Code signing setup guide
A guide on how to set up the required secrets for code-signing the installer.
There are currently 14 secrets in use, which can be grouped into 3 groups.

The first group is used to upload the installer binaries to our infra so they can be released publicly:

- RELEASE_USER - username for infra
- RELEASE_PASSWORD - password for infra

Both of these are obtained by asking whoever is managing the infrastructure to provide them to you.
To obtain most of the second group, access to the main account of the Apple development team is required (the account with "Account Holder" permissions).

- TEAM_ID - The team ID, found on the Apple developer account page under membership details. See: Locate your Team ID - Manage your team - Account - Help - Apple Developer
- USERNAME - The Apple ID email for the account holder
- PASSWORD - An app-specific password for the account holder's Apple ID. It can be created at https://appleid.apple.com/account/home; see: Sign in to apps with your Apple ID using app-specific passwords - Apple Support
- KEYCHAIN_PASSWORD - A password used by the CI keychain; it should be a strong, long, randomly generated password (e.g. `openssl rand -hex 64`)
- P12_PASSWORD - The password of the signing certificate file. It should also be a strong, randomly generated password (e.g. `openssl rand -hex 64`)
- IDENTITY - The identity of the certificate to use for signing (its SHA-1 hash). Once the certificate is in your keychain, you can run `security find-identity` to list all valid certificates and see their identities
- BUILD_CERTIFICATE_BASE64 - base64-encoded certificate file
Obtaining TEAM_ID, USERNAME, PASSWORD, KEYCHAIN_PASSWORD and P12_PASSWORD is trivial: each is either already known, easy to generate, or covered by the linked official guides. Create these first and make sure to save P12_PASSWORD for later, as it will be used when setting up the certificate. After the certificate is set up, you no longer need this value locally and should not keep it.
Obtaining the certificate and properly encoding it can be done by following these steps:

- Create a Developer ID Application certificate from the developer account's Certificates, Identifiers & Profiles page. See: Create Developer ID certificates - Create certificates - Account - Help - Apple Developer
- After following the guide, you should have the certificate in your keychain. Locate it there, right-click it and select Export "<name>"…
- When prompted for a password, enter the password you generated for the P12_PASSWORD secret. You will then also be prompted for your system password to export it. Note: the following steps assume that the certificate was exported to the default file name Certificates.p12; if you used a different file name, use that instead.
- Open a terminal in the folder the certificate was exported to.
- Run the command `base64 -i Certificates.p12`
- The output of the command is the BUILD_CERTIFICATE_BASE64 secret.
- To easily find the IDENTITY of the certificate, run `security find-identity`.
- After all the secrets are set up and you have tested that code-signing works, securely erase the certificate file from your disk and remove the certificate from your keychain.
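Before the values are stored as CI secrets, it is worth checking that BUILD_CERTIFICATE_BASE64 and P12_PASSWORD actually work together; the script below is an added example, not part of this guide or the project's CI. It assumes `openssl` is on PATH, and the `make_sample_secret` helper builds a constructed self-signed certificate only so the check can be tried without a real Developer ID certificate.

```shell
#!/bin/sh
# Added example, not part of the original guide: check that a
# BUILD_CERTIFICATE_BASE64 value and its P12_PASSWORD belong together
# before they are stored as CI secrets. Assumes `openssl` is on PATH.
set -eu

# Decode the base64 secret to a temporary file and confirm that the password
# opens it. On success prints the leaf certificate's SHA-1 fingerprint, which
# is the value the guide calls IDENTITY; returns non-zero on any failure.
# (A .p12 exported by Keychain Access may need `-legacy` added to the
# pkcs12 call when checked with OpenSSL 3.)
verify_p12_secret() {
    b64="$1"; pass="$2"
    tmp="$(mktemp)"
    # Strip whitespace and re-wrap at 64 columns: `base64 -i` wraps its
    # output and a pasted secret may carry stray newlines.
    { printf '%s' "$b64" | tr -d ' \t\r\n' | fold -w 64; echo; } \
        | openssl base64 -d > "$tmp" 2>/dev/null || { rm -f "$tmp"; return 1; }
    # -nokeys keeps the private key off stdout; -clcerts selects the leaf cert.
    fp="$(openssl pkcs12 -in "$tmp" -passin "pass:$pass" -nokeys -clcerts 2>/dev/null \
          | openssl x509 -noout -fingerprint -sha1 2>/dev/null \
          | sed 's/.*=//; s/://g')" || fp=""
    rm -f "$tmp"
    [ -n "$fp" ] || return 1
    printf '%s\n' "$fp"
}

# Constructed sample input: a throwaway self-signed certificate packed into a
# .p12 with the given password and base64-encoded the way the guide describes.
# It only exercises the check above; it is not a Developer ID certificate.
make_sample_secret() {
    pass="$1"
    dir="$(mktemp -d)"
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
        -subj '/CN=Constructed test certificate' \
        -keyout "$dir/key.pem" -out "$dir/cert.pem" 2>/dev/null
    openssl pkcs12 -export -inkey "$dir/key.pem" -in "$dir/cert.pem" \
        -passout "pass:$pass" -out "$dir/Certificates.p12"
    openssl base64 -in "$dir/Certificates.p12"
    rm -rf "$dir"
}

# Usage: export BUILD_CERTIFICATE_BASE64 and P12_PASSWORD, then run this file;
# it prints the identity, or exits non-zero if the pair does not work.
if [ -n "${BUILD_CERTIFICATE_BASE64:-}" ]; then
    verify_p12_secret "$BUILD_CERTIFICATE_BASE64" "${P12_PASSWORD:?}"
fi
```

The fingerprint it prints should match the SHA-1 shown by `security find-identity` for the same certificate, so the IDENTITY secret can be cross-checked at the same time.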
If signing fails for some reason, you can use the following command to get more details:

`xcrun notarytool log <submission-uuid> --apple-id <apple-id-email> --team-id <team-id>`

The submission UUID can be found in the CI logs.
We use a DigiCert certificate, and they have a guide on how to set up code-signing: Install client tools for standard keypair signing on GitHub. The guide also explains all the secrets used and how to obtain them.