From 23a9f30d45ea25fada809db757b85c175d048936 Mon Sep 17 00:00:00 2001
From: Jim Myhrberg <contact@jimeh.me>
Date: Tue, 14 Nov 2023 21:17:37 +0000
Subject: [PATCH] fix(signing): add self-signing step that is enabled by
 default

This should resolve issues on Apple Silicon machines where macOS refuses
to run applications without any signatures. On Intel machines it seems
to make not difference.

If you want to skip the self-signing step, use the `--no-self-sign`
flag.
---
 build-emacs-for-macos | 11 +++++++++++
 1 file changed, 11 insertions(+)

diff --git a/build-emacs-for-macos b/build-emacs-for-macos
index 5f11275..c8dae31 100755
--- a/build-emacs-for-macos
+++ b/build-emacs-for-macos
@@ -172,6 +172,7 @@ class Build
       relink_eln_files: options[:relink_eln]
     ).embed
     GccLibEmbedder.new(app, gcc_info).embed if options[:native_comp]
+    self_sign_app(app) if options[:self_sign]
 
     archive_build(build_dir) if options[:archive]
   end
@@ -646,6 +647,10 @@ class Build
     @archive_filename ||= File.join(output_dir, "#{build_name}.tbz")
   end
 
+  def self_sign_app(app)
+    cmd('codesign', '--force', '--deep', '-s', '-', app)
+  end
+
   def archive_build(build_dir)
     filename = File.basename(archive_filename)
     target_dir = File.dirname(archive_filename)
@@ -1470,6 +1475,7 @@ if __FILE__ == $PROGRAM_NAME
     github_src_repo: nil,
     github_auth: true,
     dist_include: ['COPYING'],
+    self_sign: true,
     archive: true,
     archive_keep: false,
     log_level: 'info'
@@ -1604,6 +1610,11 @@ if __FILE__ == $PROGRAM_NAME
           'folder/archive (default: COPYING)'
         ) { |v| cli_options[:dist_include] = v }
 
+        opts.on(
+          '--[no-]self-sign',
+          'Enable/disable self-signing of Emacs.app (default: enabled)'
+        ) { |v| cli_options[:self_sign] = v }
+
         opts.on(
           '--[no-]archive',
           'Enable/disable creating *.tbz archive (default: enabled)'