Mac: Enable signing with self signed cert

[ann0see]

Short description of changes
Enables the CI to use a code signing certificate signed by a non Apple CA to sign development builds.

CHANGELOG: Build: Enabled signing of macOS binary if a self signed certificate is given.

Context: Fixes an issue?

Fixes: #2924

Does this change need documentation? What needs to be documented and how?

Probably not.

Status of this Pull Request

Ready for review (and test on Apple Silicon, a repo without the respective secrets set and a repo with the real apple secrets set (@emlynmac 's repo))

What is missing until this pull request can be merged?

Still needs some (external testing). Artifacts are building on my repo: https://github.com/ann0see/jamulus/actions/runs/3352547263/jobs/5554760442

Checklist

• I've verified that this Pull Request follows the general code principles
• I tested my code and it does what I want (on my repo)
• My code follows the style guide
• I waited some time after this Pull Request was opened and all GitHub checks completed without errors.
• I've filled all the content above

AUTOBUILD: Please build all targets

[hoffie]

Minor nit wrt [usage. Other than that, looks good. Thanks!

As you say, it should receive proper testing, especially of release builds. I think you still have access to @emlynmac's repo as well and could build a fake 0.something version for testing?

[ann0see]

I've pushed to emlyns repo, but my macOS VM is currently unavailable, so I can't test. But it builds and seems to be signed.

[ann0see]

Ok. Tested yesterday, and it seems to be signed.

[ann0see]

@hoffie I probably did some mistake during the rebase (again...). However, I think it's ok now. Please review again, nevertheless.

[ann0see]

@pljones @hoffie could you please review this?

[pljones]

I've no idea what any of the changes mean. It's not affecting anything other than MacOS and none of the builds broke, so I'm happy with it.

[emlynmac]

Can we make sure this actually does what is expected?
All of the artifacts have expired, so not possible to test.
I'd be surprised if a self signed binary works on a macOS platform TBH.

[ann0see]

I'd be surprised if a self signed binary works on a macOS platform TBH.

They do still show a warning but the point is that cert signing problems would show up in production already.

[emlynmac]

I'd be surprised if a self signed binary works on a macOS platform TBH.

They do still show a warning but the point is that cert signing problems would show up in production already.

If this is purely to validate the process, then the signed artifact should not be published.

[ann0see]

I’d there any downside of a self signed test version?

[emlynmac]

I’d there any downside of a self signed test version?

If it's published and people try to use it, then issues might be raised in confusion.

[ann0see]

Yes, but the same would be true for unsigned builds. This would just affect PR builds and maybe the legacy build. Release builds would be built on your repo.

[pljones]

Hi @ann0see, is there any progress here?

[ann0see]

There's still a Test and OK by Emlyn outstanding.

[pljones]

Looks syntactically correct.

[ann0see]

Ok. Now we need to add a certificate.