From ca50342558fcbfbc3f4904ab3dda51e88108626c Mon Sep 17 00:00:00 2001
From: Leon Mika
Date: Wed, 12 Nov 2025 10:49:28 +0000
Subject: [PATCH] Item annotations and fix notarisation (#5)
- Added methods for item notarisation
Reviewed-on: https://lmika.dev/cmd/dynamo-browse/pulls/5
Co-authored-by: Leon Mika
Co-committed-by: Leon Mika
---
 .forgejo/workflows/release.yaml | 8 ++++++
 _certs/.gitignore | 6 ++++
 _certs/README.md | 50 +++++++++++++++++++++++++++++++++
 macos.goreleaser.yml | 15 ++++++++++
 4 files changed, 79 insertions(+)
 create mode 100644 _certs/.gitignore
 create mode 100644 _certs/README.md
diff --git a/.forgejo/workflows/release.yaml b/.forgejo/workflows/release.yaml
index 6e12737..1282205 100644
--- a/.forgejo/workflows/release.yaml
+++ b/.forgejo/workflows/release.yaml
@@ -79,6 +79,9 @@ jobs:
 uses: actions/setup-go@v3
 with:
 go-version: 1.25
+ - name: Setup Dependencies
+ run: |
+ brew install gpg
 - name: Configure
 run: |
 git config --global url."https://${{ secrets.GO_MODULES_TOKEN }}:x-oauth-basic@github.com/lmika".insteadOf "https://github.com/lmika"
@@ -91,6 +94,11 @@ jobs:
 env:
 GITEA_TOKEN: ${{ secrets.GITHUB_TOKEN }}
 HOMEBREW_TAP_PRIVATE_KEY: ${{ secrets.HOMEBREW_TAP_PRIVATE_KEY }}
+ MACOS_SIGN_P12: ${{ secrets.MACOS_SIGN_P12 }}
+ MACOS_SIGN_PASSWORD: ${{ secrets.MACOS_SIGN_PASSWORD }}
+ MACOS_NOTARY_KEY: ${{ secrets.MACOS_NOTARY_KEY }}
+ MACOS_NOTARY_KEY_ID: ${{ secrets.MACOS_NOTARY_KEY_ID }}
+ MACOS_NOTARY_ISSUER_ID: ${{ secrets.MACOS_NOTARY_ISSUER_ID }}
 
 # release-linux:
 # needs: build
diff --git a/_certs/.gitignore b/_certs/.gitignore
new file mode 100644
index 0000000..27fdaaf
--- /dev/null
+++ b/_certs/.gitignore
@@ -0,0 +1,6 @@
+*.key
+*.p8
+*.certSigningRequest
+*.cer
+*.p12
+*.txt
\ No newline at end of file
diff --git a/_certs/README.md b/_certs/README.md
new file mode 100644
index 0000000..2d7fbab
--- /dev/null
+++ b/_certs/README.md
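Review bot: The new `Setup Dependencies` step installs gpg without saying what consumes it, and nothing else in either release.yaml hunk references gpg, so a reader cannot tell whether it is a hard requirement of the goreleaser run or a leftover. A one-line comment above the step, `# gpg: needed by <consumer — confirm, presumably a goreleaser signing stage>`, would settle that; if no stage uses it, the step can go. A single command also does not need a block scalar, `run: brew install gpg` reads the same. The job that contains this step starts outside the hunk.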
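Review bot: The new `_certs/.gitignore` is a list of secret-bearing extensions, so any key material saved under another name in this directory (a `.pem`, a `.mobileprovision`, an export without an extension) is tracked by default, even though the README added in the same commit states these files are not checked into the repository. Inverting it to deny-by-default is safer and still three lines: `*`, `!.gitignore`, `!README.md`. A `.gitignore` only guards the default `git add` path, so a pre-commit secret scan remains worthwhile independently of this file. The file also lacks a trailing newline, as the patch itself notes.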
@@ -0,0 +1,50 @@
+# Certs
+
+These hold the certificates for MacOS notarisation. As such they are not checked into the repository.
+
+List of files is as follows:
+
+- ALDsigning.key : private key
+- csr3072ALDSigning.certSigningRequest : certificate signing request
+- developerID_application.p12 : signed certificate
+- keyStore.p12 : pkcs12 keystore holding both the certificate and private key
+- AthKey_UD4...p8 : private key granting API access to AppStore connect
+
+## Producing These Files
+
+To produce the keys, run the following command:
+
+```bash
+# create the private key. It must be RSA 2048
+$ openssl genrsa -out ALDsigning.key 2048
+
+# create the CSR
+$ openssl req -new -key ALDsigning.key -out csr3072ALDSigning.certSigningRequest -subj "/emailAddress=lmika@lmika.org, CN=dev.lmika.dynamo-browse, C=IE"
+```
+
+These are based on [these instructions](https://developer.apple.com/help/account/certificates/create-a-certificate-signing-request).
+The instructions are incorrect though. They claim that the key lenght should be 3096, but AppStore connect only supports 2048.
+
+Then, upload the CSR to AppStore Connect, choosing the "Developer ID Application" certificate type. If successful,
+you will be given a signed certificate, which will have the filename `developerID_application.signing.cer`.
+
+Then, produce a PKCS12 (.p12) file by running the following command ([source](https://stackoverflow.com/questions/21141215/creating-a-p12-file)):
+
+```bash
+openssl pkcs12 -export -out keyStore.p12 -inkey ALDsigning.key -in developerID_application.signing.cer
+```
+
+## Getting the .p8 file
+
+To download the .p8 file, go to the [Apple Developer Portal](https://appstoreconnect.apple.com/access/integrations/api/new),
+and download a new API key for AppStore Connect. The role of the new key should be "Developer".
+
+## Configuring the CI/CD secrets
+
+The following secrets correspond to the given secrets:
+
+- `MACOS_SIGN_P12`: base64 of keyStore.p12
+- `MACOS_SIGN_PASSWORD` the p12 password
+- `MACOS_NOTARY_ISSUER_ID`: see the UUID on this page: https://appstoreconnect.apple.com/access/integrations/api
+- `MACOS_NOTARY_KEY_ID`: the ID of the .p8 file - `U4....`
+- `MACOS_NOTARY_KEY`: base64 of the .p8 file
\ No newline at end of file
diff --git a/macos.goreleaser.yml b/macos.goreleaser.yml
index bfb5bfa..b442d4b 100644
--- a/macos.goreleaser.yml
+++ b/macos.goreleaser.yml
@@ -10,6 +10,21 @@ builds:
 main: ./cmd/dynamo-browse/.
 binary: dynamo-browse
 
+notarize:
+ macos:
+ - enabled: true
+ ids:
+ - dynamo-browse
+ sign:
+ certificate: "{{.Env.MACOS_SIGN_P12}}"
+ password: "{{.Env.MACOS_SIGN_PASSWORD}}"
+ notarize:
+ issuer_id: "{{.Env.MACOS_NOTARY_ISSUER_ID}}"
+ key_id: "{{.Env.MACOS_NOTARY_KEY_ID}}"
+ key: "{{.Env.MACOS_NOTARY_KEY}}"
+ wait: true
+ timeout: 20m
+
 archives:
 - id: tgz
 wrap_in_directory: false
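Review bot: `ids: - dynamo-browse` in the new `notarize.macos` entry has to match the `id` of the build stanza above it, but the only build lines in the hunk are `main: ./cmd/dynamo-browse/.` and `binary: dynamo-browse`; the build's `id:` line, if it has one, is outside the hunk. If the build relies on goreleaser's default id, this coupling is invisible, and a later change to the build could leave the binary un-notarised without an obvious failure (I have not confirmed how goreleaser treats an `ids` entry that matches no build). Setting an explicit `id: dynamo-browse` on the build, or adding `# must match builds[].id` above `ids:`, makes the link checkable. `wait: true` with `timeout: 20m` is the right choice, since a rejected or stalled notarisation then fails the release instead of shipping an unverified archive. The `builds:` stanza starts outside the hunk.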