dynamo-browse/_certs/README.md

# Certs

These hold the certificates for MacOS notarisation. As such they are not checked into the repository.

List of files is as follows:

- ALDsigning.key : private key
- csr3072ALDSigning.certSigningRequest : certificate signing request
- developerID_application.p12 : signed certificate
- keyStore.p12 : pkcs12 keystore holding both the certificate and private key
- AthKey_UD4...p8 : private key granting API access to AppStore connect

## Producing These Files

To produce the keys, run the following command:

```bash
# create the private key. It must be RSA 2048
$ openssl genrsa -out ALDsigning.key 2048

# create the CSR
$ openssl req -new -key ALDsigning.key -out csr3072ALDSigning.certSigningRequest -subj "/emailAddress=lmika@lmika.org, CN=dev.lmika.dynamo-browse, C=IE"
```

These are based on [these instructions](https://developer.apple.com/help/account/certificates/create-a-certificate-signing-request).
The instructions are incorrect though. They claim that the key lenght should be 3096, but AppStore connect only supports 2048.

Then, upload the CSR to AppStore Connect, choosing the "Developer ID Application" certificate type. If successful,
you will be given a signed certificate, which will have the filename `developerID_application.signing.cer`.

Then, produce a PKCS12 (.p12) file by running the following command ([source](https://stackoverflow.com/questions/21141215/creating-a-p12-file)):

```bash
openssl pkcs12 -export -out keyStore.p12 -inkey ALDsigning.key -in developerID_application.signing.cer
```

## Getting the .p8 file

To download the .p8 file, go to the [Apple Developer Portal](https://appstoreconnect.apple.com/access/integrations/api/new),
and download a new API key for AppStore Connect. The role of the new key should be "Developer".

## Configuring the CI/CD secrets

The following secrets correspond to the given secrets:

- `MACOS_SIGN_P12`: base64 of keyStore.p12
- `MACOS_SIGN_PASSWORD` the p12 password
- `MACOS_NOTARY_ISSUER_ID`: see the UUID on this page: https://appstoreconnect.apple.com/access/integrations/api
- `MACOS_NOTARY_KEY_ID`: the ID of the .p8 file - `U4....`
- `MACOS_NOTARY_KEY`: base64 of the .p8 file
Item annotations and fix notarisation (#5) - Added methods for item notarisation Reviewed-on: https://lmika.dev/cmd/dynamo-browse/pulls/5 Co-authored-by: Leon Mika <lmika@lmika.org> Co-committed-by: Leon Mika <lmika@lmika.org> 2025-11-12 10:49:28 +00:00			`# Certs`

			`These hold the certificates for MacOS notarisation. As such they are not checked into the repository.`

			`List of files is as follows:`

			`- ALDsigning.key : private key`
			`- csr3072ALDSigning.certSigningRequest : certificate signing request`
			`- developerID_application.p12 : signed certificate`
			`- keyStore.p12 : pkcs12 keystore holding both the certificate and private key`
			`- AthKey_UD4...p8 : private key granting API access to AppStore connect`

			`## Producing These Files`

			`To produce the keys, run the following command:`

			```bash
			`# create the private key. It must be RSA 2048`
			`$ openssl genrsa -out ALDsigning.key 2048`

			`# create the CSR`
			`$ openssl req -new -key ALDsigning.key -out csr3072ALDSigning.certSigningRequest -subj "/emailAddress=lmika@lmika.org, CN=dev.lmika.dynamo-browse, C=IE"`
			```

			`These are based on [these instructions](https://developer.apple.com/help/account/certificates/create-a-certificate-signing-request).`
			`The instructions are incorrect though. They claim that the key lenght should be 3096, but AppStore connect only supports 2048.`

			`Then, upload the CSR to AppStore Connect, choosing the "Developer ID Application" certificate type. If successful,`
			you will be given a signed certificate, which will have the filename `developerID_application.signing.cer`.

			`Then, produce a PKCS12 (.p12) file by running the following command ([source](https://stackoverflow.com/questions/21141215/creating-a-p12-file)):`

			```bash
			`openssl pkcs12 -export -out keyStore.p12 -inkey ALDsigning.key -in developerID_application.signing.cer`
			```

			`## Getting the .p8 file`

			`To download the .p8 file, go to the [Apple Developer Portal](https://appstoreconnect.apple.com/access/integrations/api/new),`
			`and download a new API key for AppStore Connect. The role of the new key should be "Developer".`

			`## Configuring the CI/CD secrets`

			`The following secrets correspond to the given secrets:`

			- `MACOS_SIGN_P12`: base64 of keyStore.p12
			- `MACOS_SIGN_PASSWORD` the p12 password
			- `MACOS_NOTARY_ISSUER_ID`: see the UUID on this page: https://appstoreconnect.apple.com/access/integrations/api
			- `MACOS_NOTARY_KEY_ID`: the ID of the .p8 file - `U4....`
			- `MACOS_NOTARY_KEY`: base64 of the .p8 file