From 06fc10e632613fabe617cebcb8c6fcfe6f91d66b Mon Sep 17 00:00:00 2001
From: Umberto Baldi
Date: Mon, 6 Nov 2023 13:22:34 +0100
Subject: [PATCH 1/4] switch to gon fork, apple is deprecating altool to notarize. I split the singing/notarization because Bearer fork does not implement `--deep` for signing
---
 .github/workflows/release.yml | 48 +++++++++++++++++++++++++----------
 1 file changed, 35 insertions(+), 13 deletions(-)
diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml
index 84c02969d..cd49eea23 100644
--- a/.github/workflows/release.yml
+++ b/.github/workflows/release.yml
@@ -20,6 +20,7 @@ env:
 INSTALLER_CERT_MAC_PATH: "/tmp/ArduinoCerts2020.p12"
 AC_USERNAME: ${{ secrets.AC_USERNAME }} # used by gon
 AC_PASSWORD: ${{ secrets.AC_PASSWORD }} # used by gon
+ AC_PROVIDER: ${{ secrets.AC_PROVIDER }} # used by gon
 # See: https://github.com/actions/setup-go/tree/v3#readme
 GO_VERSION: "1.20"
@@ -261,7 +262,7 @@ jobs:
 -k "${{ env.KEYCHAIN_PASSWORD }}" \
 "${{ env.KEYCHAIN }}"
- - name: Install gon for code signing and app notarization
+ - name: Install gon for code signing
 uses: actions/checkout@v4
 with:
 repository: darkvertex/gon #this fork has support for --deep notarization
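Review bot: The tool that will hold the Developer ID identity and the AC_USERNAME/AC_PASSWORD secrets is built from a personal fork (`repository: darkvertex/gon`, the last context line of the hunk) and nothing in the hunk pins that checkout to a commit; if the `with:` block that continues outside the hunk carries no `ref:`, every release run executes whatever the fork's default branch contains at that moment. Add a `ref:` set to the full commit SHA you reviewed, with a trailing comment naming the tag or PR it corresponds to, so a later push to the fork cannot change what signs the release. The same commit later fetches a prebuilt `Bearer/gon` v0.0.27 zip with `wget` and installs it into `/usr/local/bin` without any digest check; a pinned `shasum -a 256 -c` against the known release digest would close that gap in the same way. The step's `with:` block continues past the end of this hunk.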
@@ -288,16 +289,41 @@ jobs:
 deep = true
 }
- # Ask Gon for zip output to force notarization process to take place.
- # The CI will upload the zip output
- zip {
- output_path = "ArduinoCreateAgent.app_${{ matrix.arch }}_notarized.zip"
- }
 EOF
- - name: Sign and notarize binary
+ - name: Sign app bundle
 run: gon -log-level=debug -log-json "${{ env.GON_CONFIG_PATH }}"
+ - name: Zip output app bundle
+ run: zip ArduinoCreateAgent.app_${{ matrix.arch }}_notarized.zip ArduinoCreateAgent.app
+
+ - name: Remove gon used for code signing
+ run: |
+ rm /usr/local/bin/gon
+ rm ${{ env.GON_CONFIG_PATH }}
+
+ - name: Install gon for app notarization
+ run: |
+ wget -q https://github.com/Bearer/gon/releases/download/v0.0.27/gon_macos.zip
+ unzip gon_macos.zip -d /usr/local/bin
+
+ - name: Write gon config to file
+ run: |
+ cat > "${{ env.GON_CONFIG_PATH }}" <
Date: Mon, 6 Nov 2023 17:47:53 +0100
Subject: [PATCH 2/4] use `ditto` to create archive: https://developer.apple.com/documentation/security/notarizing_macos_software_before_distribution/customizing_the_notarization_workflow
---
 .github/workflows/release.yml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml
index cd49eea23..8f819e689 100644
--- a/.github/workflows/release.yml
+++ b/.github/workflows/release.yml
@@ -295,7 +295,7 @@ jobs:
 run: gon -log-level=debug -log-json "${{ env.GON_CONFIG_PATH }}"
 - name: Zip output app bundle
- run: zip ArduinoCreateAgent.app_${{ matrix.arch }}_notarized.zip ArduinoCreateAgent.app
+ run: ditto -c -k --keepParent ArduinoCreateAgent.app/ ArduinoCreateAgent.app_${{ matrix.arch }}_notarized.zip
 - name: Remove gon used for code signing
 run: |
From 308243bce6298e58d5557d2c786eab1889643a76 Mon Sep 17 00:00:00 2001
From: Umberto Baldi
Date: Mon, 6 Nov 2023 18:02:31 +0100
Subject: [PATCH 3/4] remove stapling, we cannot staple a zip apparently
---
 .github/workflows/release.yml | 1 -
 1 file changed, 1 deletion(-)
diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml
index 8f819e689..66f7e8341 100644
--- a/.github/workflows/release.yml
+++ b/.github/workflows/release.yml
@@ -315,7 +315,6 @@ jobs:
 notarize {
 path = "ArduinoCreateAgent.app_${{ matrix.arch }}_notarized.zip"
 bundle_id = "cc.arduino.${{ env.PROJECT_NAME }}"
- staple = true
 }
 EOF
From 134d25068c8e8fb980e163761466cc29fe8ec904 Mon Sep 17 00:00:00 2001
From: Umberto Baldi
Date: Tue, 7 Nov 2023 10:45:55 +0100
Subject: [PATCH 4/4] remove top level dir it's already there thanks to `ditto --keepParent
---
 .github/workflows/release.yml | 3 ---
 1 file changed, 3 deletions(-)
diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml
index 66f7e8341..1c3c282b8 100644
--- a/.github/workflows/release.yml
+++ b/.github/workflows/release.yml
@@ -455,13 +455,10 @@ jobs:
 uses: actions/download-artifact@v3
 with:
 name: ArduinoCreateAgent.app_${{ matrix.arch }}_notarized
- path: ArduinoCreateAgent.app
 - name: unzip artifact
- working-directory: ArduinoCreateAgent.app
 run: |
 unzip ArduinoCreateAgent.app_${{ matrix.arch }}_notarized.zip
- rm ArduinoCreateAgent.app_${{ matrix.arch }}_notarized.zip
 - name: Install create-dmg
 run: brew install create-dmg
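Review bot: Dropping `staple = true` from the `notarize` block means the notarization ticket is never attached to the shipped app, so Gatekeeper on an end user's machine has to fetch it from Apple at first launch and may refuse the bundle when that lookup is offline or blocked. The zip itself cannot be stapled, but the `.app` inside it can: once the notarize step has finished (gon appears to wait for Apple's verdict, but confirm that for this version), extract the archive, run `xcrun stapler staple ArduinoCreateAgent.app`, then re-create the zip with `ditto -c -k --keepParent ArduinoCreateAgent.app ArduinoCreateAgent.app_${{ matrix.arch }}_notarized.zip` so the uploaded artifact carries the ticket. That step would sit after the `EOF` and the notarize run, outside this hunk.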
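Review bot: After the `unzip` line the extracted bundle goes straight into the DMG build with no check that it is still the signed, notarized app, and with stapling disabled by the previous patch a signature broken in transit would only be noticed on users' machines. Add a verification step right after the extraction, e.g. `codesign --verify --deep --strict --verbose=2 ArduinoCreateAgent.app`, and optionally `spctl --assess --type execute -vv ArduinoCreateAgent.app` to confirm Gatekeeper accepts it (the latter needs network access to Apple from the runner). Since the archive was produced with `ditto -c -k`, consider extracting with `ditto -x -k` rather than `unzip` so extended attributes and symlinks inside the bundle round-trip the same way; whether `unzip` actually loses anything here is not visible from the hunk.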