Is it possible to notarize the Mac build on Windows, or Gitlab CI?

[SergioAlonsoJr]

I want to notarize the Mac version, but I don't own a Mac.

Is it possible to notarize the Mac build on Windows, or Gitlab CI?

[kobaltcore]

Yes, this is possible, but a bit cumbersome. renconstruct actually ships with a notarization task that should be able to do this, but since Apple likes to change things rather frequently, this is not guaranteed to work in the future.

You can supply the relevant data for this via environment variables such as this in a Github Action:

- name: Build Project
  run: renconstruct -d -i "${{ github.workspace }}" -o "${{ github.workspace }}/../dist" -c "${{ github.workspace }}/config.yml"
  env:
    RC_APPLE_ID: ${{ secrets.RC_APPLE_ID }}
    RC_APPLE_PWD: ${{ secrets.RC_APPLE_PWD }}
    RC_SIGN_CERT: ${{ secrets.RC_SIGN_CERT }}
    RC_SIGN_CERT_PWD: ${{ secrets.RC_SIGN_CERT_PWD }}
    RC_SIGN_IDENTITY: ${{ secrets.RC_SIGN_IDENTITY }}

This requires the following:

• An Apple ID with a subscription to the Apple Developer Program (100$ a year)
• An App-Specific password for your Apple ID, generated via Apple's Account Profile website
• A signing certificate, generated via XCode or on the Developer Portal and exported as a .p12, then encoded as base64
• The password used for the certificate export
• The signing Identity, which is the hash code specified for the certificate

This is unfortunately very cumbersome to obtain, especially if you do not own a Mac to prepare these things in the first place. Once they're all in place, signing on a macOS runner should be possible though.

[SergioAlonsoJr]

@kobaltcore, can these steps work?

1. Rent a MAC and generate the necessary files
2. Transfer these files to my Windows PC
3. Run the notarization task on my Windows PC

If yes, I will do it.

[kobaltcore]

Unfortunately not quite. While the first step would work, the actual code signing and notarization will have to take place on a Mac as well.

It should, however, still be possible. The certificate can be generated without a Mac, I believe, by going through the Apple Developer Portal (which also allows you to download the necessary file). This can then be stored as a GitHub Actions Secret and used in a CI run. Since GGA supports macOS runners (only Intel atm, but still better than nothing), you should then be able to complete the notarization process via GHA, without having to own or rent a Mac yourself.

renconstruct actually ships with a notarization task built for this purpose, it will set up everything that's needed internally during the CI run. Fair warning though: I have not used that particular functionality in a while, so I'd have to re-check it to make sure it's still working.