Use correct cert and sign .node only (#392)

* Use find tool to find binaries that need signing

* Check if binary is indeed signed before

* Sign only .node binaries and use correct cert

* Force replace signed binaries

.github/workflows/image.yml

@@ -72,24 +72,20 @@ jobs:
 
       - name: Sign required binaries for MacOS
         run: |
-          # Find a valid signing certificate in your keychain
-          CERTIFICATE=$(security find-identity -v -p codesigning -s - | tail -n +2 | grep -o '"[^"]*"' | sed 's/"//g')
+          # Find a valid code signing certificate in your keychain for distribution outside Mac App Store
+          CERTIFICATE=$(security find-identity -v -p codesigning -s - | tail -n +2 | grep -o '"Developer ID Application:[^"]*"' | sed 's/"//g')
+
+          # Paths to the binaries you want to sign only ending with .node
+          BINARIES=($(find . -type f -perm +111 -name "*.node" ! -path "*.framework/*" ! -path "*.dSYM/*"))
           
-          # Paths to the binaries you want to sign
-          BINARIES=($(find . -type f -perm +111 ! -path "*.framework/*" ! -path "*.dSYM/*"))
-      
           # Loop through the binary paths and sign each one with a secure timestamp
           for binary in "${BINARIES[@]}"; do
             # Check if the binary is already signed
-            if codesign -v "$binary" &>/dev/null; then
-              echo "Already signed: $binary"
+            codesign --timestamp -f -s "$CERTIFICATE" "$binary"
+            if [ $? -eq 0 ]; then
+              echo "Successfully signed (with secure timestamp): $binary"
             else
-              codesign --timestamp -s "$CERTIFICATE" "$binary"
-              if [ $? -eq 0 ]; then
-                echo "Successfully signed (with secure timestamp): $binary"
-              else
-                echo "Failed to sign: $binary"
-              fi
+              echo "Failed to sign: $binary"
             fi
           done