feat: Add proper code signing and Info.plist embedding for macOS permissions

steipete · steipete · commit d0676c49901a · 2025-07-03T22:02:10.000+01:00
- Add Info.plist with bundle identifier and usage descriptions
- Embed Info.plist into binary using linker flags in Package.swift
- Add Developer ID code signing to build script (with ad-hoc fallback)
- Update version to 2.0.0 in Info.plist
- Enable runtime hardening for notarization readiness

This ensures Peekaboo works properly with macOS permissions system and can be distributed via Homebrew with proper code signing.
diff --git a/peekaboo-cli/Package.swift b/peekaboo-cli/Package.swift
@@ -24,6 +24,14 @@ let package = Package(
             swiftSettings: [
                 .enableExperimentalFeature("StrictConcurrency"),
                 .unsafeFlags(["-parse-as-library"])
+            ],
+            linkerSettings: [
+                .unsafeFlags([
+                    "-Xlinker", "-sectcreate",
+                    "-Xlinker", "__TEXT",
+                    "-Xlinker", "__info_plist",
+                    "-Xlinker", "Sources/Resources/Info.plist"
+                ])
             ]
         ),
         .testTarget(
diff --git a/peekaboo-cli/Sources/Resources/Info.plist b/peekaboo-cli/Sources/Resources/Info.plist
@@ -0,0 +1,16 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
+<plist version="1.0">
+<dict>
+    <key>CFBundleIdentifier</key>
+    <string>com.steipete.peekaboo</string>
+    <key>CFBundleName</key>
+    <string>Peekaboo</string>
+    <key>CFBundleVersion</key>
+    <string>2.0.0</string>
+    <key>CFBundleShortVersionString</key>
+    <string>2.0.0</string>
+    <key>NSScreenCaptureUsageDescription</key>
+    <string>Peekaboo needs screen recording permission to capture screenshots and analyze window content.</string>
+</dict>
+</plist>
diff --git a/scripts/build-swift-universal.sh b/scripts/build-swift-universal.sh
@@ -52,6 +52,28 @@ echo "🤏 Stripping symbols for further size reduction..."
 # -x: Remove non-global symbols
 strip -Sx "$FINAL_BINARY_PATH.tmp"
 
+echo "🔏 Code signing the universal binary..."
+if security find-identity -p codesigning -v | grep -q "Developer ID Application"; then
+    # Sign with Developer ID if available
+    SIGNING_IDENTITY=$(security find-identity -p codesigning -v | grep "Developer ID Application" | head -1 | awk '{print $2}')
+    codesign --force --sign "$SIGNING_IDENTITY" \
+        --options runtime \
+        --identifier "com.steipete.peekaboo" \
+        --timestamp \
+        "$FINAL_BINARY_PATH.tmp"
+    echo "✅ Signed with Developer ID: $SIGNING_IDENTITY"
+else
+    # Fall back to ad-hoc signing for local builds
+    codesign --force --sign - \
+        --identifier "com.steipete.peekaboo" \
+        "$FINAL_BINARY_PATH.tmp"
+    echo "⚠️  Ad-hoc signed (no Developer ID found)"
+fi
+
+# Verify the signature and embedded info
+echo "🔍 Verifying code signature..."
+codesign -dv "$FINAL_BINARY_PATH.tmp" 2>&1 | grep -E "Identifier=|Signature"
+
 # Replace the old binary with the new one
 mv "$FINAL_BINARY_PATH.tmp" "$FINAL_BINARY_PATH"
 
