signing and notarizing

Author: thomasgeissl

.github/workflows/release-macos.yml

@@ -0,0 +1,99 @@
+# Build, sign, and notarize the macOS app. Run manually or on tag.
+# Required secrets: APPLE_CERTIFICATE, APPLE_CERTIFICATE_PASSWORD, APPLE_ID,
+#   APPLE_APP_SPECIFIC_PASSWORD, KEYCHAIN_PASSWORD
+# Optional: APPLE_TEAM_ID (defaults to DP9DFGMC65 in notarize script)
+
+name: Release macOS
+
+on:
+  workflow_dispatch:
+  push:
+    tags:
+      - '*'
+
+jobs:
+  release-macos:
+    runs-on: macos-latest
+    steps:
+      - name: Checkout repository
+        uses: actions/checkout@v4
+
+      - name: Set version from tag
+        id: version
+        run: |
+          if [[ "${{ github.ref }}" == refs/tags/* ]]; then
+            echo "version=${{ github.ref_name }}" >> $GITHUB_OUTPUT
+          else
+            echo "version=0.0.0" >> $GITHUB_OUTPUT
+          fi
+
+      - name: Write version file and update app config
+        run: |
+          VERSION="${{ steps.version.outputs.version }}"
+          echo "$VERSION" > app/version.txt
+          sed -i.bak "s/\"version\": \"[^\"]*\"/\"version\": \"$VERSION\"/" app/package.json && rm -f app/package.json.bak
+          sed -i.bak "s/\"version\":\"[^\"]*\"/\"version\":\"$VERSION\"/" app/src-tauri/tauri.conf.json && rm -f app/src-tauri/tauri.conf.json.bak
+          sed -i.bak "s/^version = \"[^\"]*\"/version = \"$VERSION\"/" app/src-tauri/Cargo.toml && rm -f app/src-tauri/Cargo.toml.bak
+
+      - name: Setup Node.js
+        uses: actions/setup-node@v4
+        with:
+          node-version: 20
+          cache: 'npm'
+          cache-dependency-path: app/package-lock.json
+
+      - name: Install Rust
+        uses: dtolnay/rust-toolchain@stable
+
+      - name: Import Apple Developer certificate
+        env:
+          APPLE_CERTIFICATE: ${{ secrets.APPLE_CERTIFICATE }}
+          APPLE_CERTIFICATE_PASSWORD: ${{ secrets.APPLE_CERTIFICATE_PASSWORD }}
+          KEYCHAIN_PASSWORD: ${{ secrets.KEYCHAIN_PASSWORD }}
+        run: |
+          echo "$APPLE_CERTIFICATE" | base64 --decode > certificate.p12
+          security create-keychain -p "$KEYCHAIN_PASSWORD" build.keychain
+          security default-keychain -s build.keychain
+          security unlock-keychain -p "$KEYCHAIN_PASSWORD" build.keychain
+          security set-keychain-settings -t 3600 -u build.keychain
+          security import certificate.p12 -k build.keychain -P "$APPLE_CERTIFICATE_PASSWORD" -T /usr/bin/codesign
+          security set-key-partition-list -S apple-tool:,apple:,codesign: -s -k "$KEYCHAIN_PASSWORD" build.keychain
+          rm certificate.p12
+
+      - name: Get signing identity
+        id: identity
+        run: |
+          SIGNING_IDENTITY=$(security find-identity -v -p codesigning build.keychain | grep "Developer ID Application" | head -1 | sed -n 's/.*"\(.*\)".*/\1/p')
+          if [ -z "$SIGNING_IDENTITY" ]; then
+            echo "No Developer ID Application identity found in keychain"
+            security find-identity -v -p codesigning build.keychain
+            exit 1
+          fi
+          echo "identity=$SIGNING_IDENTITY" >> $GITHUB_OUTPUT
+          echo "SIGNING_IDENTITY=$SIGNING_IDENTITY" >> $GITHUB_ENV
+
+      - name: Install dependencies
+        working-directory: app
+        run: npm ci
+
+      - name: Build and sign (Tauri + re-sign with timestamp + hardened runtime)
+        working-directory: app
+        env:
+          SIGNING_IDENTITY: ${{ steps.identity.outputs.identity }}
+        run: npm run tauri:build:release
+
+      - name: Notarize
+        working-directory: app
+        env:
+          APPLE_ID: ${{ secrets.APPLE_ID }}
+          APPLE_APP_SPECIFIC_PASSWORD: ${{ secrets.APPLE_APP_SPECIFIC_PASSWORD }}
+          APPLE_TEAM_ID: ${{ secrets.APPLE_TEAM_ID }}
+        run: npm run notarize
+
+      - name: Upload notarized app
+        uses: actions/upload-artifact@v4
+        with:
+          name: macos-notarized-app-${{ steps.version.outputs.version }}
+          path: |
+            app/src-tauri/target/release/bundle/macos/neopixel-blocks.app
+            app/version.txt

app/package-lock.json

@@ -10,12 +10,16 @@
     "lint": "eslint .",
     "preview": "vite preview",
     "serve": "npm run build && npx http-serve dist -p 80",
+    "tauri": "tauri",
     "tauri:dev": "npx tauri dev",
     "tauri:build": "npx tauri build",
+    "tauri:build:release": "npm run tauri:build && sh scripts/resign-macos.sh",
     "tauri:android:init": "npx tauri android init",
     "tauri:android:build": "tauri android build",
-    "tauri:ios:init": "npx tauri ios init",
-    "tauri:ios:build": "npx tauri ios build"
+    "tauri:ios:check": "node -e \"try{require('child_process').execSync('which pod',{stdio:'pipe'});}catch(e){console.error('\\nCocoaPods (pod) is required for Tauri iOS. Install it first:\\n  brew install cocoapods\\nor\\n  sudo gem install cocoapods\\n');process.exit(1);}\"",
+    "tauri:ios:init": "npm run tauri:ios:check && npx tauri ios init",
+    "tauri:ios:build": "npx tauri ios build",
+    "notarize": "sh scripts/notarize.sh"
   },
   "dependencies": {
     "@emotion/react": "^11.14.0",

app/package.json

@@ -0,0 +1,64 @@
+#!/usr/bin/env bash
+set -e
+
+# Notarize the built macOS app. Run after: npm run tauri:build:release
+# (tauri:build:release re-signs with timestamp + hardened runtime and removes the DMG)
+# Requires env: APPLE_ID, APPLE_APP_SPECIFIC_PASSWORD
+# Optional: APPLE_TEAM_ID (defaults to DP9DFGMC65)
+
+APPLE_TEAM_ID="${APPLE_TEAM_ID:-DP9DFGMC65}"
+BUNDLE="src-tauri/target/release/bundle"
+APP="$BUNDLE/macos/neopixel-blocks.app"
+DMG=$(echo $BUNDLE/dmg/*.dmg 2>/dev/null || true)
+
+if [ -z "$APPLE_ID" ] || [ -z "$APPLE_APP_SPECIFIC_PASSWORD" ]; then
+  echo "Set APPLE_ID and APPLE_APP_SPECIFIC_PASSWORD (app-specific password from appleid.apple.com)"
+  exit 1
+fi
+
+if [ ! -d "$BUNDLE" ]; then
+  echo "Bundle not found at $BUNDLE. Run: npm run tauri:build:release"
+  exit 1
+fi
+
+# Only notarize the .app after tauri:build:release (re-signed; DMG is removed then).
+# If DMG still exists, the .app was not re-signed — Apple will reject it.
+if [ -f "$DMG" ]; then
+  echo "DMG still present. Run: npm run tauri:build:release"
+  echo "That re-signs the app with timestamp + hardened runtime and removes the DMG. Then run npm run notarize again."
+  exit 1
+fi
+
+if [ -d "$APP" ]; then
+  ZIP="$BUNDLE/macos/neopixel-blocks.zip"
+  echo "Submitting .app for notarization (zipping)..."
+  ditto -c -k --keepParent "$APP" "$ZIP"
+  SUBMIT_OUTPUT=$(xcrun notarytool submit "$ZIP" \
+    --apple-id "$APPLE_ID" \
+    --password "$APPLE_APP_SPECIFIC_PASSWORD" \
+    --team-id "$APPLE_TEAM_ID" \
+    --wait 2>&1) || true
+  rm -f "$ZIP"
+  echo "$SUBMIT_OUTPUT"
+  if echo "$SUBMIT_OUTPUT" | grep -q "status: Invalid"; then
+    SUBMISSION_ID=$(echo "$SUBMIT_OUTPUT" | grep "id:" | head -1 | sed 's/.*id: *//' | tr -d ' ')
+    echo "Notarization failed. Fetching Apple's rejection reason..."
+    if [ -n "$SUBMISSION_ID" ]; then
+      xcrun notarytool log "$SUBMISSION_ID" \
+        --apple-id "$APPLE_ID" \
+        --password "$APPLE_APP_SPECIFIC_PASSWORD" \
+        --team-id "$APPLE_TEAM_ID" 2>&1 || true
+    fi
+    exit 1
+  fi
+  if ! echo "$SUBMIT_OUTPUT" | grep -q "status: Accepted"; then
+    echo "Unexpected notarization status. Aborting."
+    exit 1
+  fi
+  echo "Stapling notarization ticket to app..."
+  xcrun stapler staple "$APP"
+  echo "Done. Notarized: $APP"
+else
+  echo "No .app found under $BUNDLE. Run: npm run tauri:build:release"
+  exit 1
+fi

app/scripts/notarize.sh

@@ -0,0 +1,58 @@
+#!/usr/bin/env bash
+# Re-sign the macOS app binary with secure timestamp and hardened runtime
+# so it passes Apple notarization. Run after: npm run tauri:build
+# Set SIGNING_IDENTITY to your keychain identity, e.g.:
+#   security find-identity -v -p codesigning
+#   export SIGNING_IDENTITY="Developer ID Application: Your Name (TEAM_ID)"
+
+set -e
+if [ -z "$SIGNING_IDENTITY" ]; then
+  echo "SIGNING_IDENTITY not set. Find your identity with: security find-identity -v -p codesigning"
+  echo "Then run: export SIGNING_IDENTITY=\"Developer ID Application: Your Name (TEAM_ID)\""
+  exit 1
+fi
+BUNDLE="src-tauri/target/release/bundle"
+APP="$BUNDLE/macos/neopixel-blocks.app"
+BINARY="$APP/Contents/MacOS/app"
+ENTITLEMENTS="src-tauri/Entitlements.plist"
+
+if [ ! -f "$BINARY" ]; then
+  echo "Binary not found at $BINARY. Run: npm run tauri:build"
+  exit 1
+fi
+
+if ! security find-identity -v -p codesigning | grep -Fq "$SIGNING_IDENTITY"; then
+  echo "Signing identity not found in keychain: $SIGNING_IDENTITY"
+  echo ""
+  echo "List available identities:"
+  security find-identity -v -p codesigning
+  echo ""
+  echo "Use the exact string in quotes (e.g. \"Developer ID Application: ...\") and run:"
+  echo "  export SIGNING_IDENTITY=\"<your exact identity>\""
+  echo "  npm run tauri:build:release"
+  exit 1
+fi
+
+echo "Re-signing main binary with timestamp and hardened runtime..."
+if ! codesign --force --timestamp --options runtime \
+  -s "$SIGNING_IDENTITY" \
+  --entitlements "$ENTITLEMENTS" \
+  "$BINARY"; then
+  echo ""
+  echo "Resign failed. DMG was not removed. Fix SIGNING_IDENTITY/keychain and run: npm run tauri:build:release"
+  exit 1
+fi
+
+echo "Re-signing app bundle..."
+if ! codesign --force --timestamp --options runtime \
+  -s "$SIGNING_IDENTITY" \
+  "$APP"; then
+  echo ""
+  echo "Resign failed. DMG was not removed. Fix SIGNING_IDENTITY/keychain and run: npm run tauri:build:release"
+  exit 1
+fi
+
+# Remove DMG so notarize uses the re-signed .app (DMG would still contain old copy)
+rm -f "$BUNDLE/dmg/"*.dmg 2>/dev/null || true
+
+echo "Done. Run npm run notarize to submit the re-signed .app."

app/scripts/resign-macos.sh

@@ -1,4 +1,9 @@
 # Generated by Cargo
 # will have compiled files and executables
 /target/
+
+# Generated platform projects (Xcode, Android, etc.)
+/gen/
+
+# Generated schemas (if any)
 /gen/schemas

app/src-tauri/.gitignore

@@ -0,0 +1,12 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
+<plist version="1.0">
+<dict>
+	<key>com.apple.security.cs.allow-jit</key>
+	<true/>
+	<key>com.apple.security.cs.allow-unsigned-executable-memory</key>
+	<true/>
+	<key>com.apple.security.cs.disable-library-validation</key>
+	<true/>
+</dict>
+</plist>

app/src-tauri/Entitlements.plist

@@ -32,6 +32,14 @@
       "icons/128x128@2x.png",
       "icons/icon.icns",
       "icons/icon.ico"
-    ]
+    ],
+    "macOS": {
+      "signingIdentity": null,
+      "hardenedRuntime": true,
+      "entitlements": "./Entitlements.plist"
+    },
+    "iOS": {
+      "developmentTeam": "YOUR_APPLE_TEAM_ID"
+    }
   }
-}
+}