(APPLE) Build a Universal Framework, and add code signing and notarization

.github/actions/install-apple-certs/action.yml

@@ -0,0 +1,42 @@
+name: 'Install Apple Certificates'
+description: 'Installs Apple signing and notarization certificates and sets up the keychain'
+inputs:
+  MACOS_CERTIFICATE_APP:
+    required: true
+  MACOS_CERTIFICATE_INST:
+    required: true
+  MACOS_CERTIFICATE_PWD:
+    required: true
+  MACOS_CI_KEYCHAIN_PWD:
+    required: true
+runs:
+  using: "composite"
+  steps:
+    - name: Install certificates and provisioning profiles
+      shell: bash
+      run: |
+        # Create temporary keychain
+        KEYCHAIN_PATH=$RUNNER_TEMP/build.keychain
+        security create-keychain -p "${{ inputs.MACOS_CI_KEYCHAIN_PWD }}" $KEYCHAIN_PATH
+        security default-keychain -s $KEYCHAIN_PATH
+        security set-keychain-settings -lut 21600 $KEYCHAIN_PATH
+        security unlock-keychain -p "${{ inputs.MACOS_CI_KEYCHAIN_PWD }}" $KEYCHAIN_PATH
+
+        # Import certificates from secrets ...
+        CERTIFICATE_PATH_APP=$RUNNER_TEMP/build_certificate_app.p12
+        CERTIFICATE_PATH_INST=$RUNNER_TEMP/build_certificate_inst.p12
+        echo -n "${{ inputs.MACOS_CERTIFICATE_APP }}" | base64 --decode -o $CERTIFICATE_PATH_APP
+        echo -n "${{ inputs.MACOS_CERTIFICATE_INST }}" | base64 --decode -o $CERTIFICATE_PATH_INST
+        # ... to keychain
+        security import $CERTIFICATE_PATH_APP -P "${{ inputs.MACOS_CERTIFICATE_PWD }}" -k $KEYCHAIN_PATH -A -t cert -f pkcs12
+        security import $CERTIFICATE_PATH_INST -P "${{ inputs.MACOS_CERTIFICATE_PWD }}" -k $KEYCHAIN_PATH -A -t cert -f pkcs12
+
+        # Set trusted partitions (groups of applications) that can access the keychain items
+        security set-key-partition-list -S apple-tool:,apple:,codesign: -s -k "${{ inputs.MACOS_CI_KEYCHAIN_PWD }}" $KEYCHAIN_PATH
+        security list-keychain -d user -s $KEYCHAIN_PATH
+
+        # Get certificate identities into environment variables
+        CERT_IDENTITY_APP=$(security find-identity -v -p codesigning $KEYCHAIN_PATH | grep "Developer ID Application" | head -1 | awk -F'"' '{print $2}')
+        echo "APPLE_CODE_SIGN_IDENTITY_APP=$CERT_IDENTITY_APP" >> $GITHUB_ENV
+        CERT_IDENTITY_INST=$(security find-identity -v -p basic $KEYCHAIN_PATH | grep "Developer ID Installer" | head -1 | awk -F'"' '{print $2}')
+        echo "APPLE_CODE_SIGN_IDENTITY_INST=$CERT_IDENTITY_INST" >> $GITHUB_ENV

.github/workflows/apple.yml

@@ -0,0 +1,252 @@
+name: Apple CI
+
+on:
+  push:
+    branches:
+      - main
+      - dev
+    tags: ['*']
+    paths:
+      - '**'
+      - '!docs/**'
+      - '!.github/**'
+      - '.github/workflows/apple.yml'
+  pull_request:
+  release:
+    types: ['created']
+  workflow_dispatch:
+    inputs:
+      cmakeextra:
+        description: 'Extra CMake options'
+        required: false
+        default: ''
+
+concurrency:
+  group: ${{ github.workflow }}-${{ github.head_ref || github.run_id }}
+  cancel-in-progress: true
+
+defaults:
+  run:
+    shell: bash
+
+jobs:
+  build:
+    name: ${{ matrix.config.name }}
+    runs-on: ${{ matrix.config.os }}
+    strategy:
+      fail-fast: false
+      matrix:
+        config:
+        - {name: "macOS-latest", os: "macOS-latest", cmake_extra: "-DCMAKE_OSX_DEPLOYMENT_TARGET=10.15 -DLSL_UNITTESTS=ON -DLSL_BENCHMARKS=ON -DCMAKE_OSX_ARCHITECTURES=\"x86_64;arm64\"" }
+        - {name: "iOS", os: "macOS-latest", cmake_extra: "-DCMAKE_TOOLCHAIN_FILE=cmake/ios.toolchain.cmake -DPLATFORM=OS64" }
+        - {name: "iOS Simulator", os: "macOS-latest", cmake_extra: "-DCMAKE_TOOLCHAIN_FILE=cmake/ios.toolchain.cmake -DPLATFORM=SIMULATOR64COMBINED -G Xcode" }
+
+    steps:
+    - uses: actions/checkout@v4
+
+    - name: Install certificates and provisioning profiles
+      uses: ./.github/actions/install-apple-certs
+      with:
+        MACOS_CERTIFICATE_APP: ${{ secrets.PROD_MACOS_CERTIFICATE }}
+        MACOS_CERTIFICATE_INST: ${{ secrets.PROD_MACOS_CERTIFICATE_INST }}
+        MACOS_CERTIFICATE_PWD: ${{ secrets.PROD_MACOS_CERTIFICATE_PWD }}
+        MACOS_CI_KEYCHAIN_PWD: ${{ secrets.PROD_MACOS_CI_KEYCHAIN_PWD }}
+
+    - name: Configure CMake
+      env:
+          APPLE_DEVELOPMENT_TEAM: ${{ secrets.PROD_MACOS_NOTARIZATION_TEAM_ID }}
+      run: |
+           cmake --version
+           cmake -S . -B build \
+                -DCMAKE_BUILD_TYPE=Release \
+                -DCMAKE_INSTALL_PREFIX=${PWD}/install \
+                -DCPACK_PACKAGE_DIRECTORY=${PWD}/package \
+                -DLSL_FRAMEWORK=ON \
+                -Dlslgitrevision=${{ github.sha }} \
+                -Dlslgitbranch=${{ github.ref }} \
+                ${{ matrix.config.cmake_extra }} \
+                ${{ github.event.inputs.cmakeextra }}
+           echo ${PWD}
+
+    - name: make
+      run: cmake --build build --config Release -j
+
+    - name: make install
+      run: cmake --build build --config Release --target install
+
+    - name: test install using examples
+      if: matrix.config.name == 'macOS-latest'
+      run: |
+          # Test that the in-tree install was successful by building the examples
+          cmake -S examples -B examples/build \
+            -DLSL_INSTALL_ROOT=${PWD}/install \
+            -DCMAKE_INSTALL_PREFIX=examples/build/install \
+            -DLSL_COMFY_DEFAULTS=ON \
+            ${{ matrix.config.cmake_extra }} \
+            ${{ github.event.inputs.cmakeextra }}
+          cmake --build examples/build --target install --config Release -j
+          ./examples/build/install/bin/HandleMetaData
+
+    - name: Codesign
+      run: |
+          if [[ "${{ matrix.config.name }}" == "macOS-latest" ]]; then
+            codesign -vvv --force --deep --sign "$APPLE_CODE_SIGN_IDENTITY_APP" \
+              --entitlements lsl.entitlements --options runtime \
+              install/Frameworks/lsl.framework/Versions/A/lsl
+            codesign -vvv --verify --deep --strict install/Frameworks/lsl.framework/Versions/A/lsl
+          elif [[ "${{ matrix.config.name }}" == "iOS" || "${{ matrix.config.name }}" == "iOS Simulator" ]]; then
+            codesign -vvv --force --deep --sign "$APPLE_CODE_SIGN_IDENTITY_APP" \
+              install/Frameworks/lsl.framework/lsl
+            codesign -vvv --verify --deep --strict install/Frameworks/lsl.framework/lsl
+          fi
+          codesign -vvv --force --deep --sign "$APPLE_CODE_SIGN_IDENTITY_APP" \
+            --entitlements lsl.entitlements --options runtime \
+            install/Frameworks/lsl.framework
+          codesign -vvv --verify --deep --strict install/Frameworks/lsl.framework
+
+    # run internal tests
+    - name: unit tests
+      if: matrix.config.name == 'macOS-latest'
+      run: |
+        mkdir -p dumps
+        install/bin/lsl_test_internal --order rand --wait-for-keypress never --durations yes
+        install/bin/lsl_test_exported --order rand --wait-for-keypress never --durations yes
+      timeout-minutes: 10
+
+    - name: Package and Notarize macOS Installer
+      if: matrix.config.name == 'macOS-latest'
+      env:
+          APPLE_DEVELOPMENT_TEAM: ${{ secrets.PROD_MACOS_NOTARIZATION_TEAM_ID }}
+          APPLE_NOTARIZE_USERNAME: ${{ secrets.PROD_MACOS_NOTARIZATION_APPLE_ID }}
+          APPLE_NOTARIZE_PASSWORD: ${{ secrets.PROD_MACOS_NOTARIZATION_PWD }}
+      run: |
+          # Get the version number from the framework's Info.plist
+          LSL_VERSION=$(/usr/libexec/PlistBuddy -c "Print CFBundleShortVersionString" install/Frameworks/lsl.framework/Versions/A/Resources/Info.plist)
+          echo "LSL_VERSION=$LSL_VERSION" >> $GITHUB_ENV
+          echo "Debug: LSL_VERSION=$LSL_VERSION"
+
+          mkdir -p package
+          productbuild --sign "$APPLE_CODE_SIGN_IDENTITY_INST" \
+            --component install/Frameworks/lsl.framework \
+            /Library/Frameworks package/liblsl-${LSL_VERSION}-Darwin-universal.pkg
+          # Notarize the package
+          xcrun notarytool submit package/liblsl-${LSL_VERSION}-Darwin-universal.pkg \
+            --apple-id "$APPLE_NOTARIZE_USERNAME" \
+            --password "$APPLE_NOTARIZE_PASSWORD" \
+            --team-id "$APPLE_DEVELOPMENT_TEAM" \
+            --wait
+          # Staple the notarization ticket to the package
+          xcrun stapler staple package/liblsl-${LSL_VERSION}-Darwin-universal.pkg
+
+    - name: upload dump
+      if: failure()
+      uses: actions/upload-artifact@v4
+      with:
+        name: dumps-${{ matrix.config.name }}
+        path: dumps
+
+    - name: Zip LSL Framework
+      run: |
+        cd install/Frameworks
+        zip -ry lsl.framework.zip lsl.framework
+        cd ../..
+
+    - name: Upload macOS Package and Framework
+      if: matrix.config.name == 'macOS-latest'
+      uses: actions/upload-artifact@v4
+      with:
+        name: build-macOS-latest
+        path: |
+          package/*.pkg
+          install/Frameworks/lsl.framework.zip
+        # Note: the artifact will preserve the folder structure up to the common root, in this case all.
+
+    - name: Upload iOS Framework
+      if: matrix.config.name == 'iOS'
+      uses: actions/upload-artifact@v4
+      with:
+        name: build-iOS
+        path: install/Frameworks/lsl.framework.zip
+        # Note: the artifact drops the folder structure and only keeps the zip.
+
+    - name: Upload iOS Simulator Framework
+      if: matrix.config.name == 'iOS Simulator'
+      uses: actions/upload-artifact@v4
+      with:
+        name: build-iOS-Simulator
+        path: install/Frameworks/lsl.framework.zip
+
+  xcframework_and_deploy:
+    name: XCFramework and Deploy
+    needs: build
+    runs-on: macOS-latest
+    steps:
+      - uses: actions/checkout@v4
+      - uses: actions/download-artifact@v4
+        with:
+          name: build-macOS-latest
+          path: build-macOS-latest
+      - uses: actions/download-artifact@v4
+        with:
+          name: build-iOS
+          path: build-iOS
+      - uses: actions/download-artifact@v4
+        with:
+          name: build-iOS-Simulator
+          path: build-iOS-Simulator
+
+      - name: Unzip macOS Framework
+        run: |
+          unzip build-macOS-latest/install/Frameworks/lsl.framework.zip -d build-macOS-latest/Frameworks
+
+      - name: Unzip iOS Framework
+        run: |
+          unzip build-iOS/lsl.framework.zip -d build-iOS/Frameworks
+
+      - name: Unzip iOS Simulator Framework
+        run: |
+          unzip build-iOS-Simulator/lsl.framework.zip -d build-iOS-Simulator/Frameworks
+
+      - name: Install certificates and provisioning profiles
+        uses: ./.github/actions/install-apple-certs
+        with:
+            MACOS_CERTIFICATE_APP: ${{ secrets.PROD_MACOS_CERTIFICATE }}
+            MACOS_CERTIFICATE_INST: ${{ secrets.PROD_MACOS_CERTIFICATE_INST }}
+            MACOS_CERTIFICATE_PWD: ${{ secrets.PROD_MACOS_CERTIFICATE_PWD }}
+            MACOS_CI_KEYCHAIN_PWD: ${{ secrets.PROD_MACOS_CI_KEYCHAIN_PWD }}
+
+      - name: Create and Sign XCFramework
+        run: |
+          xcodebuild -create-xcframework \
+            -framework build-macOS-latest/Frameworks/lsl.framework \
+            -framework build-iOS/Frameworks/lsl.framework \
+            -framework build-iOS-Simulator/Frameworks/lsl.framework \
+            -output lsl.xcframework
+
+          codesign -vvv --force --deep --sign "$APPLE_CODE_SIGN_IDENTITY_APP" lsl.xcframework
+          echo "✅ Verifying binary signatures in XCFramework..."
+          codesign -vvv --verify --deep --strict lsl.xcframework
+
+          ditto -c -k --sequesterRsrc --keepParent lsl.xcframework lsl.xcframework.$LSL_VERSION.zip
+
+      - name: upload artifacts
+        uses: actions/upload-artifact@v4
+        with:
+          name: mac-packages
+          path: |
+            lsl.xcframework.*.zip
+            package/
+
+      - name: upload to release page
+        if: github.event_name == 'release'
+        env:
+          TOKEN: "token ${{ secrets.GITHUB_TOKEN }}"
+          TAG: ${{ github.event.release.tag_name }}
+          UPLOAD_URL: ${{ github.event.release.upload_url }}
+        run: |
+              UPLOAD_URL=${UPLOAD_URL%\{*} # remove "{name,label}" suffix
+              for pkg in lsl.xcframework.zip package/*.*; do
+                NAME=$(basename $pkg)
+                MIME=$(file --mime-type $pkg|cut -d ' ' -f2)
+                curl -X POST -H "Accept: application/vnd.github.v3+json" -H "Authorization: $TOKEN" -H "Content-Type: $MIME" --data-binary @$pkg $UPLOAD_URL?name=$NAME
+              done

.github/workflows/cppcmake.yml

@@ -2,7 +2,9 @@ name: C/C++ CI
 
 on:
   push:
-    branches: ['*']
+    branches:
+      - main
+      - dev
     tags: ['*']
     paths:
       - '**'
@@ -39,18 +41,10 @@ jobs:
         - {name: "ubuntu-24.04", os: "ubuntu-24.04",   cmake_extra: "-DLSL_BUNDLED_PUGIXML=OFF" }
         - {name: "windows-x64",  os: "windows-latest", cmake_extra: "-T v142,host=x86"}
         - {name: "windows-32",   os: "windows-latest", cmake_extra: "-T v142,host=x86 -A Win32"}
-        - {name: "macOS-latest", os: "macOS-latest"}
-
-    # runs all steps in the container configured in config.docker or as subprocesses when empty
-    container: ${{ matrix.config.docker }}
+
     steps:
     - uses: actions/checkout@v4
-    - name: set up build environment in container
-      run: |
-         set -x
-         apt update
-         apt install -y --no-install-recommends g++ git ninja-build file dpkg-dev lsb-release sudo curl cmake libpugixml-dev
-      if: ${{ matrix.config.docker }}
+
     - name: Configure CMake
       run: |
            if [[ "${{ matrix.config.name }}" = ubuntu-2* ]]; then
@@ -67,9 +61,13 @@ jobs:
                 -Dlslgitbranch=${{ github.ref }} \
                 ${{ matrix.config.cmake_extra }} \
                 ${{ github.event.inputs.cmakeextra }}
-            echo ${PWD}
+           echo ${PWD}
+
     - name: make
-      run: cmake --build build --target install --config Release -j
+      run: cmake --build build --config Release -j
+
+    - name: make install
+      run: cmake --build build --config Release --target install
 
     - name: test install using examples
       run: |
@@ -82,7 +80,7 @@ jobs:
             ${{ github.event.inputs.cmakeextra }}
           cmake --build examples/build --target install --config Release -j
           ./examples/build/install/bin/HandleMetaData
-  
+
     - name: package
       run: |
            echo $GITHUB_REF
@@ -101,6 +99,7 @@ jobs:
            fi
            cmake -E remove_directory package/_CPack_Packages
            cp testing/lslcfgs/default.cfg .
+
     - name: upload install dir
       uses: actions/upload-artifact@master
       with:
@@ -112,6 +111,7 @@ jobs:
       with:
         name: pkg-${{ matrix.config.name }}
         path: package
+
     - name: print network config
       run: |
            which ifconfig && ifconfig
@@ -121,24 +121,26 @@ jobs:
               ip route
               ip -6 route
            fi
-    
-    # run internal tests, ignore test failures on docker (missing IPv6 connectivity)
+
+    # run internal tests
     - name: unit tests
       run: |
         if [[ "${{ matrix.config.name }}" = ubuntu-2* ]]; then
           ulimit -c unlimited
           echo "$PWD/dumps/corefile-%e-%p-%t" | sudo tee /proc/sys/kernel/core_pattern
         fi
         mkdir -p dumps
-        install/bin/lsl_test_internal --order rand --wait-for-keypress never --durations yes || test ! -z "${{ matrix.config.docker }}"
+        install/bin/lsl_test_internal --order rand --wait-for-keypress never --durations yes
         install/bin/lsl_test_exported --order rand --wait-for-keypress never --durations yes
       timeout-minutes: 10
+
     - name: upload dump
       if: failure()
       uses: actions/upload-artifact@master
       with:
         name: dumps-${{ matrix.config.name }}
         path: dumps
+
     - name: upload to release page
       if: github.event_name == 'release'
       env: