Add code signing for macOS release #125
Comments
Colfax will not be able to explore this. We'll need to find someone else to do this.
Both Remy and myself tried to create Apple developer accounts and both were blocked for unknown reasons, preventing much progress on this.
I've done it successfully on my fork for gnosis chain. It's not really possible to make it work with CI due to several required variables and other things that just don't work with it (unless you are simply building the whole thing on Xcode as a fresh project) and it is a weird process, but I have signed installers, signed dmgs and signed apps. Let me know if you want any help, I have a whole file with my attempts, failures and finally successes. Make sure to add a provisioning profile and hardened-runtime enabled and like 1-2 other params in a .plist file. Without hardened runtime you cannot get it signed, notarized and staple the notarization from Apple's automated notarize system. Let me know if you want any help since I've done it with Wagyu already, lots of trial and error, but I got it done and likely can help you out.
Need to add a few yarn dev dependencies as well, and also run it all on macOS.

Note: once an app is notarized it is available on Apple's server for all Macs WITH INTERNET to see it as legitimately signed. If they are not online, they can't verify it has been greenlighted by Apple and will need to bypass the "unidentified developer" warnings, unless you staple the notarization to the distributed software, which then allows offline computers (as should be with Wagyu) to verify the signature offline.

yarn add @electron/notarize

Make sure to have as few entitlements as possible, this worked for me

(Seeing the latest docs right now, I'm pretty sure you can now remove the disable library validation entitlement, at least for the latest versions of macOS; new since November last year, I did mine in August, so some of my info may be outdated like this.)

You need to have different certs for different types of packages. For a flat installer and to submit for notarization you must use the mac command built into Xcode (and Xcode CLI tools):

DMGs are the hardest since you cannot notarize and staple the image file, but you can with the app inside and it is recognized by the system. But they also have a ton of fun things to play with: custom backgrounds, custom sizes, add shortcut to /Applications, really anything. Have to use a few other tools for that but it's not that hard still (i.e. I've used this before

to add the application, the icon, location, applications shortcut, and verifies internet is not enabled for extra protection, also tries to code sign.

Sorry these steps are out of order and not complete, but there's a whole process that's confusing and not like normal code signing for Windows and Linux systems, but it's not that hard so long as you follow the instructions. I'll try and put together a new one for myself with all commands in a row, not just my entire bash history from when I was testing it and eventually figured it out by the end.

Info is from https://developer.apple.com/documentation/security/notarizing_macos_software_before_distribution &
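Added example, not part of the thread and not the commenter's or the Wagyu project's code: a pre-signing check for the "as few entitlements as possible" advice above, which reads an entitlements plist and reports hardened-runtime exceptions that are switched on. The sample plist is constructed (the commenter's file is not shown on the page), and treating `allow-jit` as required for an Electron build is an assumption.

```python
import plistlib

# Hardened-runtime exception entitlements (Apple-defined keys) and what each relaxes.
RUNTIME_EXCEPTIONS = {
    "com.apple.security.cs.allow-jit": "permits MAP_JIT executable memory",
    "com.apple.security.cs.allow-unsigned-executable-memory": "permits writable and executable memory",
    "com.apple.security.cs.disable-executable-page-protection": "disables code-page integrity checks",
    "com.apple.security.cs.disable-library-validation": "lets the app load libraries signed by other teams",
    "com.apple.security.cs.allow-dyld-environment-variables": "honours DYLD_* injection variables",
    "com.apple.security.cs.debugger": "lets the app attach to other processes",
}
# Development-only entitlement; the notary service rejects builds that carry it set to true.
GET_TASK_ALLOW = "com.apple.security.get-task-allow"


def audit_entitlements(plist_bytes, allowed=()):
    """Return sorted (severity, key, reason) findings for an entitlements plist."""
    entitlements = plistlib.loads(plist_bytes)
    if not isinstance(entitlements, dict):
        raise ValueError("entitlements plist must have a <dict> at the top level")
    findings = []
    for key, value in entitlements.items():
        if value is not True:  # only a boolean true grants the entitlement
            continue
        if key == GET_TASK_ALLOW:
            findings.append(("block", key, "debug entitlement, fails notarization"))
        elif key in RUNTIME_EXCEPTIONS and key not in allowed:
            findings.append(("review", key, RUNTIME_EXCEPTIONS[key]))
    return sorted(findings)


# Constructed sample input, not a file from the thread.
SAMPLE = b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0">
<dict>
  <key>com.apple.security.cs.allow-jit</key><true/>
  <key>com.apple.security.cs.disable-library-validation</key><true/>
  <key>com.apple.security.get-task-allow</key><true/>
  <key>com.apple.security.cs.debugger</key><false/>
</dict>
</plist>"""

if __name__ == "__main__":
    # Assumption: this build needs JIT, so allow-jit is accepted without a finding.
    jit_ok = {"com.apple.security.cs.allow-jit"}
    for severity, key, reason in audit_entitlements(SAMPLE, allowed=jit_ok):
        print(f"{severity:6} {key}: {reason}")
```

Run it against the entitlements file before signing; a `block` finding means the build would be rejected at notarization, and each `review` finding is an exception to justify or remove.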
I think this is a good starting point: https://developer.apple.com/support/code-signing/