Binary signing for macOS about ipfs-desktop HOT 7 CLOSED

Happy to say we're getting a first pass on "signed releases for macOS" in to the next release, in significantly less than 4 years after the initial proposal.

Of note, it is tricky. There are a bunch of hoops you have to jump through on the Apple Developer portal and more on the local keychain handling, and more again to wire it up to CI.

Disclaimer: this is my first go-round with this, but the output has created an electron-builder created .dmg that can be installed on macOS with just the "this app came from the internet warning" and not the "you cant install this app becuase it is from the unknown" warning... so i'm reasonably happy with the results. And yes, this is about the worst admin flow I have ever seen. I think xcode is supposed to hide some of this from you, but we didn't come this far to open up that thing.

with an apple team account created, and you as the team agent...

• You need to be the Apple Developer "Team Agent" to create certificates.
• There can be only one Team Agent, having the admin role wont do.
• You must have 2 factor auth enabled on your apple ID.
• With all that in place, log in to https://developer.apple.com and click "Certificates, IDs & Profiles"
• Choose "macOS" from the drop down in the top left that initially says "iOS, tvOS, watchOS"
• Hit the plus in the top right to start the cert creation flow. You need to do this twice for both Developer ID Application and Developer ID Installer. You can use the same CSR for both.

1	2	3	4
Pick Developer ID to create certs for distribution outside of the app store	Pick Developer ID Application. You will need to do this again for Developer ID Installer too.	blurb about creating a CSR	Go create your CSR, as described below

• You create Certificate Signing Request via your local Keychain Access app to create certificates.
  • keychain access > certificate assistant > Request a certificate from a certificate authority

Then follow the steps in https://www.electron.build/code-signing#travis-appveyor-and-other-ci-servers to wire it up for CI

To sign app on build server you need to set CSC_LINK, CSC_KEY_PASSWORD:

• Export certificate. Consider to not use special characters (for bash) in the password because “values are not escaped when your builds are executed”.
• Encode file to base64 (macOS: base64 -i yourFile.p12 -o envValue.txt, Linux: base64 yourFile.p12 > envValue.txt).

Thanks to @jesseclay for sticking with me on this advenure!

from ipfs-desktop.

Binary signing is set up and working. The next version will have macOS signed binaries.

from ipfs-desktop.

@jbenet how long do you think this will take you? Is it realistic to get this done for 1.0?

from ipfs-desktop.

i'm not sure. i'll look into it, but this week is basically shot for me. if you need it this week, then no. next week is likely. then there's apple's review process. i think it's much faster now, but it used to take a week or something.

from ipfs-desktop.

That's fine, I'll do the prerelease unsigned this week and want to wait at least one week anyway before the real release.

from ipfs-desktop.

Ref electron/packager#163

from ipfs-desktop.

I figured this out from a mix of

• https://www.electron.build/code-signing
• https://medium.com/@jondot/shipping-electron-apps-to-mac-app-store-with-electron-builder-e960d46148ec
• fumbling in the dark

from ipfs-desktop.