chore(build): Add macOS production scheme and Developer ID Application signing support for standalone distribution (#3185)

* change product bundle identifier (com.komodo.wallet)

* Set sdk submodule to chore/sdk-universal-macos-cdn-pods

#3175

* XCode: add production scheme and corresponding configurations

* make Release-production sign with Developer ID Application

* sdk: temp following submodules for patch-macos-release-profile

new https://github.com/KomodoPlatform/komodo-defi-sdk-flutter/tree/patch-macos-release-profile
branch for macos Developer ID Application release preparations.

* sdk: update submodules

* add OTHER_CODE_SIGN_FLAGS --options=runtime --timestamp

* fix developement team for Release-production

after this - kdf binary is signed (but still without timestamp)

* fix codesigning for Pods (now CP-User signing in Pods receive correct env)

'Release-production'=> :release, - CocoaPods will create this config in Pods project

* add --options=runtime --timestamp for codesigning pods

* sdk: pin version with code_sign_if_enabled in cp-user sh script

* sdk: bump to new location of KDF binary under MacOS

* macos: XCode project update / Pods_Runner.framework in Frameworks

* build(macos): set CODE_SIGN_INJECT_BASE_ENTITLEMENTS to NO for Release

need to remove below from Entitlements
"com.apple.security.get-task-allow" = 1;

To check:
codesign -d --entitlements :- "build/macos/Build/Products/Release-production/Komodo Wallet.app" | plutil -p -

Read more:
https://developer.apple.com/documentation/security/resolving-common-notarization-issues#3087731

* update .gitignore to exclude dist/ directory

* feat: add make-dmg.sh script for building DMG files on macOS

This script automates the process of creating a DMG file for the Komodo Wallet application, including setting up the Finder layout and handling background images. It requires macOS and utilizes hdiutil, osascript, and ditto for the operations.

* feat: add test-sign-timestamp.sh script for verifying code signing and timestamping on macOS

This script checks the code signing and timestamping of the Komodo Wallet application, providing feedback on the presence of timestamps and the authority of the timestamping service. It simplifies the verification process for macOS app builds.

* feat: enhance make-dmg.sh script with default app path and usage instructions

* chore: update Podfile.lock to include device_info_plus and update dependencies

* chore: update subproject commit reference in sdk

* feat: add README.md for contrib scripts and enhance test-sign-timestamp.sh

* chore(sdk): roll submodule to latest dev

- Update .gitmodules to track dev
- Sync sdk to origin/dev

---------

Co-authored-by: Nitride <[email protected]>

Author: DeckerSU

.gitignore

@@ -82,3 +82,5 @@ venv/
 .fvm/
 /macos/build
 AGENTS_1.md
+# .dmg Release
+dist/

contrib/README.md

@@ -0,0 +1,147 @@
+# Contrib Scripts
+
+This directory contains utility scripts for building, packaging, and testing the Komodo Wallet application.
+
+## Scripts Overview
+
+### `make-dmg.sh`
+Creates a professional DMG installer for macOS applications.
+
+**Purpose:** Builds a disk image (.dmg) file with proper layout for distributing macOS applications.
+
+**Features:**
+- Creates a disk image with the application bundle
+- Adds a shortcut to the Applications folder
+- Supports custom background images
+- Configures proper Finder window layout and icon positioning
+- Compresses the final output
+
+**Usage:**
+```bash
+# Use default app path
+./make-dmg.sh
+
+# Or specify custom parameters
+APP="build/.../Komodo Wallet.app" \
+VOL="Komodo Wallet" \
+OUT="dist/KomodoWallet.dmg" \
+BG="assets/dmg_background.png" \
+./make-dmg.sh
+```
+
+**Default Parameters:**
+- `APP`: `build/macos/Build/Products/Release-production/Komodo Wallet.app`
+- `VOL`: `Komodo Wallet`
+- `OUT`: `dist/KomodoWallet.dmg`
+- `BG`: (optional background image)
+- `ICON_SIZE`: `128`
+- `WIN_W`: `530` (Finder window width)
+- `WIN_H`: `400` (Finder window height)
+
+**Requirements:** macOS, hdiutil, osascript, ditto
+
+---
+
+### `test-sign-timestamp.sh`
+Checks code signing and timestamping for macOS applications.
+
+**Purpose:** Verifies that all executable Mach-O files in the app bundle are properly signed and timestamped.
+
+**Features:**
+- Scans all executable files in the app bundle
+- Checks for valid code signatures
+- Verifies timestamping (Apple's timestamp authority)
+- Provides colored output for easy reading
+- Reports missing timestamps
+
+**Usage:**
+```bash
+# Use default app path
+./test-sign-timestamp.sh
+
+# Or specify custom app path
+./test-sign-timestamp.sh "path/to/your/app.app"
+```
+
+**Default App Path:** `build/macos/Build/Products/Release-production/Komodo Wallet.app`
+
+**Requirements:** macOS, codesign utility
+
+
+## Release Build and Notarization Process for macOS (Non-App Store Distribution)
+
+To build and notarize the macOS app for release (for distribution outside the Mac App Store), follow these steps.  
+Note: The `--flavor production` flag is mandatory in the build command to ensure correct provisioning for signing with a Developer ID Application certificate and for proper notarization/distribution outside the App Store.
+
+```bash
+# 1. Clean the project and fetch dependencies
+flutter clean
+flutter pub get --enforce-lockfile
+pushd macos; pod deintegrate; pod install; popd    # Generating Pods project
+
+# 2. Fetch all required artifacts (this runs komodo_wallet_build_transformer)
+flutter build web --no-pub -v
+
+# 3. Build the macOS release application (ensure --flavor production is present)
+flutter build macos --no-pub --release -v \
+  --dart-define=COMMIT_HASH=<hash> \
+  --dart-define=FEEDBACK_API_KEY=<key> \
+  --dart-define=FEEDBACK_PRODUCTION_URL=<url> \
+  --dart-define=TRELLO_BOARD_ID=<id> \
+  --dart-define=TRELLO_LIST_ID=<id> \
+  --dart-define=MATOMO_URL=<url> \
+  --dart-define=MATOMO_SITE_ID=<id> \
+  --flavor production
+```
+Replace the `<...>` placeholders above with your actual values.
+
+To view app entitlements used in the resulting .app:
+```bash
+codesign -d --entitlements :- "build/macos/Build/Products/Release-production/Komodo Wallet.app" | plutil -p -
+```
+
+Package the application bundle as a ZIP archive (required by notary service):
+```bash
+APP="build/macos/Build/Products/Release-production/Komodo Wallet.app"
+ZIP="KomodoWallet.zip"
+ditto -c -k --keepParent "$APP" "$ZIP"
+```
+
+Submit the ZIP archive to Apple Notary Service:
+```bash
+xcrun notarytool submit "$ZIP" --keychain-profile "AC_NOTARY" --wait
+```
+
+Check notarization status for a specific request:
+```bash
+xcrun notarytool info <REQUEST_ID> \
+  --apple-id "<apple_id_email>" \
+  --team-id "<TEAM_ID>" \
+  --password "<app-specific-password>"
+```
+
+Download notarization log:
+```bash
+xcrun notarytool log <REQUEST_ID> --keychain-profile AC_NOTARY > notarization_errors.json
+```
+
+If there were no errors and the submission status was `Accepted`, you can proceed with the following steps to staple and validate the app:
+
+```bash
+xcrun stapler staple "$APP"
+xcrun stapler validate "$APP"
+spctl --assess --type execute -vv "$APP"   # now the status should be accepted
+```
+
+
+
+
+
+
+
+
+
+
+
+
+

contrib/make-dmg.sh

@@ -0,0 +1,228 @@
+#!/usr/bin/env bash
+# make_dmg.sh — Build DMG with layout «App ⇢ Applications»
+# 
+# This script creates a professional DMG installer for macOS applications.
+# It creates a disk image with:
+# - The application bundle
+# - A shortcut to Applications folder
+# - Custom background image (optional)
+# - Proper Finder window layout and icon positioning
+# - Compressed final output
+#
+# Requires: macOS, hdiutil, osascript, ditto.
+
+set -euo pipefail
+
+# ------------------------ PARAMETERS ------------------------
+# Default app path
+DEFAULT_APP="build/macos/Build/Products/Release-production/Komodo Wallet.app"
+
+APP="${APP:-$DEFAULT_APP}"            # Path to .app (uses default if not specified)
+VOL="${VOL:-Komodo Wallet}"          # Volume/window name for DMG
+OUT="${OUT:-dist/KomodoWallet.dmg}"  # Path to output .dmg
+BG="${BG:-}"                         # Path to PNG background (optional)
+ICON_SIZE="${ICON_SIZE:-128}"        # Icon size
+WIN_W="${WIN_W:-530}"                # Finder window width in DMG
+WIN_H="${WIN_H:-400}"                # Finder window height in DMG
+APP_X="${APP_X:-120}"                # .app icon position (x)
+APP_Y="${APP_Y:-200}"                # .app icon position (y)
+APPS_X="${APPS_X:-400}"              # Applications shortcut position (x)
+APPS_Y="${APPS_Y:-200}"              # Applications shortcut position (y)
+
+usage() {
+  cat <<EOF
+Usage:
+  # Use default app path
+  ./make_dmg.sh
+  
+  # Or specify custom parameters
+  APP="build/.../Komodo Wallet.app" \\
+  VOL="Komodo Wallet" \\
+  OUT="dist/KomodoWallet.dmg" \\
+  BG="assets/dmg_background.png" \\
+  ./make_dmg.sh
+  
+Default APP path: $DEFAULT_APP
+EOF
+}
+[[ ! -d "${APP}" ]] && { echo >&2 "ERROR: .app not found: ${APP}"; exit 1; }
+
+APP_BASENAME="$(basename "${APP}")"
+OUT_DIR="$(dirname "${OUT}")"
+mkdir -p "${OUT_DIR}"
+
+# Work in local tmp inside project — fewer TCC issues
+TMPROOT="${TMPROOT:-$PWD/.dmg_tmp}"
+mkdir -p "$TMPROOT"
+TMPDIR="$(mktemp -d "$TMPROOT/tmp.XXXXXXXX")"
+STAGING="${TMPDIR}/staging"
+mkdir -p "${STAGING}"
+
+cleanup() {
+  set +e
+  if [[ -n "${MOUNT_POINT:-}" && -d "${MOUNT_POINT:-}" ]]; then
+    hdiutil detach "${MOUNT_POINT}" -quiet || true
+  fi
+  rm -rf "${TMPDIR}" >/dev/null 2>&1 || true
+}
+trap cleanup EXIT
+
+echo "==> Preparing staging"
+cp -R "${APP}" "${STAGING}/"
+ln -s /Applications "${STAGING}/Applications"
+
+if [[ -n "${BG}" ]]; then
+  echo "==> Adding background ${BG}"
+  mkdir -p "${STAGING}/.background"
+  cp "${BG}" "${STAGING}/.background/background.png"
+  chflags hidden "${STAGING}/.background" || true
+fi
+
+# --------- IMAGE SIZE CALCULATION (with margin) ----------
+echo "==> Estimating image size"
+# Staging size in kilobytes
+SIZE_KB=$(du -sk "${STAGING}" | awk '{print $1}')
+# Add ~30% margin + minimum 20 MB
+HEADROOM_KB=$(( SIZE_KB / 3 ))
+[[ ${HEADROOM_KB} -lt 20480 ]] && HEADROOM_KB=20480
+TOTAL_KB=$(( SIZE_KB + HEADROOM_KB ))
+# Round to megabytes
+TOTAL_MB=$(( (TOTAL_KB + 1023) / 1024 ))
+echo "    Estimated size: ${TOTAL_MB} MiB"
+
+TMP_DMG="${TMPDIR}/tmp.dmg"
+FINAL_DMG="${OUT}"
+
+echo "==> Creating empty RW DMG (${TOTAL_MB} MiB)"
+hdiutil create -verbose \
+  -size "${TOTAL_MB}m" \
+  -fs HFS+J -volname "${VOL}" \
+  "${TMP_DMG}"
+
+# if volume with same name is mounted — unmount it
+if [[ -d "/Volumes/${VOL}" ]]; then
+  hdiutil detach "/Volumes/${VOL}" -force -quiet || true
+fi
+
+echo "==> Mounting DMG"
+MOUNT_POINT="${TMPDIR}/mnt"
+mkdir -p "${MOUNT_POINT}"
+
+# Mount directly to our directory
+if ! hdiutil attach "${TMP_DMG}" \
+      -readwrite -noverify -noautoopen \
+      -mountpoint "${MOUNT_POINT}" >/dev/null; then
+  echo >&2 "ERROR: failed to mount DMG (attach returned error)"
+  exit 1
+fi
+
+# Check that it's actually mounted
+if [[ ! -d "${MOUNT_POINT}" || ! -e "${MOUNT_POINT}/." ]]; then
+  echo >&2 "ERROR: failed to mount DMG (mountpoint not accessible)"
+  exit 1
+fi
+echo "    Mounted at: ${MOUNT_POINT}"
+
+# --------- CONTENT COPYING (DITTO) ----------
+echo "==> Copying content to volume (ditto)"
+# Application
+ditto "${STAGING}/${APP_BASENAME}" "${MOUNT_POINT}/${APP_BASENAME}"
+# Applications shortcut (recreate on volume side)
+rm -f "${MOUNT_POINT}/Applications" 2>/dev/null || true
+ln -s /Applications "${MOUNT_POINT}/Applications"
+# Background (if exists)
+if [[ -f "${STAGING}/.background/background.png" ]]; then
+  mkdir -p "${MOUNT_POINT}/.background"
+  ditto "${STAGING}/.background/background.png" "${MOUNT_POINT}/.background/background.png"
+  chflags hidden "${MOUNT_POINT}/.background" || true
+fi
+
+# --------- FINDER WINDOW STYLING ----------
+echo "==> Setting up Finder layout"
+sleep 2  # give Finder a bit more time to see the mounted volume
+osascript <<OSAEOF
+set mpPOSIX to "$MOUNT_POINT"
+set appName to "$APP_BASENAME"
+
+tell application "Finder"
+  activate
+  set mp to (POSIX file mpPOSIX) as alias
+
+  -- Open and get real window
+  open mp
+  delay 0.5
+  set w to window 1
+  try
+    set target of w to (folder mp)
+  end try
+
+  -- Window parameters
+  try
+    tell w
+      set current view to icon view
+      set toolbar visible to false
+      set statusbar visible to false
+      set bounds to {100, 100, 100 + $WIN_W, 100 + $WIN_H}
+    end tell
+  end try
+
+  -- Icon options
+  try
+    set vo to the icon view options of w
+    try
+      set arrangement of vo to not arranged
+    end try
+    try
+      set icon size of vo to $ICON_SIZE
+    end try
+  end try
+
+  -- Background (if possible — great; if not — just skip)
+  try
+    set bgAlias to (POSIX file (mpPOSIX & "/.background/background.png")) as alias
+    set background picture of (the icon view options of w) to bgAlias
+  end try
+
+  -- Icon positions
+  try
+    set position of item appName of (folder mp) to {$APP_X, $APP_Y}
+  end try
+  try
+    set position of item "Applications" of (folder mp) to {$APPS_X, $APPS_Y}
+  end try
+
+  try
+    update without registering applications
+  end try
+
+  delay 0.6
+  try
+    close w
+    delay 0.3
+    open mp
+    delay 0.3
+  end try
+end tell
+OSAEOF
+
+echo "==> Unmounting DMG"
+for i in {1..5}; do
+  if hdiutil detach "${MOUNT_POINT}" -quiet; then
+    DETACHED=1
+    break
+  fi
+  echo "    Retry attempt (${i})..."
+  sleep 1
+done
+[[ -z "${DETACHED:-}" ]] && { echo >&2 "ERROR: failed to unmount ${MOUNT_POINT}"; exit 1; }
+
+# Remove old DMG if it already exists
+if [[ -f "${FINAL_DMG}" ]]; then
+  echo "==> Removing old file ${FINAL_DMG}"
+  rm -f "${FINAL_DMG}"
+fi
+
+echo "==> Converting to compressed UDZO"
+hdiutil convert -verbose "${TMP_DMG}" -format UDZO -imagekey zlib-level=9 -o "${FINAL_DMG}"
+
+echo "==> Done: ${FINAL_DMG}"