From 202a0d159b999f9c1a1d3b5d5064d2067e46f8c7 Mon Sep 17 00:00:00 2001
From: Karl Tauber
Date: Tue, 18 Mar 2025 18:46:53 +0100
Subject: [PATCH] GitHub Actions: natives.yml: sign Windows and macOS native libraries
---
 .github/workflows/natives.yml | 38 +++++++++++++++++++++++++++++++++++
 1 file changed, 38 insertions(+)
diff --git a/.github/workflows/natives.yml b/.github/workflows/natives.yml
index 7bbe9654..0b856b3a 100644
--- a/.github/workflows/natives.yml
+++ b/.github/workflows/natives.yml
@@ -66,6 +66,44 @@ jobs:
 # tar.exe: Couldn't open ~/.gradle/caches/modules-2/modules-2.lock: Permission denied
 run: ./gradlew build-natives --no-daemon

+ - name: Sign Windows DLLs
+ if: matrix.os == 'windows-latest'
+ uses: skymatic/code-sign-action@v3
+ with:
+ certificate: '${{ secrets.CODE_SIGN_CERT_BASE64 }}'
+ password: '${{ secrets.CODE_SIGN_CERT_PASSWORD }}'
+ certificatesha1: '${{ secrets.CODE_SIGN_CERT_SHA1 }}'
+ folder: 'flatlaf-core/src/main/resources/com/formdev/flatlaf/natives'
+
+ - name: Sign macOS natives
+ if: matrix.os == 'macos-latest'
+ env:
+ CERT_BASE64: ${{ secrets.CODE_SIGN_CERT_BASE64 }}
+ CERT_PASSWORD: ${{ secrets.CODE_SIGN_CERT_PASSWORD }}
+ CERT_IDENTITY: ${{ secrets.CODE_SIGN_CERT_IDENTITY }}
+ run: |
+ # https://docs.github.com/en/actions/use-cases-and-examples/deploying/installing-an-apple-certificate-on-macos-runners-for-xcode-development
+ # create variables
+ CERTIFICATE_PATH=$RUNNER_TEMP/cert.p12
+ KEYCHAIN_PATH=$RUNNER_TEMP/signing.keychain-db
+ KEYCHAIN_PASSWORD=$CERT_PASSWORD
+ # decode certificate
+ printenv CERT_BASE64 | base64 --decode > $CERTIFICATE_PATH
+ # create temporary keychain
+ security create-keychain -p "$KEYCHAIN_PASSWORD" $KEYCHAIN_PATH
+ security set-keychain-settings -lut 21600 $KEYCHAIN_PATH
+ security unlock-keychain -p "$KEYCHAIN_PASSWORD" $KEYCHAIN_PATH
+ # import certificate to keychain
+ security import $CERTIFICATE_PATH -P "$CERT_PASSWORD" -A -t cert -f pkcs12 -k $KEYCHAIN_PATH
+ security set-key-partition-list -S apple-tool:,apple: -k "$KEYCHAIN_PASSWORD" $KEYCHAIN_PATH
+ security list-keychains -d user -s $KEYCHAIN_PATH
+ # sign code
+ codesign -s "$CERT_IDENTITY" -fv --timestamp \
+ flatlaf-core/src/main/resources/com/formdev/flatlaf/natives/libflatlaf-macos-*.dylib
+ codesign -d --verbose=4 flatlaf-core/src/main/resources/com/formdev/flatlaf/natives/libflatlaf-macos-*.dylib
+ # cleanup
+ security delete-keychain $KEYCHAIN_PATH
+
 - name: Set artifacts pattern
 shell: bash
 run: |
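Review bot: The `Sign Windows DLLs` step passes the code-signing certificate, its password and its SHA-1 thumbprint to `skymatic/code-sign-action@v3`, a third-party action referenced by a movable tag, so whatever that tag resolves to at run time receives the signing key; pin it to a reviewed commit, e.g. `uses: skymatic/code-sign-action@<full-commit-sha>  # v3`. In the macOS step the decoded `cert.p12` is never removed, and `security delete-keychain` is the last command, so it is skipped when `codesign` fails (assuming the default `bash -e` shell, since the step sets no `shell:`). Registering `trap 'security delete-keychain "$KEYCHAIN_PATH"; rm -f "$CERTIFICATE_PATH"' EXIT` right after the variables are assigned would cover both paths, which matters most if the job ever runs on a non-ephemeral runner. `security import ... -A` lets any application use the imported key without prompting; `-T /usr/bin/codesign` would limit access to the signing tool. The job definition and the workflow's triggers start outside the hunk, so confirm separately that these steps cannot run with secrets for untrusted pull requests.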