From 5d38ed6bb309edea18e29b2a130b4231e1314436 Mon Sep 17 00:00:00 2001 From: Scriptbash <98601298+Scriptbash@users.noreply.github.com> Date: Mon, 30 Mar 2026 07:55:24 -0400 Subject: [PATCH 1/3] Enable hardened runtime --- macos/Runner.xcodeproj/project.pbxproj | 31 +++++++++++++++++++++++++- macos/Runner/Release.entitlements | 6 ++--- 2 files changed, 33 insertions(+), 4 deletions(-) diff --git a/macos/Runner.xcodeproj/project.pbxproj b/macos/Runner.xcodeproj/project.pbxproj index 7d372d80..e843585c 100644 --- a/macos/Runner.xcodeproj/project.pbxproj +++ b/macos/Runner.xcodeproj/project.pbxproj @@ -269,7 +269,6 @@ 33CC10EC2044A3C60003C045 = { CreatedOnToolsVersion = 9.2; LastSwiftMigration = 1100; - ProvisioningStyle = Automatic; SystemCapabilities = { com.apple.Sandbox = { enabled = 1; @@ -547,6 +546,7 @@ DEAD_CODE_STRIPPING = YES; DEBUG_INFORMATION_FORMAT = "dwarf-with-dsym"; DEVELOPMENT_TEAM = MAX4AK5MU7; + ENABLE_HARDENED_RUNTIME = YES; ENABLE_NS_ASSERTIONS = NO; ENABLE_STRICT_OBJC_MSGSEND = YES; ENABLE_USER_SCRIPT_SANDBOXING = NO; @@ -576,6 +576,19 @@ CODE_SIGN_STYLE = Automatic; COMBINE_HIDPI_IMAGES = YES; DEVELOPMENT_TEAM = MAX4AK5MU7; + ENABLE_APP_SANDBOX = YES; + ENABLE_HARDENED_RUNTIME = YES; + ENABLE_INCOMING_NETWORK_CONNECTIONS = NO; + ENABLE_OUTGOING_NETWORK_CONNECTIONS = NO; + ENABLE_RESOURCE_ACCESS_AUDIO_INPUT = NO; + ENABLE_RESOURCE_ACCESS_BLUETOOTH = NO; + ENABLE_RESOURCE_ACCESS_CALENDARS = NO; + ENABLE_RESOURCE_ACCESS_CAMERA = NO; + ENABLE_RESOURCE_ACCESS_CONTACTS = NO; + ENABLE_RESOURCE_ACCESS_LOCATION = NO; + ENABLE_RESOURCE_ACCESS_PRINTING = NO; + ENABLE_RESOURCE_ACCESS_USB = NO; + ENABLE_USER_SELECTED_FILES = readwrite; INFOPLIST_FILE = Runner/Info.plist; INFOPLIST_KEY_LSApplicationCategoryType = "public.app-category.education"; LD_RUNPATH_SEARCH_PATHS = ( 
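Review bot: The sandbox capability flags added at `@@ -576,6 +576,19 @@` (`ENABLE_INCOMING_NETWORK_CONNECTIONS = NO`, `ENABLE_OUTGOING_NETWORK_CONNECTIONS = NO`, and the rest) create a second source of truth next to the `.entitlements` files, and the two already disagree. This same commit adds `com.apple.security.network.client` to `Release.entitlements`, while the block at `@@ -737,6 +765,7 @@` keeps `ENABLE_OUTGOING_NETWORK_CONNECTIONS = NO` as context. The same list is added again at `@@ -713,6 +728,19 @@`. How Xcode merges the build settings with the entitlements file is not visible here, so it is worth declaring capabilities in one place and confirming the result on the built app with `codesign -d --entitlements - <path-to-app>`. The enclosing build-configuration block starts and ends outside the hunk.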
@@ -627,6 +640,7 @@ DEAD_CODE_STRIPPING = YES; DEBUG_INFORMATION_FORMAT = dwarf; DEVELOPMENT_TEAM = MAX4AK5MU7; + ENABLE_HARDENED_RUNTIME = YES; ENABLE_STRICT_OBJC_MSGSEND = YES; ENABLE_TESTABILITY = YES; ENABLE_USER_SCRIPT_SANDBOXING = NO; @@ -684,6 +698,7 @@ DEAD_CODE_STRIPPING = YES; DEBUG_INFORMATION_FORMAT = "dwarf-with-dsym"; DEVELOPMENT_TEAM = MAX4AK5MU7; + ENABLE_HARDENED_RUNTIME = YES; ENABLE_NS_ASSERTIONS = NO; ENABLE_STRICT_OBJC_MSGSEND = YES; ENABLE_USER_SCRIPT_SANDBOXING = NO; @@ -713,6 +728,19 @@ CODE_SIGN_STYLE = Automatic; COMBINE_HIDPI_IMAGES = YES; DEVELOPMENT_TEAM = MAX4AK5MU7; + ENABLE_APP_SANDBOX = YES; + ENABLE_HARDENED_RUNTIME = YES; + ENABLE_INCOMING_NETWORK_CONNECTIONS = NO; + ENABLE_OUTGOING_NETWORK_CONNECTIONS = NO; + ENABLE_RESOURCE_ACCESS_AUDIO_INPUT = NO; + ENABLE_RESOURCE_ACCESS_BLUETOOTH = NO; + ENABLE_RESOURCE_ACCESS_CALENDARS = NO; + ENABLE_RESOURCE_ACCESS_CAMERA = NO; + ENABLE_RESOURCE_ACCESS_CONTACTS = NO; + ENABLE_RESOURCE_ACCESS_LOCATION = NO; + ENABLE_RESOURCE_ACCESS_PRINTING = NO; + ENABLE_RESOURCE_ACCESS_USB = NO; + ENABLE_USER_SELECTED_FILES = readwrite; INFOPLIST_FILE = Runner/Info.plist; INFOPLIST_KEY_LSApplicationCategoryType = "public.app-category.education"; LD_RUNPATH_SEARCH_PATHS = ( @@ -737,6 +765,7 @@ COMBINE_HIDPI_IMAGES = YES; DEVELOPMENT_TEAM = MAX4AK5MU7; ENABLE_APP_SANDBOX = YES; + ENABLE_HARDENED_RUNTIME = YES; ENABLE_INCOMING_NETWORK_CONNECTIONS = NO; ENABLE_OUTGOING_NETWORK_CONNECTIONS = NO; ENABLE_RESOURCE_ACCESS_AUDIO_INPUT = NO; diff --git a/macos/Runner/Release.entitlements b/macos/Runner/Release.entitlements index f926b2d9..c8a9c1a7 100644 --- a/macos/Runner/Release.entitlements +++ b/macos/Runner/Release.entitlements @@ -8,11 +8,11 @@ com.apple.security.files.user-selected.read-write + com.apple.security.cs.allow-jit + com.apple.security.network.client keychain-access-groups - - MAX4AK5MU7.app.wispar.wispar - + From c73c22e012304f14d4de66fd79b3c93f1e71beef Mon Sep 17 00:00:00 2001 
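Review bot: `com.apple.security.cs.allow-jit` is a hardened-runtime exception, and adding it to `Release.entitlements` in the commit that turns the hardened runtime on relaxes part of what the commit is enabling. Flutter release builds are normally AOT-compiled, so unless a plugin generates executable code at runtime the key can probably stay out of the release file; if it is needed, an XML comment naming the component that requires it would make the exception reviewable. The hunk also appears to replace the `keychain-access-groups` entry `MAX4AK5MU7.app.wispar.wispar` with an empty array (the page has lost the XML tags, so this is inferred). That is worth checking against any code that stores credentials in the keychain.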
From: Scriptbash <98601298+Scriptbash@users.noreply.github.com> Date: Mon, 30 Mar 2026 07:58:28 -0400 Subject: [PATCH 2/3] disable auto signing --- macos/Runner.xcodeproj/project.pbxproj | 20 ++++++++++++-------- 1 file changed, 12 insertions(+), 8 deletions(-) diff --git a/macos/Runner.xcodeproj/project.pbxproj b/macos/Runner.xcodeproj/project.pbxproj index e843585c..ad1fd32f 100644 --- a/macos/Runner.xcodeproj/project.pbxproj +++ b/macos/Runner.xcodeproj/project.pbxproj @@ -389,10 +389,14 @@ inputFileListPaths = ( "${PODS_ROOT}/Target Support Files/Pods-Runner/Pods-Runner-frameworks-${CONFIGURATION}-input-files.xcfilelist", ); + inputPaths = ( + ); name = "[CP] Embed Pods Frameworks"; outputFileListPaths = ( "${PODS_ROOT}/Target Support Files/Pods-Runner/Pods-Runner-frameworks-${CONFIGURATION}-output-files.xcfilelist", ); + outputPaths = ( + ); runOnlyForDeploymentPostprocessing = 0; shellPath = /bin/sh; shellScript = "\"${PODS_ROOT}/Target Support Files/Pods-Runner/Pods-Runner-frameworks.sh\"\n"; @@ -573,9 +577,9 @@ CLANG_ENABLE_MODULES = YES; CODE_SIGN_ENTITLEMENTS = Runner/DebugProfile.entitlements; CODE_SIGN_IDENTITY = "Apple Development"; - CODE_SIGN_STYLE = Automatic; + CODE_SIGN_STYLE = Manual; COMBINE_HIDPI_IMAGES = YES; - DEVELOPMENT_TEAM = MAX4AK5MU7; + DEVELOPMENT_TEAM = ""; ENABLE_APP_SANDBOX = YES; ENABLE_HARDENED_RUNTIME = YES; ENABLE_INCOMING_NETWORK_CONNECTIONS = NO; @@ -693,7 +697,7 @@ CLANG_WARN_OBJC_ROOT_CLASS = YES_ERROR; CLANG_WARN_RANGE_LOOP_ANALYSIS = YES; CLANG_WARN_SUSPICIOUS_MOVE = YES; - CODE_SIGN_IDENTITY = "-"; + CODE_SIGN_IDENTITY = ""; COPY_PHASE_STRIP = NO; DEAD_CODE_STRIPPING = YES; DEBUG_INFORMATION_FORMAT = "dwarf-with-dsym"; 
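Review bot: `CODE_SIGN_STYLE = Manual` with `DEVELOPMENT_TEAM = ""` at `@@ -573,9 +577,9 @@` leaves `CODE_SIGN_IDENTITY = "Apple Development"` in place, as does `@@ -725,9 +729,9 @@`, and no provisioning-profile setting is visible, whereas the Release block at `@@ -760,10 +764,10 @@` clears the identity to `""`. If the intent is for Xcode to skip signing and let the workflow's `codesign --options runtime --entitlements …` step (visible later in this series) sign the app, the identity should be cleared consistently. An unsigned product carries neither the hardened-runtime flag nor the sandbox entitlements until that step runs, and `@@ -693,7 +697,7 @@` likewise replaces ad-hoc signing (`"-"`) with no identity at all. A line in the commit message saying which step is responsible for signing would make this auditable.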
@@ -725,9 +729,9 @@ CLANG_ENABLE_MODULES = YES; CODE_SIGN_ENTITLEMENTS = Runner/DebugProfile.entitlements; CODE_SIGN_IDENTITY = "Apple Development"; - CODE_SIGN_STYLE = Automatic; + CODE_SIGN_STYLE = Manual; COMBINE_HIDPI_IMAGES = YES; - DEVELOPMENT_TEAM = MAX4AK5MU7; + DEVELOPMENT_TEAM = ""; ENABLE_APP_SANDBOX = YES; ENABLE_HARDENED_RUNTIME = YES; ENABLE_INCOMING_NETWORK_CONNECTIONS = NO; @@ -760,10 +764,10 @@ ASSETCATALOG_COMPILER_APPICON_NAME = AppIcon; CLANG_ENABLE_MODULES = YES; CODE_SIGN_ENTITLEMENTS = Runner/Release.entitlements; - CODE_SIGN_IDENTITY = "Apple Development"; - CODE_SIGN_STYLE = Automatic; + CODE_SIGN_IDENTITY = ""; + CODE_SIGN_STYLE = Manual; COMBINE_HIDPI_IMAGES = YES; - DEVELOPMENT_TEAM = MAX4AK5MU7; + DEVELOPMENT_TEAM = ""; ENABLE_APP_SANDBOX = YES; ENABLE_HARDENED_RUNTIME = YES; ENABLE_INCOMING_NETWORK_CONNECTIONS = NO; From f84061b9712a022f77e11856c79b49ce8f6858d6 Mon Sep 17 00:00:00 2001 From: Scriptbash <98601298+Scriptbash@users.noreply.github.com> Date: Mon, 30 Mar 2026 08:15:54 -0400 Subject: [PATCH 3/3] disable macos build --- .github/workflows/publish.yml | 131 ++++++++++++------------- macos/Runner.xcodeproj/project.pbxproj | 16 +-- 2 files changed, 73 insertions(+), 74 deletions(-) diff --git a/.github/workflows/publish.yml b/.github/workflows/publish.yml index 8a055211..7940c07e 100644 --- a/.github/workflows/publish.yml +++ b/.github/workflows/publish.yml 
@@ -69,65 +69,65 @@ jobs: lane: deploy subdirectory: android - build-macos: - name: Build for macOS - runs-on: macos-15 - steps: - - uses: actions/checkout@v6 - - uses: maxim-lobanov/setup-xcode@v1 - with: - xcode-version: latest-stable - - uses: subosito/flutter-action@v2 - with: - channel: 'stable' - - run: flutter pub get - - run: flutter build macos --release - - name: Codesign executable - env: - MACOS_CERTIFICATE: ${{ secrets.MACOS_CERTIFICATE }} - MACOS_CERTIFICATE_PWD: ${{ secrets.MACOS_CERTIFICATE_PWD }} - KEYCHAIN_PASSWORD: ${{ secrets.MACOS_KEYCHAIN_PASSWORD }} - MACOS_SIGN_IDENTITY: ${{ secrets.MACOS_SIGN_IDENTITY }} - run: | - echo "$MACOS_CERTIFICATE" | base64 --decode > certificate.p12 - security create-keychain -p $KEYCHAIN_PASSWORD build.keychain - security default-keychain -s build.keychain - security unlock-keychain -p $KEYCHAIN_PASSWORD build.keychain - security import certificate.p12 -k build.keychain -P $MACOS_CERTIFICATE_PWD -T /usr/bin/codesign - security set-key-partition-list -S apple-tool:,apple:,codesign: -s -k $KEYCHAIN_PASSWORD build.keychain - security find-identity - /usr/bin/codesign --force --deep --options runtime --entitlements macos/Runner/Release.entitlements -s "$MACOS_SIGN_IDENTITY" build/macos/Build/Products/Release/Wispar.app - /usr/bin/codesign --verify --deep --strict --verbose=2 build/macos/Build/Products/Release/Wispar.app - - name: Notarize app - env: - APPLE_ID: ${{ secrets.APPLE_ID }} - APPLE_PASSWORD: ${{ secrets.APPLE_PASSWORD }} - uses: lando/notarize-action@v2 - with: - product-path: "build/macos/Build/Products/Release/Wispar.app" - appstore-connect-username: ${{ secrets.APPLE_ID }} - appstore-connect-password: ${{ secrets.APPLE_PASSWORD }} - appstore-connect-team-id: ${{ secrets.APPLE_TEAM_ID }} - - name: Staple notarization - run: | - xcrun stapler staple build/macos/Build/Products/Release/Wispar.app - - name: Create dmg - env: - MACOS_SIGN_IDENTITY: ${{ secrets.MACOS_SIGN_IDENTITY }} - run: | - brew install 
create-dmg - create-dmg \ - --volname "Wispar" \ - --window-size 800 529 \ - --icon-size 130 \ - --app-drop-link 540 250 \ - "Wispar.dmg" \ - build/macos/Build/Products/Release/Wispar.app - /usr/bin/codesign --force -s "$MACOS_SIGN_IDENTITY" Wispar.dmg - - uses: actions/upload-artifact@v7 - with: - name: wispar-macos-dmg - path: Wispar.dmg + # build-macos: + # name: Build for macOS + # runs-on: macos-15 + # steps: + # - uses: actions/checkout@v6 + # - uses: maxim-lobanov/setup-xcode@v1 + # with: + # xcode-version: latest-stable + # - uses: subosito/flutter-action@v2 + # with: + # channel: 'stable' + # - run: flutter pub get + # - run: flutter build macos --release + # - name: Codesign executable + # env: + # MACOS_CERTIFICATE: ${{ secrets.MACOS_CERTIFICATE }} + # MACOS_CERTIFICATE_PWD: ${{ secrets.MACOS_CERTIFICATE_PWD }} + # KEYCHAIN_PASSWORD: ${{ secrets.MACOS_KEYCHAIN_PASSWORD }} + # MACOS_SIGN_IDENTITY: ${{ secrets.MACOS_SIGN_IDENTITY }} + # run: | + # echo "$MACOS_CERTIFICATE" | base64 --decode > certificate.p12 + # security create-keychain -p $KEYCHAIN_PASSWORD build.keychain + # security default-keychain -s build.keychain + # security unlock-keychain -p $KEYCHAIN_PASSWORD build.keychain + # security import certificate.p12 -k build.keychain -P $MACOS_CERTIFICATE_PWD -T /usr/bin/codesign + # security set-key-partition-list -S apple-tool:,apple:,codesign: -s -k $KEYCHAIN_PASSWORD build.keychain + # security find-identity + # /usr/bin/codesign --force --deep --options runtime --entitlements macos/Runner/Release.entitlements -s "$MACOS_SIGN_IDENTITY" build/macos/Build/Products/Release/Wispar.app + # /usr/bin/codesign --verify --deep --strict --verbose=2 build/macos/Build/Products/Release/Wispar.app + # - name: Notarize app + # env: + # APPLE_ID: ${{ secrets.APPLE_ID }} + # APPLE_PASSWORD: ${{ secrets.APPLE_PASSWORD }} + # uses: lando/notarize-action@v2 + # with: + # product-path: "build/macos/Build/Products/Release/Wispar.app" + # appstore-connect-username: ${{ 
secrets.APPLE_ID }} + # appstore-connect-password: ${{ secrets.APPLE_PASSWORD }} + # appstore-connect-team-id: ${{ secrets.APPLE_TEAM_ID }} + # - name: Staple notarization + # run: | + # xcrun stapler staple build/macos/Build/Products/Release/Wispar.app + # - name: Create dmg + # env: + # MACOS_SIGN_IDENTITY: ${{ secrets.MACOS_SIGN_IDENTITY }} + # run: | + # brew install create-dmg + # create-dmg \ + # --volname "Wispar" \ + # --window-size 800 529 \ + # --icon-size 130 \ + # --app-drop-link 540 250 \ + # "Wispar.dmg" \ + # build/macos/Build/Products/Release/Wispar.app + # /usr/bin/codesign --force -s "$MACOS_SIGN_IDENTITY" Wispar.dmg + # - uses: actions/upload-artifact@v7 + # with: + # name: wispar-macos-dmg + # path: Wispar.dmg build-windows: name: Build for Windows @@ -188,7 +188,7 @@ jobs: create-release: name: Create GitHub Release runs-on: ubuntu-latest - needs: [build-android, build-macos, build-windows] + needs: [build-android, build-windows] #[build-android, build-macos, build-windows] steps: - uses: actions/checkout@v6 - name: Download Android artifacts @@ -196,11 +196,11 @@ jobs: with: name: android-artifacts path: android-artifacts - - name: Download macOS artifact - uses: actions/download-artifact@v8 - with: - name: wispar-macos-dmg - path: macos-artifacts + # - name: Download macOS artifact + # uses: actions/download-artifact@v8 + # with: + # name: wispar-macos-dmg + # path: macos-artifacts - name: Download Windows artifact uses: actions/download-artifact@v8 with: @@ -217,7 +217,6 @@ jobs: artifacts: | android-artifacts/app-release.apk, android-artifacts/app-release.aab, - macos-artifacts/Wispar.dmg, windows-artifacts/wispar_setup.exe tag: v${{ env.VERSION }} token: ${{ secrets.TOKEN }} diff --git a/macos/Runner.xcodeproj/project.pbxproj b/macos/Runner.xcodeproj/project.pbxproj index ad1fd32f..800de1a9 100644 --- a/macos/Runner.xcodeproj/project.pbxproj +++ b/macos/Runner.xcodeproj/project.pbxproj 
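Review bot: Disabling `build-macos` by commenting out the whole job leaves a large block of dead YAML that will drift from the rest of the workflow. Deleting it (git history keeps it) or keeping it live behind a job-level `if: false` would be easier to review, with the `needs:` and artifact-list changes kept as they are. Before the job is re-enabled, the signing step deserves a second look: it writes `certificate.p12` into the workspace and creates `build.keychain` without removing either afterwards, and it expands `$KEYCHAIN_PASSWORD` and `$MACOS_CERTIFICATE_PWD` unquoted. `maxim-lobanov/setup-xcode@v1` and `lando/notarize-action@v2` run in a job that holds the signing and Apple ID secrets yet are referenced by mutable tags, so pinning them to a full commit SHA would limit that exposure.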
@@ -577,9 +577,9 @@ CLANG_ENABLE_MODULES = YES; CODE_SIGN_ENTITLEMENTS = Runner/DebugProfile.entitlements; CODE_SIGN_IDENTITY = "Apple Development"; - CODE_SIGN_STYLE = Manual; + CODE_SIGN_STYLE = Automatic; COMBINE_HIDPI_IMAGES = YES; - DEVELOPMENT_TEAM = ""; + DEVELOPMENT_TEAM = MAX4AK5MU7; ENABLE_APP_SANDBOX = YES; ENABLE_HARDENED_RUNTIME = YES; ENABLE_INCOMING_NETWORK_CONNECTIONS = NO; @@ -697,7 +697,7 @@ CLANG_WARN_OBJC_ROOT_CLASS = YES_ERROR; CLANG_WARN_RANGE_LOOP_ANALYSIS = YES; CLANG_WARN_SUSPICIOUS_MOVE = YES; - CODE_SIGN_IDENTITY = ""; + CODE_SIGN_IDENTITY = "-"; COPY_PHASE_STRIP = NO; DEAD_CODE_STRIPPING = YES; DEBUG_INFORMATION_FORMAT = "dwarf-with-dsym"; @@ -729,9 +729,9 @@ CLANG_ENABLE_MODULES = YES; CODE_SIGN_ENTITLEMENTS = Runner/DebugProfile.entitlements; CODE_SIGN_IDENTITY = "Apple Development"; - CODE_SIGN_STYLE = Manual; + CODE_SIGN_STYLE = Automatic; COMBINE_HIDPI_IMAGES = YES; - DEVELOPMENT_TEAM = ""; + DEVELOPMENT_TEAM = MAX4AK5MU7; ENABLE_APP_SANDBOX = YES; ENABLE_HARDENED_RUNTIME = YES; ENABLE_INCOMING_NETWORK_CONNECTIONS = NO; @@ -764,10 +764,10 @@ ASSETCATALOG_COMPILER_APPICON_NAME = AppIcon; CLANG_ENABLE_MODULES = YES; CODE_SIGN_ENTITLEMENTS = Runner/Release.entitlements; - CODE_SIGN_IDENTITY = ""; - CODE_SIGN_STYLE = Manual; + CODE_SIGN_IDENTITY = "Apple Development"; + CODE_SIGN_STYLE = Automatic; COMBINE_HIDPI_IMAGES = YES; - DEVELOPMENT_TEAM = ""; + DEVELOPMENT_TEAM = MAX4AK5MU7; ENABLE_APP_SANDBOX = YES; ENABLE_HARDENED_RUNTIME = YES; ENABLE_INCOMING_NETWORK_CONNECTIONS = NO;
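Review bot: These four hunks restore exactly the values that PATCH 2/3 changed (`CODE_SIGN_STYLE = Automatic`, `DEVELOPMENT_TEAM = MAX4AK5MU7`, `CODE_SIGN_IDENTITY = "-"` and `"Apple Development"`), but the subject "disable macos build" does not mention the revert. Dropping the signing hunks from patch 2, or adding a line to this message saying why manual signing was backed out, would keep the history readable. With the Release block back on `CODE_SIGN_IDENTITY = "Apple Development"`, the product Xcode builds is presumably development-signed, so any distribution signature would still have to come from a separate step such as the one this commit disables.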