bretth18 · bretth18 · Jan 28, 2026 · Dec 30, 2025 · Dec 30, 2025 · Dec 31, 2025
diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml
@@ -12,51 +12,136 @@ jobs:
   release:
     runs-on: macos-26
 
+    env:
+      KEYCHAIN_PATH: ${{ runner.temp }}/build.keychain-db
+      KEYCHAIN_PASSWORD: ${{ github.run_id }}
+
     steps:
     - uses: actions/checkout@v4
 
+    - name: Install certificates
+      env:
+        DEVELOPER_ID_APPLICATION_P12: ${{ secrets.DEVELOPER_ID_APPLICATION_P12 }}
+        DEVELOPER_ID_INSTALLER_P12: ${{ secrets.DEVELOPER_ID_INSTALLER_P12 }}
+        P12_PASSWORD: ${{ secrets.P12_PASSWORD }}
+      run: |
+        # Create temporary keychain
+        security create-keychain -p "$KEYCHAIN_PASSWORD" "$KEYCHAIN_PATH"
+        security set-keychain-settings -lut 21600 "$KEYCHAIN_PATH"
+        security unlock-keychain -p "$KEYCHAIN_PASSWORD" "$KEYCHAIN_PATH"
+
+        # Import Developer ID Application certificate (for app signing)
+        echo "$DEVELOPER_ID_APPLICATION_P12" | base64 --decode > /tmp/app_cert.p12
+        security import /tmp/app_cert.p12 \
+          -P "$P12_PASSWORD" \
+          -A \
+          -t cert \
+          -f pkcs12 \
+          -k "$KEYCHAIN_PATH"
+
+        # Import Developer ID Installer certificate (for pkg signing)
+        echo "$DEVELOPER_ID_INSTALLER_P12" | base64 --decode > /tmp/installer_cert.p12
+        security import /tmp/installer_cert.p12 \
+          -P "$P12_PASSWORD" \
+          -A \
+          -t cert \
+          -f pkcs12 \
+          -k "$KEYCHAIN_PATH"
+
+        # Add keychain to search list
+        security list-keychains -d user -s "$KEYCHAIN_PATH" $(security list-keychains -d user | tr -d '"')
+        security default-keychain -s "$KEYCHAIN_PATH"
+
+        # Allow codesign to access keychain without UI prompt
+        security set-key-partition-list -S apple-tool:,apple:,codesign:,productsign: -s -k "$KEYCHAIN_PASSWORD" "$KEYCHAIN_PATH"
+
+        # Clean up cert files
+        rm -f /tmp/app_cert.p12 /tmp/installer_cert.p12
 
     - name: Archive App
       run: |
         xcodebuild -scheme abledex \
           -archivePath $PWD/build/abledex.xcarchive \
           -configuration Release \
           archive \
-          CODE_SIGN_IDENTITY="-" \
-          CODE_SIGNING_REQUIRED=NO
+          CODE_SIGN_IDENTITY="Developer ID Application: Brett Henderson (94XUGF9CU7)" \
+          OTHER_CODE_SIGN_FLAGS="--keychain $KEYCHAIN_PATH"
 
     - name: Export App
       run: |
-        # Creates a simple export options plist
         cat <<EOF > ExportOptions.plist
         <?xml version="1.0" encoding="UTF-8"?>
         <!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
         <plist version="1.0">
         <dict>
             <key>method</key>
-            <string>mac-application</string>
-            <key>destination</key>
-            <string>export</string>
+            <string>developer-id</string>
             <key>signingStyle</key>
             <string>manual</string>
+            <key>signingCertificate</key>
+            <string>Developer ID Application: Brett Henderson (94XUGF9CU7)</string>
+            <key>teamID</key>
+            <string>94XUGF9CU7</string>
         </dict>
         </plist>
         EOF
 
         xcodebuild -exportArchive \
           -archivePath $PWD/build/abledex.xcarchive \
           -exportOptionsPlist ExportOptions.plist \
-          -exportPath $PWD/build \
-          CODE_SIGN_IDENTITY="-" \
-          CODE_SIGNING_REQUIRED=NO
+          -exportPath $PWD/build
+
+    - name: Extract version from tag
+      id: version
+      run: echo "VERSION=${GITHUB_REF_NAME#v}" >> "$GITHUB_OUTPUT"
 
-    - name: Zip Application
+    - name: Store notarization credentials
+      env:
+        APPLE_ID: ${{ secrets.APPLE_ID }}
+        APPLE_ID_PASSWORD: ${{ secrets.APPLE_ID_PASSWORD }}
       run: |
-        cd build
-        zip -r abledex.zip abledex.app
+        xcrun notarytool store-credentials "notary-profile" \
+          --apple-id "$APPLE_ID" \
+          --password "$APPLE_ID_PASSWORD" \
+          --team-id "94XUGF9CU7" \
+          --keychain "$KEYCHAIN_PATH"
+
+    - name: Build, sign, notarize, and staple pkg
+      run: |
+        VERSION="${{ steps.version.outputs.VERSION }}"
+
+        # Build unsigned pkg
+        pkgbuild \
+          --component build/abledex.app \
+          --install-location /Applications \
+          --identifier computerdata.abledex \
+          --version "$VERSION" \
+          build/abledex-unsigned.pkg
+
+        # Sign pkg with Developer ID Installer certificate
+        productsign \
+          --sign "Developer ID Installer: Brett Henderson (94XUGF9CU7)" \
+          --keychain "$KEYCHAIN_PATH" \
+          build/abledex-unsigned.pkg \
+          build/abledex.pkg
+
+        rm build/abledex-unsigned.pkg
+
+        # Notarize using stored credentials (avoids secrets in process args)
+        xcrun notarytool submit build/abledex.pkg \
+          --keychain-profile "notary-profile" \
+          --keychain "$KEYCHAIN_PATH" \
+          --wait
+
+        # Staple the notarization ticket
+        xcrun stapler staple build/abledex.pkg
 
     - name: Release
       uses: softprops/action-gh-release@v1
       with:
-        files: build/abledex.zip
+        files: build/abledex.pkg
         generate_release_notes: true
+
+    - name: Cleanup keychain
+      if: always()
+      run: security delete-keychain "$KEYCHAIN_PATH"
diff --git a/abledex.xcodeproj/project.pbxproj b/abledex.xcodeproj/project.pbxproj
@@ -130,7 +130,7 @@
 			attributes = {
 				BuildIndependentTargetsInParallel = 1;
 				LastSwiftUpdateCheck = 2600;
-				LastUpgradeCheck = 2600;
+				LastUpgradeCheck = 2620;
 				TargetAttributes = {
 					A60284F72EEE2E9D00893D52 = {
 						CreatedOnToolsVersion = 26.0.1;
@@ -241,6 +241,7 @@
 				CLANG_WARN_UNREACHABLE_CODE = YES;
 				CLANG_WARN__DUPLICATE_METHOD_MATCH = YES;
 				COPY_PHASE_STRIP = NO;
+				DEAD_CODE_STRIPPING = YES;
 				DEBUG_INFORMATION_FORMAT = dwarf;
 				DEVELOPMENT_TEAM = 94XUGF9CU7;
 				ENABLE_STRICT_OBJC_MSGSEND = YES;
@@ -266,6 +267,7 @@
 				MTL_FAST_MATH = YES;
 				ONLY_ACTIVE_ARCH = YES;
 				SDKROOT = macosx;
+				STRING_CATALOG_GENERATE_SYMBOLS = YES;
 				SWIFT_ACTIVE_COMPILATION_CONDITIONS = "DEBUG $(inherited)";
 				SWIFT_OPTIMIZATION_LEVEL = "-Onone";
 			};
@@ -305,6 +307,7 @@
 				CLANG_WARN_UNREACHABLE_CODE = YES;
 				CLANG_WARN__DUPLICATE_METHOD_MATCH = YES;
 				COPY_PHASE_STRIP = NO;
+				DEAD_CODE_STRIPPING = YES;
 				DEBUG_INFORMATION_FORMAT = "dwarf-with-dsym";
 				DEVELOPMENT_TEAM = 94XUGF9CU7;
 				ENABLE_NS_ASSERTIONS = NO;
@@ -323,6 +326,7 @@
 				MTL_ENABLE_DEBUG_INFO = NO;
 				MTL_FAST_MATH = YES;
 				SDKROOT = macosx;
+				STRING_CATALOG_GENERATE_SYMBOLS = YES;
 				SWIFT_COMPILATION_MODE = wholemodule;
 			};
 			name = Release;
@@ -335,7 +339,8 @@
 				CODE_SIGN_ENTITLEMENTS = abledex/abledex.entitlements;
 				CODE_SIGN_STYLE = Automatic;
 				COMBINE_HIDPI_IMAGES = YES;
-				CURRENT_PROJECT_VERSION = 2;
+				CURRENT_PROJECT_VERSION = 3;
+				DEAD_CODE_STRIPPING = YES;
 				DEVELOPMENT_TEAM = 94XUGF9CU7;
 				ENABLE_APP_SANDBOX = NO;
 				ENABLE_HARDENED_RUNTIME = YES;
@@ -370,7 +375,8 @@
 				CODE_SIGN_ENTITLEMENTS = abledex/abledex.entitlements;
 				CODE_SIGN_STYLE = Automatic;
 				COMBINE_HIDPI_IMAGES = YES;
-				CURRENT_PROJECT_VERSION = 2;
+				CURRENT_PROJECT_VERSION = 3;
+				DEAD_CODE_STRIPPING = YES;
 				DEVELOPMENT_TEAM = 94XUGF9CU7;
 				ENABLE_APP_SANDBOX = NO;
 				ENABLE_HARDENED_RUNTIME = YES;
@@ -403,6 +409,7 @@
 				BUNDLE_LOADER = "$(TEST_HOST)";
 				CODE_SIGN_STYLE = Automatic;
 				CURRENT_PROJECT_VERSION = 1;
+				DEAD_CODE_STRIPPING = YES;
 				DEVELOPMENT_TEAM = 94XUGF9CU7;
 				GENERATE_INFOPLIST_FILE = YES;
 				MACOSX_DEPLOYMENT_TARGET = 15.6;
@@ -424,6 +431,7 @@
 				BUNDLE_LOADER = "$(TEST_HOST)";
 				CODE_SIGN_STYLE = Automatic;
 				CURRENT_PROJECT_VERSION = 1;
+				DEAD_CODE_STRIPPING = YES;
 				DEVELOPMENT_TEAM = 94XUGF9CU7;
 				GENERATE_INFOPLIST_FILE = YES;
 				MACOSX_DEPLOYMENT_TARGET = 15.6;