From d38b6d0b9c04eafcc1ab6c9c47af989566f265f4 Mon Sep 17 00:00:00 2001 From: tooomm Date: Sun, 15 Mar 2026 15:11:37 +0100 Subject: [PATCH 1/7] macos sign --- .github/workflows/desktop-build.yml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/.github/workflows/desktop-build.yml b/.github/workflows/desktop-build.yml index f99c91abb..4313ac5d4 100644 --- a/.github/workflows/desktop-build.yml +++ b/.github/workflows/desktop-build.yml @@ -462,7 +462,7 @@ jobs: key: ccache-${{matrix.runner}}-${{matrix.soc}}-${{matrix.type}}-${{env.BRANCH_NAME}} - name: Sign app bundle - if: matrix.os == 'macOS' && matrix.make_package && needs.configure.outputs.tag != null + if: matrix.os == 'macOS' && matrix.make_package id: sign_macos env: MACOS_CERTIFICATE_NAME: ${{ secrets.PROD_MACOS_CERTIFICATE_NAME }} @@ -475,7 +475,7 @@ jobs: fi - name: Notarize app bundle - if: steps.sign_macos.outcome == 'success' + if: steps.sign_macos.outcome == 'success' && needs.configure.outputs.tag != null env: MACOS_NOTARIZATION_APPLE_ID: ${{ secrets.PROD_MACOS_NOTARIZATION_APPLE_ID }} MACOS_NOTARIZATION_TEAM_ID: ${{ secrets.PROD_MACOS_NOTARIZATION_TEAM_ID }} From 1d4b757e00fb56b42a32c08ce1de59e18893d837 Mon Sep 17 00:00:00 2001 From: tooomm Date: Sun, 15 Mar 2026 18:21:26 +0100 Subject: [PATCH 2/7] Update desktop-build.yml --- .github/workflows/desktop-build.yml | 19 +++++++++++++++---- 1 file changed, 15 insertions(+), 4 deletions(-) diff --git a/.github/workflows/desktop-build.yml b/.github/workflows/desktop-build.yml index 4313ac5d4..753d4e834 100644 --- a/.github/workflows/desktop-build.yml +++ b/.github/workflows/desktop-build.yml 
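Review bot: Dropping `needs.configure.outputs.tag != null` from the sign step's `if` means every macOS `make_package` build, not only tagged releases, is now signed with the production Developer ID identity from `PROD_MACOS_CERTIFICATE_NAME`; if that is intended (for example to exercise the signing pipeline on every push), a comment on the step saying so would help the next reader. A related gap in the second hunk: when the secret is empty the script skips signing but the step still ends with `outcome == 'success'`, so the notarize gate does not actually tell you a signature exists. Having the sign step record `echo "signed=true" >> "$GITHUB_OUTPUT"` inside its `if` and gating notarization on `steps.sign_macos.outputs.signed == 'true'` makes that explicit. Both steps' bodies continue outside these hunks.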
@@ -464,25 +464,27 @@ jobs: - name: Sign app bundle if: matrix.os == 'macOS' && matrix.make_package id: sign_macos + shell: bash env: MACOS_CERTIFICATE_NAME: ${{ secrets.PROD_MACOS_CERTIFICATE_NAME }} MACOS_CI_KEYCHAIN_PWD: ${{ secrets.PROD_MACOS_CI_KEYCHAIN_PWD }} run: | - if [[ -n "$MACOS_CERTIFICATE_NAME" ]] - then + if [[ -n "$MACOS_CERTIFICATE_NAME" ]]; then security unlock-keychain -p "$MACOS_CI_KEYCHAIN_PWD" build.keychain /usr/bin/codesign --sign="$MACOS_CERTIFICATE_NAME" --entitlements=".ci/macos.entitlements" --options=runtime --force --deep --timestamp --verbose ${{steps.build.outputs.path}} + echo "" + codesign -dv --verbose=4 ${{steps.build.outputs.path}} fi - name: Notarize app bundle if: steps.sign_macos.outcome == 'success' && needs.configure.outputs.tag != null + shell: bash env: MACOS_NOTARIZATION_APPLE_ID: ${{ secrets.PROD_MACOS_NOTARIZATION_APPLE_ID }} MACOS_NOTARIZATION_TEAM_ID: ${{ secrets.PROD_MACOS_NOTARIZATION_TEAM_ID }} MACOS_NOTARIZATION_PWD: ${{ secrets.PROD_MACOS_NOTARIZATION_PWD }} run: | - if [[ -n "$MACOS_NOTARIZATION_APPLE_ID" ]] - then + if [[ -n "$MACOS_NOTARIZATION_APPLE_ID" ]]; then # Store the notarization credentials so that we can prevent a UI password dialog from blocking the CI echo "Create keychain profile" xcrun notarytool store-credentials "notarytool-profile" --apple-id "$MACOS_NOTARIZATION_APPLE_ID" --team-id "$MACOS_NOTARIZATION_TEAM_ID" --password "$MACOS_NOTARIZATION_PWD" @@ -504,6 +506,15 @@ jobs: # validated by macOS even when an internet connection is not available. echo "Attach staple" xcrun stapler staple ${{steps.build.outputs.path}} + + echo "Verify notarization status" + spctl -a -v ${{steps.build.outputs.path}} + + echo "Check Gatekeeper assessment" + spctl --assess --type execute --verbose ${{steps.build.outputs.path}} + + echo "Validate notarization ticket" + xcrun stapler validate ${{steps.build.outputs.path}} fi - name: Upload artifact 
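Review bot: The verification lines added here interpolate `${{steps.build.outputs.path}}` straight into the bash script, unquoted, so a bundle path containing a space word-splits and the command operates on the wrong argument; GitHub's own hardening guidance is to pass expression values through `env:` and reference them quoted. Adding `APP_PATH: ${{ steps.build.outputs.path }}` under the step's `env:` and writing `codesign -dv --verbose=4 "$APP_PATH"` (likewise for the existing `codesign --sign` line) covers both. The value presumably comes from the workflow's own build step, so injection is unlikely, but the quoting still matters. The same pattern recurs in every later patch of this series and in the notarize step's hunk below.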
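Review bot: `spctl -a -v` and `spctl --assess --type execute --verbose` run the same Gatekeeper assessment twice (`-a` is `--assess`, and `execute` is spctl's default type); one of them is enough, and `xcrun stapler validate` is the check that actually confirms the ticket is attached. Because `shell: bash` is now explicit, the step runs with `-e` and `pipefail`, so a rejected assessment fails the job — worth stating above the block, e.g. `# Post-notarization checks; a failure here fails the job on purpose`, so nobody later wraps them in `|| true`. The notarize step's header is outside this hunk.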
From 6f8a1730f5b8d1c5165c130f5dbbc0aead2412fc Mon Sep 17 00:00:00 2001 From: tooomm Date: Sun, 15 Mar 2026 19:28:48 +0100 Subject: [PATCH 3/7] Update desktop-build.yml --- .github/workflows/desktop-build.yml | 28 ++++++++++++++++++++++++++-- 1 file changed, 26 insertions(+), 2 deletions(-) diff --git a/.github/workflows/desktop-build.yml b/.github/workflows/desktop-build.yml index 753d4e834..f2c149c57 100644 --- a/.github/workflows/desktop-build.yml +++ b/.github/workflows/desktop-build.yml @@ -471,9 +471,33 @@ jobs: run: | if [[ -n "$MACOS_CERTIFICATE_NAME" ]]; then security unlock-keychain -p "$MACOS_CI_KEYCHAIN_PWD" build.keychain - /usr/bin/codesign --sign="$MACOS_CERTIFICATE_NAME" --entitlements=".ci/macos.entitlements" --options=runtime --force --deep --timestamp --verbose ${{steps.build.outputs.path}} - echo "" + codesign --sign="$MACOS_CERTIFICATE_NAME" --entitlements=".ci/macos.entitlements" --options=runtime --force --deep --timestamp --verbose ${{steps.build.outputs.path}} + + echo "Inspect/Verify app signature" codesign -dv --verbose=4 ${{steps.build.outputs.path}} + + codesign -dv --verbose=3 ${{steps.build.outputs.path}} + + codesign -dv --verbose=2 ${{steps.build.outputs.path}} + + codesign -dv --verbose=1 ${{steps.build.outputs.path}} + + codesign -dv --verbose ${{steps.build.outputs.path}} + + codesign --verify ${{steps.build.outputs.path}} + + codesign --verify --deep ${{steps.build.outputs.path}} + + codesign --verify --deep --verbose ${{steps.build.outputs.path}} + + echo "Assess the application" + spctl --assess --type execute --verbose ${{steps.build.outputs.path}} + + echo "Checking Gatekeepr conformance of the app" + codesign --verify --deep --strict --verbose=2 ${{steps.build.outputs.path}} + + echo "Checking Gatekeepr conformance of the app 2" + spctl -a -t exec -vv ${{steps.build.outputs.path}} fi - name: Notarize app bundle From bf58d056457dc26a98a811fe469650dd9860b39a Mon Sep 17 00:00:00 2001 
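Review bot: The two new log messages misspell Gatekeeper — `echo "Checking Gatekeepr conformance of the app"` and the matching `... app 2"` line — and the typo survives every later patch of this series. The run of `codesign -dv --verbose=N` variants only displays the signature and verifies nothing; the later patches already trim those, so the remaining point here is the wording: `echo "Checking Gatekeeper conformance of the app"`. The sign step's header is outside this hunk.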
From: tooomm Date: Tue, 17 Mar 2026 22:14:51 +0100 Subject: [PATCH 4/7] cleanup --- .github/workflows/desktop-build.yml | 13 +++++-------- 1 file changed, 5 insertions(+), 8 deletions(-) diff --git a/.github/workflows/desktop-build.yml b/.github/workflows/desktop-build.yml index f2c149c57..80d518fb2 100644 --- a/.github/workflows/desktop-build.yml +++ b/.github/workflows/desktop-build.yml @@ -475,19 +475,16 @@ jobs: echo "Inspect/Verify app signature" codesign -dv --verbose=4 ${{steps.build.outputs.path}} - - codesign -dv --verbose=3 ${{steps.build.outputs.path}} - - codesign -dv --verbose=2 ${{steps.build.outputs.path}} - + echo "." codesign -dv --verbose=1 ${{steps.build.outputs.path}} - + echo "." codesign -dv --verbose ${{steps.build.outputs.path}} + echo "..." codesign --verify ${{steps.build.outputs.path}} - + echo "." codesign --verify --deep ${{steps.build.outputs.path}} - + echo "." codesign --verify --deep --verbose ${{steps.build.outputs.path}} echo "Assess the application" From a2200040541c72f673d40b25892d7fb7e54bb7e4 Mon Sep 17 00:00:00 2001 From: tooomm Date: Tue, 17 Mar 2026 22:32:38 +0100 Subject: [PATCH 5/7] cleanup --- .github/workflows/desktop-build.yml | 18 ++++++++---------- 1 file changed, 8 insertions(+), 10 deletions(-) diff --git a/.github/workflows/desktop-build.yml b/.github/workflows/desktop-build.yml index 80d518fb2..549634f69 100644 --- a/.github/workflows/desktop-build.yml +++ b/.github/workflows/desktop-build.yml 
@@ -474,27 +474,25 @@ jobs: codesign --sign="$MACOS_CERTIFICATE_NAME" --entitlements=".ci/macos.entitlements" --options=runtime --force --deep --timestamp --verbose ${{steps.build.outputs.path}} echo "Inspect/Verify app signature" - codesign -dv --verbose=4 ${{steps.build.outputs.path}} - echo "." - codesign -dv --verbose=1 ${{steps.build.outputs.path}} - echo "." codesign -dv --verbose ${{steps.build.outputs.path}} echo "..." - codesign --verify ${{steps.build.outputs.path}} - echo "." - codesign --verify --deep ${{steps.build.outputs.path}} + codesign --verify --verbose ${{steps.build.outputs.path}} echo "." codesign --verify --deep --verbose ${{steps.build.outputs.path}} - echo "Assess the application" - spctl --assess --type execute --verbose ${{steps.build.outputs.path}} - + echo "... ..." echo "Checking Gatekeepr conformance of the app" codesign --verify --deep --strict --verbose=2 ${{steps.build.outputs.path}} echo "Checking Gatekeepr conformance of the app 2" spctl -a -t exec -vv ${{steps.build.outputs.path}} + + echo "Assess the application" + spctl -a -t exec -vv ${{steps.build.outputs.path}} + echo "." + spctl --assess --type execute --verbose ${{steps.build.outputs.path}} + fi - name: Notarize app bundle From d8a0c929de9c2d08bbc8560e33bf8a1fed731901 Mon Sep 17 00:00:00 2001 From: tooomm Date: Tue, 17 Mar 2026 22:47:37 +0100 Subject: [PATCH 6/7] cleanup --- .github/workflows/desktop-build.yml | 17 ++++++----------- 1 file changed, 6 insertions(+), 11 deletions(-) diff --git a/.github/workflows/desktop-build.yml b/.github/workflows/desktop-build.yml index 549634f69..55cf386d7 100644 --- a/.github/workflows/desktop-build.yml +++ b/.github/workflows/desktop-build.yml 
@@ -472,27 +472,22 @@ jobs: if [[ -n "$MACOS_CERTIFICATE_NAME" ]]; then security unlock-keychain -p "$MACOS_CI_KEYCHAIN_PWD" build.keychain codesign --sign="$MACOS_CERTIFICATE_NAME" --entitlements=".ci/macos.entitlements" --options=runtime --force --deep --timestamp --verbose ${{steps.build.outputs.path}} - - echo "Inspect/Verify app signature" + + echo "Inspect app signature" codesign -dv --verbose ${{steps.build.outputs.path}} - echo "..." - codesign --verify --verbose ${{steps.build.outputs.path}} - echo "." + echo "Verify app signature" codesign --verify --deep --verbose ${{steps.build.outputs.path}} - echo "... ..." echo "Checking Gatekeepr conformance of the app" codesign --verify --deep --strict --verbose=2 ${{steps.build.outputs.path}} + echo "Assess the application" + spctl --assess --type execute --verbose ${{steps.build.outputs.path}} + echo "Checking Gatekeepr conformance of the app 2" spctl -a -t exec -vv ${{steps.build.outputs.path}} - echo "Assess the application" - spctl -a -t exec -vv ${{steps.build.outputs.path}} - echo "." - spctl --assess --type execute --verbose ${{steps.build.outputs.path}} - fi - name: Notarize app bundle From ab43ed6cade512c96e2441d625ae141762c2d3ad Mon Sep 17 00:00:00 2001 From: tooomm Date: Sun, 22 Mar 2026 20:50:57 +0100 Subject: [PATCH 7/7] Update desktop-build.yml --- .github/workflows/desktop-build.yml | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/.github/workflows/desktop-build.yml b/.github/workflows/desktop-build.yml index 55cf386d7..651694147 100644 --- a/.github/workflows/desktop-build.yml +++ b/.github/workflows/desktop-build.yml 
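Review bot: `codesign --verify --deep --verbose` immediately followed by `codesign --verify --deep --strict --verbose=2` is the same verification run twice, the second a superset of the first, so keeping only `codesign --verify --deep --strict --verbose=2 ${{steps.build.outputs.path}}` gives the same failure behaviour with one command. The two spctl invocations below it are likewise equivalent (`-a -t exec -vv` versus `--assess --type execute --verbose`), and with the step running under `bash -e` the first rejection already stops the script, so the second never adds information. The sign step's header is outside this hunk.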
@@ -482,11 +482,11 @@ jobs: echo "Checking Gatekeepr conformance of the app" codesign --verify --deep --strict --verbose=2 ${{steps.build.outputs.path}} - echo "Assess the application" - spctl --assess --type execute --verbose ${{steps.build.outputs.path}} + # echo "Assess the application" + # spctl --assess --type execute --verbose ${{steps.build.outputs.path}} - echo "Checking Gatekeepr conformance of the app 2" - spctl -a -t exec -vv ${{steps.build.outputs.path}} + # echo "Checking Gatekeepr conformance of the app 2" + # spctl -a -t exec -vv ${{steps.build.outputs.path}} fi
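Review bot: The four spctl lines are commented out rather than removed, which leaves dead code in the `run:` block with no record of why; presumably Gatekeeper rejects a bundle that is signed but not yet notarized at this point, and the same assessment already runs after stapling in the notarize step (added earlier in this series). Deleting the four lines and leaving `# Gatekeeper assessment (spctl) runs in the notarize step after stapling; an unnotarized bundle is rejected here.` keeps the reason without the clutter. The sign step's header is outside this hunk.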