feat(desktop): Developer ID signing + notarization for macOS release#3619
Merged
Replace the ad-hoc codesign in desktop-build.sh with a real Developer ID Application signature (hardened runtime + entitlements + timestamp), notarize the .app and the .dmg via notarytool, and staple the tickets, so a downloaded build opens with no Gatekeeper prompt. Gated on HAS_APPLE_CERT (derived from the APPLE_* secrets in release-desktop.yml): with no secrets the build falls back to ad-hoc signing, leaving fork and local builds unaffected. The workflow imports the cert into a throwaway keychain and stages the notarization key. Add build/darwin/entitlements.plist (hardened-runtime carve-outs for the Go + WKWebView runtime) and un-ignore it in desktop/.gitignore, since unlike Info.plist it is not regenerated by wails build.
What

Replace the ad-hoc macOS `codesign` with a real Developer ID Application signature + notarization, so a downloaded desktop build opens with no Gatekeeper "is damaged / unidentified developer" prompt.

Changes

- `scripts/desktop-build.sh` — when `HAS_APPLE_CERT` is set, sign the `.app` with Developer ID (hardened runtime + entitlements + secure timestamp), notarize the `.app` and the `.dmg` via `notarytool --wait`, then `stapler staple` the tickets. Without it, fall back to the existing ad-hoc signing.
- `.github/workflows/release-desktop.yml` — new macOS-only "Import Apple signing certificate" step (imports the `.p12` into a throwaway keychain, stages the `.p8` notarization key); the build step derives `HAS_APPLE_CERT` from the five `APPLE_*` secrets and injects the notarization env.
- `desktop/build/darwin/entitlements.plist` — new. Hardened-runtime entitlements (JIT / unsigned-executable-memory / library-validation carve-outs the Go + WKWebView runtime needs to notarize).
- `desktop/.gitignore` — un-ignore the entitlements file. Unlike `Info.plist` it is not regenerated by `wails build`, so it must live in git.

Gating / safety

`HAS_APPLE_CERT` is true only when all five secrets (`APPLE_CERT_P12`, `APPLE_CERT_PASSWORD`, `APPLE_API_KEY_P8`, `APPLE_API_KEY_ID`, `APPLE_API_ISSUER_ID`) are present. With none set — forks, local builds — the build ad-hoc signs exactly as before. No behavior change without secrets.

Verification

- `bash -n scripts/desktop-build.sh` passes; workflow YAML parses; the ad-hoc fallback path is intact.
- `desktop-v*` tag (or a local `HAS_APPLE_CERT=true` smoke test); it is not exercised by this PR's CI.
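The sign / notarize / staple flow the PR describes, written out as an added example; this is not the project's `desktop-build.sh`. It assumes `APPLE_SIGNING_IDENTITY` as the name of the identity variable (not in the PR) and makes the tool commands overridable so the `HAS_APPLE_CERT` gating can be checked on a machine without Xcode.

```shell
#!/bin/sh
# Added example, not the project's desktop-build.sh: sign always, and notarize +
# staple only when the workflow set HAS_APPLE_CERT=true. CODESIGN / XCRUN / DITTO
# can be pointed at stubs to exercise the gating logic without Xcode.
set -eu

CODESIGN="${CODESIGN:-codesign}"
XCRUN="${XCRUN:-xcrun}"
DITTO="${DITTO:-ditto}"
ENTITLEMENTS="${ENTITLEMENTS:-build/darwin/entitlements.plist}"   # path from the PR
SIGN_ID="${APPLE_SIGNING_IDENTITY:-Developer ID Application}"      # assumed variable name

# "developer-id" only when all five APPLE_* secrets were present upstream; else "ad-hoc".
sign_mode() {
  if [ "${HAS_APPLE_CERT:-}" = "true" ]; then echo developer-id; else echo ad-hoc; fi
}

# Sign one .app. Hardened runtime, entitlements and a secure timestamp are
# preconditions for notarization, so they are only applied with a real identity.
sign_app() {
  app="$1"
  if [ "$(sign_mode)" = developer-id ]; then
    set -- --force --options runtime --timestamp \
           --entitlements "$ENTITLEMENTS" --sign "$SIGN_ID" "$app"
  else
    set -- --force --sign - "$app"        # "-" is the ad-hoc identity
  fi
  "$CODESIGN" "$@"
  # Catch a broken signature locally, before the slow notarization round trip.
  "$CODESIGN" --verify --deep --strict "$app"
}

# Submit one artifact with notarytool (blocking on --wait) and staple the ticket.
# A .app bundle must be zipped for upload; a .dmg is submitted as-is.
notarize_and_staple() {
  artifact="$1"; upload="$1"
  case "$artifact" in
    *.app) upload="${artifact%.app}.zip"; "$DITTO" -c -k --keepParent "$artifact" "$upload" ;;
  esac
  "$XCRUN" notarytool submit "$upload" --wait \
      --key "$APPLE_API_KEY_P8" --key-id "$APPLE_API_KEY_ID" --issuer "$APPLE_API_ISSUER_ID"
  "$XCRUN" stapler staple "$artifact"
}

# Release path: $1 is the .app, $2 the .dmg. Forks and local builds stop after sign_app.
release_sign() {
  sign_app "$1"
  if [ "$(sign_mode)" = developer-id ]; then
    notarize_and_staple "$1"
    notarize_and_staple "$2"
  fi
}
```

With `set -u`, a missing `APPLE_API_*` variable aborts the notarization step instead of submitting with an empty key, which is the failure mode you want in CI.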