4
0

signing.adoc 3.7 KB

123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778
  1. # macOS release signing
  2. Release builds can sign and notarize the `darwin` binaries using [quill](https://github.com/anchore/quill) via GoReleaser. This runs on the existing Linux CI runner; no macOS runner is required.
  3. Signing is **optional**. If the GitHub secrets below are not all set, GoReleaser skips macOS signing and publishes unsigned binaries (the previous behaviour).
  4. ## Prerequisites
  5. - An active [Apple Developer Program](https://developer.apple.com/programs/) membership.
  6. - A **Developer ID Application** certificate (not "Apple Development" or "Mac App Distribution").
  7. - An [App Store Connect API key](https://appstoreconnect.apple.com/access/integrations/api) with at least **Developer** access.
  8. ## One-time setup
  9. ### 1. Create the signing certificate
  10. 1. Open [Certificates, Identifiers & Profiles](https://developer.apple.com/account/resources/certificates/list).
  11. 2. Create a certificate of type **Developer ID Application**.
  12. 3. Download the `.cer` file and double-click it to add it to **Keychain Access** on a Mac.
  13. 4. In Keychain Access, export the certificate as a **Personal Information Exchange (`.p12`)** file. You will set an export password — remember it; this becomes `MACOS_SIGN_PASSWORD`.
  14. ### 2. Create the notarization API key
  15. 1. Open [App Store Connect → Users and Access → Integrations → App Store Connect API](https://appstoreconnect.apple.com/access/integrations/api).
  16. 2. Create a key with **Developer** role (or Admin).
  17. 3. Download the `.p8` file once (it cannot be downloaded again). Note the **Key ID** shown in the portal and the **Issuer ID** at the top of the API keys page.
  18. ### 3. Base64-encode the key files
  19. Run on a machine that has the files (Linux or macOS):
  20. ```sh
  21. base64 -w0 < ./Certificates.p12 # MACOS_SIGN_P12
  22. base64 -w0 < ./AuthKey_XXXXXX.p8 # MACOS_NOTARY_KEY
  23. ```
  24. On macOS without GNU coreutils, use `base64 -i file | tr -d '\n'`.
  25. ### 4. Add GitHub repository secrets
  26. In **Settings → Secrets and variables → Actions**, create:
  27. | Secret | Value |
  28. |--------|-------|
  29. | `MACOS_SIGN_P12` | Base64 contents of the `.p12` file |
  30. | `MACOS_SIGN_PASSWORD` | Password used when exporting the `.p12` |
  31. | `MACOS_NOTARY_KEY` | Base64 contents of the `.p8` file |
  32. | `MACOS_NOTARY_KEY_ID` | Key ID from App Store Connect (e.g. `ABC123DEF4`) |
  33. | `MACOS_NOTARY_ISSUER_ID` | Issuer UUID from App Store Connect |
  34. All five must be present for signing to run. Any missing secret disables signing for that release.
  35. ## Renewal
  36. | Item | Typical lifetime | What to do |
  37. |------|------------------|------------|
  38. | Developer ID Application certificate | ~5 years | Create a new certificate in the Apple portal, export a new `.p12`, update `MACOS_SIGN_P12` and `MACOS_SIGN_PASSWORD`. |
  39. | App Store Connect API key | Does not expire, but can be revoked | Create a new key if compromised or lost; update `MACOS_NOTARY_KEY`, `MACOS_NOTARY_KEY_ID`, and optionally `MACOS_NOTARY_ISSUER_ID`. |
  40. | Apple Developer Program | Annual subscription | Renew membership before it lapses; existing certificates stop working if the account is inactive. |
  41. After updating secrets, the next release on `main` (via semantic-release) will use the new credentials automatically.
  42. ## Verifying a signed release
  43. On a Mac, download a `OliveTin-darwin-*.tar.gz` release artifact and run:
  44. ```sh
  45. tar -xzf OliveTin-darwin-arm64.tar.gz
  46. spctl -a -vv -t execute OliveTin-darwin-arm64/OliveTin
  47. ```
  48. A signed and notarized binary should report `accepted` with `source=Notarized Developer ID`.
  49. ## Configuration reference
  50. - GoReleaser: `notarize.macos` in [`.goreleaser.yml`](.goreleaser.yml)
  51. - CI secrets: [`.github/workflows/build-and-release.yml`](.github/workflows/build-and-release.yml) (`release` step)
  52. - [GoReleaser notarization docs](https://goreleaser.com/customization/notarize/)