concordium-node
Separate build and sign steps for macOS package
Task description
This task is about separating the build and sign steps for the macOS package so that it can be built on Jenkins and subsequently signed on a machine with the necessary keys.
Currently, it is possible to build an unsigned version on Jenkins, but this cannot be properly signed subsequently. For releases, we therefore build and sign the macOS package on a machine with the required keys, which is error-prone.
Background
On macOS, there exist different types of packages and installers.
For basic installers that move files to a target destination, it is sufficient to use an installer component package, which can be created with the pkgbuild utility. These are also known as flat packages. The Concordium Client package is an example of such a package.
For more advanced installers, which need to run scripts and use installer plugins (custom pages in the installer wizard), a product archive is needed, which can be created with the productbuild utility. A product archive contains one or more installer component packages. Since the node installer has a configuration page, which is an installer plugin, and uses a few scripts during installation, it must be a product archive.
Aside: For added confusion, both types of packages use the file ending .pkg.
Separating the build and sign steps is relatively easy for installer component packages because you can expand the pkg file, sign the contents, and repackage them. As such, Jenkins can create the pkg file and you can sign it subsequently.
But for product archives, there appears to be no easy way to do the same, i.e., expand, sign, and repackage. And thus the crux of the issue.
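Because both kinds share the .pkg ending, a pipeline step can tell them apart by reading the xar table of contents: a product archive has a top-level Distribution file, a component package a top-level PackageInfo. The following is an added example, not code from this issue or the Concordium repository; the file names in the sample inputs (such as node.pkg) are constructed.

```python
import struct
import zlib
import xml.etree.ElementTree as ET

MAX_TOC = 16 * 1024 * 1024  # refuse absurd TOC sizes (decompression-bomb guard)

def read_toc(data: bytes) -> ET.Element:
    """Parse the 28-byte xar header and return the decompressed <toc> element."""
    if len(data) < 28 or data[:4] != b"xar!":
        raise ValueError("not a xar archive")
    # Big-endian: magic, header size, version, TOC compressed/uncompressed length, checksum alg
    _, hdr_size, _, clen, ulen, _ = struct.unpack(">4sHHQQI", data[:28])
    raw = data[hdr_size:hdr_size + clen]
    if hdr_size < 28 or len(raw) != clen or ulen > MAX_TOC:
        raise ValueError("truncated or implausible xar header")
    # max_length caps the output even if the header lies about the size
    xml = zlib.decompressobj().decompress(raw, ulen + 1)
    if len(xml) != ulen:
        raise ValueError("TOC length does not match header")
    toc = ET.fromstring(xml).find("toc")
    if toc is None:
        raise ValueError("xar TOC missing <toc> element")
    return toc

def classify(data: bytes) -> dict:
    """Report package kind, nested component packages, and whether the TOC carries a signature."""
    toc = read_toc(data)
    names = [f.findtext("name", "") for f in toc.findall("file")]  # top-level entries only
    if "Distribution" in names:
        kind = "product archive"
    elif "PackageInfo" in names:
        kind = "component package"
    else:
        kind = "unknown"
    signed = any(toc.find(tag) is not None for tag in ("signature", "x-signature"))
    return {"kind": kind, "components": sorted(n for n in names if n.endswith(".pkg")), "signed": signed}

def make_sample(names, signed=False) -> bytes:
    """Constructed test input: header plus TOC only, no payload heap."""
    files = "".join(f"<file><name>{n}</name></file>" for n in names)
    sig = '<signature style="RSA"><offset>20</offset><size>256</size></signature>' if signed else ""
    xml = f"<xar><toc>{sig}{files}</toc></xar>".encode()
    comp = zlib.compress(xml)
    return struct.pack(">4sHHQQI", b"xar!", 28, 1, len(comp), len(xml), 1) + comp

if __name__ == "__main__":
    print(classify(make_sample(["Distribution", "Resources", "node.pkg"])))  # constructed names
    print(classify(make_sample(["Bom", "PackageInfo", "Payload"], signed=True)))
```

The signed field only reports that a signature entry is present in the table of contents; it does not validate it. On macOS, pkgutil --check-signature performs the actual verification.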