input-output-hk
diff --git a/‎installers/Installer.hs
-3 b/‎installers/Installer.hs
-3
diff --git a/‎installers/Spec.hs
-32 b/‎installers/Spec.hs
-32
diff --git a/‎installers/codesign.sh
+45 b/‎installers/codesign.sh
+45
diff --git a/‎installers/common/Config.hs
+1-3 b/‎installers/common/Config.hs
+1-3
@@ -7,7 +7,6 @@ import qualified System.Info                      as Sys
 import           Turtle                              (export)
 import qualified System.IO as IO
 
-import qualified MacInstaller
 import qualified WindowsInstaller
 import           Data.Yaml                 (decodeFileThrow)
 
@@ -20,7 +19,6 @@ main = do
   IO.hSetEncoding IO.stdout IO.utf8
   let os = case Sys.os of
              "linux"   -> Linux64
-             "darwin"  -> Macos64
              "mingw32" -> Win64
              _         -> error ("Unsupported OS: " <> pack Sys.os)
 
@@ -43,5 +41,4 @@ genSignedInstaller os options'= do
     export "NETWORK" (clusterNetwork $ oCluster options')
     case os of
         Linux64 -> putStrLn ("Use default.nix, please." :: String)
-        Macos64 -> MacInstaller.main options'
         Win64   -> WindowsInstaller.main options'
@@ -19,45 +19,13 @@ import Data.Aeson (decode)
 
 import Config
 import Types
-import qualified MacInstaller as Mac
 import Util
 
 main :: IO ()
 main = hspec $ do
   describe "Utility functions" utilSpec
-  describe "MacInstaller build" macBuildSpec
   describe "recursive directory deletion" deleteSpec
 
-macBuildSpec :: Spec
-macBuildSpec = do
-  describe "The whole thing" $ do
-    it "Runs through the whole installer build" $ runManaged $ do
-      out <- getTempDir "test-build"
-      installersDir <- makeTestInstallersDir
-      daedalusBridge <- liftIO getDaedalusBridge
-
-      let opts = Options
-                 { oOS = Win64
-                 , oBackend = Cardano daedalusBridge
-                 , oBuildJob = Just (BuildJob "test")
-                 , oCluster = Testnet
-                 , oAppName = "Daedalus"
-                 , oOutputDir = out
-                 , oTestInstaller = testInstaller False
-                 , oSigningConfigPath = Nothing
-                 }
-
-      liftIO $ do
-        withDir installersDir $ do
-          mktree "../release/darwin-x64/Daedalus-darwin-x64/Daedalus.app/Contents/Resources/app"
-          mktree "../release/darwin-arm64/Daedalus-darwin-arm64/Daedalus.app/Contents/Resources/app"
-          writeFile "../release/darwin-x64/Daedalus-darwin-x64/Daedalus.app/Contents/Resources/app/package.json" "{}"
-          writeFile "../release/darwin-arm64/Daedalus-darwin-arm64/Daedalus.app/Contents/Resources/app/package.json" "{}"
-          Mac.main opts
-
-        -- there should be an installer file at the end
-        fold (ls out) Fold.length `shouldReturn` 1
-
 -- | Set up a temporary source/installers directory with everything
 -- required for the installer builder. This is so that the installer
 -- builder can be tested in a pure environment without any
 
@@ -0,0 +1,45 @@
+#!/usr/bin/env bash
+set -x
+SIGN_ID="$1"
+KEYCHAIN="$2"
+REL_PATH="$3"
+XML_PATH="$4"
+ABS_PATH="$(pwd)/$REL_PATH"
+TS="$(date +%Y-%m-%d_%H-%M-%S)"
+function sign_cmd() {
+  for targetFile in "$@" ; do
+    codesign --force --verbose=4 --deep --strict --timestamp --options=runtime --entitlements $XML_PATH --sign "$SIGN_ID" "$targetFile" 2>&1 | tee -a /tmp/codesign-output-${TS}.txt
+  done
+}
+VERIFY_CMD="codesign --verbose=4 --verify --deep --strict"
+ENTITLEMENT_CMD="codesign -d --entitlements :-"
+LOG="2>&1 | tee -a /tmp/codesign-output-${TS}.txt"
+
+# Remove symlinks pointing outside of the project build folder:
+rm -f "$ABS_PATH/Contents/Resources/app/result"
+
+# Ensure the code signing identity is found and set the keychain search path:
+eval "security show-keychain-info \"$KEYCHAIN\" $LOG"
+eval "security find-identity -v -p codesigning \"$KEYCHAIN\" $LOG"
+eval "security list-keychains -d user -s \"$KEYCHAIN\" $LOG"
+
+# Sign framework executables not signed by the deep sign command:
+sign_cmd "$ABS_PATH/Contents/Frameworks/Squirrel.framework/Versions/A/Resources/ShipIt"
+sign_cmd "$ABS_PATH/Contents/Frameworks/Electron Framework.framework/Versions/Current/Resources/crashpad_handler"
+sign_cmd "$ABS_PATH/Contents/Frameworks/Electron Framework.framework/Versions/Current/Libraries/libnode.dylib"
+sign_cmd "$ABS_PATH/Contents/Frameworks/Electron Framework.framework/Versions/Current/Libraries/libffmpeg.dylib"
+
+sign_cmd "$ABS_PATH/Contents/Frameworks/Electron Framework.framework/Versions/A/Libraries/libEGL.dylib"
+sign_cmd "$ABS_PATH/Contents/Frameworks/Electron Framework.framework/Versions/A/Libraries/libGLESv2.dylib"
+sign_cmd "$ABS_PATH/Contents/Frameworks/Electron Framework.framework/Versions/A/Libraries/libswiftshader_libEGL.dylib"
+sign_cmd "$ABS_PATH/Contents/Frameworks/Electron Framework.framework/Versions/A/Libraries/libswiftshader_libGLESv2.dylib"
+sign_cmd "$ABS_PATH/Contents/Frameworks/Electron Framework.framework/Versions/A/Libraries/libvk_swiftshader.dylib"
+
+# Sign the whole component deeply
+sign_cmd "$ABS_PATH"
+
+# Verify the signing
+eval "$VERIFY_CMD \"$ABS_PATH\" $LOG"
+eval "$VERIFY_CMD --display -r- \"$ABS_PATH\"" "$LOG"
+eval "$ENTITLEMENT_CMD \"$ABS_PATH\"" "$LOG"
+set +x
@@ -63,7 +63,6 @@ data Options = Options
   , oOS                    :: OS
   , oCluster               :: Cluster
   , oAppName               :: AppName
-  , oAppRootOverride       :: Maybe FilePath
   , oDontPkgbuild          :: Bool
   , oOutputDir             :: FilePath
   , oTestInstaller         :: TestInstaller
@@ -87,12 +86,11 @@ optionsParser detectedOS = Options
   <*> (optional      $
       (BuildJob     <$> optText "build-counter"     'v' "‘inputs.self.sourceInfo.revCount’"))
   <*> (fromMaybe detectedOS <$> (optional $
-                   optReadLower "os"                  's' "OS, defaults to host OS.  One of:  linux64 macos64 win64"))
+                   optReadLower "os"                  's' "OS, defaults to host OS.  One of:  linux64 win64"))
   <*> (fromMaybe Selfnode   <$> (optional $
                    optReadLower "cluster"             'c' "Cluster the resulting installer will target:  mainnet, staging, or testnet"))
   <*> (fromMaybe "daedalus" <$> (optional $
       (AppName      <$> optText "appname"             'n' "Application name:  daedalus or..")))
-  <*> (optional (optPath        "app-root-override"   'r' "If you built the Electron app outside of MacInstaller.hs"))
   <*> (switch                   "dont-pkgbuild"       'd' "Stop after preparing the package (content root), don’t create the final *.pkg file")
   <*>                   optPath "out-dir"             'o' "Installer output directory"
   <*> (testInstaller