stake-house / wagyu-key-gen

GNU General Public License v3.0
61 stars 44 forks

Add code signing for macOS release #125

Open remyroy opened 2 years ago

remyroy commented 2 years ago

I think this is a good starting point: https://developer.apple.com/support/code-signing/

remyroy commented 2 years ago

Colfax will not be able to explore this. We'll need to find someone else to do this.

valefar-on-discord commented 8 months ago

Both Remy and myself tried to create apple developer accounts and both were blocked for unknown reasons preventing much progress on this.

alexpeterson91 commented 8 months ago

I've done it successfully on my fork for Gnosis Chain. It's not really possible to make it work with CI due to several required variables and other things that just don't work with it (unless you are simply building the whole thing in Xcode as a fresh project), and it is a weird process, but I have signed installers, signed DMGs and signed apps. Let me know if you want any help; I have a whole file with my attempts, failures and finally successes. Make sure to add a provisioning profile and hardened runtime enabled and like 1-2 other params in a .plist file; without hardened runtime you cannot get it signed, notarized and staple the notarization from Apple's automated notarization system.

Let me know if you want any help, since I've done it with Wagyu already; lots of trial and error, but I got it done and can likely help you out.

alexpeterson91 commented 8 months ago

Need to add a few yarn dev dependencies as well, and also run it all on macOS.

Note: once an app is notarized, it is available on Apple's servers for all Macs WITH INTERNET to see it as legitimately signed. If they are not online, they can't verify it has been greenlighted by Apple and will need to bypass the "unidentified developer" warnings, unless you staple the notarization to the distributed software, which then allows offline computers (as should be the case with Wagyu) to verify the signature offline.

yarn add @electron/notarize --dev
yarn add @electron/osx-sign --dev

Make sure to have as few entitlements as possible; this worked for me:

entitlements.mac.plist

<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
  <dict>
    <key>com.apple.security.cs.allow-jit</key>
    <true/>
    <key>com.apple.security.cs.disable-library-validation</key>
    <true/>
  </dict>
</plist>

(Looking at the latest docs right now, I'm pretty sure you can now remove the disable-library-validation entitlement, at least for the latest versions of macOS, new since November last year; I did mine in August, so some of my info may be outdated, like this.)

You need to have different certs for different types of packages: for a flat installer .pkg you need a developerID_installer.cer; for the prebuilt binaries (.zip/.app) you need a developerID_application.cer. For both you need to create a CertificateSigningRequest to upload to Apple to get the certs. For flat package installers you need electron-osx-flat from yarn.

And to submit for notarization you must use the Mac command built into Xcode (and the Xcode CLI tools): xcrun notarytool. The example command includes your Apple developer ID, your application-specific password, your Team ID and the file you want to notarize:

xcrun notarytool submit Gnosis\ Wagyu\ Key\ Gen-1.0.0-mac.zip --apple-id "voss@visnovalabs.io" --team-id "B3VDM3LG5K" --password "xxxx-xxxx-xxxx-xxxx" --wait

It's an automated process and only takes a couple of minutes, if that. It will output a log ID from the submission that you can verify by running the following, replacing the ID with your submission ID:

xcrun notarytool log 2f9b03c6-6aa0-4d8e-adf5-54fb2a7506df --apple-id "voss@visnovalabs.io" --team-id "B3VDM3LG5K" --password "xxxx-xxxx-xxxx-xxxx" developer_log.json

to view the full log and see if there were any errors notarizing. If not, move on to staple the notarization to the app using:

xcrun stapler staple "Wagyu Key Gen.app"

DMGs are the hardest, since you cannot notarize and staple the image file, but you can with the app inside, and it is recognized by the system. But they also have a ton of fun things to play with: custom backgrounds, custom sizes, add a shortcut to /Applications, really anything. You have to use a few other tools for that, but it's still not that hard (i.e. I've used this before):

# --codesign and --notarize each take an argument in create-dmg (a signing
# identity and a keychain profile name); check `create-dmg --help` for yours
create-dmg --volname "Gnosis Wagyu Key Gen" \
  --volicon ../build/icon.icns \
  --app-drop-link 30 30 \
  --no-internet-enable \
  --codesign --notarize \
  "Gnosis Wagyu Keygen.dmg" mac/
# assess the resulting image with Gatekeeper
spctl -a -v "Gnosis Wagyu Keygen.dmg"

This adds the application, the icon, the location and the Applications shortcut, verifies that internet-enable is off for extra protection, and also tries to code sign.

Sorry these steps are out of order and not complete, but there's a whole process that's confusing and not like normal code signing for Windows and Linux systems, but it's not that hard so long as you follow the instructions. I'll try and put together a new one for myself with all commands in a row, not just my entire bash history from when I was testing it and eventually figured it out by the end.

Info is from https://developer.apple.com/documentation/security/notarizing_macos_software_before_distribution & https://developer.apple.com/documentation/security/code_signing_services, along with some other things I just googled. But yeah, it's a bit confusing but not that hard to do, but very hard to impossible to automate the process entirely via CI unless it's all in Xcode.
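Two offline checks that fit the flow in the comment above: auditing the entitlements .plist for hardened-runtime escape hatches before signing (the "as few entitlements as possible" advice), and triaging the JSON that `xcrun notarytool log ... developer_log.json` writes so a build script refuses to run `xcrun stapler staple` on a rejected submission. This is an added example, not code from the issue author or from wagyu-key-gen. The set of entitlements treated as risky is this example's own choice based on Apple's hardened runtime entitlement documentation; the sample plist is the one posted in the thread, and the sample notarization log (job ID, paths, messages) is constructed here in the shape notarytool uses.

```python
"""Offline checks around the macOS signing and notarization flow described
above. Added example, not code from the issue author or the wagyu-key-gen
project. The sample entitlements plist and notarytool log are constructed."""
import json
import plistlib

# Entitlements that weaken the hardened runtime. Which keys count as risky
# is this example's own editorial choice, taken from Apple's hardened
# runtime entitlement documentation, not from the issue thread.
RISKY_ENTITLEMENTS = {
    "com.apple.security.cs.disable-library-validation":
        "lets the app load libraries signed by other teams or unsigned",
    "com.apple.security.cs.allow-unsigned-executable-memory":
        "permits writable and executable memory without the JIT entitlement",
    "com.apple.security.cs.allow-dyld-environment-variables":
        "lets DYLD_INSERT_LIBRARIES inject code into the app",
    "com.apple.security.cs.disable-executable-page-protection":
        "disables all executable page protections",
    "com.apple.security.cs.debugger":
        "lets the app attach as a debugger to other processes",
    "com.apple.security.get-task-allow":
        "lets other processes attach to the app; a release build should not carry it",
}

# Electron needs allow-jit for V8; everything else must be justified.
DEFAULT_ALLOWED = ("com.apple.security.cs.allow-jit",)


def audit_entitlements(plist_bytes, allowed=DEFAULT_ALLOWED):
    """Parse an entitlements .plist and return (sorted keys, findings).

    A finding is (key, reason). Any boolean entitlement set to true that is
    not on the allow list is reported, with a specific reason when it is a
    known hardened-runtime escape hatch."""
    entitlements = plistlib.loads(plist_bytes)
    findings = []
    for key, value in entitlements.items():
        if key in allowed or value is not True:
            continue
        reason = RISKY_ENTITLEMENTS.get(key, "not on the allow list; justify or remove")
        findings.append((key, reason))
    return sorted(entitlements), findings


def triage_notarization_log(log_text):
    """Parse the JSON written by `xcrun notarytool log ... developer_log.json`
    and return (status, issue strings). Field names (status, issues[] with
    severity/path/message) are those of the notarytool log format."""
    log = json.loads(log_text)
    status = log.get("status", "Unknown")
    issues = []
    for issue in log.get("issues") or []:
        issues.append("%s: %s: %s" % (
            issue.get("severity", "?"),
            issue.get("path", "<no path>"),
            issue.get("message", ""),
        ))
    return status, issues


def ready_to_staple(log_text):
    """True only when Apple accepted the submission and logged no errors;
    stapling a rejected build produces nothing Gatekeeper will honour."""
    status, issues = triage_notarization_log(log_text)
    return status == "Accepted" and not any(i.startswith("error:") for i in issues)


# Constructed sample: the entitlements file posted in the thread.
SAMPLE_ENTITLEMENTS = b"""<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
  <dict>
    <key>com.apple.security.cs.allow-jit</key>
    <true/>
    <key>com.apple.security.cs.disable-library-validation</key>
    <true/>
  </dict>
</plist>
"""

# Constructed sample of a rejected notarization log (hypothetical job ID,
# paths and messages; the shape follows the notarytool log format).
SAMPLE_LOG = json.dumps({
    "logFormatVersion": 1,
    "jobId": "00000000-0000-0000-0000-000000000000",
    "status": "Invalid",
    "statusSummary": "Archive contains critical validation errors",
    "archiveFilename": "Wagyu Key Gen-1.0.0-mac.zip",
    "issues": [
        {"severity": "error",
         "path": "Wagyu Key Gen-1.0.0-mac.zip/Wagyu Key Gen.app/Contents/MacOS/Wagyu Key Gen",
         "message": "The executable does not have the hardened runtime enabled."},
        {"severity": "warning",
         "path": "Wagyu Key Gen-1.0.0-mac.zip/Wagyu Key Gen.app/Contents/Frameworks/Electron Framework.framework",
         "message": "The signature does not include a secure timestamp."},
    ],
})

if __name__ == "__main__":
    keys, findings = audit_entitlements(SAMPLE_ENTITLEMENTS)
    print("entitlements:", keys)
    for key, reason in findings:
        print("  FLAG", key, "-", reason)
    status, issues = triage_notarization_log(SAMPLE_LOG)
    print("notarization status:", status)
    for line in issues:
        print("  ", line)
    print("ready to staple:", ready_to_staple(SAMPLE_LOG))
```

Run against the thread's plist, the audit flags only disable-library-validation, which matches the later remark that it can probably be dropped; allow-jit stays on the allow list because Electron needs it. Wiring `ready_to_staple` into the release script between `notarytool log` and `stapler staple` turns a silent bad notarization into a failed build.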