Update MacQetDeploy_arm64.sh

↓
  windows-build.yml
  ├── build-windows  →  generates an exe file + zip + portable artefact
  └── deploy-pages   →  clears old files, uploads the exe file + zip to the ‘release nightly’ repository
        ↓ (workflow_run: completed + successful)
  windows-msi.yml
  ├── uploads the portable artefact
  ├── builds the MSI with WiX v7
  ├── deletes the old .msi, uploads the MSI to the nightly version
  └── generates and deploys GitHub Pages  ← the 3 URLs are known here
The GitHub Pages page is no longer generated by windows-build.yml but by windows-msi.yml once the MSI is in the release

.github/workflows/windows-build.yml

@@ -1,11 +1,9 @@
 name: Windows Build
 
 on:
-  push:
-    branches: [ master ]
-  pull_request:
-    branches: [ master ]
-  workflow_dispatch:
+  schedule:
+    - cron: '0 2 * * 1'   # Every Monday at 2:00 UTC
+  workflow_dispatch:       # Manual trigger available at any time
 
 concurrency:
   group: ${{ github.workflow }}-${{ github.ref }}
@@ -366,8 +364,6 @@ jobs:
     if: github.event_name != 'pull_request'
     permissions:
       contents: write
-      pages: write
-      id-token: write
 
     steps:
       - name: Checkout master (for build-aux scripts)
@@ -391,6 +387,20 @@ jobs:
           path: downloaded/portable/
           merge-multiple: true
 
+      - name: Delete old nightly assets (.exe and .zip)
+        env:
+          GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+          REPO: ${{ github.repository }}
+        run: |
+          # Fetch existing .exe and .zip asset names and delete them
+          gh release view nightly --repo "$REPO" --json assets \
+            --jq '.assets[] | select(.name | test("\\.(exe|zip)$")) | .name' \
+          | while read -r name; do
+              echo "Deleting old asset: $name"
+              gh release delete-asset nightly "$name" --repo "$REPO" --yes
+            done
+          echo "Old .exe and .zip assets deleted."
+
       - name: Update nightly release
         uses: softprops/action-gh-release@v2
         with:
@@ -414,39 +424,5 @@ jobs:
             downloaded/portable/*.zip
           token: ${{ secrets.GITHUB_TOKEN }}
 
-      - name: Generate download page (index.html)
-        env:
-          GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
-          DATE: "placeholder"
-        run: |
-          DATE=$(date -u '+%Y-%m-%d %H:%M UTC')
-          SHORT="${{ github.sha }}"
-          SHORT="${SHORT:0:7}"
-          REPO="${{ github.repository }}"
-          RUN_URL="https://github.com/$REPO/actions/runs/${{ github.run_id }}"
-          EXE_NAME=$(ls downloaded/installer/*.exe | xargs -I{} basename {})
-          INSTALLER_URL="https://github.com/$REPO/releases/download/nightly/$EXE_NAME"
-          ZIP_NAME=$(ls downloaded/portable/*.zip | xargs -I{} basename {})
-          PORTABLE_URL="https://github.com/$REPO/releases/download/nightly/$ZIP_NAME"
-          MSI_NAME=$(gh release view nightly --json assets --jq '.assets[].name' 2>/dev/null \
-            | grep '\.msi$' | head -1 || echo "")
-          MSI_URL=""
-          [ -n "$MSI_NAME" ] && MSI_URL="https://github.com/$REPO/releases/download/nightly/$MSI_NAME"
-          DATE=$(date -u '+%Y-%m-%d %H:%M UTC')
-          export DATE SHORT REPO SHA="${{ github.sha }}" RUN_URL
-          export RUN_NUMBER="${{ github.run_number }}"
-          export INSTALLER_URL PORTABLE_URL MSI_URL
-          # Write the page generator script to /tmp (build-aux/ not available
-          # in deploy-pages job which only checks out gh-pages branch)
-          python3 source/build-aux/generate-page.py
-
-      - name: Add .nojekyll to disable Jekyll processing
-        run: touch gh-pages/.nojekyll
-
-      - name: Upload GitHub Pages artifact
-        uses: actions/upload-pages-artifact@v3
-        with:
-          path: gh-pages/
-
-      - name: Deploy to GitHub Pages
-        uses: actions/deploy-pages@v4
+      # GitHub Pages is generated and deployed by windows-msi.yml
+      # after the MSI upload, so that all 3 URLs (exe, zip, msi) are known.

.github/workflows/windows-msi.yml

@@ -1,10 +1,16 @@
 name: Windows MSI (WiX v7)
 
 on:
+  # Triggered automatically after a successful Windows build on master
+  workflow_run:
+    workflows: ["Windows Build"]
+    types: [completed]
+    branches: [master]
+  # Manual trigger still available (e.g. for a specific run_id)
   workflow_dispatch:
     inputs:
       run_id:
-        description: "Run ID of 'Windows Build' (leave empty for the latest successful run)"
+        description: "Run ID of 'Windows Build' (leave empty for automatic)"
         required: false
         default: ""
 
@@ -12,6 +18,14 @@ jobs:
   build-msi:
     name: Build MSI with WiX v7
     runs-on: windows-latest
+    # Only runs if Windows Build succeeded (or triggered manually)
+    if: >
+      github.event_name == 'workflow_dispatch' ||
+      github.event.workflow_run.conclusion == 'success'
+    permissions:
+      contents: write
+      pages: write
+      id-token: write
 
     steps:
       # ----------------------------------------------------------------
@@ -32,7 +46,9 @@ jobs:
         with:
           name: qelectrotech-windows-portable
           path: artifact\files
-          run-id: ${{ github.event.inputs.run_id || github.run_id }}
+          # workflow_run => use the triggering run's ID
+          # workflow_dispatch => use input run_id if provided, otherwise current run
+          run-id: ${{ github.event.workflow_run.id || github.event.inputs.run_id || github.run_id }}
           github-token: ${{ secrets.GITHUB_TOKEN }}
           repository: ${{ github.repository }}
 
@@ -122,6 +138,10 @@ jobs:
 
           # Search for qelectrotech.exe in the artifact
           $exe = Get-ChildItem -Path "artifact\files" -Filter "qelectrotech.exe" -Recurse | Select-Object -First 1
+          if (-not $exe) {
+            # Also try QElectroTech.exe (capital Q)
+            $exe = Get-ChildItem -Path "artifact\files" -Filter "QElectroTech.exe" -Recurse | Select-Object -First 1
+          }
           if (-not $exe) {
             Write-Error "qelectrotech.exe not found in artifact"
             exit 1
@@ -243,10 +263,22 @@ jobs:
           if-no-files-found: error
 
       # ----------------------------------------------------------------
-      # 11. Upload MSI to nightly release
-      #     The nightly release is created/updated by windows-build.yml.
-      #     The MSI is added here so the GitHub Pages can link to it.
+      # 11. Delete old .msi asset then upload new MSI to nightly release
       # ----------------------------------------------------------------
+      - name: Delete old nightly .msi asset
+        env:
+          GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+          REPO: ${{ github.repository }}
+        run: |
+          gh release view nightly --repo "$REPO" --json assets \
+            --jq '.assets[] | select(.name | test("\\.msi$")) | .name' \
+          | while read -r name; do
+              echo "Deleting old asset: $name"
+              gh release delete-asset nightly "$name" --repo "$REPO" --yes
+            done
+          echo "Old .msi assets deleted."
+        shell: bash
+
       - name: Upload MSI to nightly release
         uses: softprops/action-gh-release@v2
         with:
@@ -273,3 +305,59 @@ jobs:
           } else {
             Write-Host "MSI          : FAILED ✗"
           }
+
+      # ----------------------------------------------------------------
+      # 13. Generate and deploy the GitHub Pages download page
+      #     Toutes les URLs sont connues ici (exe, zip, msi).
+      # ----------------------------------------------------------------
+      - name: Checkout (for generate-page.py)
+        uses: actions/checkout@v4
+        with:
+          ref: master
+          path: source
+          sparse-checkout: build-aux/generate-page.py
+          sparse-checkout-cone-mode: false
+
+      - name: Generate download page (index.html)
+        shell: bash
+        env:
+          GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+        run: |
+          set -euo pipefail
+          REPO="${{ github.repository }}"
+
+          # Fetch asset names from the nightly release (source of truth)
+          ASSETS=$(gh release view nightly --repo "$REPO" --json assets --jq '.assets[].name')
+
+          EXE_NAME=$(echo "$ASSETS" | grep '\.exe$' | head -1)
+          ZIP_NAME=$(echo "$ASSETS" | grep '\.zip$' | head -1)
+          MSI_NAME=$(echo "$ASSETS" | grep '\.msi$' | head -1 || echo "")
+
+          BASE="https://github.com/$REPO/releases/download/nightly"
+          INSTALLER_URL="$BASE/$EXE_NAME"
+          PORTABLE_URL="$BASE/$ZIP_NAME"
+          MSI_URL=""
+          [ -n "$MSI_NAME" ] && MSI_URL="$BASE/$MSI_NAME"
+
+          SHA="${{ github.event.workflow_run.head_sha || github.sha }}"
+          SHORT="${SHA:0:7}"
+          DATE=$(date -u '+%Y-%m-%d %H:%M UTC')
+          RUN_URL="https://github.com/$REPO/actions/runs/${{ github.run_id }}"
+          RUN_NUMBER="${{ github.run_number }}"
+
+          export DATE SHORT REPO SHA RUN_URL RUN_NUMBER
+          export INSTALLER_URL PORTABLE_URL MSI_URL
+
+          python3 source/build-aux/generate-page.py
+
+      - name: Add .nojekyll
+        shell: bash
+        run: touch gh-pages/.nojekyll
+
+      - name: Upload GitHub Pages artifact
+        uses: actions/upload-pages-artifact@v3
+        with:
+          path: gh-pages/
+
+      - name: Deploy to GitHub Pages
+        uses: actions/deploy-pages@v4

misc/MacQetDeploy_arm64.sh

@@ -16,7 +16,6 @@
     # along with QElectroTech.  If not, see <http://www.gnu.org/licenses/>.
  # Need homebrew and coreutils installed see <http://brew.sh>.
 
- 
 #Force MacOSX12.3.sdk
 #see: https://www.downtowndougbrown.com/2023/08/how-to-create-a-qt-5-arm-intel-universal-binary-for-mac/
 
@@ -26,14 +25,20 @@ export DEVELOPER_DIR=/Applications/Xcode_14.01.app/Contents/Developer
 APPNAME='qelectrotech'
 BUNDLE=$APPNAME.app
 APPBIN="$BUNDLE/Contents/MacOS/$APPNAME"
+IDENTITY="Developer ID Application: Laurent TRINQUES (Y73WZ6WZ5X)"
 
-# Emplacement du script
+# Temp paths
+RW_DMG="/tmp/qet_rw.dmg"
+MOUNT_POINT="/tmp/qet_dmg_mount"
+STAGING="/tmp/qet_dmg_staging"
+
+# Script location
 current_dir=$(dirname "$0")
 
-# On se remet au depart 
+# Go back to repo root
 cd "${current_dir}/../"
 
-# Emplacement courant
+# Current directory
 current_dir=$(PWD)
 
 
@@ -46,11 +51,11 @@ echo "Please see the \"Deploying an Application on Qt/Mac\""
 echo "page in the Qt documentation for more information."
 echo
 echo "This script :"
-echo "\t - up date the git depot"
-echo "\t - built the application bundle,"
+echo "\t - update the git depot"
+echo "\t - build the application bundle,"
 echo "\t - copy over required Qt frameworks,"
 echo "\t - copy additional files: translations, titleblocks and elements,"
-echo "\t - create image disk."
+echo "\t - notarize the .app, then create a signed DMG."
 echo
 echo "Enjoy ;-)"
 echo
@@ -70,25 +75,23 @@ echo
 echo "______________________________________________________________"
 echo "Run GIT:"
 
-# Fait une mise à jour
 git submodule init
 git submodule update
 git pull --recurse-submodules
 git pull
-#git checkout foliolist_position
-
-# recupere le numero de la nouvelle revision
 
+# Get revision number and version
 GITCOMMIT=$(git rev-parse --short HEAD)
 A=$(git rev-list HEAD --count)
 HEAD=$(($A+473))
 
-
 VERSION=$(cat sources/qetversion.cpp | grep "return QVersionNumber{"| head -n 1| awk -F "{" '{ print $2 }' | awk -F "}" '{ print $1 }' | sed -e 's/,/./g' -e 's/ //g')
-#VERSION=$(cat sources/qetversion.cpp | grep "return QVersionNumber{ 0, "| head -n 1| cut -c32-40| sed -e 's/,/./g' -e 's/ //g')   #Find major, minor, and micro version numbers in sources/qetversion.cp
 
-# Tarball de la dernière revision déjà créé
-if [ -e "build-aux/mac-osx/${APPNAME}-$VERSION-r$HEAD-arm64.zip" ] ; then
+DMG_NAME="${APPNAME}-$VERSION-r$HEAD-arm64.dmg"
+DMG_PATH="build-aux/mac-osx/$DMG_NAME"
+
+# Check if already built
+if [ -e "$DMG_PATH" ] ; then
     echo "There are not new updates, make disk image can"
     echo "take a lot of time (5 min). Can you continu?"
     echo  "[y/n]"
@@ -108,28 +111,27 @@ echo
 echo "______________________________________________________________"
 echo "Run make install:"
 
-# pour effacer l’ancienne compilation
+# Remove old bundle
 if [ -d $BUNDLE ] ; then
-    echo "Removing hold bundle..."
+    echo "Removing old bundle..."
     rm -rf $BUNDLE
 fi
 if [ -e Makefile ] ; then
-    echo "Removing hold Makefile..."
+    echo "Removing old Makefile..."
     rm .qmake.stash
     make clean
 fi
 
-# genere le Makefile
+# Generate Makefile
 echo "Generating new makefile..."
-qmake -spec macx-clang 
+qmake -spec macx-clang
 
-# compilation
+# Compile
 if [ -e Makefile.Release ] ; then
-	START_TIME=$SECONDS
-    
-    # arret du script si erreur de compilation
+    START_TIME=$SECONDS
+
     testSuccessBuild () {
-        if [ $? -ne 0 ]; then 
+        if [ $? -ne 0 ]; then
             cleanVerionTag
             ELAPSED_TIME=$(($SECONDS - $START_TIME))
             echo
@@ -138,19 +140,18 @@ if [ -e Makefile.Release ] ; then
         fi
     }
 
-    # utilise tout les coeurs pour une compilation plus rapide
     coeur=$(sysctl hw.ncpu | awk '{print $2}')
-    if [ $? -ne 0 ]; then 
+    if [ $? -ne 0 ]; then
         make -f Makefile.Release
         testSuccessBuild
     else
         make -j$(($coeur + 1)) -f Makefile.Release
         testSuccessBuild
     fi
-	
+
     ELAPSED_TIME=$(($SECONDS - $START_TIME))
-	echo
-	echo "The time of compilation is $(($ELAPSED_TIME/60)) min $(($ELAPSED_TIME%60)) sec" 
+    echo
+    echo "The time of compilation is $(($ELAPSED_TIME/60)) min $(($ELAPSED_TIME%60)) sec"
 else
     echo "ERROR: Makefile not found. This script requires the macx-clang makespec"
     exit
@@ -158,8 +159,7 @@ fi
 
 cp -R ${current_dir}/misc/Info.plist qelectrotech.app/Contents/
 cp -R ${current_dir}/ico/mac_icon/*.icns qelectrotech.app/Contents/Resources/
-# On rajoute le numero de version pour "cmd + i"
-/usr/libexec/PlistBuddy -c "Set :CFBundleShortVersionString $VERSION r$HEAD" "qelectrotech.app/Contents/Info.plist"  # Version number
+/usr/libexec/PlistBuddy -c "Set :CFBundleShortVersionString $VERSION r$HEAD" "qelectrotech.app/Contents/Info.plist"
 
 
 ### copy over frameworks ############################################
@@ -168,70 +168,58 @@ echo
 echo "______________________________________________________________"
 echo "Copy Qt libraries and private frameworks:"
 
-echo "Processing Mac deployment tool..." 
+echo "Processing Mac deployment tool..."
 if [ ! -d $BUNDLE ] ; then
     echo "ERROR: cannot find application bundle \"$BUNDLE\" in current directory"
     exit
 fi
-#~/Qt/5.5/clang_64/bin/macdeployqt $BUNDLE
 macdeployqt $BUNDLE
 
-### add file missing #######################################
+### add missing files ###############################################
 
 echo
 echo "______________________________________________________________"
-echo "Copy file missing:"
+echo "Copy missing files:"
 
-# Dossier à ajouter
 QET_ELMT_DIR="${current_dir}/elements/"
 QET_TBT_DIR="${current_dir}/titleblocks/"
 QET_LANG_DIR="${current_dir}/lang/"
 QET_EXAMPLES_DIR="${current_dir}/examples/"
 QET_FONTS_DIR="${current_dir}/fonts/"
 QET_LICENSES_DIR="${current_dir}/licenses/"
-
-
-# Add new folder for Qt dialog translation see
-## see <https://download.tuxfamily.org/qet/Qt_lang/>.
-
 LANG_DIR="${current_dir}/lang1/"
 
 if [ -d "${QET_ELMT_DIR}" ]; then
-    echo "Copying add elements in the bundle..."
-    #mkdir $BUNDLE/Contents/Resources/elements
+    echo "Copying elements in the bundle..."
     cp -R ${QET_ELMT_DIR} $BUNDLE/Contents/Resources/elements
 fi
 
 if [ -d "${QET_TBT_DIR}" ]; then
     echo "Copying titleblocks in the bundle..."
-    #mkdir $BUNDLE/Contents/Resources/titleblocks
     cp -R ${QET_TBT_DIR} $BUNDLE/Contents/Resources/titleblocks
 fi
 
 if [ -d "${QET_LANG_DIR}" ]; then
-    echo "Copying translations in the bundle... "
+    echo "Copying translations in the bundle..."
     mkdir $BUNDLE/Contents/Resources/lang
     cp ${current_dir}/lang/*.qm $BUNDLE/Contents/Resources/lang
 fi
 
 if [ -d "${LANG_DIR}" ]; then
-   echo "Copying translations in the bundle... "
-   cp ${current_dir}/lang1/*.qm $BUNDLE/Contents/Resources/lang
-
+    echo "Copying extra translations in the bundle..."
+    cp ${current_dir}/lang1/*.qm $BUNDLE/Contents/Resources/lang
 fi
 
 if [ -d "${QET_EXAMPLES_DIR}" ]; then
-   echo "Copying examples in the bundle... "
-   mkdir $BUNDLE/Contents/Resources/examples
-   cp ${current_dir}/examples/*.qet $BUNDLE/Contents/Resources/examples
-
+    echo "Copying examples in the bundle..."
+    mkdir $BUNDLE/Contents/Resources/examples
+    cp ${current_dir}/examples/*.qet $BUNDLE/Contents/Resources/examples
 fi
 
 if [ -d "${QET_FONTS_DIR}" ]; then
-   echo "Copying fonts in the bundle... "
-   mkdir $BUNDLE/Contents/Resources/fonts
-   cp ${current_dir}/fonts/*.ttf $BUNDLE/Contents/Resources/fonts
-
+    echo "Copying fonts in the bundle..."
+    mkdir $BUNDLE/Contents/Resources/fonts
+    cp ${current_dir}/fonts/*.ttf $BUNDLE/Contents/Resources/fonts
 fi
 
 if [ -d "${QET_LICENSES_DIR}" ]; then
@@ -240,99 +228,282 @@ if [ -d "${QET_LICENSES_DIR}" ]; then
     cp -R -L ${QET_LICENSES_DIR} $BUNDLE/Contents/Resources/licenses
 fi
 
-codesign  --force --deep --sign --timestamp -s "Developer ID Application: Laurent TRINQUES (Y73WZ6WZ5X)" --options=runtime $BUNDLE
-### create zip tarball ###############################################
+### Sign the bundle #################################################
+# Sign in correct order: all dylibs first (including flat libs copied
+# by macdeployqt from Homebrew), then frameworks, plugins, bundle last.
 
 echo
 echo "______________________________________________________________"
-echo "Create zip tarball:"
+echo "Code signing (dylibs -> frameworks -> plugins -> bundle):"
 
-/usr/bin/ditto -c -k --keepParent $BUNDLE "build-aux/mac-osx/${APPNAME}-$VERSION-r$HEAD-arm64.zip"
+# 1. Sign all flat .dylib files in Frameworks/
+echo "-- Signing dylibs in Frameworks/..."
+find "$BUNDLE/Contents/Frameworks" -name "*.dylib" | while read lib; do
+    echo "  $(basename $lib)"
+    codesign --force --sign "$IDENTITY" --timestamp --options=runtime "$lib"
+done
 
-### notarize zip tarball ###############################################
-echo  -e "\033[1;31mWould you like to upload for Notarize packages "${APPNAME}"-"$VERSION"-"r$HEAD-arm64.zip", n/Y?.\033[m"
+# 2. Sign .framework bundles
+echo "-- Signing .framework bundles..."
+find "$BUNDLE/Contents/Frameworks" -maxdepth 1 -name "*.framework" | while read fw; do
+    echo "  $(basename $fw)"
+    codesign --force --sign "$IDENTITY" --timestamp --options=runtime "$fw"
+done
+
+# 3. Sign plugins
+echo "-- Signing plugins..."
+find "$BUNDLE/Contents/PlugIns" \( -name "*.dylib" -o -name "*.so" \) | while read lib; do
+    echo "  $(basename $lib)"
+    codesign --force --sign "$IDENTITY" --timestamp --options=runtime "$lib"
+done
+
+# 4. Sign any dylibs in MacOS/
+echo "-- Signing dylibs in MacOS/..."
+find "$BUNDLE/Contents/MacOS" -name "*.dylib" | while read lib; do
+    echo "  $(basename $lib)"
+    codesign --force --sign "$IDENTITY" --timestamp --options=runtime "$lib"
+done
+
+# 5. Sign the main executable explicitly
+echo "-- Signing main executable..."
+codesign --force --sign "$IDENTITY" --timestamp --options=runtime \
+    "$BUNDLE/Contents/MacOS/$APPNAME"
+
+# 6. Sign the bundle itself last
+echo "-- Signing bundle..."
+codesign --force --sign "$IDENTITY" --timestamp --options=runtime "$BUNDLE"
+
+# 7. Verify
+echo
+echo "Verifying bundle signature..."
+codesign --verify --deep --strict --verbose=2 "$BUNDLE"
+if [ $? -ne 0 ]; then
+    echo "ERROR: bundle signature verification failed, aborting."
+    exit 1
+fi
+spctl -a -vv "$BUNDLE"
+echo "Bundle signature OK."
+
+### Notarize the .app (via temporary ZIP) ###########################
+
+echo
+echo "______________________________________________________________"
+echo "Create temporary ZIP for notarization:"
+
+NOTARIZE_ZIP="/tmp/${APPNAME}-$VERSION-r$HEAD-arm64-notarize.zip"
+/usr/bin/ditto -c -k --keepParent "$BUNDLE" "$NOTARIZE_ZIP"
+
+echo -e "\033[1;31mWould you like to notarize the .app \"${APPNAME}-${VERSION}-r${HEAD}\", n/Y?\033[m"
 read a
 if [[ $a == "Y" || $a == "y" ]]; then
-echo
-echo "______________________________________________________________"
-echo "Notarize zip tarball:"
-
-xcrun notarytool submit build-aux/mac-osx/${APPNAME}-$VERSION-r$HEAD-arm64.zip --keychain-profile "org.qelectrotech" --wait 
+    echo
+    echo "______________________________________________________________"
+    echo "Notarizing .app:"
+    xcrun notarytool submit "$NOTARIZE_ZIP" --keychain-profile "org.qelectrotech" --wait
+    if [ $? -ne 0 ]; then
+        echo "ERROR: notarization failed. Check the log with:"
+        echo "  xcrun notarytool log <submission-id> --keychain-profile org.qelectrotech"
+        rm -f "$NOTARIZE_ZIP"
+        exit 1
+    fi
 else
-echo  -e "\033[1;33mExit.\033[m"
-
+    echo -e "\033[1;33mExit.\033[m"
 fi
 
-### The end, process is done ##########################################
+echo "Cleaning up temporary notarization ZIP..."
+rm -f "$NOTARIZE_ZIP"
 
-echo
-echo "______________________________________________________________"
-echo "The process of creating deployable application zip is done."
-echo The disque image is in the folder \'build-aux/mac-osx\'.
-# Affiche les mise à jour depuis l'ancienne revision 
-#if [ ! $(($HEAD - $revAv)) -eq 0 ] ; then
-#    echo
-#    echo "There are new updates. This numero of revision is $HEAD."
- #   svn log -l $(($HEAD - $revAv))
-#else
- #   echo
-#    echo "There are not new updates. This numero of revision is $HEAD."
-# fi
-# echo
+### Staple the .app #################################################
 
-# La version en local n'est pas conforme à la dernière version svn
-# svnversion | grep -q '[MS:]' ; if [ $? -eq 0 ] ; then 
-#     echo Please note that the latest \local version is $(svnversion).
-#     echo This is not the same version as the deposit. 
-#     echo You can use \'svn diff\' to see the differences. 
-#     echo And use \'svn revert \<fichier\>\' to delete the difference. 
-#     echo To go back, you can use svn update -r 360 
-#     echo to go to revision number 360.
-#     echo
-#fi 
-
-# Clean up disk folder
-echo 'Cleaning up... '
-rm "build-aux/mac-osx/${APPNAME}-$VERSION-r$HEAD-arm64.zip"
-
-# staple the app
-echo  -e "\033[1;31mWould you like to  staple the app MacOS packages "${APPNAME}"-"$VERSION"-"r$HEAD", n/Y?.\033[m"
+echo -e "\033[1;31mWould you like to staple the .app \"${APPNAME}-${VERSION}-r${HEAD}\", n/Y?\033[m"
 read a
 if [[ $a == "Y" || $a == "y" ]]; then
-xcrun stapler staple -v $BUNDLE
+    xcrun stapler staple -v "$BUNDLE"
+    if [ $? -ne 0 ]; then
+        echo "ERROR: stapling .app failed."
+        exit 1
+    fi
+    echo "Verifying staple on .app..."
+    xcrun stapler validate -v "$BUNDLE"
+    spctl -a -vv "$BUNDLE"
+    echo ".app stapled OK."
 else
-echo  -e "\033[1;33mExit.\033[m"
-
+    echo -e "\033[1;33mExit.\033[m"
 fi
 
+### Create staging folder with Applications symlink #################
+# The staging folder contains the .app and a symlink to /Applications
+# so the user can drag-and-drop to install directly from the DMG.
 
 echo
 echo "______________________________________________________________"
-echo "Re Create zip tarball:"
+echo "Preparing DMG staging folder:"
 
-#/usr/bin/ditto -c -k --sequesterRsrc --keepParent $BUNDLE "build-aux/mac-osx/${APPNAME}-$VERSION-r$HEAD-arm64.zip"
-cd "$(dirname $BUNDLE)" && zip -r --symlinks "build-aux/mac-osx/${APPNAME}-$VERSION-r$HEAD-arm64.zip" "$BUNDLE" && cd -
+rm -rf "$STAGING"
+mkdir -p "$STAGING"
+cp -R "$BUNDLE" "$STAGING/"
+ln -s /Applications "$STAGING/Applications"
+echo "Staging folder ready: $STAGING"
 
+### Create writable DMG (UDRW) ######################################
+# We use a writable DMG first so we can re-sign the .app inside
+# after hdiutil copies it (hdiutil can invalidate Sealed Resources
+# during the copy, so we must re-sign inside the mounted volume).
 
-# Clean up disk folder
-echo 'Cleaning up... '
-rm -rf $BUNDLE
+echo
+echo "______________________________________________________________"
+echo "Create writable DMG (UDRW) and re-sign .app inside:"
 
+rm -f "$RW_DMG"
+hdiutil create \
+    -volname "QElectroTech $VERSION" \
+    -srcfolder "$STAGING" \
+    -ov \
+    -format UDRW \
+    -fs HFS+ \
+    "$RW_DMG"
 
-#rsync to TF DMG builds
-echo  -e "\033[1;31mWould you like to upload MacOS packages "${APPNAME}"-"$VERSION"-"r$HEAD-arm64.zip", n/Y?.\033[m"
+if [ $? -ne 0 ]; then
+    echo "ERROR: hdiutil failed to create writable DMG."
+    rm -rf "$STAGING"
+    exit 1
+fi
+
+# Mount the writable DMG
+rm -rf "$MOUNT_POINT"
+mkdir -p "$MOUNT_POINT"
+hdiutil attach "$RW_DMG" -mountpoint "$MOUNT_POINT" -nobrowse -noverify
+
+if [ $? -ne 0 ]; then
+    echo "ERROR: failed to mount writable DMG."
+    rm -f "$RW_DMG"
+    rm -rf "$STAGING"
+    exit 1
+fi
+
+# Re-sign all binaries inside the mounted DMG
+echo "-- Re-signing dylibs inside DMG..."
+find "$MOUNT_POINT/$BUNDLE/Contents/Frameworks" -name "*.dylib" | while read lib; do
+    codesign --force --sign "$IDENTITY" --timestamp --options=runtime "$lib"
+done
+
+find "$MOUNT_POINT/$BUNDLE/Contents/Frameworks" -maxdepth 1 -name "*.framework" | while read fw; do
+    codesign --force --sign "$IDENTITY" --timestamp --options=runtime "$fw"
+done
+
+find "$MOUNT_POINT/$BUNDLE/Contents/PlugIns" \( -name "*.dylib" -o -name "*.so" \) | while read lib; do
+    codesign --force --sign "$IDENTITY" --timestamp --options=runtime "$lib"
+done
+
+echo "-- Re-signing main executable inside DMG..."
+codesign --force --sign "$IDENTITY" --timestamp --options=runtime \
+    "$MOUNT_POINT/$BUNDLE/Contents/MacOS/$APPNAME"
+
+echo "-- Re-signing bundle inside DMG..."
+codesign --force --sign "$IDENTITY" --timestamp --options=runtime \
+    "$MOUNT_POINT/$BUNDLE"
+
+# Verify signature inside the mounted DMG
+echo "Verifying bundle signature inside DMG..."
+codesign --verify --deep --strict --verbose=2 "$MOUNT_POINT/$BUNDLE"
+if [ $? -ne 0 ]; then
+    echo "ERROR: bundle signature invalid inside DMG, aborting."
+    hdiutil detach "$MOUNT_POINT"
+    rm -f "$RW_DMG"
+    rm -rf "$STAGING" "$MOUNT_POINT"
+    exit 1
+fi
+echo "Bundle signature inside DMG OK."
+
+# Detach the writable DMG
+hdiutil detach "$MOUNT_POINT"
+
+### Convert UDRW to final compressed UDZO ###########################
+
+echo
+echo "______________________________________________________________"
+echo "Convert to final compressed DMG (UDZO):"
+
+mkdir -p "build-aux/mac-osx"
+rm -f "$DMG_PATH"
+
+hdiutil convert "$RW_DMG" \
+    -format UDZO \
+    -o "$DMG_PATH"
+
+if [ $? -ne 0 ]; then
+    echo "ERROR: hdiutil convert failed."
+    rm -f "$RW_DMG"
+    rm -rf "$STAGING" "$MOUNT_POINT"
+    exit 1
+fi
+
+rm -f "$RW_DMG"
+rm -rf "$STAGING" "$MOUNT_POINT"
+
+### Sign the final DMG ##############################################
+
+echo "Signing final DMG..."
+codesign --sign "$IDENTITY" --timestamp "$DMG_PATH"
+
+### Notarize and staple the final DMG ###############################
+
+echo -e "\033[1;31mWould you like to notarize the DMG \"${DMG_NAME}\", n/Y?\033[m"
 read a
 if [[ $a == "Y" || $a == "y" ]]; then
-cp -Rf "build-aux/mac-osx/${APPNAME}-$VERSION-r$HEAD-arm64.zip" /Users/laurent/MAC_OS_X/
-rsync -e ssh -av --delete-after --no-owner --no-g --chmod=g+w --progress --exclude='.DS_Store' /Users/laurent/MAC_OS_X/ server:download.qelectrotech.org/qet/builds/MAC_OS_X/arm64/
-if [ $? != 0 ]; then
-{
-echo "RSYNC ERROR: problem syncing ${APPNAME}-$VERSION-r$HEAD-arm64.zip"
-rsync -e ssh -av --delete-after --no-owner --no-g --chmod=g+w --progress --exclude='.DS_Store' /Users/laurent/MAC_OS_X/ server:download.qelectrotech.org/qet/builds/MAC_OS_X/arm64/
+    echo
+    echo "______________________________________________________________"
+    echo "Notarizing DMG:"
+    xcrun notarytool submit "$DMG_PATH" --keychain-profile "org.qelectrotech" --wait
+    if [ $? -ne 0 ]; then
+        echo "ERROR: DMG notarization failed. Check the log with:"
+        echo "  xcrun notarytool log <submission-id> --keychain-profile org.qelectrotech"
+        exit 1
+    fi
 
-} fi
+    echo "Stapling DMG..."
+    xcrun stapler staple "$DMG_PATH"
+    if [ $? -ne 0 ]; then
+        echo "ERROR: stapling DMG failed."
+        exit 1
+    fi
+    echo "DMG notarized and stapled OK."
 
+    echo "Verifying final DMG..."
+    spctl -a -vv "$DMG_PATH"
 else
-echo  -e "\033[1;33mExit.\033[m"
-
+    echo -e "\033[1;33mExit.\033[m"
+fi
+
+### Clean up bundle #################################################
+
+echo "Cleaning up bundle..."
+rm -rf "$BUNDLE"
+
+### The end #########################################################
+
+echo
+echo "______________________________________________________________"
+echo "The process is done."
+echo "DMG is in the folder 'build-aux/mac-osx'."
+
+### Upload via rsync ################################################
+
+echo -e "\033[1;31mWould you like to upload MacOS package \"${DMG_NAME}\", n/Y?\033[m"
+read a
+if [[ $a == "Y" || $a == "y" ]]; then
+    cp -Rf "$DMG_PATH" /Users/laurent/MAC_OS_X/
+    rsync -e ssh -av --delete-after --no-owner --no-g --chmod=g+w \
+        --progress --exclude='.DS_Store' \
+        /Users/laurent/MAC_OS_X/ \
+        server:download.qelectrotech.org/qet/builds/MAC_OS_X/arm64/
+    if [ $? != 0 ]; then
+        echo "RSYNC ERROR: problem syncing ${DMG_NAME}, retrying..."
+        rsync -e ssh -av --delete-after --no-owner --no-g --chmod=g+w \
+            --progress --exclude='.DS_Store' \
+            /Users/laurent/MAC_OS_X/ \
+            server:download.qelectrotech.org/qet/builds/MAC_OS_X/arm64/
+    fi
+else
+    echo -e "\033[1;33mExit.\033[m"
 fi