Binary signing for macOS #66

Closed
dignifiedquire opened this issue Oct 19, 2015 · 7 comments

@dignifiedquire
Member

No description provided.

@dignifiedquire
Member Author

@jbenet how long do you think this will take you? Is it realistic to get this done for 1.0?

@jbenet
Member

jbenet commented Oct 19, 2015

i'm not sure. i'll look into it, but this week is basically shot for me. if you need it this week, then no. next week is likely. then there's apple's review process. i think it's much faster now, but it used to take a week or something.

@dignifiedquire
Member Author

That's fine, I'll do the prerelease unsigned this week and want to wait at least one week anyway before the real release.

@dignifiedquire
Member Author

Ref electron/packager#163

@daviddias daviddias modified the milestone: 1.0.0 Nov 8, 2015
@daviddias daviddias removed this from the 1.0.0 milestone Nov 22, 2017
@daviddias daviddias removed the chore label Nov 25, 2017
@hacdias hacdias changed the title Setup OS X signing process Binary signing for macOS Nov 23, 2018
@hacdias hacdias mentioned this issue Nov 23, 2018
@hacdias hacdias added this to the v1.0 milestone Nov 24, 2018
@hacdias hacdias removed this from the v0.6 milestone Dec 21, 2018
This was referenced Jan 3, 2019
@hacdias hacdias added the area/macos MacOS label Jan 6, 2019
@olizilla
Member

olizilla commented Jan 22, 2019

Happy to say we're getting a first pass on "signed releases for macOS" in to the next release, in significantly less than 4 years after the initial proposal.

Of note, it is tricky. There are a bunch of hoops you have to jump through on the Apple Developer portal and more on the local keychain handling, and more again to wire it up to CI.

Disclaimer: this is my first go-round with this, but the output has created an electron-builder created .dmg that can be installed on macOS with just the "this app came from the internet warning" and not the "you can't install this app because it is from the unknown" warning... so i'm reasonably happy with the results. And yes, this is about the worst admin flow I have ever seen. I think xcode is supposed to hide some of this from you, but we didn't come this far to open up that thing.

with an apple team account created, and you as the team agent...

  • You need to be the Apple Developer "Team Agent" to create certificates.
  • There can be only one Team Agent, having the admin role won't do.
  • You must have 2 factor auth enabled on your apple ID.
  • With all that in place, log in to https://developer.apple.com and click "Certificates, IDs & Profiles"
  • Choose "macOS" from the drop down in the top left that initially says "iOS, tvOS, watchOS"
  • Hit the plus in the top right to start the cert creation flow. You need to do this twice for both Developer ID Application and Developer ID Installer. You can use the same CSR for both.
Screenshots 1 to 4 (captions):
  1. Pick Developer ID to create certs for distribution outside of the app store
  2. Pick Developer ID Application. You will need to do this again for Developer ID Installer too.
  3. blurb about creating a CSR
  4. Go create your CSR, as described below
  • You create a Certificate Signing Request via your local Keychain Access app to create certificates.
    • keychain access > certificate assistant > Request a certificate from a certificate authority

  • Fill out the details. Should match your apple ID, and you should be your team agent.
  • Leave CA email address blank and "choose save to disk"
  • Upload the CSR file you just created to the apple developer portal
  • You must create both a `Developer Installer` and a `Developer Application` certificate, and download them to your local keychain.
  • You have to access them via the "My Certificates" filter, to enable the "export as .p12" option. If you navigate to them via another filter or search, that export option is not available. You better be the team agent if you want that to work. If all the planets are aligned you should be able to export them as a combined, encrypted `.p12` file like so

(screenshot: add-apple-certs)

Then follow the steps in https://www.electron.build/code-signing#travis-appveyor-and-other-ci-servers to wire it up for CI

To sign app on build server you need to set `CSC_LINK`, `CSC_KEY_PASSWORD`:

  • Export certificate. Consider to not use special characters (for bash) in the password because “values are not escaped when your builds are executed”.
  • Encode file to base64 (macOS: `base64 -i yourFile.p12 -o envValue.txt`, Linux: `base64 yourFile.p12 > envValue.txt`).

Thanks to @jesseclay for sticking with me on this adventure!
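
The CI hand-off described in the comment above, as an added example that is not part of the original thread or of electron-builder: it encodes the exported `.p12` as single-line base64 for `CSC_LINK`, verifies that the value decodes back to the same bytes, and checks the `CSC_KEY_PASSWORD` for characters bash would interpret. The function names, the file names and the password allow-list are assumptions of this example.

```bash
#!/usr/bin/env bash
# Added example: prepare the CSC_LINK value and vet CSC_KEY_PASSWORD for CI.
export LC_ALL=C

# Succeeds only for a non-empty password made of characters that need no
# quoting in bash. The allow-list (letters, digits, "_", ".", "-") is this
# example's own conservative assumption.
password_is_shell_safe() {
  case "$1" in
    ''|*[!A-Za-z0-9_.-]*) return 1 ;;
    *) return 0 ;;
  esac
}

# Write single-line base64 of the .p12 ($1) to $2, then decode it again and
# compare byte-for-byte, so a wrapped or truncated value is caught before it
# is pasted into the CI settings. A new output file is created owner-only.
encode_p12() {
  local src="$1" out="$2" check
  [ -s "$src" ] || { echo "missing or empty: $src" >&2; return 1; }
  check="$(mktemp)" || return 1
  ( umask 077; base64 < "$src" | tr -d '\n' > "$out" )
  base64 --decode < "$out" > "$check" 2>/dev/null
  if cmp -s "$src" "$check"; then
    rm -f "$check"
    return 0
  fi
  rm -f "$check" "$out"
  echo "round-trip mismatch for $src" >&2
  return 1
}

# Demo on a constructed stand-in file (not a real certificate bundle).
demo_dir="$(mktemp -d)"
printf 'constructed\000\001\377 stand-in for a .p12\n' > "$demo_dir/certs.p12"
encode_p12 "$demo_dir/certs.p12" "$demo_dir/envValue.txt" \
  && echo "CSC_LINK value written to $demo_dir/envValue.txt"
password_is_shell_safe 'pa$$word!' \
  || echo "CSC_KEY_PASSWORD has characters bash would interpret; choose another"
rm -rf "$demo_dir"
```

Delete the encoded file once its contents are stored as a secret in the CI settings, since it carries the signing key in the same encrypted form as the `.p12`.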

@hacdias
Member

hacdias commented Feb 12, 2019

Binary signing is set up and working. The next version will have macOS signed binaries.
