cmd/dynamo-browse
1
0
Fork 0
Code Issues Pull requests Projects Releases 2 Packages Wiki Activity Actions

Enabled Notarisatio
Some checks failed
Release / Build (push) Successful in 3m49s
Details
Release / Release MacOS (push) Failing after 2m1s
Details
ci / Build (push) Successful in 3m33s
Details
Release / Site (push) Successful in 1m53s
Details

Browse source
This commit is contained in:
Leon Mika 2025-11-11 22:31:03 +11:00
parent 7718c0a0b8
commit a5cd4835f0
4 changed files with 79 additions and 0 deletions
Download patch file Download diff file Expand all files Collapse all files

6
_certs/.gitignore vendored Normal file
View file

@ -0,0 +1,6 @@
*.key
*.p8
*.certSigningRequest
*.cer
*.p12
*.txt

50
_certs/README.md Normal file
View file

@ -0,0 +1,50 @@
# Certs
These hold the certificates for MacOS notarisation. As such they are not checked into the repository.
List of files is as follows:
- ALDsigning.key : private key
- csr3072ALDSigning.certSigningRequest : certificate signing request
- developerID_application.p12 : signed certificate
- keyStore.p12 : pkcs12 keystore holding both the certificate and private key
- AthKey_UD4...p8 : private key granting API access to AppStore connect
## Producing These Files
To produce the keys, run the following command:
```bash
# create the private key. It must be RSA 2048
$ openssl genrsa -out ALDsigning.key 2048
# create the CSR
$ openssl req -new -key ALDsigning.key -out csr3072ALDSigning.certSigningRequest -subj "/emailAddress=lmika@lmika.org, CN=dev.lmika.dynamo-browse, C=IE"
```
These are based on [these instructions](https://developer.apple.com/help/account/certificates/create-a-certificate-signing-request).
The instructions are incorrect though. They claim that the key lenght should be 3096, but AppStore connect only supports 2048.
Then, upload the CSR to AppStore Connect, choosing the "Developer ID Application" certificate type. If successful,
you will be given a signed certificate, which will have the filename `developerID_application.signing.cer`.
Then, produce a PKCS12 (.p12) file by running the following command ([source](https://stackoverflow.com/questions/21141215/creating-a-p12-file)):
```bash
openssl pkcs12 -export -out keyStore.p12 -inkey ALDsigning.key -in developerID_application.signing.cer
```
## Getting the .p8 file
To download the .p8 file, go to the [Apple Developer Portal](https://appstoreconnect.apple.com/access/integrations/api/new),
and download a new API key for AppStore Connect. The role of the new key should be "Developer".
## Configuring the CI/CD secrets
The following secrets correspond to the given secrets:
- `MACOS_SIGN_P12`: base64 of keyStore.p12
- `MACOS_SIGN_PASSWORD` the p12 password
- `MACOS_NOTARY_ISSUER_ID`: see the UUID on this page: https://appstoreconnect.apple.com/access/integrations/api
- `MACOS_NOTARY_KEY_ID`: the ID of the .p8 file - `U4....`
- `MACOS_NOTARY_KEY`: base64 of the .p8 file