Add Native Mac Installer

This commit adds a new native installer for OSARA on Mac (#1291).

The generated app bundle contains the installerexecutable, OSARA shared library, localization resources, and OSARA keymap. When built locally, the app bundle is ad-hoc (self) signed. When built via CI (Github Actions), official signing and notarization is supported. See `doc/installer/mac/README.md` for more details.

Author: mulcahy1000

.github/workflows/build.yml

@@ -67,8 +67,15 @@ jobs:
         # We need php for swell_resgen.
         run: brew install php
       - name: build
-        run: scons "publisher=${{ env.publisher }}" version=${{ env.version }}
-      - name: sign Windows
+        run: |
+          if [ ${{ matrix.os }} == macos-latest ]; then
+            echo "Building native Mac installer..."
+            scons mac_signing_mode=none "publisher=${{ env.publisher }}" version=${{ env.version }}
+          else
+            echo "Building Windows installer..."
+            scons "publisher=${{ env.publisher }}" version=${{ env.version }}
+          fi
+      - name: sign
         if: ${{ github.event_name == 'push' && matrix.os == 'windows-latest' }}
         uses: azure/trusted-signing-action@v0
         with:
@@ -114,24 +121,25 @@ jobs:
             exit 1
           fi
 
-          cd installer/mac
+          cd build/installer
 
           # Set up app bundle and entitlements
           APP_BUNDLE="OSARAInstaller.app"
           
           # Create a temporary entitlements file for runtime (consistent with local build.sh)
+          entitlements=../../installer/OSARAInstaller/OSARAInstaller.entitlements
           runtime_entitlements="$APP_BUNDLE/Contents/Resources/runtime.entitlements"
-          cp OSARAInstaller.entitlements "$runtime_entitlements"
+          cp $entitlements "$runtime_entitlements"
           
           # Deep sign all components in the app bundle with entitlements
           echo "=== Deep signing app bundle with entitlements ==="
-          find $APP_BUNDLE -type f \( -name "*.dylib" -o -name "*.so" -o -name "*.framework" \) -exec codesign --force --options runtime --entitlements OSARAInstaller.entitlements --sign "$IDENTITY" {} \; || echo "No additional libraries found to sign"
+          find $APP_BUNDLE -type f \( -name "*.dylib" -o -name "*.so" -o -name "*.framework" \) -exec codesign --force --options runtime --entitlements $entitlements --sign "$IDENTITY" {} \; || echo "No additional libraries found to sign"
 
           # Sign the main executable with timestamp and entitlements
-          codesign --force --options runtime --timestamp --entitlements OSARAInstaller.entitlements --sign "$IDENTITY" "$APP_BUNDLE/Contents/MacOS/applet"
+          codesign --force --options runtime --timestamp --entitlements $entitlements --sign "$IDENTITY" "$APP_BUNDLE/Contents/MacOS/OSARAInstaller"
           
           # Sign the app bundle with timestamp and entitlements
-          codesign --force --options runtime --timestamp --entitlements OSARAInstaller.entitlements --sign "$IDENTITY" $APP_BUNDLE
+          codesign --force --options runtime --timestamp --entitlements $entitlements --sign "$IDENTITY" $APP_BUNDLE
 
           # Verify signing with detailed output
           echo "=== Verifying code signature ==="
@@ -148,7 +156,7 @@ jobs:
             echo "ERROR: Missing Info.plist"
             exit 1
           fi
-          if [[ ! -f "$APP_BUNDLE/Contents/MacOS/applet" ]]; then
+          if [[ ! -f "$APP_BUNDLE/Contents/MacOS/OSARAInstaller" ]]; then
             echo "ERROR: Missing main executable"
             exit 1
           fi
@@ -232,13 +240,13 @@ jobs:
             echo "⚠️ Final spctl validation failed"
           fi
 
-          # Create final signed and notarized zip with app bundle and license
-          rm -f ../osara_${{ env.version }}.zip
-          zip -r ../osara_${{ env.version }}.zip $APP_BUNDLE
+          # Create final signed and notarized zip with app bundle
+          rm -f ../../installer/osara_${{ env.version }}.zip
+          zip -r ../../installer/osara_${{ env.version }}.zip $APP_BUNDLE
           cd ../..
 
           # Cleanup
-          rm installer/mac/osara_temp.zip certificate.p12
+          rm build/installer/osara_temp.zip certificate.p12
           security delete-keychain build.keychain
 
           echo "Mac app signed and notarized successfully!"

.gitignore

@@ -8,6 +8,7 @@ build
 *.exe
 .DS_Store
 *.dmg
+*.zip
 *.rc_mac_*
 __pycache__
 locale/*.pot

doc/installer/mac/APPLE_DEVELOPER_SETUP.md

@@ -0,0 +1,118 @@
+# Apple Developer Certificate Setup for OSARA
+
+This guide covers obtaining and configuring Apple Developer certificates for signing and notarizing OSARA builds.
+
+## Prerequisites
+
+- Apple Developer Program membership ($99/year)
+- macOS development machine with Xcode installed
+
+## Step 1: Obtain Developer ID Application Certificate
+
+1. **Log into Apple Developer Portal**
+   - Go to https://developer.apple.com/account
+   - Sign in with your Apple ID
+
+2. **Create Certificate Signing Request (CSR)**
+   - Open Keychain Access on your Mac
+   - Go to Keychain Access → Certificate Assistant → Request a Certificate from a Certificate Authority
+   - Enter your email address and name
+   - Select "Saved to disk" and "Let me specify key pair information"
+   - Click Continue and save the CSR file
+
+3. **Generate Certificate**
+   - In Apple Developer Portal, go to Certificates, Identifiers & Profiles
+   - Click the "+" button to create a new certificate
+   - Select "Developer ID Application" under "Production"
+   - Upload your CSR file
+   - Download the generated certificate (.cer file)
+
+4. **Install Certificate**
+   - Double-click the downloaded .cer file to install it in Keychain Access
+   - The certificate should appear in your "login" keychain
+
+## Step 2: Export Certificate for CI
+
+1. **Export as P12**
+   - In Keychain Access, find your "Developer ID Application" certificate
+   - Right-click and select "Export"
+   - Choose "Personal Information Exchange (.p12)" format
+   - Set a strong password and save the file
+
+2. **Convert to Base64**
+   ```bash
+   base64 -i your_certificate.p12 | pbcopy
+   ```
+   This copies the base64-encoded certificate to your clipboard
+
+## Step 3: Set Up App-Specific Password
+
+1. **Generate App-Specific Password**
+   - Go to https://appleid.apple.com
+   - Sign in and go to Security section
+   - Under "App-Specific Passwords", click "Generate Password"
+   - Enter a label like "OSARA CI Notarization"
+   - Save the generated password securely
+
+## Step 4: Configure GitHub Secrets
+
+Add these secrets to your GitHub repository:
+
+- `APPLE_ID`: Your Apple ID email address
+- `APPLE_ID_PASSWORD`: The app-specific password from Step 3
+- `TEAM_ID`: Your Apple Developer Team ID (found in Apple Developer Portal)
+- `APPLE_CERTIFICATE_P12`: The base64-encoded certificate from Step 2
+- `APPLE_CERTIFICATE_PASSWORD`: The password you set when exporting the P12
+
+## Step 5: Find Your Team ID
+
+1. Go to https://developer.apple.com/account
+2. Look for "Team ID" in the membership section
+3. It's a 10-character alphanumeric string (e.g., "ABCD123456")
+
+## Security Notes
+
+- Never commit certificates or passwords to version control
+- Use app-specific passwords, not your main Apple ID password
+- Store the P12 certificate securely as a backup
+- Rotate app-specific passwords periodically
+
+## Troubleshooting
+
+**Certificate not found during signing:**
+- Verify the certificate is properly imported in Keychain Access
+- Check that it's a "Developer ID Application" certificate, not "Mac Developer"
+
+**Notarization fails:**
+- Ensure you're using an app-specific password, not your regular Apple ID password
+- Verify your Team ID is correct
+- Check that the app is signed with a Developer ID certificate
+
+**"Developer ID Application" not available:**
+- Ensure you have a paid Apple Developer Program membership
+- Individual accounts can create Developer ID certificates
+- Organization accounts may need admin approval
+
+## Local vs CI Builds
+
+**Local Development:**
+- Local builds now use ad-hoc signing only
+- No production certificates needed for local testing
+- Apps will show security warnings but can be opened with right-click → Open
+
+**CI/Production Builds:**
+- CI automatically signs with Developer ID Application certificate
+- Apps are notarized and ready for distribution
+- No security warnings for end users
+
+## Testing the Setup
+
+After configuring the GitHub secrets, push a commit to the master branch and check the GitHub Actions workflow. The Mac signing step should:
+
+1. Import the certificate successfully
+2. Sign the app bundle with your Developer ID
+3. Submit for notarization
+4. Staple the notarization ticket
+5. Create the final signed ZIP file
+
+If any step fails, check the GitHub Actions logs for specific error messages and verify your secrets are configured correctly.

doc/installer/mac/README.md

@@ -0,0 +1,43 @@
+# Native Mac Installer
+
+OSARA uses a native Mac installer built as an app bundle that can be signed and notarized for distribution.
+
+## SCons Build Options
+
+### Local Development
+```bash
+# Build with ad-hoc signing (default - for local testing)
+scons
+
+# Build without signing (for CI or when codesign is not available)
+scons mac_signing_mode=none
+```
+
+### Signing Modes
+
+The `mac_signing_mode` variable controls code signing behavior:
+
+- `mac_signing_mode=ad-hoc` (default) → Ad-hoc signs for local testing
+- `mac_signing_mode=none` → No signing (used by CI)
+
+## CI/CD Pipeline
+
+The GitHub Actions workflow automatically:
+
+1. **PR Builds**: Build with `mac_signing_mode=none` (no signing)
+2. **Push Builds**: Build with `mac_signing_mode=none`, then CI handles proper Developer ID signing and notarization
+
+## Apple Developer Requirements
+
+For production releases, the CI pipeline requires:
+- Apple Developer Program membership
+- Developer ID Application certificate
+- App-specific password for notarization
+- Team ID
+
+### Required Secrets (for CI)
+- `APPLE_ID`: Apple ID email
+- `APPLE_ID_PASSWORD`: App-specific password
+- `APPLE_TEAM_ID`: Apple Developer Team ID
+- `APPLE_CERTIFICATE_P12`: Base64-encoded certificate
+- `APPLE_CERTIFICATE_PASSWORD`: Certificate password

installer/OSARAInstaller/Info.plist

@@ -0,0 +1,40 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
+<plist version="1.0">
+<dict>
+	<key>CFBundleDevelopmentRegion</key>
+	<string>en</string>
+	<key>CFBundleExecutable</key>
+	<string>OSARAInstaller</string>
+	<key>CFBundleIconFile</key>
+	<string>osara_icon</string>
+	<key>CFBundleIdentifier</key>
+	<string>co.osara.installer</string>
+	<key>CFBundleInfoDictionaryVersion</key>
+	<string>6.0</string>
+	<key>CFBundleName</key>
+	<string>OSARA Installer</string>
+	<key>CFBundlePackageType</key>
+	<string>APPL</string>
+	<key>CFBundleShortVersionString</key>
+	<string>1.0</string>
+	<key>CFBundleVersion</key>
+	<string>1</string>
+	<key>LSApplicationCategoryType</key>
+	<string>public.app-category.developer-tools</string>
+	<key>LSMinimumSystemVersion</key>
+	<string>10.13</string>
+	<key>NSHumanReadableCopyright</key>
+	<string>Copyright 2014-2025 NV Access Limited, James Teh &amp; other contributors.</string>
+	<key>NSMainNibFile</key>
+	<string>MainMenu</string>
+	<key>NSPrincipalClass</key>
+	<string>SWELLApplication</string>
+	<key>NSHighResolutionCapable</key>
+	<true/>
+	<key>LSUIElement</key>
+	<false/>
+	<key>NSSupportsAutomaticGraphicsSwitching</key>
+	<true/>
+</dict>
+</plist>

installer/OSARAInstaller/OSARAInstaller.entitlements

@@ -0,0 +1,27 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
+<plist version="1.0">
+<dict>
+	<!-- Security hardening - disable dangerous capabilities -->
+	<key>com.apple.security.cs.allow-jit</key>
+	<false/>
+	<key>com.apple.security.cs.allow-unsigned-executable-memory</key>
+	<false/>
+	<key>com.apple.security.cs.disable-executable-page-protection</key>
+	<false/>
+	<key>com.apple.security.cs.disable-library-validation</key>
+	<false/>
+	
+	<!-- File access permissions for installer functionality -->
+	<key>com.apple.security.files.user-selected.read-write</key>
+	<true/>
+	<key>com.apple.security.files.downloads.read-write</key>
+	<true/>
+	<key>com.apple.security.files.bookmarks.app-scope</key>
+	<true/>
+	
+	<!-- Network access for potential update checks or validation -->
+	<key>com.apple.security.network.client</key>
+	<true/>
+</dict>
+</plist>