Add build process instructions

[ArisBee]

Hello Max,

Could you please provide a new build with the validity window feature?

I've tried to build the software from source, but I could only get the Agent compiled with Notorization not the Host app itself. I believe there are some custom steps to build this app that are not working out of the box. Could you perhaps add a BUILD.md document with all the required steps to build this application from source in Xcode? I'm sure that would also help this project's community.

Best,

[maxgoedjen]

FWIW I just set up nightly builds (last night) here: https://github.com/maxgoedjen/secretive/actions/workflows/nightly.yml If you select a build, you can grab the download from the "Artifacts" section.

For most people I wouldn't advise doing a local build unless they're specifically writing something – basically the way the macOS Keychain/SEP model works is it's tied to the developer ID, and if you build locally, it will only show secrets created by that developer ID (ie, you'd have a separate list of secrets than the production app).

Probably still a good idea to have a build.md regardless, but if you're just interested in testing out that feature, I'd recommend using the nightly.

[ArisBee]

Thank you, this nightly build is exactly what I was looking for.

I had more in mind that if anything happens to the main GitHub project, stop being maintained or get compromised by an attacker, I could set a service account to automate the build so my company can continue using the app.

Regardless, a detailed build.md would be great to onboard new contributors.

[maxgoedjen]

@ArisBee would you mind testing out some steps for me? I think this is all that should be required, but I want to make sure that I've covered everything (and I don't have a not-already-configured Mac to verify against).

In "Signing (Debug)" section:

• Rename the Secretive target's bundle ID from com.maxgoedjen.Secretive.Host to com.YOURORGNAME.Secretive.Host
• Change the Secretive target's team to your team.
• Rename the SecretAgent target's bundle ID from com.maxgoedjen.Secretive.SecretAgent to com.YOURORGNAME.Secretive.SecretAgent
• Change the SecretAgent's target's team to your team.

I think that's all your should need to do to get a debug build running. Note you won't see your secrets from the production build.

[ArisBee]

@maxgoedjen I've already done the above, but it only enables to run the application locally, not on someone's else machine.

For instance, in this PR

• We changed the development team to our own
• We changed the app id to our own (both for the Agent and the Host)
• We changed the signing style to Automatic (so certificates and Provisioning Profiles are generated automatically)

-> With these changes, it’s possible to create an archive from Xcode (Generic Xcode Archive) containing both Agent and Host, but it’s only possible to open locally

So we did the below changes:

• On the Secretive target: SKIP_INSTALL = YES
• With this change, Xcode recognizes the Archive as MacOS app, allowing to sign the app for distribution outside the App Store (using a Developer ID certificate), so it can be installed on other devices.
• The problem is, now only the Agent binary is part of the archive.

It’s probably possible to set up the Xcode project and/or archiving steps such that we can sign using a Developer ID certificate, and it still contains both apps, but the team and I are not familiar enough with macOS project configuration to figure that one out. I suppose you have resolved this for your own release script, could you perhaps explain what we need to change in the above steps?

[maxgoedjen]

@ArisBee ah, missed that this was release-focused. Honestly I have all of that stuff set up in actions https://github.com/maxgoedjen/secretive/blob/main/.github/workflows/release.yml – I never run that locally.

In the situation where someone needs to take over the project, I suppose I'd mostly need to detail how all those env vars are set?

[ArisBee]

@maxgoedjen Yes that would help if you could detail how to set these variables somewhere. It's a bit challenging to get a working release out of the box at the moment.