move signing mac apps to own script (#5999)

.github/workflows/desktop-build.yml

@@ -292,10 +292,6 @@ jobs:
           BUILDTYPE: '${{matrix.type}}'
           MAKE_PACKAGE: '${{matrix.make_package}}'
           PACKAGE_SUFFIX: '-macOS${{matrix.target}}_${{matrix.soc}}'
-          MACOS_CERTIFICATE: ${{ secrets.PROD_MACOS_CERTIFICATE }}
-          MACOS_CERTIFICATE_PWD: ${{ secrets.PROD_MACOS_CERTIFICATE_PWD }}
-          MACOS_CERTIFICATE_NAME: ${{ secrets.PROD_MACOS_CERTIFICATE_NAME }}
-          MACOS_CI_KEYCHAIN_PWD: ${{ secrets.PROD_MACOS_CI_KEYCHAIN_PWD }}
           CMAKE_GENERATOR: '${{env.CMAKE_GENERATOR}}'
         run: .ci/compile.sh --server --test --ccache "$CCACHE_SIZE"
 
@@ -308,47 +304,16 @@ jobs:
 
       - name: Sign app bundle
         if: matrix.make_package && (github.ref == 'refs/heads/master' || needs.configure.outputs.tag != null)
+        shell: bash
         env:
           MACOS_CERTIFICATE_NAME: ${{ secrets.PROD_MACOS_CERTIFICATE_NAME }}
+          MACOS_CERTIFICATE: ${{ secrets.PROD_MACOS_CERTIFICATE }}
+          MACOS_CERTIFICATE_PWD: ${{ secrets.PROD_MACOS_CERTIFICATE_PWD }}
           MACOS_CI_KEYCHAIN_PWD: ${{ secrets.PROD_MACOS_CI_KEYCHAIN_PWD }}
-        run: |
-          if [[ -n "$MACOS_CERTIFICATE_NAME" ]]
-          then
-            security unlock-keychain -p "$MACOS_CI_KEYCHAIN_PWD" build.keychain
-            /usr/bin/codesign --sign="$MACOS_CERTIFICATE_NAME" --entitlements=".ci/macos.entitlements" --options=runtime --force --deep --timestamp --verbose ${{steps.build.outputs.path}}
-          fi
-
-      - name: Notarize app bundle
-        if: matrix.make_package && (github.ref == 'refs/heads/master' || needs.configure.outputs.tag != null)
-        env:
           MACOS_NOTARIZATION_APPLE_ID: ${{ secrets.PROD_MACOS_NOTARIZATION_APPLE_ID }}
           MACOS_NOTARIZATION_TEAM_ID: ${{ secrets.PROD_MACOS_NOTARIZATION_TEAM_ID }}
           MACOS_NOTARIZATION_PWD: ${{ secrets.PROD_MACOS_NOTARIZATION_PWD }}
-        run: |
-          if [[ -n "$MACOS_NOTARIZATION_APPLE_ID" ]]
-          then
-            # Store the notarization credentials so that we can prevent a UI password dialog from blocking the CI
-            echo "Create keychain profile"
-            xcrun notarytool store-credentials "notarytool-profile" --apple-id "$MACOS_NOTARIZATION_APPLE_ID" --team-id "$MACOS_NOTARIZATION_TEAM_ID" --password "$MACOS_NOTARIZATION_PWD"
-  
-            # We can't notarize an app bundle directly, but we need to compress it as an archive.
-            # Therefore, we create a zip file containing our app bundle, so that we can send it to the
-            # notarization service
-            echo "Creating temp notarization archive"
-            ditto -c -k --keepParent ${{steps.build.outputs.path}} "notarization.zip"
-  
-            # Here we send the notarization request to the Apple's Notarization service, waiting for the result.
-            # This typically takes a few seconds inside a CI environment, but it might take more depending on the App
-            # characteristics. Visit the Notarization docs for more information and strategies on how to optimize it if
-            # you're curious
-            echo "Notarize app"
-            xcrun notarytool submit "notarization.zip" --keychain-profile "notarytool-profile" --wait
-  
-            # Finally, we need to "attach the staple" to our executable, which will allow our app to be
-            # validated by macOS even when an internet connection is not available.
-            echo "Attach staple"
-            xcrun stapler staple ${{steps.build.outputs.path}}
-          fi
+        run: .ci/sign_macos.sh ${{steps.build.outputs.path}}
 
       - name: Upload artifact
         id: upload_artifact