Enable Apple notarization for all build server builds

3 files changed, 11 insertions, 9 deletions

diff --git a/build.sh b/build.sh
index 367febba7f..f6a68753d6 100755
--- a/build.sh
+++ b/build.sh
@@ -25,6 +25,8 @@ log_header "Building Mullvad VPN $PRODUCT_VERSION"
 OPTIMIZE="false"
 # If the produced binaries should be signed (Windows + macOS only)
 SIGN="false"
+# If the produced app and pkg should be notarized by apple (macOS only)
+NOTARIZE="false"
 # If a macOS build should create an installer artifact working on both
 # Intel and Apple Silicon Macs
 UNIVERSAL="false"
@@ -33,6 +35,7 @@ while [[ "$#" -gt 0 ]]; do
     case $1 in
         --optimize) OPTIMIZE="true";;
         --sign)     SIGN="true";;
+        --notarize) NOTARIZE="true";;
         --universal)
             if [[ "$(uname -s)" != "Darwin" ]]; then
                 log_error "--universal only works on macOS"
@@ -127,6 +130,10 @@ else
     export CSC_IDENTITY_AUTO_DISCOVERY=false
 fi
 
+if [[ "$NOTARIZE" == "true" ]]; then
+    NPM_PACK_ARGS+=(--notarize)
+fi
+
 if [[ "$IS_RELEASE" == "true" ]]; then
     log_info "Removing old Rust build artifacts..."
     cargo clean
@@ -136,11 +143,6 @@ if [[ "$IS_RELEASE" == "true" ]]; then
 else
     # Allow dev builds to override which API server to use at runtime.
     CARGO_ARGS+=(--features api-override)
-
-    if [[ "$(uname -s)" == "Darwin" ]]; then
-        log_info "Disabling Apple notarization of installer in dev build"
-        NPM_PACK_ARGS+=(--no-apple-notarization)
-    fi
 fi
 
 # Make Windows builds include a manifest in the daemon binary declaring it must
diff --git a/ci/buildserver-build.sh b/ci/buildserver-build.sh
index e026764f5a..6d491bb56f 100755
--- a/ci/buildserver-build.sh
+++ b/ci/buildserver-build.sh
@@ -156,7 +156,7 @@ function build_ref {
 
     local build_args=(--optimize --sign)
     if [[ "$(uname -s)" == "Darwin" ]]; then
-        build_args+=(--universal)
+        build_args+=(--universal --notarize)
     fi
 
     artifact_dir=$artifact_dir build "${build_args[@]}" || return 1
diff --git a/gui/tasks/distribution.js b/gui/tasks/distribution.js
index acdbf23e97..e41b5ecc94 100644
--- a/gui/tasks/distribution.js
+++ b/gui/tasks/distribution.js
@@ -6,7 +6,7 @@ const { notarize } = require('@electron/notarize');
 const { execFileSync } = require('child_process');
 
 const noCompression = process.argv.includes('--no-compression');
-const noAppleNotarization = process.argv.includes('--no-apple-notarization');
+const shouldNotarize = process.argv.includes('--notarize');
 
 const universal = process.argv.includes('--universal');
 const release = process.argv.includes('--release');
@@ -305,7 +305,7 @@ function packMac() {
         return Promise.resolve();
       },
       afterAllArtifactBuild: async (buildResult) => {
-        if (!noAppleNotarization) {
+        if (shouldNotarize) {
           // buildResult.artifactPaths[0] contains the path to the pkg.
           await notarizeMac(buildResult.artifactPaths[0]);
         }
@@ -322,7 +322,7 @@ function packMac() {
         const appOutDir = context.appOutDir;
         appOutDirs.push(appOutDir);
 
-        if (!noAppleNotarization) {
+        if (shouldNotarize) {
           const appName = context.packager.appInfo.productFilename;
           return notarizeMac(path.join(appOutDir, `${appName}.app`));
         }