In addition to creating the DMG, we also sign the app and notarize the DMG.

To create the keys, this is what I did:

openssl genrsa -out mac-openbrush.key 2048
openssl req -nodes -key mac-openbrush.key -new -subj "/C=UK/ST=./L=Leeds/O=Icosa Gallery, Ltd" -out mac-openbrush-app.csr
openssl req -legacy -nodes -key mac-openbrush.key -new -subj "/C=UK/ST=./L=Leeds/O=Icosa Gallery, Ltd" -out mac-openbrush-install.csr

Then a Developer ID Application and Installer were created, which gave a .cer file. Converting that to a P12:

export CER="foo"  # For both cer files
export PASSWORD="TOP SECRET SOMETHING"
openssl x509 -in ${CER}.cer -inform DER -out ${CER}.pem -outform PEM
openssl pkcs12 -export -inkey mac-openbrush.key -in ${CER}.pem -out ${CER}.p12 -password pass:${PASSWORD}

Additionally, we need to create provisioning profile for Mac OS, using the certificate above.

Then upload the P12, password, etc, to the secrets. Reference: https://docs.github.com/en/actions/deployment/deploying-xcode-applications/installing-an-apple-certificate-on-macos-runners-for-xcode-development (but note the different provisioning file name and the use of both certs, even though we actually only sign with the Application, not the Installer, one)

I wasn't able to get fastlane to manage these certs, which is annoying. The docs suggest that they support Developer ID types, but I couldn't figure it out.