wails-release/internal/codesign/sign.go

package codesign

import (
	"context"
	"fmt"

	"lmika.dev/actions/wails-release/internal/runner"
)

// SignOpts configures a codesign invocation.
type SignOpts struct {
	AppPath      string
	Identity     string
	KeychainPath string
}

// Sign runs `codesign` against a .app bundle, signing recursively with
// the hardened runtime and a secure timestamp.
func Sign(ctx context.Context, r runner.Runner, opts SignOpts) error {
	args := []string{
		"--deep", "--force", "--options", "runtime", "--timestamp",
		"--sign", opts.Identity,
		"--keychain", opts.KeychainPath,
		opts.AppPath,
	}
	if _, err := r.Run(ctx, runner.Spec{Name: "codesign", Args: args}); err != nil {
		return fmt.Errorf("codesign sign: %w", err)
	}
	return nil
}

// Verify runs `codesign --verify --deep --strict` against the bundle.
func Verify(ctx context.Context, r runner.Runner, appPath string) error {
	if _, err := r.Run(ctx, runner.Spec{
		Name: "codesign",
		Args: []string{"--verify", "--deep", "--strict", appPath},
	}); err != nil {
		return fmt.Errorf("codesign verify: %w", err)
	}
	return nil
}
Add codesign sign + verify Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com> 2026-05-02 00:16:30 +00:00			`package codesign`

			`import (`
			`"context"`
			`"fmt"`

Fixed action package 2026-05-02 01:47:13 +00:00			`"lmika.dev/actions/wails-release/internal/runner"`
Add codesign sign + verify Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com> 2026-05-02 00:16:30 +00:00			`)`

			`// SignOpts configures a codesign invocation.`
			`type SignOpts struct {`
			`AppPath string`
			`Identity string`
			`KeychainPath string`
			`}`

			// Sign runs `codesign` against a .app bundle, signing recursively with
			`// the hardened runtime and a secure timestamp.`
			`func Sign(ctx context.Context, r runner.Runner, opts SignOpts) error {`
			`args := []string{`
			`"--deep", "--force", "--options", "runtime", "--timestamp",`
			`"--sign", opts.Identity,`
			`"--keychain", opts.KeychainPath,`
			`opts.AppPath,`
			`}`
			`if _, err := r.Run(ctx, runner.Spec{Name: "codesign", Args: args}); err != nil {`
			`return fmt.Errorf("codesign sign: %w", err)`
			`}`
			`return nil`
			`}`

			// Verify runs `codesign --verify --deep --strict` against the bundle.
			`func Verify(ctx context.Context, r runner.Runner, appPath string) error {`
			`if _, err := r.Run(ctx, runner.Spec{`
			`Name: "codesign",`
			`Args: []string{"--verify", "--deep", "--strict", appPath},`
			`}); err != nil {`
			`return fmt.Errorf("codesign verify: %w", err)`
			`}`
			`return nil`
			`}`