From 139a7adec8b1b8b2232e42f12da26d900b8467ea Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Stefan=20L=C3=B6ffler?= Date: Mon, 26 Jan 2026 06:28:22 +0100 Subject: [PATCH 1/8] Use adhoc codesigning on macos --- CMake/packaging/mac/MacPackagingTasks.in.cmake | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/CMake/packaging/mac/MacPackagingTasks.in.cmake b/CMake/packaging/mac/MacPackagingTasks.in.cmake index 9fad6619..02dbcd3a 100644 --- a/CMake/packaging/mac/MacPackagingTasks.in.cmake +++ b/CMake/packaging/mac/MacPackagingTasks.in.cmake @@ -150,3 +150,7 @@ IF ( ${CMAKE_INSTALL_PREFIX} MATCHES .*/_CPack_Packages/.* ) ENDIF () +# Do adhoc code signing (required on arm platforms) +# FIXME: use a proper DeveloperID instead of adhoc signing if this ever becomes +# feasible +execute_process(COMMAND codesign --sign - ${CMAKE_INSTALL_PREFIX}/${PROJECT_NAME}.app) From aa9a7c69c67fb6e4709c446a01c1456ccb263bf4 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Stefan=20L=C3=B6ffler?= Date: Mon, 26 Jan 2026 22:26:09 +0100 Subject: [PATCH 2/8] Don't build png framework on macos --- .github/actions/setup-macos/CMakeLists.txt | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/actions/setup-macos/CMakeLists.txt b/.github/actions/setup-macos/CMakeLists.txt index e4613ee5..a9d8d3e2 100755 --- a/.github/actions/setup-macos/CMakeLists.txt +++ b/.github/actions/setup-macos/CMakeLists.txt @@ -43,7 +43,7 @@ endmacro(ADD_GH_GROUP) ExternalProject_Add(libpng URL "https://github.com/glennrp/libpng/archive/refs/tags/v1.6.54.tar.gz" URL_HASH SHA256=ba7efce137409079989df4667706c339bebfbb10e9f413474718012a13c8cd4c - CMAKE_ARGS ${CMAKE_ARGS} + CMAKE_ARGS ${CMAKE_ARGS} -DPNG_FRAMEWORK=OFF ) ADD_GH_GROUP(libpng) From 9545fcf4d9c87a305ecd440f69a1cbb053334704 Mon Sep 17 00:00:00 2001 
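Review bot: The exit status of the added `execute_process(COMMAND codesign --sign - ${CMAKE_INSTALL_PREFIX}/${PROJECT_NAME}.app)` is never checked, so a failed signing step lets packaging continue and produce a bundle that is unsigned or carries a broken signature. Add `RESULT_VARIABLE sign_result` to the call and abort with `message(FATAL_ERROR "codesign failed for ${CMAKE_INSTALL_PREFIX}/${PROJECT_NAME}.app: ${sign_result}")` when `sign_result` is not 0. The same unchecked call recurs in the `foreach` loops added in patches 4 to 8 of this series. The FIXME could also say that an ad hoc signature carries no publisher identity: it satisfies the arm requirement that code be signed, but gives users no way to verify who built the package.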
From: =?UTF-8?q?Stefan=20L=C3=B6ffler?= Date: Mon, 26 Jan 2026 23:11:10 +0100 Subject: [PATCH 3/8] Check codesign signature on macos --- .github/workflows/cd.yml | 7 +++++++ CMake/packaging/mac/MacPackagingTasks.in.cmake | 1 + 2 files changed, 8 insertions(+) diff --git a/.github/workflows/cd.yml b/.github/workflows/cd.yml index 038538e7..954318e0 100644 --- a/.github/workflows/cd.yml +++ b/.github/workflows/cd.yml @@ -255,6 +255,13 @@ jobs: id: package uses: ./.github/actions/package-macos + - name: Check signature + run: | + mkdir -p ${{ runner.temp }}/pkg + hdiutil attach -mountpoint ${{ runner.temp }}/pkg ${{ steps.package.outputs.file }} + codesign --verify --verbose=4 ${{ runner.temp }}/pkg/TeXworks.app + hdiutil detach ${{ runner.temp }}/pkg + - name: Upload artifact uses: actions/upload-artifact@v4 with: diff --git a/CMake/packaging/mac/MacPackagingTasks.in.cmake b/CMake/packaging/mac/MacPackagingTasks.in.cmake index 02dbcd3a..64660474 100644 --- a/CMake/packaging/mac/MacPackagingTasks.in.cmake +++ b/CMake/packaging/mac/MacPackagingTasks.in.cmake @@ -153,4 +153,5 @@ ENDIF () # Do adhoc code signing (required on arm platforms) # FIXME: use a proper DeveloperID instead of adhoc signing if this ever becomes # feasible +message(STATUS "Signing ${CMAKE_INSTALL_PREFIX}/${PROJECT_NAME}.app (ad hoc)") execute_process(COMMAND codesign --sign - ${CMAKE_INSTALL_PREFIX}/${PROJECT_NAME}.app) From ac0f4cb03d40ec0931820857dfd9a0da463a2877 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Stefan=20L=C3=B6ffler?= Date: Mon, 26 Jan 2026 23:31:04 +0100 Subject: [PATCH 4/8] Explicitly sign .so and .dylib files on macos as just signing the TeXworks.app bundle fails on x86 due to unsigned subcomponents --- CMake/packaging/mac/MacPackagingTasks.in.cmake | 7 +++++++ 1 file changed, 7 insertions(+) diff --git a/CMake/packaging/mac/MacPackagingTasks.in.cmake b/CMake/packaging/mac/MacPackagingTasks.in.cmake index 64660474..f7e94596 100644 --- a/CMake/packaging/mac/MacPackagingTasks.in.cmake 
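Review bot: `codesign --verify --verbose=4` in the new "Check signature" step only does a shallow check of nested code, so an unsigned or modified library inside the bundle can still pass; `codesign --verify --deep --strict --verbose=4` verifies the nested content as well. `${{ steps.package.outputs.file }}` and `${{ runner.temp }}` are expanded into the script text before the shell runs, so pass them through `env:` and reference them as quoted shell variables such as `"$PKG_FILE"`, so that a path with spaces or shell metacharacters cannot change the command. The bundle name `TeXworks.app` is hardcoded here while the packaging script derives it from `${PROJECT_NAME}`. A passing check on an ad hoc signature shows the bundle is internally consistent, not who produced it.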
+++ b/CMake/packaging/mac/MacPackagingTasks.in.cmake @@ -153,5 +153,12 @@ ENDIF () # Do adhoc code signing (required on arm platforms) # FIXME: use a proper DeveloperID instead of adhoc signing if this ever becomes # feasible +file(GLOB TeXworks_PLUGINS ${CMAKE_INSTALL_PREFIX}/${PROJECT_NAME}.app/Contents/PlugIns/*${CMAKE_SHARED_MODULE_SUFFIX}) +file(GLOB BUNDLED_DYLIBS ${CMAKE_INSTALL_PREFIX}/${PROJECT_NAME}.app/Contents/MacOS/*${CMAKE_SHARED_LIBRARY_SUFFIX}) +foreach(LIB IN LISTS TeXworks_PLUGINS BUNDLED_DYLIBS) + message(STATUS "Signing ${LIB}") + execute_process(COMMAND codesign --sign - ${LIB}) +endforeach() + message(STATUS "Signing ${CMAKE_INSTALL_PREFIX}/${PROJECT_NAME}.app (ad hoc)") execute_process(COMMAND codesign --sign - ${CMAKE_INSTALL_PREFIX}/${PROJECT_NAME}.app) From 0015102f8c442d78c53d8f9cc1f4a6fe6374f56e Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Stefan=20L=C3=B6ffler?= Date: Mon, 26 Jan 2026 23:49:53 +0100 Subject: [PATCH 5/8] Recursively find .so and .dylib files to sign --- CMake/packaging/mac/MacPackagingTasks.in.cmake | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/CMake/packaging/mac/MacPackagingTasks.in.cmake b/CMake/packaging/mac/MacPackagingTasks.in.cmake index f7e94596..0f114725 100644 --- a/CMake/packaging/mac/MacPackagingTasks.in.cmake +++ b/CMake/packaging/mac/MacPackagingTasks.in.cmake 
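Review bot: `codesign --sign - ${LIB}` in the new `foreach` is invoked without `--force`, and codesign refuses to replace an existing signature in that case. If any bundled library arrives already signed (prebuilt dependencies often are, and rewriting install names during bundling would invalidate such a signature; neither is visible from this hunk), the call fails with "is already signed" and, because the result is ignored, the stale signature ships. Consider `execute_process(COMMAND codesign --force --sign - "${LIB}" RESULT_VARIABLE sign_result)` and stopping on a non-zero `sign_result`.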
@@ -153,10 +153,10 @@ ENDIF () # Do adhoc code signing (required on arm platforms) # FIXME: use a proper DeveloperID instead of adhoc signing if this ever becomes # feasible -file(GLOB TeXworks_PLUGINS ${CMAKE_INSTALL_PREFIX}/${PROJECT_NAME}.app/Contents/PlugIns/*${CMAKE_SHARED_MODULE_SUFFIX}) -file(GLOB BUNDLED_DYLIBS ${CMAKE_INSTALL_PREFIX}/${PROJECT_NAME}.app/Contents/MacOS/*${CMAKE_SHARED_LIBRARY_SUFFIX}) -foreach(LIB IN LISTS TeXworks_PLUGINS BUNDLED_DYLIBS) - message(STATUS "Signing ${LIB}") +file(GLOB_RECURSE SharedModules "${CMAKE_INSTALL_PREFIX}/${PROJECT_NAME}.app/Contents/*${CMAKE_SHARED_MODULE_SUFFIX}") # .so +file(GLOB_RECURSE SharedLibraries "${CMAKE_INSTALL_PREFIX}/${PROJECT_NAME}.app/Contents/*${CMAKE_SHARED_LIBRARY_SUFFIX}") # .dylib +foreach(LIB IN LISTS SharedModules SharedLibraries) + message(STATUS "Signing ${LIB} (ad hoc)") execute_process(COMMAND codesign --sign - ${LIB}) endforeach() From ce7d63117e77952d4d20838d4bfd3710efc6f07e Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Stefan=20L=C3=B6ffler?= Date: Tue, 27 Jan 2026 06:43:30 +0100 Subject: [PATCH 6/8] Explicitly sign .so and .dylib files on macos rather than relying on CMAKE suffix variables, which may be empty, triggering a codesign of everything (including the manual files, etc.) --- CMake/packaging/mac/MacPackagingTasks.in.cmake | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/CMake/packaging/mac/MacPackagingTasks.in.cmake b/CMake/packaging/mac/MacPackagingTasks.in.cmake index 0f114725..15604f11 100644 --- a/CMake/packaging/mac/MacPackagingTasks.in.cmake +++ b/CMake/packaging/mac/MacPackagingTasks.in.cmake 
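Review bot: The glob patterns are now quoted, but `${LIB}` in `execute_process(COMMAND codesign --sign - ${LIB})` is still expanded unquoted, so a path containing a semicolon would be split into several arguments and codesign would be handed paths that were never matched by the glob. Write `execute_process(COMMAND codesign --sign - "${LIB}")`. The final call on `${CMAKE_INSTALL_PREFIX}/${PROJECT_NAME}.app`, outside this hunk, has the same unquoted expansion.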
@@ -153,9 +153,9 @@ ENDIF () # Do adhoc code signing (required on arm platforms) # FIXME: use a proper DeveloperID instead of adhoc signing if this ever becomes # feasible -file(GLOB_RECURSE SharedModules "${CMAKE_INSTALL_PREFIX}/${PROJECT_NAME}.app/Contents/*${CMAKE_SHARED_MODULE_SUFFIX}") # .so -file(GLOB_RECURSE SharedLibraries "${CMAKE_INSTALL_PREFIX}/${PROJECT_NAME}.app/Contents/*${CMAKE_SHARED_LIBRARY_SUFFIX}") # .dylib -foreach(LIB IN LISTS SharedModules SharedLibraries) +file(GLOB_RECURSE SharedModules "${CMAKE_INSTALL_PREFIX}/${PROJECT_NAME}.app/Contents/*.so") +file(GLOB_RECURSE SharedLibraries "${CMAKE_INSTALL_PREFIX}/${PROJECT_NAME}.app/Contents/*.dylib") +foreach(LIB IN LISTS SharedLibraries SharedModules) message(STATUS "Signing ${LIB} (ad hoc)") execute_process(COMMAND codesign --sign - ${LIB}) endforeach() From 4281a19f1edc7e541074e20cf95ebde3a1074d30 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Stefan=20L=C3=B6ffler?= Date: Tue, 27 Jan 2026 06:55:47 +0100 Subject: [PATCH 7/8] Explicitly sign frameworks on macos --- CMake/packaging/mac/MacPackagingTasks.in.cmake | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/CMake/packaging/mac/MacPackagingTasks.in.cmake b/CMake/packaging/mac/MacPackagingTasks.in.cmake index 15604f11..42e24548 100644 --- a/CMake/packaging/mac/MacPackagingTasks.in.cmake +++ b/CMake/packaging/mac/MacPackagingTasks.in.cmake @@ -155,7 +155,8 @@ ENDIF () # feasible file(GLOB_RECURSE SharedModules "${CMAKE_INSTALL_PREFIX}/${PROJECT_NAME}.app/Contents/*.so") file(GLOB_RECURSE SharedLibraries "${CMAKE_INSTALL_PREFIX}/${PROJECT_NAME}.app/Contents/*.dylib") -foreach(LIB IN LISTS SharedLibraries SharedModules) +file(GLOB_RECURSE Frameworks "${CMAKE_INSTALL_PREFIX}/${PROJECT_NAME}.app/Contents/*.framework") +foreach(LIB IN LISTS SharedLibraries Frameworks SharedModules) message(STATUS "Signing ${LIB} (ad hoc)") execute_process(COMMAND codesign --sign - ${LIB}) endforeach() 
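Review bot: The reason for hardcoding `*.so` and `*.dylib` is recorded only in the commit message, so a later cleanup could easily restore the suffix variables and bring back the sign-everything behaviour. A comment above the two `file(GLOB_RECURSE …)` calls would keep the reason next to the code: `# Suffixes are spelled out on purpose: CMAKE_SHARED_MODULE_SUFFIX and CMAKE_SHARED_LIBRARY_SUFFIX may be empty in this script, and an empty suffix makes the glob match (and sign) every file in the bundle`.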
From 706b937208ae4c6716c4f5e3100757770918861a Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Stefan=20L=C3=B6ffler?= Date: Tue, 27 Jan 2026 07:15:53 +0100 Subject: [PATCH 8/8] Include framework directories in codesigning on macos --- CMake/packaging/mac/MacPackagingTasks.in.cmake | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/CMake/packaging/mac/MacPackagingTasks.in.cmake b/CMake/packaging/mac/MacPackagingTasks.in.cmake index 42e24548..4ff573e8 100644 --- a/CMake/packaging/mac/MacPackagingTasks.in.cmake +++ b/CMake/packaging/mac/MacPackagingTasks.in.cmake @@ -155,7 +155,7 @@ ENDIF () # feasible file(GLOB_RECURSE SharedModules "${CMAKE_INSTALL_PREFIX}/${PROJECT_NAME}.app/Contents/*.so") file(GLOB_RECURSE SharedLibraries "${CMAKE_INSTALL_PREFIX}/${PROJECT_NAME}.app/Contents/*.dylib") -file(GLOB_RECURSE Frameworks "${CMAKE_INSTALL_PREFIX}/${PROJECT_NAME}.app/Contents/*.framework") +file(GLOB_RECURSE Frameworks LIST_DIRECTORIES TRUE "${CMAKE_INSTALL_PREFIX}/${PROJECT_NAME}.app/Contents/*.framework") foreach(LIB IN LISTS SharedLibraries Frameworks SharedModules) message(STATUS "Signing ${LIB} (ad hoc)") execute_process(COMMAND codesign --sign - ${LIB})
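Review bot: The order in `foreach(LIB IN LISTS SharedLibraries Frameworks SharedModules)`, followed by the `.app` call, is load-bearing but undocumented. Nested code has to be signed before the item that contains it, because signing an inner component afterwards invalidates the outer seal. Add a comment such as `# Sign inside-out: libraries, then frameworks, then plugins, and the .app bundle last`. With `LIST_DIRECTORIES TRUE` the `Frameworks` list presumably names a parent directory before anything nested inside it, so a framework embedded in another framework would be signed in the wrong order; no such case is visible here, but it is worth checking if one is ever bundled. The `foreach` body is closed outside this hunk.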