GraphiteEditor
diff --git a/‎.github/workflows/build-mac-bundle-sign-test.yml‎
Lines changed: 0 additions & 96 deletions b/‎.github/workflows/build-mac-bundle-sign-test.yml‎
Lines changed: 0 additions & 96 deletions
diff --git a/‎.github/workflows/build-mac-bundle.yml‎
Lines changed: 73 additions & 2 deletions b/‎.github/workflows/build-mac-bundle.yml‎
Lines changed: 73 additions & 2 deletions
diff --git a/‎.github/workflows/build-win-bundle-sign-test.yml‎
Lines changed: 0 additions & 103 deletions b/‎.github/workflows/build-win-bundle-sign-test.yml‎
Lines changed: 0 additions & 103 deletions
diff --git a/‎.github/workflows/build-win-bundle.yml‎
Lines changed: 82 additions & 2 deletions b/‎.github/workflows/build-win-bundle.yml‎
Lines changed: 82 additions & 2 deletions
@@ -1,8 +1,9 @@
 name: Build Mac Bundle
 
 on:
-  workflow_dispatch: {}
-  # push:
+  push:
+    branches:
+      - desktop-builds-mac-and-windows-in-ci
 
 jobs:
   build:
@@ -79,3 +80,73 @@ jobs:
         with:
           name: graphite-mac-bundle
           path: target/artifacts
+
+      - name: Signing Preparation
+        env:
+          APPLE_CERT_BASE64: ${{ secrets.APPLE_CERT_BASE64 }}
+          APPLE_CERT_PASSWORD: ${{ secrets.APPLE_CERT_PASSWORD }}
+        run: |
+          echo "$APPLE_CERT_BASE64" | base64 --decode > .sign/certificate.p12
+
+          security create-keychain -p "" .sign/main.keychain
+          security default-keychain -s .sign/main.keychain
+          security unlock-keychain -p "" .sign/main.keychain
+          security set-keychain-settings -t 3600 -u .sign/main.keychain
+
+          security import .sign/certificate.p12 -k .sign/main.keychain -P "$APPLE_CERT_PASSWORD" -T /usr/bin/codesign -T /usr/bin/productsign
+          security set-key-partition-list -S apple-tool:,apple: -s -k "" .sign/main.keychain
+
+      - name: Sign and Notarize Mac Bundle
+        env:
+          APPLE_EMAIL: ${{ secrets.APPLE_EMAIL }}
+          APPLE_TEAM_ID: ${{ secrets.APPLE_TEAM_ID }}
+          APPLE_PASSWORD: ${{ secrets.APPLE_PASSWORD }}
+          APPLE_CERT_NAME: ${{ secrets.APPLE_CERT_NAME }}
+        run: |
+          cat > .sign/entitlements.plist <<'EOF'
+          <?xml version="1.0" encoding="UTF-8"?>
+          <!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
+          <plist version="1.0">
+          <dict>
+              <key>com.apple.security.cs.allow-jit</key>
+              <true/>
+              <key>com.apple.security.cs.allow-unsigned-executable-memory</key>
+              <true/>
+              <key>com.apple.security.cs.disable-executable-page-protection</key>
+              <true/>
+              <key>com.apple.security.cs.disable-library-validation</key>
+              <true/>
+          </dict>
+          </plist>
+          EOF
+
+          CERTIFICATE="$APPLE_CERT_NAME"
+          ENTITLEMENTS=".sign/entitlements.plist"
+          APP_PATH="target/artifacts/Graphite.app"
+          ZIP_PATH=".sign/Graphite.zip"
+
+          codesign --force --options runtime --entitlements "$ENTITLEMENTS" --sign "$CERTIFICATE" "$APP_PATH/Contents/Frameworks/Graphite Helper.app"
+          codesign --force --options runtime --entitlements "$ENTITLEMENTS" --sign "$CERTIFICATE" "$APP_PATH/Contents/Frameworks/Graphite Helper (GPU).app"
+          codesign --force --options runtime --entitlements "$ENTITLEMENTS" --sign "$CERTIFICATE" "$APP_PATH/Contents/Frameworks/Graphite Helper (Renderer).app"
+          codesign --force --options runtime --entitlements "$ENTITLEMENTS" --sign "$CERTIFICATE" "$APP_PATH/Contents/Frameworks/Chromium Embedded Framework.framework"
+          codesign --force --options runtime --entitlements "$ENTITLEMENTS" --sign "$CERTIFICATE" "$APP_PATH/Contents/Frameworks/Chromium Embedded Framework.framework/Libraries/libcef_sandbox.dylib"
+          codesign --force --options runtime --entitlements "$ENTITLEMENTS" --sign "$CERTIFICATE" "$APP_PATH/Contents/Frameworks/Chromium Embedded Framework.framework/Libraries/libEGL.dylib"
+          codesign --force --options runtime --entitlements "$ENTITLEMENTS" --sign "$CERTIFICATE" "$APP_PATH/Contents/Frameworks/Chromium Embedded Framework.framework/Libraries/libGLESv2.dylib"
+          codesign --force --options runtime --entitlements "$ENTITLEMENTS" --sign "$CERTIFICATE" "$APP_PATH/Contents/Frameworks/Chromium Embedded Framework.framework/Libraries/libvk_swiftshader.dylib"
+          codesign --force --options runtime --entitlements "$ENTITLEMENTS" --sign "$CERTIFICATE" "$APP_PATH" --deep
+
+          codesign --verify --deep --strict --verbose=4 "$APP_PATH"
+
+          ditto -c -k --keepParent "$APP_PATH" "$ZIP_PATH"
+          xcrun notarytool submit "$ZIP_PATH" --wait --apple-id "$APPLE_EMAIL" --team-id "$APPLE_TEAM_ID" --password "$APPLE_PASSWORD"
+          rm "$ZIP_PATH"
+
+          xcrun stapler staple -v "$APP_PATH"
+
+          spctl -a -vv "$APP_PATH"
+
+      - name: Upload Mac Bundle Signed
+        uses: actions/upload-artifact@v4
+        with:
+          name: graphite-mac-bundle-signed
+          path: target/artifacts
@@ -1,8 +1,9 @@
 name: Build Windows Bundle
 
 on:
-  workflow_dispatch: {}
-  # push:
+  push:
+    branches:
+      - desktop-builds-mac-and-windows-in-ci
 
 jobs:
   build:
@@ -80,3 +81,82 @@ jobs:
         with:
           name: graphite-windows-bundle
           path: target/artifacts
+
+      - name: Azure login
+        uses: azure/login@v1
+        with:
+          client-id: ${{ secrets.AZURE_CLIENT_ID }}
+          tenant-id: ${{ secrets.AZURE_TENANT_ID }}
+          subscription-id: ${{ secrets.AZURE_SUBSCRIPTION_ID }}
+          enable-AzPSSession: true
+
+      - name: Sign
+        uses: azure/artifact-signing-action@v1
+        with:
+          endpoint: https://eus.codesigning.azure.net/
+          signing-account-name: Graphite
+          certificate-profile-name: Graphite
+          files: |
+            ${{ github.workspace }}\target\artifacts\Graphite\Graphite.exe
+            ${{ github.workspace }}\target\artifacts\Graphite\libcef.dll
+            ${{ github.workspace }}\target\artifacts\Graphite\chrome_elf.dll
+            ${{ github.workspace }}\target\artifacts\Graphite\vulkan-1.dll
+            ${{ github.workspace }}\target\artifacts\Graphite\dxcompiler.dll
+            ${{ github.workspace }}\target\artifacts\Graphite\libEGL.dll
+            ${{ github.workspace }}\target\artifacts\Graphite\libGLESv2.dll
+            ${{ github.workspace }}\target\artifacts\Graphite\vk_swiftshader.dll
+          file-digest: SHA256
+          timestamp-rfc3161: http://timestamp.acs.microsoft.com
+          timestamp-digest: SHA256
+          correlation-id: ${{ github.sha }}
+      - name: Verify Signatures
+        shell: pwsh
+        run: |
+          $ErrorActionPreference = "Stop"
+
+          $TargetDir = "target\artifacts\Graphite"
+
+          if (-not (Test-Path $TargetDir)) {
+              throw "TargetDir not found: $TargetDir"
+          }
+
+          $UnsignedOrBad = @()
+
+          Get-ChildItem -Path $TargetDir -Recurse -File -Include *.exe,*.dll | ForEach-Object {
+              $sig = Get-AuthenticodeSignature -FilePath $_.FullName
+
+              if ($sig.Status -ne 'Valid') {
+                  $UnsignedOrBad += "$($_.FullName) (Status=$($sig.Status))"
+              }
+          }
+
+          if ($UnsignedOrBad.Count -gt 0) {
+              Write-Host "Unsigned or invalid binaries detected:"
+              $UnsignedOrBad | ForEach-Object {
+                  Write-Host "::error::$_"
+              }
+
+              if ($env:GITHUB_STEP_SUMMARY) {
+                  "## ❌ Unsigned or invalid binaries detected" |
+                      Out-File $env:GITHUB_STEP_SUMMARY -Append -Encoding utf8
+                  "" | Out-File $env:GITHUB_STEP_SUMMARY -Append -Encoding utf8
+                  $UnsignedOrBad | ForEach-Object {
+                      "* `$_" | Out-File $env:GITHUB_STEP_SUMMARY -Append -Encoding utf8
+                  }
+              }
+
+              exit 1
+          }
+
+          Write-Host "All binaries are signed and valid."
+
+          if ($env:GITHUB_STEP_SUMMARY) {
+              "## ✅ All binaries are signed and valid" |
+                  Out-File $env:GITHUB_STEP_SUMMARY -Append -Encoding utf8
+          }
+
+      - name: Upload Windows Bundle Signed
+        uses: actions/upload-artifact@v4
+        with:
+          name: graphite-windows-bundle-signed
+          path: target/artifacts