HOW-TO-codesign.txt

Code signing is not integrated into the build script. At the Broad Institute we do something like ...


## Java executable jar file distribution

Pass in 'signjar.alias' and 'signjar.storepass' as mvn command line args. Use the jarsigner command
to verify the signature, and the manually copy the file into a dist folder for upload as a release
artifact.

For example for the 1.2.7 release ...

  mvn -Dsignjar.keystore=${HOME}/.gp_build/genepattern-codesign.jks -Dsignjar.alias=codesign -Dsignjar.storepass=********
  jarsigner -verify target/visualizerLauncher-1.2.7-full.jar 
  mkdirs dist
  cp -rp target/visualizerLauncher-1.2.7-full.jar dist/visualizerLauncher-1.2.7.jar 

## Mac OS X distribution

1) create a zip file
   cd target/visualizerLauncher-1.2.7
   zip -r VisualizerLauncher.app.zip VisualizerLauncher.app

2) copy it to remote server
    scp VisualizerLauncher.app.zip <user>@<host>:~/visualizer-launcher

3) sign the code
    This is now a manual process and requires a Mac.  Prequisite steps (one-time only):
    a) Obtain the signing certificate and private key password from BITS
    b) Install this to your Mac keychain (see private email for instructions)
    
    Signing steps (every release).  
    a) Download VisualizerLauncher.app.zip to your local Mac from the CI server
    b) Open a Terminal on your Mac, then:
       cd ~/Downloads
       mkdir sign
       cp VisualizerLauncher.app.zip sign
       cd sign
       unzip VisualizerLauncher.app.zip
       chmod u+x VisualizerLauncher.app/Contents/MacOS/JavaAppLauncher  # ... only if necessary
       codesign --deep --force --sign "Developer ID Application: THE BROAD INSTITUTE INC" VisualizerLauncher.app
       # At this point, MacOS will prompt for userid + password for Keychain Access, after which it will sign the app.
       # ... after that:
       rm VisualizerLauncher.app.zip
       zip -r VisualizerLauncher.app.zip VisualizerLauncher.app.zip

4) upload this to GitHub release