- Added methods for item notarisation Reviewed-on: #5 Co-authored-by: Leon Mika <lmika@lmika.org> Co-committed-by: Leon Mika <lmika@lmika.org>
Certs
These files hold the certificates for macOS notarisation. As such, they are not checked into the repository.
The files are as follows:
- ALDsigning.key : private key
- csr3072ALDSigning.certSigningRequest : certificate signing request
- developerID_application.p12 : signed certificate
- keyStore.p12 : pkcs12 keystore holding both the certificate and private key
- AthKey_UD4...p8 : private key granting API access to AppStore Connect
Producing These Files
To produce the keys, run the following commands:

```
# create the private key. It must be RSA 2048
$ openssl genrsa -out ALDsigning.key 2048
# create the CSR (fields in -subj are separated by "/")
$ openssl req -new -key ALDsigning.key -out csr3072ALDSigning.certSigningRequest -subj "/emailAddress=lmika@lmika.org/CN=dev.lmika.dynamo-browse/C=IE"
```
These commands are based on these instructions. The instructions are incorrect though. They claim that the key length should be 3096, but AppStore Connect only supports 2048.
Then, upload the CSR to AppStore Connect, choosing the "Developer ID Application" certificate type. If successful,
you will be given a signed certificate, which will have the filename developerID_application.signing.cer.
Then, produce a PKCS12 (.p12) file by running the following command (source):

```
openssl pkcs12 -export -out keyStore.p12 -inkey ALDsigning.key -in developerID_application.signing.cer
```
Getting the .p8 file
To download the .p8 file, go to the Apple Developer Portal, and download a new API key for AppStore Connect. The role of the new key should be "Developer".
Configuring the CI/CD secrets
The CI/CD secrets correspond to the following values:
- MACOS_SIGN_P12: base64 of keyStore.p12
- MACOS_SIGN_PASSWORD: the p12 password
- MACOS_NOTARY_ISSUER_ID: see the UUID on this page: https://appstoreconnect.apple.com/access/integrations/api
- MACOS_NOTARY_KEY_ID: the ID of the .p8 file -U4....
- MACOS_NOTARY_KEY: base64 of the .p8 file
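
Before keyStore.p12 is base64-encoded into MACOS_SIGN_P12, it is worth confirming that the key really is RSA 2048 and that the certificate returned by AppStore Connect was issued for that key. The shell functions below are an added example, not part of this repository; the function names and the P12_PASSWORD environment variable are assumptions.

```shell
#!/bin/sh
# Added example: pre-flight checks before keyStore.p12 goes into CI secrets.
# Function names and the P12_PASSWORD variable are hypothetical.

# Modulus size in bits of an RSA private key in PEM form.
key_bits() {
  openssl rsa -in "$1" -noout -text 2>/dev/null |
    sed -n 's/.*Private-Key: (\([0-9]*\) bit.*/\1/p'
}

# Emit the certificate as PEM whether the input file is PEM or DER.
cert_pem() {
  openssl x509 -in "$1" 2>/dev/null || openssl x509 -in "$1" -inform DER
}

# Succeed only if the certificate's public key belongs to the private key.
cert_matches_key() {  # $1 = private key, $2 = certificate
  cmk_key=$(openssl pkey -in "$1" -pubout 2>/dev/null)
  cmk_crt=$(cert_pem "$2" 2>/dev/null | openssl x509 -noout -pubkey 2>/dev/null)
  [ -n "$cmk_key" ] && [ "$cmk_key" = "$cmk_crt" ]
}

# Build the PKCS12 file only when both checks pass. The password is read
# from the environment so it does not appear on the command line.
build_p12() {  # $1 = private key, $2 = certificate, $3 = output file
  [ "$(key_bits "$1")" = 2048 ] ||
    { echo "refusing: $1 is not an RSA 2048 key" >&2; return 1; }
  cert_matches_key "$1" "$2" ||
    { echo "refusing: $2 was not issued for $1" >&2; return 1; }
  cert_pem "$2" | openssl pkcs12 -export -out "$3" -inkey "$1" \
    -passout env:P12_PASSWORD
}

# Base64 on a single line, ready to paste into MACOS_SIGN_P12.
secret_b64() {
  openssl base64 -A -in "$1"
}

# Usage (file names from the list above):
#   export P12_PASSWORD=...   # set from a prompt or a secret store
#   build_p12 ALDsigning.key developerID_application.signing.cer keyStore.p12 &&
#     secret_b64 keyStore.p12
```

A mismatch between key and certificate otherwise only shows up when the signing step fails in CI.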