From cb2a5003441cc82bf3443d2c652c515649dd40f7 Mon Sep 17 00:00:00 2001
From: h3p
Date: Wed, 25 Feb 2026 18:32:16 +0100
Subject: [PATCH] Harden DMG mount verification in notarized release workflows

---
 .github/workflows/release-notarized-selfhosted.yml | 8 +++++---
 .github/workflows/release-notarized.yml | 8 +++++---
 Neon Vision Editor.xcodeproj/project.pbxproj | 4 ++--
 scripts/ci/verify_release_asset.sh | 8 +++++---
 .../workflow-templates/release-notarized-selfhosted.yml | 8 +++++---
 scripts/workflow-templates/release-notarized.yml | 8 +++++---
 6 files changed, 27 insertions(+), 17 deletions(-)

diff --git a/.github/workflows/release-notarized-selfhosted.yml b/.github/workflows/release-notarized-selfhosted.yml
index a82c588..2ad908f 100644
--- a/.github/workflows/release-notarized-selfhosted.yml
+++ b/.github/workflows/release-notarized-selfhosted.yml
@@ -277,9 +277,11 @@ jobs:
 gh release download "$TAG_NAME" -p Neon.Vision.Editor.app.zip -p Neon.Vision.Editor.app.dmg -D "$WORK_DIR"
 ditto -x -k "$WORK_DIR/Neon.Vision.Editor.app.zip" "$WORK_DIR/extracted"
 scripts/ci/verify_icon_payload.sh "$WORK_DIR/extracted/Neon Vision Editor.app"
- MOUNT_POINT="$(hdiutil attach "$WORK_DIR/Neon.Vision.Editor.app.dmg" -nobrowse -quiet | awk '/\/Volumes\// {print $3; exit}')"
- if [[ -z "${MOUNT_POINT}" ]]; then
- echo "Failed to mount DMG asset." >&2
+ MOUNT_POINT="$WORK_DIR/dmg-mount"
+ mkdir -p "$MOUNT_POINT"
+ hdiutil attach "$WORK_DIR/Neon.Vision.Editor.app.dmg" -nobrowse -mountpoint "$MOUNT_POINT" -quiet
+ if [[ ! -d "$MOUNT_POINT/Neon Vision Editor.app" ]]; then
+ echo "Mounted DMG does not contain app bundle." >&2
 exit 1
 fi
 scripts/ci/verify_icon_payload.sh "$MOUNT_POINT/Neon Vision Editor.app"
diff --git a/.github/workflows/release-notarized.yml b/.github/workflows/release-notarized.yml
index e67ca91..aac7405 100644
--- a/.github/workflows/release-notarized.yml
+++ b/.github/workflows/release-notarized.yml
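Review bot: The exit status of the new `hdiutil attach` line is never checked, so if the attach fails and this run step's shell is not running with -e, execution reaches the `[[ ! -d ... ]]` test and the only diagnostic is the misleading "Mounted DMG does not contain app bundle."; worse, because `mkdir -p` tolerates an existing `$WORK_DIR/dmg-mount`, on a self-hosted runner where that directory survived an earlier run its stale contents could satisfy the test and the following `verify_icon_payload.sh` call would inspect a leftover bundle rather than the DMG just downloaded (whether `$WORK_DIR` is fresh is decided outside the hunk). Keep the explicit mount-failure exit that the removed lines had, and mount read-only since this is a verification step: `hdiutil attach "$WORK_DIR/Neon.Vision.Editor.app.dmg" -nobrowse -readonly -mountpoint "$MOUNT_POINT" -quiet || { echo "Failed to mount DMG asset." >&2; exit 1; }`. The same applies to the identical hunks in .github/workflows/release-notarized.yml, scripts/ci/verify_release_asset.sh and both scripts/workflow-templates files. The enclosing run step continues outside the hunk.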
@@ -235,9 +235,11 @@ jobs:
 gh release download "$TAG_NAME" -p Neon.Vision.Editor.app.zip -p Neon.Vision.Editor.app.dmg -D "$WORK_DIR"
 ditto -x -k "$WORK_DIR/Neon.Vision.Editor.app.zip" "$WORK_DIR/extracted"
 scripts/ci/verify_icon_payload.sh "$WORK_DIR/extracted/Neon Vision Editor.app"
- MOUNT_POINT="$(hdiutil attach "$WORK_DIR/Neon.Vision.Editor.app.dmg" -nobrowse -quiet | awk '/\/Volumes\// {print $3; exit}')"
- if [[ -z "${MOUNT_POINT}" ]]; then
- echo "Failed to mount DMG asset." >&2
+ MOUNT_POINT="$WORK_DIR/dmg-mount"
+ mkdir -p "$MOUNT_POINT"
+ hdiutil attach "$WORK_DIR/Neon.Vision.Editor.app.dmg" -nobrowse -mountpoint "$MOUNT_POINT" -quiet
+ if [[ ! -d "$MOUNT_POINT/Neon Vision Editor.app" ]]; then
+ echo "Mounted DMG does not contain app bundle." >&2
 exit 1
 fi
 scripts/ci/verify_icon_payload.sh "$MOUNT_POINT/Neon Vision Editor.app"
diff --git a/Neon Vision Editor.xcodeproj/project.pbxproj b/Neon Vision Editor.xcodeproj/project.pbxproj
index 5e1c024..2b620b2 100644
--- a/Neon Vision Editor.xcodeproj/project.pbxproj
+++ b/Neon Vision Editor.xcodeproj/project.pbxproj
@@ -361,7 +361,7 @@
 CODE_SIGNING_ALLOWED = YES;
 CODE_SIGN_IDENTITY = "Apple Development";
 CODE_SIGN_STYLE = Automatic;
- CURRENT_PROJECT_VERSION = 353;
+ CURRENT_PROJECT_VERSION = 354;
 DEAD_CODE_STRIPPING = YES;
 DEVELOPMENT_TEAM = CS727NF72U;
 ENABLE_APP_SANDBOX = YES;
@@ -441,7 +441,7 @@
 CODE_SIGNING_ALLOWED = YES;
 CODE_SIGN_IDENTITY = "Apple Development";
 CODE_SIGN_STYLE = Automatic;
- CURRENT_PROJECT_VERSION = 353;
+ CURRENT_PROJECT_VERSION = 354;
 DEAD_CODE_STRIPPING = YES;
 DEVELOPMENT_TEAM = CS727NF72U;
 ENABLE_APP_SANDBOX = YES;
diff --git a/scripts/ci/verify_release_asset.sh b/scripts/ci/verify_release_asset.sh
index 6012b18..c046bdb 100755
--- a/scripts/ci/verify_release_asset.sh
+++ b/scripts/ci/verify_release_asset.sh
@@ -26,9 +26,11 @@
 ditto -x -k "$WORK_DIR/Neon.Vision.Editor.app.zip" "$WORK_DIR/extracted"
 APP="$WORK_DIR/extracted/Neon Vision Editor.app"
 REQUIRE_ICONSTACK=1 scripts/ci/verify_icon_payload.sh "$APP"
-MOUNT_POINT="$(hdiutil attach "$WORK_DIR/Neon.Vision.Editor.app.dmg" -nobrowse -quiet | awk '/\/Volumes\// {print $3; exit}')"
-if [[ -z "${MOUNT_POINT}" ]]; then
- echo "Failed to mount DMG asset." >&2
+MOUNT_POINT="$WORK_DIR/dmg-mount"
+mkdir -p "$MOUNT_POINT"
+hdiutil attach "$WORK_DIR/Neon.Vision.Editor.app.dmg" -nobrowse -mountpoint "$MOUNT_POINT" -quiet
+if [[ ! -d "$MOUNT_POINT/Neon Vision Editor.app" ]]; then
+ echo "Mounted DMG does not contain app bundle." >&2
 exit 1
 fi
 trap 'hdiutil detach "${MOUNT_POINT}" -quiet || true' EXIT
diff --git a/scripts/workflow-templates/release-notarized-selfhosted.yml b/scripts/workflow-templates/release-notarized-selfhosted.yml
index 79c699d..356de99 100644
--- a/scripts/workflow-templates/release-notarized-selfhosted.yml
+++ b/scripts/workflow-templates/release-notarized-selfhosted.yml
@@ -271,9 +271,11 @@ jobs:
 gh release download "$TAG_NAME" -p Neon.Vision.Editor.app.zip -p Neon.Vision.Editor.app.dmg -D "$WORK_DIR"
 ditto -x -k "$WORK_DIR/Neon.Vision.Editor.app.zip" "$WORK_DIR/extracted"
 scripts/ci/verify_icon_payload.sh "$WORK_DIR/extracted/Neon Vision Editor.app"
- MOUNT_POINT="$(hdiutil attach "$WORK_DIR/Neon.Vision.Editor.app.dmg" -nobrowse -quiet | awk '/\/Volumes\// {print $3; exit}')"
- if [[ -z "${MOUNT_POINT}" ]]; then
- echo "Failed to mount DMG asset." >&2
+ MOUNT_POINT="$WORK_DIR/dmg-mount"
+ mkdir -p "$MOUNT_POINT"
+ hdiutil attach "$WORK_DIR/Neon.Vision.Editor.app.dmg" -nobrowse -mountpoint "$MOUNT_POINT" -quiet
+ if [[ ! -d "$MOUNT_POINT/Neon Vision Editor.app" ]]; then
+ echo "Mounted DMG does not contain app bundle." >&2
 exit 1
 fi
 scripts/ci/verify_icon_payload.sh "$MOUNT_POINT/Neon Vision Editor.app"
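Review bot: The `trap 'hdiutil detach "${MOUNT_POINT}" -quiet || true' EXIT` is still installed only after the app-bundle check, so when the new `[[ ! -d "$MOUNT_POINT/Neon Vision Editor.app" ]]` branch takes `exit 1` the image stays attached at `$WORK_DIR/dmg-mount`; with the removed code an empty MOUNT_POINT usually meant there was nothing to detach, but now the mount point is known before the attach happens. Move the trap line to just before the `hdiutil attach` line so every exit path after the attach detaches the image (its `|| true` already covers the case where the attach itself failed). The script continues outside the hunk.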
diff --git a/scripts/workflow-templates/release-notarized.yml b/scripts/workflow-templates/release-notarized.yml
index 68e540e..37a45d2 100644
--- a/scripts/workflow-templates/release-notarized.yml
+++ b/scripts/workflow-templates/release-notarized.yml
@@ -235,9 +235,11 @@ jobs:
 gh release download "$TAG_NAME" -p Neon.Vision.Editor.app.zip -p Neon.Vision.Editor.app.dmg -D "$WORK_DIR"
 ditto -x -k "$WORK_DIR/Neon.Vision.Editor.app.zip" "$WORK_DIR/extracted"
 scripts/ci/verify_icon_payload.sh "$WORK_DIR/extracted/Neon Vision Editor.app"
- MOUNT_POINT="$(hdiutil attach "$WORK_DIR/Neon.Vision.Editor.app.dmg" -nobrowse -quiet | awk '/\/Volumes\// {print $3; exit}')"
- if [[ -z "${MOUNT_POINT}" ]]; then
- echo "Failed to mount DMG asset." >&2
+ MOUNT_POINT="$WORK_DIR/dmg-mount"
+ mkdir -p "$MOUNT_POINT"
+ hdiutil attach "$WORK_DIR/Neon.Vision.Editor.app.dmg" -nobrowse -mountpoint "$MOUNT_POINT" -quiet
+ if [[ ! -d "$MOUNT_POINT/Neon Vision Editor.app" ]]; then
+ echo "Mounted DMG does not contain app bundle." >&2
 exit 1
 fi
 scripts/ci/verify_icon_payload.sh "$MOUNT_POINT/Neon Vision Editor.app"