Sign & notarize macOS binaries? #1892

Open
JasonGross opened this issue May 7, 2024 · 0 comments
Perhaps we should sign & notarize the macOS binaries for ease of use?

ChatGPT suggests that the steps are:


Without a Mac, you can still handle code signing and notarization using GitHub Actions. Here's a step-by-step approach:

1. Apple Developer Account: Ensure that you have an Apple Developer account, as you'll need certificates and credentials for signing and notarization.

2. Create and Export Signing Certificate:
   • Use a Mac to create a Developer ID Application certificate, or obtain one from your team.
   • Export the certificate as a .p12 file.

3. Add Secrets to GitHub:
   • Encrypt your .p12 file and add it as a GitHub Actions secret, along with the certificate password and your Apple Developer account credentials.

4. Install and Configure xcnotary:
   • Use xcnotary, a third-party tool that supports notarizing applications via CI, which works well with GitHub Actions.
   • Install xcnotary in your GitHub Actions workflow by adding:

   ```yaml
   - name: Install xcnotary
     run: brew install keith/formulae/xcnotary
   ```

5. Import Certificate:
   • Import the .p12 file in your CI workflow using:

   ```yaml
   - name: Import Signing Certificate
     env:
       P12_BASE64: ${{ secrets.CERTIFICATE_P12_BASE64 }}   # assumed secret: the .p12 stored base64-encoded
       P12_PASSWORD: ${{ secrets.CERTIFICATE_PASSWORD }}
     run: |
       echo "$P12_BASE64" | base64 --decode > certificate.p12   # security import needs a file on disk
       security create-keychain -p "" build.keychain
       security import certificate.p12 -k build.keychain -P "$P12_PASSWORD" -T /usr/bin/codesign
       # let codesign use the imported key without an interactive prompt
       security set-key-partition-list -S apple-tool:,apple: -s -k "" build.keychain
   ```

6. Sign the Universal Binary:
   • After combining the architectures using lipo, sign it with:

   ```yaml
   - name: Code Sign
     run: |
       # --options runtime enables the hardened runtime, which notarization requires
       codesign --sign "Developer ID Application: Your Name (TeamID)" --timestamp --options runtime --keychain build.keychain universal_binary
   ```

7. Notarize the Binary:
   • Use xcnotary to notarize your signed binary:

   ```yaml
   - name: Notarize Binary
     env:   # pass secrets via env instead of interpolating them into the shell line
       APPLE_ID: ${{ secrets.APPLE_ID }}
       APPLE_PASSWORD: ${{ secrets.APPLE_PASSWORD }}
     run: |
       xcnotary notarize universal_binary --apple-id "$APPLE_ID" --password "$APPLE_PASSWORD" --team-id "YourTeamID"
   ```

8. Staple the Notarization:
   • After successful notarization, apply the notarization ticket to the binary:

   ```yaml
   - name: Staple Notarization
     run: xcrun stapler staple universal_binary
   ```

Make sure your secrets are stored securely within GitHub Actions. This setup allows you to automate signing and notarization entirely through GitHub Actions without direct access to a Mac.
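The following workflow is an added example, not code from the issue or the project: it combines the steps above into one GitHub Actions job on a GitHub-hosted macOS runner, using Apple's `xcrun notarytool` in place of xcnotary and passing secrets through `env` rather than interpolating `${{ secrets.* }}` into shell lines. The secret names, the `universal_binary` filename, the placeholder build step and the keychain name are assumptions.

```yaml
# Added example: sign, notarize and verify a universal macOS binary in CI.
# Assumed secrets: MACOS_CERT_P12_BASE64, MACOS_CERT_PASSWORD, SIGNING_IDENTITY,
# APPLE_ID, APPLE_APP_PASSWORD (an app-specific password), APPLE_TEAM_ID.
name: sign-and-notarize
on:
  push:
    tags: ['v*']
jobs:
  notarize:
    runs-on: macos-latest   # GitHub-hosted Mac; no self-owned Mac needed
    steps:
      - uses: actions/checkout@v4
      - name: Build universal binary   # placeholder for the project's own build
        run: |
          echo "assumed: produces ./universal_binary via lipo"
      - name: Import signing certificate into a throwaway keychain
        env:
          CERT_P12_BASE64: ${{ secrets.MACOS_CERT_P12_BASE64 }}
          CERT_PASSWORD: ${{ secrets.MACOS_CERT_PASSWORD }}
        run: |
          KEYCHAIN_PASSWORD="$(openssl rand -hex 16)"
          echo "$CERT_P12_BASE64" | base64 --decode > cert.p12
          security create-keychain -p "$KEYCHAIN_PASSWORD" build.keychain
          security set-keychain-settings -lut 21600 build.keychain
          security unlock-keychain -p "$KEYCHAIN_PASSWORD" build.keychain
          security import cert.p12 -k build.keychain -P "$CERT_PASSWORD" -T /usr/bin/codesign
          # allow codesign to use the key without a GUI prompt
          security set-key-partition-list -S apple-tool:,apple: -s -k "$KEYCHAIN_PASSWORD" build.keychain
          security list-keychains -d user -s build.keychain
          rm -f cert.p12
      - name: Sign with hardened runtime and a trusted timestamp
        env:
          SIGNING_IDENTITY: ${{ secrets.SIGNING_IDENTITY }}
        run: |
          codesign --sign "$SIGNING_IDENTITY" --timestamp --options runtime --force universal_binary
          codesign --verify --strict --verbose=2 universal_binary
      - name: Notarize (notary service accepts zip, dmg or pkg, not a bare Mach-O)
        env:
          APPLE_ID: ${{ secrets.APPLE_ID }}
          APPLE_APP_PASSWORD: ${{ secrets.APPLE_APP_PASSWORD }}
          APPLE_TEAM_ID: ${{ secrets.APPLE_TEAM_ID }}
        run: |
          ditto -c -k --keepParent universal_binary universal_binary.zip
          xcrun notarytool submit universal_binary.zip --apple-id "$APPLE_ID" \
            --password "$APPLE_APP_PASSWORD" --team-id "$APPLE_TEAM_ID" --wait
      - name: Remove the keychain so the key does not outlive the job
        if: always()
        run: security delete-keychain build.keychain
```

Stapling is omitted on purpose: `stapler` works on bundles, disk images and packages, not on a standalone Mach-O executable, so Gatekeeper fetches the ticket from Apple online at first launch.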
