
Add code signing for macOS release #125

Open
Tracked by #72
remyroy opened this issue Dec 16, 2021 · 4 comments
Labels
enhancement New feature or request

Comments

@remyroy
Member

remyroy commented Dec 16, 2021

I think this is a good starting point: https://developer.apple.com/support/code-signing/

@remyroy remyroy added the enhancement New feature or request label Dec 16, 2021
@remyroy remyroy mentioned this issue Dec 16, 2021
@remyroy
Member Author

remyroy commented Mar 2, 2022

Colfax will not be able to explore this. We'll need to find someone else to do this.

@valefar-on-discord
Contributor

Both Remy and I tried to create Apple developer accounts, and both were blocked for unknown reasons, preventing much progress on this.

@alexpeterson91
Contributor

I've done it successfully on my fork for Gnosis Chain. It's not really possible to make it work with CI due to several required variables and other things that just don't work with it (unless you are simply building the whole thing in Xcode as a fresh project), and it is a weird process, but I have signed installers, signed DMGs and signed apps. Let me know if you want any help; I have a whole file with my attempts, failures and finally successes. Make sure to add a provisioning profile, enable hardened runtime and set 1-2 other params in a .plist file; without hardened runtime you cannot get it signed and notarized and staple the notarization from Apple's automated notarization system.

Let me know if you want any help, since I've done it with Wagyu already. Lots of trial and error, but I got it done and can likely help you out.

@alexpeterson91
Contributor

alexpeterson91 commented Mar 11, 2024

Need to add a few yarn dev dependencies as well, and also run it all on macOS.

Note: once an app is notarized it is available on Apple's server for all Macs WITH INTERNET to see it as legitimately signed. If they are not online, they can't verify it has been greenlighted by Apple and will need to bypass the "unidentified developer" warnings, unless you staple the notarization to the distributed software, which then allows offline computers (as should be the case with Wagyu) to verify the signature offline.

yarn add @electron/notarize --dev
yarn add @electron/osx-sign --dev

Make sure to have as few entitlements as possible; this worked for me:

entitlements.mac.plist

<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
  <dict>
    <key>com.apple.security.cs.allow-jit</key>
    <true/>
    <key>com.apple.security.cs.disable-library-validation</key>
    <true/>
  </dict>
</plist>

(Seeing the latest docs right now, I'm pretty sure you can now remove the disable-library-validation entitlement, at least for the latest versions of macOS, new since November last year; I did mine in August, so some of my info may be outdated like this.)

You need to have different certs for different types of packages: for a flat installer .pkg you need a developerID_installer.cer; for the prebuilt binaries .zip/.app you need a developerID_application.cer. For both you need to create a CertificateSigningRequest to upload to Apple to get the certs.
For flat package installers you need yarn electron-osx-flat.

And to submit for notarization you must use the Mac command built into Xcode (and the Xcode CLI tools): xcrun notarytool. An example command includes your Apple developer ID, your application-specific password, your Team ID and the file you want to notarize:

xcrun notarytool submit Gnosis\ Wagyu\ Key\ Gen-1.0.0-mac.zip --apple-id "[email protected]" --team-id "B3VDM3LG5K" --password "xxxx-xxxx-xxxx-xxxx" --wait

It's an automated process and only takes a couple of minutes, if that. It will output a log ID from the submission that you can verify by running the following, replaced with your log submission ID:

xcrun notarytool log 2f9b03c6-6aa0-4d8e-adf5-54fb2a7506df --apple-id "[email protected]" --team-id "B3VDM3LG5K" --password "xxxx-xxxx-xxxx-xxxx" developer_log.json

to view the full log and see if there were any errors notarizing. If not, then move on to stapling the notarization to the app using:

xcrun stapler staple "Wagyu Key Gen.app"

DMGs are the hardest since you cannot notarize and staple the image file, but you can with the app inside, and it is recognized by the system. But they also have a ton of fun things to play with: custom backgrounds, custom sizes, adding a shortcut to /Applications, really anything. You have to use a few other tools for that, but it's still not that hard (i.e. I've used this before:

create-dmg --volname "Gnosis Wagyu Key Gen" --volicon ../build/icon.icns --app-drop-link 30 30 --no-internet-enable --codesign --notarize "Gnosis Wagyu Keygen.dmg" mac/
spctl -a -v "Gnosis Wagyu Keygen.dmg"

to add the application, the icon, location and Applications shortcut, and verify internet is not enabled for extra protection; it also tries to code sign).

Sorry these steps are out of order and not complete, but there's a whole process that's confusing and not like normal code signing for Windows and Linux systems, but it's not that hard so long as you follow the instructions. I'll try and put together a new one for myself with all commands in a row, not just my entire bash history from when I was testing it and eventually figured it out by the end.

Info is from https://developer.apple.com/documentation/security/notarizing_macos_software_before_distribution &
https://developer.apple.com/documentation/security/code_signing_services along with some other things I just googled. But yeah, it's a bit confusing but not that hard to get done, but very hard to impossible to automate the process entirely via CI unless it's all in Xcode.
