Simplify building on macOS

Simplify macOS building by signing macOS app bundle anonymously by
default.

Makefile

@@ -602,28 +602,11 @@ install:	install-bin install-data install-doc \
         echo "The App Bundle has been created as $(BUNDLE)!  Now you can:"; \
         echo; \
         echo "  * Double click $(BUNDLE) to run the application,"; \
-        echo "  * sign the App Bundle (see below),"; \
         echo "  * build the universal App Bundle (see below),"; \
         echo "  * and/or run 'make TuxPaint.dmg' to create the DMG file for distribution."; \
         echo; \
         echo "For usage, see $(DOC_PREFIX)/[locale]/README.txt"; \
         echo; \
-        echo "SIGNING THE APP BUNDLE"; \
-        echo "----------------------"; \
-        echo "Signing is optional for the Intel CPU build, or for the Apple Silicon build if"; \
-        echo "it is to be run only on the system on which it was built (e.g., for"; \
-        echo "development.)  The App Bundle must be signed if it is built to run natively on"; \
-        echo "the Apple Silicon and is distributed."; \
-        echo; \
-        echo "To sign the App Bundle, use the following commands, where IDENTITY is your Apple"; \
-        echo "Developer ID if you have one, or a hyphen (-) to sign it ad-hoc:"; \
-        echo; \
-        echo "  codesign --remove-signature $(BUNDLE)  # to remove any existing signature"; \
-        echo "  codesign -s IDENTITY $(BUNDLE)"; \
-        echo; \
-        echo "If you are building the universal Apple Bundle, sign the App Bundle *after*"; \
-        echo "building the universal App Bundle."; \
-        echo; \
         echo "BUILDING THE UNIVERSAL APP BUNDLE"; \
         echo "---------------------------------"; \
         echo "Building the universal App Bundle involves building Tux Paint on the x86 machine"; \

docs/CHANGES.txt

@@ -6,6 +6,13 @@ Copyright (c) 2002-2023
 Various contributors (see below, and AUTHORS.txt)
 https://tuxpaint.org/
 
+2023.July.22 (0.9.32)
+  * Other Improvements:
+    -------------------
+    * Simplify macOS building by signing macOS app bundle anonymously by
+      default.
+      Mark Kim <markuskimius@gmail.com>
+
 2023.July.20 (0.9.31)
   * New Magic Tools:
     ----------------

macos/build-app.sh

@@ -76,3 +76,21 @@ for i in "$CONF_FILES"; do
 	cp -p "$i" "$CONFDIR"
 done
 
+# Re-sign the bundle
+#
+# Apple Silicon requires all binaries that run natively to be signed.  For this
+# reason, Xcode automatically signs all binaries built for Apple Silicon,
+# anonymously if needed.  However, install_name_tool, which we use above,
+# breaks the signature, so we need to resign the combined bundle.  We sign it
+# anonymously using the identity named "-" (hyphen).  If the user has their own
+# identity, they will need to sign it manually (after building the universal
+# bundle, if one is being built).
+#
+# For more information on signature requirement on Apple Silicon, see:
+# https://developer.apple.com/documentation/macos-release-notes/macos-big-sur-11_0_1-universal-apps-release-notes#:~:text=New%20in%20macOS,pass%20through%20Gatekeeper.
+#
+echo "   * Sign the app bundle with default identity..."
+codesign --remove-signature "$BUNDLE"
+codesign -s - "$BUNDLE"
+echo "     -> Done!"
+

macos/build-universal.sh

@@ -17,6 +17,8 @@ Usage: ${SCRIPTNAME} [OPTIONS] TuxPaint-1.app TuxPaint-2.app ...
 
   -o OUTBUNDLE          Bundle to create.  [Default=${OUTBUNDLE}]
 
+  -s IDENTITY           Re-sign the bundle with IDENTITY.  [Default=${IDENTITY}]
+
 EOF
 }
 
@@ -27,6 +29,7 @@ EOF
 ARCHS=( arm64 x86_64 )
 BUNDLES=( $(printf "TuxPaint-%s.app\n" "${ARCHS[@]}") )
 OUTBUNDLE=TuxPaint.app
+IDENTITY="-"
 FORCE=0
 
 
@@ -39,10 +42,11 @@ function main() {
     local isok=1
 
     # Process arguments
-    while getopts "fo:h" opt; do
+    while getopts "fo:s:h" opt; do
         case "$opt" in
             f)  FORCE=1           ;;
             o)  OUTBUNDLE=$OPTARG ;;
+            s)  IDENTITY=$OPTARG  ;;
             h)  usage && exit 0   ;;
             *)  isok=0
         esac
@@ -83,6 +87,7 @@ function main() {
     (( isok )) || exit 1
 
     build-universal
+    resign-bundle
 }
 
 
@@ -136,6 +141,14 @@ function build-universal() {
 }
 
 
+function resign-bundle() {
+    echo "   * Sign $OUTBUNDLE..."
+    codesign --remove-signature "$OUTBUNDLE"
+    codesign -s "$IDENTITY" "$OUTBUNDLE"
+    echo "     -> Done!"
+}
+
+
 ##############################################################################
 # ENTRY POINT