unique passwords for certificate export
+- App-specific passwords are safer than your main Apple ID password
+- Consider rotating secrets periodically
+
+## Testing
+
+After setting up secrets, the GitHub Actions workflow will automatically:
+1. Import your certificate into the build environment
+2. Sign the app bundle with your Developer ID
+3. Optionally notarize the app (disabled by default, enable by setting `DISABLE_MACOS_NOTARIZATION=false`)
+
+With code signing alone, most users will no longer need to use `xattr` commands to run your app!
+
+## Troubleshooting
+
+### "No signing identity found" error
+- Verify `MACOS_CERTIFICATE` and `MACOS_CERTIFICATE_PASSWORD` are correct
+- Ensure you exported the certificate with its private key
+
+### Notarization fails
+- Check `APPLE_ID` and `APPLE_ID_PASSWORD` are correct
+- Verify the app is properly signed before notarization
+- Check Apple Developer Console for any account issues
+
+### Certificate expires
+- Renew your Developer ID certificate in Apple Developer Console
+- Export and re-encode the new certificate
+- Update the `MACOS_CERTIFICATE` secret 

Scripts/package_app.py

@@ -306,6 +306,12 @@ def create_python_readme(python_dir, platform):
 ./run_jumperless.sh
 ```
 
+### macOS Security Warning
+If you get a security warning about unidentified developer:
+```bash
+xattr -d com.apple.quarantine run_jumperless.sh
+```
+
 ### Missing Dependencies
 ```bash
 pip install -r requirements.txt
@@ -369,7 +375,12 @@ def package_platform(platform, arch, output_dir):
     print(f"{platform.title()} package created in {platform_dir}")
 
 def try_create_macos_dmg(macos_dir, arch):
-    """Try to create macOS DMG if create-dmg is available"""
+    """Try to create macOS DMG if create-dmg is available and not disabled"""
+    # Check if DMG creation is disabled by environment variable
+    if os.environ.get("DISABLE_MACOS_DMG", "").lower() == "true":
+        print("DMG creation disabled by DISABLE_MACOS_DMG environment variable")
+        return
+    
     try:
         subprocess.run(["create-dmg", "--version"], check=True, capture_output=True)
         create_macos_dmg(macos_dir, arch)
@@ -484,6 +495,13 @@ def create_platform_readme(platform_dir, platform):
 ```
 
 The app will automatically launch in a new Terminal window for the best CLI experience.
+
+**Important for macOS users:** If you get a security warning about the app being from an unidentified developer, you may need to:
+1. Right-click the app and select "Open" to bypass Gatekeeper, OR
+2. Remove the quarantine attribute:
+   ```bash
+   xattr -d com.apple.quarantine Jumperless.app
+   ```
 '''
     elif platform == "windows":
         readme_content += '''
@@ -541,20 +559,30 @@ def create_archives(platform, output_dir):
         print(f"WARNING: No {platform} directory found")
         return
 
-    # Create ZIP archive (universal)
+    # Check if we should prefer tar.gz over zip
+    prefer_targz = os.environ.get("PREFER_TARGZ", "").lower() == "true"
+    
+    # Create tar.gz for Linux/macOS (especially when preferred)
+    if platform in ['linux', 'macos']:
+        tar_path = output_dir / f"Jumperless-{platform.title()}.tar.gz"
+        with tarfile.open(tar_path, 'w:gz') as tar:
+            tar.add(platform_dir, arcname=f"Jumperless-{platform.title()}")
+        print(f"Created tar.gz archive: {tar_path}")
+        
+        # Skip ZIP creation for Linux if tar.gz is preferred
+        if platform == 'linux' and prefer_targz:
+            print("Skipping ZIP creation for Linux (tar.gz preferred)")
+            return
+    
+    # Create ZIP archive (universal fallback or for Windows)
     zip_path = output_dir / f"Jumperless-{platform.title()}.zip"
     with zipfile.ZipFile(zip_path, 'w', zipfile.ZIP_DEFLATED) as zipf:
         for root, dirs, files in os.walk(platform_dir):
             for file in files:
                 file_path = Path(root) / file
                 arcname = file_path.relative_to(platform_dir)
                 zipf.write(file_path, arcname)
-    
-    # Create tar.gz for Linux/macOS
-    if platform in ['linux', 'macos']:
-        tar_path = output_dir / f"Jumperless-{platform.title()}.tar.gz"
-        with tarfile.open(tar_path, 'w:gz') as tar:
-            tar.add(platform_dir, arcname=f"Jumperless-{platform.title()}")
+    print(f"Created ZIP archive: {zip_path}")
 
     print(f"Archives created for {platform}")