Sign & notarize MacOS binaries?
JasonGross opened this issue · 0 comments
Perhaps we should sign & notarize the MacOS binaries for ease of use?
ChatGPT suggests that the steps are:
Without a Mac, you can still handle code signing and notarization using GitHub Actions. Here's a step-by-step approach:

1. Apple Developer Account: Ensure that you have an Apple Developer account, as you'll need certificates and credentials for signing and notarization.

2. Create and Export Signing Certificate:
   - Use a Mac to create a Developer ID Application certificate, or obtain one from your team.
   - Export the certificate as a `.p12` file.

3. Add Secrets to GitHub:
   - Encrypt your `.p12` file and add it as a GitHub Actions secret, along with the certificate password and your Apple Developer account credentials.

4. Install and Configure `xcnotary`:
   - Use `xcnotary`, a third-party tool that supports notarizing applications via CI, which works well with GitHub Actions.
   - Install `xcnotary` in your GitHub Actions workflow by adding:

     ```yaml
     - name: Install xcnotary
       run: brew install keith/formulae/xcnotary
     ```

5. Import Certificate:
   - Import the `.p12` file in your CI workflow using:

     ```yaml
     - name: Import Signing Certificate
       env:
         P12_PASSWORD: ${{ secrets.CERTIFICATE_PASSWORD }}
       run: |
         security create-keychain -p "" build.keychain
         security import certificate.p12 -k build.keychain -P "$P12_PASSWORD" -T /usr/bin/codesign
         # Let codesign use the imported key without an interactive prompt
         security set-key-partition-list -S apple-tool:,apple: -s -k "" build.keychain
     ```

6. Sign the Universal Binary:
   - After combining the architectures using `lipo`, sign it with:

     ```yaml
     - name: Code Sign
       run: |
         codesign --sign "Developer ID Application: Your Name (TeamID)" --timestamp --keychain build.keychain universal_binary
     ```

7. Notarize the Binary:
   - Use `xcnotary` to notarize your signed binary:

     ```yaml
     - name: Notarize Binary
       run: |
         xcnotary notarize universal_binary --apple-id ${{ secrets.APPLE_ID }} --password ${{ secrets.APPLE_PASSWORD }} --team-id "YourTeamID"
     ```

8. Staple the Notarization:
   - After successful notarization, apply the notarization ticket to the binary:

     ```yaml
     - name: Staple Notarization
       run: xcrun stapler staple universal_binary
     ```

Make sure your secrets are stored securely within GitHub Actions. This setup allows you to automate signing and notarization entirely through GitHub Actions without direct access to a Mac.
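An added example, not from this issue or the project: the same pipeline written against Apple's own `xcrun notarytool` rather than the third-party `xcnotary`, with the `.p12` decoded from a base64 secret, the key made usable by `codesign` non-interactively, a hardened-runtime signature verified before submission, and the throwaway keychain deleted afterwards. The stapling step is left out because `stapler` attaches tickets only to bundles, disk images and installer packages, not to a bare Mach-O executable, for which Gatekeeper fetches the ticket from Apple at first launch instead. All secret names, the signing identity, `TEAMID` and the `universal_binary` path are placeholders to be replaced.

```yaml
name: Sign and notarize macOS binary
on:
  push:
    tags: ['v*']

jobs:
  sign-notarize:
    runs-on: macos-latest
    env:
      BINARY: universal_binary   # placeholder: output of the lipo step (assumed to exist)
    steps:
      - uses: actions/checkout@v4

      - name: Import Developer ID certificate into a throwaway keychain
        env:
          CERTIFICATE_P12_BASE64: ${{ secrets.CERTIFICATE_P12_BASE64 }}  # base64 of the .p12
          P12_PASSWORD: ${{ secrets.CERTIFICATE_PASSWORD }}
        run: |
          echo "$CERTIFICATE_P12_BASE64" | base64 --decode > certificate.p12
          KEYCHAIN_PASSWORD="$(uuidgen)"   # random, lives only for this job
          security create-keychain -p "$KEYCHAIN_PASSWORD" build.keychain
          security set-keychain-settings -lut 1800 build.keychain   # auto-lock after 30 min
          security unlock-keychain -p "$KEYCHAIN_PASSWORD" build.keychain
          security import certificate.p12 -k build.keychain -P "$P12_PASSWORD" -T /usr/bin/codesign
          # Required on current macOS so codesign can use the key without a GUI prompt
          security set-key-partition-list -S apple-tool:,apple: -s -k "$KEYCHAIN_PASSWORD" build.keychain
          security list-keychains -d user -s build.keychain login.keychain
          rm -f certificate.p12   # the key now lives in the keychain; drop the plaintext file

      - name: Sign with hardened runtime and a secure timestamp
        run: |
          codesign --sign "Developer ID Application: Your Name (TEAMID)" \
            --options runtime --timestamp --keychain build.keychain "$BINARY"
          codesign --verify --verbose --strict "$BINARY"   # fail fast on a bad signature

      - name: Notarize with xcrun notarytool
        env:
          APPLE_ID: ${{ secrets.APPLE_ID }}
          APPLE_APP_PASSWORD: ${{ secrets.APPLE_APP_PASSWORD }}  # app-specific password
          APPLE_TEAM_ID: ${{ secrets.APPLE_TEAM_ID }}
        run: |
          # notarytool accepts zip/dmg/pkg, so wrap the bare executable in a zip
          ditto -c -k --keepParent "$BINARY" "$BINARY.zip"
          xcrun notarytool submit "$BINARY.zip" --apple-id "$APPLE_ID" \
            --password "$APPLE_APP_PASSWORD" --team-id "$APPLE_TEAM_ID" --wait

      - name: Remove the build keychain even if an earlier step failed
        if: always()
        run: security delete-keychain build.keychain
```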