yulrizka/osx-push-to-talk

Sign application / release to Mac App Store

Opened this issue · 15 comments

Hi,

I have an active Apple Developer Account and I would be willing to use it to sign this application and/or even release it to the Mac App Store (for free). What would your opinion be about this, @yulrizka? Is there a way that I can sign the application without giving you access to my account/keys?

I also started modifying it slightly to my needs about a month ago, but haven't gotten around to actually creating a proper fork or even submitting a PR. I see that there has been a new release just recently which includes some of the changes I did as well, so I will go from there. I also added something like #8, except that I used triple tap instead (we could make it configurable).

Edit: I could use something like https://github.com/wei/pull to automatically update my fork from your repo and set up an automated build that signs the application with my developer account.

Hi Stefan, thank you for the suggestion. I can add you as a collaborator on this repository. As a collaborator you can build, sign, and upload the application to the release section.

I do like the idea of multiple taps to disable and enable the app. If you have it already, feel free to create a PR.

That sounds like a good idea. I will have to figure out all that stuff about building and signing the application though, so it might take some time. Do you have some automated pipeline for building the application and creating the dmg file or are you doing it manually?

About the multiple taps to enable/disable the app: I'll use the current version as a base for my changes and see how everything works. I also still had a bug where when I disabled PTT and then changed the audio device (e.g. by plugging in headphones), it would show it as still disabled, but it wouldn't actually work. So I'll have to figure that out as well. This, too, might take some time. 😅

Mainly, building the release is pretty straightforward. I have never done a codesign before. This resource might be helpful: https://successfulsoftware.net/2012/08/30/how-to-sign-your-mac-os-x-app-for-gatekeeper/

FYI to the reader, I still need help on this one

I'd still be willing to use my developer account for this, but I'm not sure when I'll find the time to look into this. The optimal case would be that someone basically prepares everything so it's as easy as possible for me to sign it (ideally all automated, which should be possible as long as we don't put it on the App Store).

Signing should be pretty straightforward if someone has an account. I've gone through the steps; it's pretty simple to go to the signing settings, set it to automatic, and log in to your Apple ID with a paid dev subscription.

You'll need to enable hardened runtime in the capabilities section for signing so that Apple can properly notarize the app. Once that is done, just create an archive, followed by uploading it for notarization. Once it is notarized it should be able to be uploaded to the releases section.

I am unsure how much of this process can be automated, and even if it can, I am unsure if automating it would be difficult due to the Apple ID credentials needing to be signed in.
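
Added example, not part of the thread and not the project's own build script: the command-line equivalent of the sign, notarize and staple steps described in the comment above, using Apple's `codesign`, `notarytool` and `stapler`. The identity string and the keychain profile name are assumed placeholders; the profile is created once with `xcrun notarytool store-credentials`, so no Apple ID password appears in the script or the repository.

```shell
#!/bin/sh
# Added example: sign, notarize and staple a macOS .app without the Xcode GUI.
# Assumptions: app path, identity and profile are placeholders from the caller.

# run: execute a command, or only print it when DRY_RUN=1 (review before use).
run() {
  if [ "${DRY_RUN:-0}" = "1" ]; then
    printf '%s\n' "$*"
  else
    "$@"
  fi
}

# sign_and_notarize APP IDENTITY PROFILE
#   APP      path to the built .app bundle
#   IDENTITY "Developer ID Application: ..." certificate name in the keychain
#   PROFILE  keychain profile saved with `xcrun notarytool store-credentials`
sign_and_notarize() {
  [ "$#" -eq 3 ] || { echo "usage: sign_and_notarize APP IDENTITY PROFILE" >&2; return 2; }
  app="$1"; identity="$2"; profile="$3"
  case "$app" in
    *.app) ;;
    *) echo "error: $app is not a .app bundle" >&2; return 2 ;;
  esac
  zip="${app%.app}.zip"

  # Hardened runtime and a secure timestamp are prerequisites for notarization.
  run codesign --force --options runtime --timestamp --sign "$identity" "$app" || return 1
  # Stop before uploading if the signature does not validate locally.
  run codesign --verify --strict --verbose=2 "$app" || return 1
  # notarytool takes a zip, dmg or pkg; ditto keeps the bundle structure intact.
  run ditto -c -k --keepParent "$app" "$zip" || return 1
  run xcrun notarytool submit "$zip" --keychain-profile "$profile" --wait || return 1
  # Stapling fails if no ticket was issued, which catches a rejected submission.
  run xcrun stapler staple "$app" || return 1
  # Final check: ask Gatekeeper how it would assess the app.
  run spctl --assess --type execute --verbose "$app" || return 1
}
```

Calling it with `DRY_RUN=1` prints the six commands without touching the keychain, which is a reasonable first step on a fork-based CI runner.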

The thing is that if I offer my account for this, I want to avoid any kind of manual intervention from my side, so that the release is not dependent on me being available to do all the steps.

I just found this article that could help: https://medium.com/better-programming/indie-mac-app-devops-with-github-actions-b16764a3ebe7

You're right that the Apple ID credentials are an issue, but I could imagine a workflow where I have a fork on my account which automatically updates from the main repo and performs the CI with scripts under my control. This way, I wouldn't have to worry about my credentials getting leaked.

I think that might be possible indeed. I found this GitHub repository that does this with GitHub Actions:
https://github.com/devbotsxyz/example-macos-rings/blob/master/.github/workflows/release.yml

Meanwhile, I'm also exploring the possibility of using Homebrew instead.
With a script, I can trigger xcodebuild, which compiles the app on the user's machine.
This way, the application does not need to be signed.

Homebrew/discussions#63

Meanwhile, for anyone who runs on Catalina, can you test if this works for you?

First, remove PushToTalk.app in your /Applications folder. Then:

$ brew install yulrizka/tap/pushtotalk

This will build the project using Xcode and, once it's finished, link the output (see the Homebrew caveats message).

This way, users can run the app themselves and don't require the app to be signed.

Here is the brew formula: https://github.com/yulrizka/homebrew-tap/blob/main/Formula/pushtotalk.rb

rnsc commented

@yulrizka can you still provide a compiled version of the app through homebrew?
As long as people know that the first time you run the app you have to right click on the app, press the option key and open, it's fine, right? It can be specified in a disclaimer when the formula is installed.

What do you think?
I personally have little to no use of Xcode, so installing it just to build this specific package seems counter-productive.

@rnsc It doesn't work like that. Without signing, the binary can only run on the machine where the binary is compiled.
That's why the brew formula has Xcode as a dependency.

That is as far as I know. Last time I tested on my Mac, it just refused to run it.

rnsc commented

@yulrizka hey, thank you for your reply, that's peculiar, because I tested locally and copied over the locally built app to a different computer in the Applications folder and I was able to run.
I just tested in a new VM right now and I was able to run the application there too.

I don't have a developer account nor do I have signing certificates available, so that's weird.
I built it through Homebrew with Xcode 12.4 on macOS Catalina.
I tested on a different MBP on macOS Catalina and in a macOS Big Sur VM.
The only difference is that I copied the application directly in /Applications, instead of having a symlink to the pushtotalk Cellar.

I'll try to test this a bit more to understand the behavior. I really like the tool btw!

@rnsc Oh. I can try to build it on my mac, and see if you can run it. If it works, then we can add it in the readme

rnsc commented

> @rnsc Oh. I can try to build it on my mac, and see if you can run it. If it works, then we can add it in the readme

Hey @yulrizka any luck with this?

I tried it. Unfortunately, the Mac machine that I have access to has a security policy when building a DMG. I can build the application but could not package it as a DMG anymore.