signing app bundles

[caarlos0]

What would you like to be added:

Hey, first of all, thanks for this great tool!

I recently integrated it into GoReleaser, and it works quite well :)

My suggestion is probably kinda big: the ability to sign and notarize .apps.

Why is this needed:

If you want to ship a macos .app file, signing and notarizing the binary is not enough. It actually seems to be worse than doing nothing for some reason - macos thinks the app is corrupted and wants to trash it.

as far as I've played with, it seems that

xcrun notarytool submit my-app-$(version).zip --keychain-profile "foobar" --wait

creates a Contents/_CodeSignature/CodeResources XML file - not sure if it signs the binary as well or not.

This file seems to contain the hashes of every file inside the app, plus some rules I don't really understand.

Not sure how hard it is to replicate this without relying on macOS - but it would be awesome to have this, and I'm willing to help building/testing it if you're up to!

Additional context:

Thanks again for this great project!

[vedantmgoyal9]

https://github.com/indygreg/apple-platform-rs/tree/main/apple-codesign supports signing app bundles and dmgs without relying on macos. we can refer to its implementation to get an idea.