From ef6e46731e3517737910feb41cb70eb18e1b3dfd Mon Sep 17 00:00:00 2001
From: Andrew Belt <andrewpbelt@gmail.com>
Date: Thu, 4 Jul 2019 23:28:33 -0700
Subject: [PATCH] Add working notarization target and Entitlements file for
 Mac.

---
 Entitlements.plist | 18 ++++++++++++++++++
 Makefile           | 27 ++++++++++++++++++++++++---
 2 files changed, 42 insertions(+), 3 deletions(-)
 create mode 100644 Entitlements.plist

diff --git a/Entitlements.plist b/Entitlements.plist
new file mode 100644
index 00000000..db3305d2
--- /dev/null
+++ b/Entitlements.plist
@@ -0,0 +1,18 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
+<plist version="1.0">
+<dict>
+	<key>com.apple.security.get-task-allow</key>
+	<true/>
+	<key>com.apple.security.cs.allow-jit</key>
+	<true/>
+	<key>com.apple.security.cs.allow-unsigned-executable-memory</key>
+	<true/>
+	<key>com.apple.security.cs.disable-library-validation</key>
+	<true/>
+	<key>com.apple.security.device.audio-input</key>
+	<true/>
+	<key>com.apple.security.device.camera</key>
+	<true/>
+</dict>
+</plist>
diff --git a/Makefile b/Makefile
index d4f15799..2bf6f2da 100644
--- a/Makefile
+++ b/Makefile
@@ -83,9 +83,10 @@ valgrind: $(TARGET)
 clean:
 	rm -rfv $(TARGET) libRack.a Rack.res build dist
 
-ifdef ARCH_WIN
+
 # For Windows resources
 %.res: %.rc
+ifdef ARCH_WIN
 	windres $^ -O coff -o $@
 endif
 
@@ -96,6 +97,7 @@ dist: $(TARGET)
 	mkdir -p dist
 
 	$(MAKE) -C plugins/Fundamental dist
+	$(MAKE) -C plugins/Fundamental sign-dist
 
 ifdef ARCH_LIN
 	mkdir -p dist/Rack
@@ -126,9 +128,9 @@ ifdef ARCH_MAC
 	# Clean up and sign bundle
 	xattr -cr dist/$(TARGET).app
 	# This will only work if you have the private key to my certificate
-	codesign --verbose --sign "Developer ID Application: Andrew Belt (VRF26934X5)" --deep dist/$(TARGET).app
+	codesign --verbose --sign "Developer ID Application: Andrew Belt (VRF26934X5)" --options runtime --entitlements Entitlements.plist --deep dist/$(TARGET).app
 	codesign --verify --deep --strict --verbose=2 dist/$(TARGET).app
-	#spctl --assess --type execute --ignore-cache --no-cache -vv dist/$(TARGET).app
+# 	spctl --assess --type execute --ignore-cache --no-cache -vv dist/$(TARGET).app
 	# Make ZIP
 	cd dist && zip -q -9 -r Rack-$(VERSION)-$(ARCH).zip $(TARGET).app
 endif
@@ -163,6 +165,25 @@ endif
 	cd dist && zip -q -9 -r Rack-SDK-$(VERSION).zip Rack-SDK
 
 
+notarize:
+ifdef ARCH_MAC
+	# This will only work if you have my Apple ID password in your keychain
+	xcrun altool --notarize-app -f dist/Rack-$(VERSION)-$(ARCH).zip --primary-bundle-id=com.vcvrack.rack -u "andrewpbelt@gmail.com" -p @keychain:notarize --output-format xml > dist/UploadInfo.plist
+	# Wait for Apple's servers to approve the app
+	while true; do \
+		xcrun altool --notarization-info `/usr/libexec/PlistBuddy -c "Print :notarization-upload:RequestUUID" dist/UploadInfo.plist` -u "andrewpbelt@gmail.com" -p @keychain:notarize --output-format xml > dist/RequestInfo.plist ; \
+		if [ "`/usr/libexec/PlistBuddy -c "Print :notarization-info:Status" dist/RequestInfo.plist`" != "in progress" ]; then \
+			break ; \
+		fi ; \
+		sleep 10 ; \
+	done
+	# Mark app as notarized, check, and re-zip
+	xcrun stapler staple dist/$(TARGET).app
+	spctl --assess --type execute --ignore-cache --no-cache -vv dist/$(TARGET).app
+	cd dist && zip -q -9 -r Rack-$(VERSION)-$(ARCH).zip $(TARGET).app
+endif
+
+
 UPLOAD_URL := vortico@vcvrack.com:files/
 upload:
 	# This will only work if you have a private key to my server