From f46bfee3384efc56ed715148cc44fbda89c984d7 Mon Sep 17 00:00:00 2001
From: jonathancaudill
Date: Fri, 27 Feb 2026 19:53:28 -0500
Subject: [PATCH 1/2] fix: remove duplicate Sparkle.framework codesign causing invalid signature

Signing both Versions/B and the top-level Sparkle.framework symlink signs the same directory twice, invalidating the first signature and producing "The signature of the binary is invalid" errors during notarization. Only sign Versions/B directly.
Co-Authored-By: Claude Sonnet 4.6
---
 .github/workflows/macos-notarize.yml | 6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)
diff --git a/.github/workflows/macos-notarize.yml b/.github/workflows/macos-notarize.yml
index c826dbfc..e242a676 100644
--- a/.github/workflows/macos-notarize.yml
+++ b/.github/workflows/macos-notarize.yml
@@ -105,10 +105,10 @@ jobs:
 codesign --force --sign "$SIGNING_IDENTITY" --timestamp --options runtime \
 "$SPARKLE/Updater.app"
- # Sign the framework version and top-level
+ # Sign the framework version (Versions/B) — do NOT also sign the
+ # top-level Sparkle.framework symlink; it resolves to the same Versions/B
+ # directory and double-signing invalidates the signature.
 codesign --force --sign "$SIGNING_IDENTITY" --timestamp "$SPARKLE"
- codesign --force --sign "$SIGNING_IDENTITY" --timestamp \
- "Nook.app/Contents/Frameworks/Sparkle.framework"
 # Re-sign the main app with entitlements and hardened runtime
 codesign --force --sign "$SIGNING_IDENTITY" --timestamp \
From a489fc4a9acd2b5f964cb8469aed265bb7fe94ca Mon Sep 17 00:00:00 2001
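Review bot: The comment added above the `"$SPARKLE"` signing call describes the top-level `Sparkle.framework` as a symlink, but in the standard versioned framework layout the top-level directory is a real bundle and `Versions/Current` is the symlink that points at `B`. It also states as fact that the second `codesign` call invalidated the signature, a claim the follow-up patch on this page softens to "would invalidate" while fixing a different cause; the same comment is carried into that patch's first hunk. I would reword it as `# Sign Versions/B only; the top-level Sparkle.framework path reaches the same version through Versions/Current.` and leave the causal claim to the commit message. `$SPARKLE` is assigned outside this hunk, so its value is assumed from the comment, and the enclosing `run:` step starts and ends outside the hunk.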
From: jonathancaudill
Date: Fri, 27 Feb 2026 20:15:38 -0500
Subject: [PATCH 2/2] fix: add .gitmodules and fix Sparkle dylib signing for notarization
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

- Add .gitmodules with all 7 submodule URLs (Fuzi, Highlightr, LRUCache, Motion, reeeed, swift-atomics, swift-numerics) so git branch operations (e.g. checkout gh-pages) don't fatal on missing submodule URLs
- Explicitly sign Sparkle.framework/Versions/B/Sparkle dylib before signing the framework version bundle — omitting this caused the dylib to have an invalid signature under notarization scrutiny
- Add pre-notarize codesign --verify step to catch signing failures before wasting a notarization submission
Co-Authored-By: Claude Sonnet 4.6
---
 .github/workflows/macos-notarize.yml | 9 ++++++++-
 .gitmodules | 21 +++++++++++++++++++++
 2 files changed, 29 insertions(+), 1 deletion(-)
 create mode 100644 .gitmodules
diff --git a/.github/workflows/macos-notarize.yml b/.github/workflows/macos-notarize.yml
index e242a676..5f2d42dd 100644
--- a/.github/workflows/macos-notarize.yml
+++ b/.github/workflows/macos-notarize.yml
@@ -105,9 +105,13 @@ jobs:
 codesign --force --sign "$SIGNING_IDENTITY" --timestamp --options runtime \
 "$SPARKLE/Updater.app"
+ # Sign the Sparkle dylib itself before signing the framework bundle
+ codesign --force --sign "$SIGNING_IDENTITY" --timestamp \
+ "$SPARKLE/Sparkle"
+
 # Sign the framework version (Versions/B) — do NOT also sign the
 # top-level Sparkle.framework symlink; it resolves to the same Versions/B
- # directory and double-signing invalidates the signature.
+ # directory and double-signing would invalidate the signature.
 codesign --force --sign "$SIGNING_IDENTITY" --timestamp "$SPARKLE"
 # Re-sign the main app with entitlements and hardened runtime
@@ -116,6 +120,9 @@ jobs:
 --entitlements "$(pwd)/Nook/Nook.entitlements" \
 "Nook.app"
+ - name: Verify signature before notarizing
+ run: codesign --verify --deep --strict --verbose=2 "Nook.app"
+
 - name: Notarize app
 env:
 APPLE_ID: ${{ secrets.APPLE_ID }}
diff --git a/.gitmodules b/.gitmodules
new file mode 100644
index 00000000..1eb04376
--- /dev/null
+++ b/.gitmodules
@@ -0,0 +1,21 @@
+[submodule "Fuzi"]
+ path = Fuzi
+ url = https://github.com/cezheng/Fuzi.git
+[submodule "Highlightr"]
+ path = Highlightr
+ url = https://github.com/raspu/Highlightr.git
+[submodule "LRUCache"]
+ path = LRUCache
+ url = https://github.com/nicklockwood/LRUCache.git
+[submodule "Motion"]
+ path = Motion
+ url = https://github.com/b3ll/Motion.git
+[submodule "reeeed"]
+ path = reeeed
+ url = https://github.com/nate-parrott/reeeed.git
+[submodule "swift-atomics"]
+ path = swift-atomics
+ url = https://github.com/apple/swift-atomics.git
+[submodule "swift-numerics"]
+ path = swift-numerics
+ url = https://github.com/apple/swift-numerics.git
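Review bot: The new `Verify signature before notarizing` step checks that the bundle's seal is internally consistent but not who produced it, so a signature made with an unexpected or ad-hoc identity would most likely still pass here and only be caught at notarization or later. Pinning the signer with a requirement test closes that gap, for example `codesign --verify --deep --strict --verbose=2 -R='anchor apple generic and certificate leaf[subject.OU] = "TEAM_ID_PLACEHOLDER"' "Nook.app"`, where the team identifier is a placeholder to fill in. The step also uses the relative path `"Nook.app"`, so it depends on running in the same working directory as the signing step, which lies outside this hunk.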