
Add code signing, notarization, and CI/CD automation#15

Merged
qaid merged 3 commits into
mainfrom
qaid/signing-cicd-prep
Mar 15, 2026

Conversation

@qaid (Owner) commented Mar 15, 2026

Summary

  • Add production code signing with Developer ID Application certificate and Hardened Runtime entitlements
  • Implement GitHub Actions workflows for automated building (on every push/PR) and releasing (on version tags)
  • Create sign-and-package.sh script for local DMG creation with notarization
  • Update deploy.sh to use proper signing instead of ad-hoc

Setup Required

To use the GitHub Actions workflows, add these repository secrets:

  • DEVELOPER_ID_CERTIFICATE_P12 (base64-encoded .p12 certificate)
  • DEVELOPER_ID_CERTIFICATE_PASSWORD (certificate export password)
  • SIGNING_IDENTITY (your signing identity string)
  • APPLE_ID (your Apple ID email)
  • APPLE_TEAM_ID (your team ID)
  • APPLE_APP_PASSWORD (app-specific notarization password)

For local builds, store notarization credentials:

xcrun notarytool store-credentials spook-notary

Release process: git tag v1.0.0 && git push origin v1.0.0

🤖 Generated with Claude Code

Implement production-ready code signing with Developer ID Application certificate, Hardened Runtime entitlements, and notarization support. Add GitHub Actions workflows for automated building and releasing via signed DMG. Update deploy.sh to use proper production signing instead of ad-hoc.

Co-Authored-By: Claude Haiku 4.5 <noreply@anthropic.com>
@qaid (Owner, Author) commented Mar 15, 2026

Code review

Found 3 issues:

  1. deploy.sh now fails for any developer without a specific Developer ID certificate. The previous ad-hoc signing (--sign -) worked universally; the hardcoded identity breaks the documented deploy workflow (CLAUDE.md says "Deploy (build + bundle .app): ./deploy.sh").

spook/deploy.sh, lines 36 to 44 in 8929f5a:

echo "Code signing..."
SIGNING_IDENTITY="Developer ID Application: Qaid Jacobs (NC9DMTN36B)"
ENTITLEMENTS="Resources/Spook.entitlements"
codesign --force --deep --sign "$SIGNING_IDENTITY" \
    --options runtime \
    --entitlements "$ENTITLEMENTS" \
    --timestamp \
    "$APP_PATH"

  2. com.apple.security.cs.allow-unsigned-executable-memory entitlement is unjustified for a pure Swift app. Spook uses system commands (netstat, nettop, lsof) and SQLite -- none of which require writable+executable memory. This weakens Hardened Runtime and may cause notarization issues. Consider removing it unless there is a specific need.

<dict>
    <key>com.apple.security.cs.allow-unsigned-executable-memory</key>
    <true/>
</dict>

  3. The "Notarize DMG" step in release.yml does not use set -e. If xcrun notarytool submit fails (bad credentials, network error), the workflow continues to xcrun stapler staple on an un-notarized DMG, then uploads a broken artifact that Gatekeeper will reject. Note that scripts/sign-and-package.sh correctly uses set -e.

- name: Notarize DMG
  env:
    APPLE_ID: ${{ secrets.APPLE_ID }}
    APPLE_TEAM_ID: ${{ secrets.APPLE_TEAM_ID }}
    APPLE_APP_PASSWORD: ${{ secrets.APPLE_APP_PASSWORD }}
  run: |
    xcrun notarytool submit "$DMG_PATH" \
      --apple-id "$APPLE_ID" \
      --team-id "$APPLE_TEAM_ID" \
      --password "$APPLE_APP_PASSWORD" \
      --wait
    xcrun stapler staple "$DMG_PATH"

🤖 Generated with Claude Code

- If this code review was useful, please react with 👍. Otherwise, react with 👎.
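The three findings above, as an added shell example that is not Spook's deploy.sh, sign-and-package.sh or release.yml: the identity falls back to ad-hoc when SIGNING_IDENTITY is unset, the entitlements file is rejected if it still grants allow-unsigned-executable-memory, and stapling runs only after notarization has both exited 0 and reported an Accepted verdict (the verdict check goes one step beyond the set -e the review asks for). The notarytool and stapler commands are overridable variables (assumed defaults are the real xcrun subcommands) so the control flow can be exercised with stubs.

```shell
#!/bin/sh
# Constructed release helper covering the three review findings; not
# Spook's deploy.sh, sign-and-package.sh or release.yml. The notarization
# and stapling commands are variables so the control flow can be
# exercised with stubs; the assumed defaults are the real xcrun tools.
set -eu
NOTARYTOOL="${NOTARYTOOL:-xcrun notarytool}"
STAPLER="${STAPLER:-xcrun stapler}"

# Finding 1: take the identity from the environment and fall back to
# ad-hoc ("-") so a developer without a Developer ID certificate can
# still run the documented ./deploy.sh flow.
signing_identity() {
  printf '%s\n' "${SIGNING_IDENTITY:--}"
}

# --options runtime and --timestamp only make sense with a real identity;
# callers skip them for ad-hoc builds.
hardened_runtime_enabled() {
  [ "$(signing_identity)" != "-" ]
}

# Finding 2: refuse to ship an entitlements file that still grants
# allow-unsigned-executable-memory (a missing file also fails the check).
check_entitlements() {
  [ -f "$1" ] && ! grep -q 'com.apple.security.cs.allow-unsigned-executable-memory' "$1"
}

# Finding 3: staple only after notarization succeeded. The submit step
# must exit 0 and report "status: Accepted"; any other outcome stops the
# pipeline before stapler runs and before the artifact is uploaded.
notarize_and_staple() {
  dmg="$1"
  out="$($NOTARYTOOL submit "$dmg" \
          --apple-id "${APPLE_ID:?}" --team-id "${APPLE_TEAM_ID:?}" \
          --password "${APPLE_APP_PASSWORD:?}" --wait)" || {
    echo "notarytool submit failed for $dmg; not stapling" >&2
    return 1
  }
  case "$out" in
    *"status: Accepted"*) ;;
    *) echo "notarization not accepted for $dmg; not stapling" >&2
       return 1 ;;
  esac
  $STAPLER staple "$dmg"
}
```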

qaid and others added 2 commits March 15, 2026 22:25
… add error handling

- deploy.sh: read SIGNING_IDENTITY from env, fall back to ad-hoc signing when unset
- sign-and-package.sh: require SIGNING_IDENTITY via env instead of hardcoding
- Spook.entitlements: remove unjustified allow-unsigned-executable-memory
- release.yml: add set -e to notarize step to fail fast on errors

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
Add @MainActor to DetailView so its computed properties can access
the @MainActor-isolated appTraffic property on NetworkMonitor.

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
@qaid qaid merged commit dc82010 into main Mar 15, 2026
1 check passed