Implement macOS build signing in workflow

.github/workflows/cmake.yml

@@ -44,8 +44,6 @@ jobs:
         shell: pwsh
         run: winget install -e --id Mono.Mono --silent --accept-source-agreements
         if: runner.os == 'Windows'
-      # - uses: ilammy/msvc-dev-cmd@v1
-      #   if: runner.os == 'Windows'
 
       - name: Download vcpkg
         uses: actions/checkout@v6
@@ -62,7 +60,7 @@ jobs:
         shell: pwsh
         run: ${{ github.workspace }}/vcpkg/bootstrap-vcpkg.bat
       - name: Add NuGet sources
-        if: ${{ ! contains(matrix.config.os, 'windows') }}
+        if: runner.os != 'Windows'
         run: |
           mono `${{ env.VCPKG_EXE }} fetch nuget | tail -n 1` \
             sources add \
@@ -104,38 +102,88 @@ jobs:
             out/build/${{ matrix.config.preset }}/snfm_user_manual.md
             out/build/${{ matrix.config.preset }}/snfm_config_example.yaml
 
+  sign:
+    runs-on: macos-latest
+    needs: build
+    steps:
+      - name: unpack Apple signing credentials
+        env:
+          TEMP_PASSWORD: build.keychain
+        run: |
+          echo "${{secrets.MACOS_CERTIFICATE}}" | base64 -D > certificate.p12 
+          security create-keychain -p $TEMP_PASSWORD build.keychain
+          security default-keychain -s build.keychain
+          security unlock-keychain -p $TEMP_PASSWORD build.keychain
+          security import certificate.p12 -k build.keychain -P "${{secrets.MACOS_CERTIFICATE_PWD}}" -T /usr/bin/codesign
+          security set-key-partition-list -S apple-tool:,apple:,codesign: -s -k $TEMP_PASSWORD build.keychain
+      - name: Get artifact (arm)
+        uses: actions/download-artifact@v6
+        with:
+          name: snfm-macos-arm64-release
+          path: macos-arm64
+      - name: Get artifact (x64)
+        uses: actions/download-artifact@v6
+        with:
+          name: snfm-macos-x64-release
+          path: macos-x64
+      - name: Create universal binaries
+        run: |
+          mkdir -p out
+          ls -al macos-arm64
+          lipo -create -output out/manage_files macos-arm64/manage_files macos-x64/manage_files
+          lipo -create -output out/send_file macos-arm64/send_file macos-x64/send_file
+          ls -al out
+      - name: Sign macOS binaries
+        run: |
+          /usr/bin/codesign --options runtime --force -s ${{ secrets.MACOS_IDENTITY_ID }} out/manage_files
+          /usr/bin/codesign --options runtime --force -s ${{ secrets.MACOS_IDENTITY_ID }} out/send_file
+      - name: Zip for upload to Apple
+        run: zip -j
+              snfm-apple.zip
+              out/manage_files
+              out/send_file
+      - name: Add additional files
+        run: |
+          cp macos-arm64/snfm_user_manual.md out
+          cp macos-arm64/snfm_config_example.yaml out
+      - name: Archive build
+        uses: actions/upload-artifact@v5
+        with:
+          name: snfm-macos-universal-release
+          path: out/
+      - name: notarize macOS build
+        run: xcrun notarytool submit --wait
+              --apple-id ${{ secrets.APPLE_ID }}
+              --team-id ${{ secrets.APPLE_DEVELOPER_TEAM_ID }}
+              --password ${{ secrets.APP_SPECIFIC_PASS }}
+              snfm-apple.zip
+
   release:
     if: github.event_name == 'release'
     runs-on: ubuntu-latest
     needs: build
     steps:
       - name: Inject slug/short variables
         uses: rlespinasse/github-slug-action@v3.x
-      - name: Get artifact
+      - name: Get artifact (windows)
         uses: actions/download-artifact@v6
         with:
           name: snfm-windows-x64-release
           path: windows
-      - name: Get artifact
+      - name: Get artifact (linux)
         uses: actions/download-artifact@v6
         with:
           name: snfm-linux-x64-release
           path: linux
-      - name: Get artifact
-        uses: actions/download-artifact@v6
-        with:
-          name: snfm-macos-arm64-release
-          path: macos-arm64
-      - name: Get artifact
+      - name: Get artifact (mac)
         uses: actions/download-artifact@v6
         with:
-          name: snfm-macos-x64-release
-          path: macos-x64
+          name: snfm-macos-universal-release
+          path: macos
       - name: Fix +x
         run: |
           chmod +x */send_file
           chmod +x */manage_files
-
       - name: Archive Release
         uses: thedoctor0/zip-release@main
         with:
@@ -152,7 +200,7 @@ jobs:
         uses: thedoctor0/zip-release@main
         with:
           type: zip
-          filename: ../snfm-macos-x64-release.zip
+          filename: ../snfm-macos-universal-release.zip
           directory: macos
       - name: Upload binaries to release
         uses: svenstaro/upload-release-action@v2
@@ -173,12 +221,5 @@ jobs:
         with:
           tag: ${{ env.GITHUB_REF_SLUG }}
           overwrite: true
-          asset_name: snfm-$tag-macos-x64.zip
-          file: snfm-macos-x64-release.zip
-      - name: Upload binaries to release
-        uses: svenstaro/upload-release-action@v2
-        with:
-          tag: ${{ env.GITHUB_REF_SLUG }}
-          overwrite: true
-          asset_name: snfm-$tag-macos-arm64.zip
-          file: snfm-macos-arm64-release.zip
+          asset_name: snfm-$tag-macos-universal.zip
+          file: snfm-macos-universal-release.zip