From 7fdc54bff8078b34a771593e502e7874a68a21a5 Mon Sep 17 00:00:00 2001
From: ann0see <20726856+ann0see@users.noreply.github.com>
Date: Sat, 7 Feb 2026 22:09:36 +0100
Subject: [PATCH 1/3] Add documentation for macOS certificate creation
---
 .github/workflows/autobuild.yml | 7 +++++++
 1 file changed, 7 insertions(+)
diff --git a/.github/workflows/autobuild.yml b/.github/workflows/autobuild.yml
index 32190a7344..6efcf49de6 100644
--- a/.github/workflows/autobuild.yml
+++ b/.github/workflows/autobuild.yml
@@ -360,6 +360,13 @@ jobs:
 id: build
 run: ${{ matrix.config.base_command }} build
 env:
+ ## Creating certificates
+ # Generate the certificates from Xcode. You can Manage Certificates in Apple Accounts settings or the Apple Developer account page.
+ # In Xcode Settings: Right click on Developer ID Application, Mac App Distribution (does not exist, maybe also developer id application??) and Mac Installer Distribution certificates.
+ # Select "Export Certificate"
+ # Set a secure password.
+ # For every certificate, export it as base64 encoded string with `base64 -i certificate.p12`
+ # Set the certificates based on the variables below
 JAMULUS_BUILD_VERSION: ${{ needs.create_release.outputs.build_version }}
 MACOS_CERTIFICATE: ${{ secrets.MACOS_CERT }} # Base64 encoded Developer ID Application certificate. See https://help.apple.com/xcode/mac/current/#/dev154b28f09
 MACOS_CERTIFICATE_PWD: ${{ secrets.MACOS_CERT_PWD }} # Password protecting secrets.MACOS_CERTIFICATE
From e16dada93e3a0a04813491c0e530eb44997b2988 Mon Sep 17 00:00:00 2001
From: ann0see <20726856+ann0see@users.noreply.github.com>
Date: Sat, 7 Feb 2026 22:09:58 +0100
Subject: [PATCH 2/3] Move secondary priority certificates
---
 .github/workflows/autobuild.yml | 6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)
diff --git a/.github/workflows/autobuild.yml b/.github/workflows/autobuild.yml
index 6efcf49de6..93d8f30f24 100644
--- a/.github/workflows/autobuild.yml
+++ b/.github/workflows/autobuild.yml
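Review bot: The comment block added under `env:` in the first patch still carries an unresolved question, `(does not exist, maybe also developer id application??)`, and it stops before saying where each export ends up; both are worth settling before this text is used as the procedure for handling signing identities. The env names in the trailing context read from differently named secrets (`MACOS_CERTIFICATE` comes from `secrets.MACOS_CERT`), so "the variables below" does not tell the reader which secret to set. I would close the block with a line such as `# Store each base64 string and its export password as the matching repository secret (e.g. MACOS_CERT / MACOS_CERT_PWD), then delete the exported .p12 and any base64 copy from disk`, since the exported file presumably holds the private signing key.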
@@ -371,12 +371,12 @@ jobs:
 MACOS_CERTIFICATE: ${{ secrets.MACOS_CERT }} # Base64 encoded Developer ID Application certificate. See https://help.apple.com/xcode/mac/current/#/dev154b28f09
 MACOS_CERTIFICATE_PWD: ${{ secrets.MACOS_CERT_PWD }} # Password protecting secrets.MACOS_CERTIFICATE
 MACOS_CERTIFICATE_ID: ${{ secrets.MACOS_CERT_ID }} # Certificate ID of secrets.MACOS_CERTIFICATE. If unknown, import secrets.MACOS_CERT into keychain and get the hash via "security find-identity -v"
- MAC_STORE_APP_CERT: ${{ secrets.MACAPP_CERT }} # Base64 encoded Mac App Distribution certificate
- MAC_STORE_APP_CERT_PWD: ${{ secrets.MACAPP_CERT_PWD }}
- MAC_STORE_APP_CERT_ID: ${{ secrets.MACAPP_CERT_ID }}
 MAC_STORE_INST_CERT: ${{ secrets.MACAPP_INST_CERT }} # Base64 encoded Mac Installer Distribution certificate
 MAC_STORE_INST_CERT_PWD: ${{ secrets.MACAPP_INST_CERT_PWD }}
 MAC_STORE_INST_CERT_ID: ${{ secrets.MACAPP_INST_CERT_ID }}
+ MAC_STORE_APP_CERT: ${{ secrets.MACAPP_CERT }} # Base64 encoded Mac App Distribution certificate
+ MAC_STORE_APP_CERT_PWD: ${{ secrets.MACAPP_CERT_PWD }}
+ MAC_STORE_APP_CERT_ID: ${{ secrets.MACAPP_CERT_ID }}
 NOTARIZATION_PASSWORD: ${{ secrets.NOTARIZATION_PASSWORD }}
 KEYCHAIN_PASSWORD: ${{ secrets.KEYCHAIN_PASSWORD }}
 MACOS_CA_PUBLICKEY: ${{ secrets.MACOS_CA_PUBKEY }}
From 5f290b274d99d4a98d6be86eea565ce4bffc24cf Mon Sep 17 00:00:00 2001
From: ann0see <20726856+ann0see@users.noreply.github.com>
Date: Sat, 7 Feb 2026 22:16:20 +0100
Subject: [PATCH 3/3] Rename certificate variables
---
 .github/autobuild/mac.sh | 26 +++++++++++++-------------
 .github/workflows/autobuild.yml | 12 ++++++------
 2 files changed, 19 insertions(+), 19 deletions(-)
diff --git a/.github/autobuild/mac.sh b/.github/autobuild/mac.sh
index d4ff8942f3..c80ef51b2c 100755
--- a/.github/autobuild/mac.sh
+++ b/.github/autobuild/mac.sh
@@ -72,16 +72,16 @@ setup() { prepare_signing() { ## Certificate types in use: - # - MACOS_CERTIFICATE - Developer ID Application - for codesigning for adhoc release + # - MACOS_CERTIFICATE_DEV_ID_APPLICATION - Developer ID Application - for codesigning for adhoc release # - MAC_STORE_APP_CERT - Mac App Distribution - codesigning for App Store submission - # - MAC_STORE_INST_CERT - Mac Installer Distribution - for signing installer pkg file for App Store submission + # - MACOS_CERTIFICATE_INST_DISTRIBUTION - Mac Installer Distribution - for signing installer pkg file for App Store submission [[ "${SIGN_IF_POSSIBLE:-0}" == "1" ]] || return 1 # Signing was requested, now check all prerequisites: - [[ -n "${MACOS_CERTIFICATE:-}" ]] || return 1 - [[ -n "${MACOS_CERTIFICATE_ID:-}" ]] || return 1 - [[ -n "${MACOS_CERTIFICATE_PWD:-}" ]] || return 1 + [[ -n "${MACOS_CERTIFICATE_DEV_ID_APPLICATION:-}" ]] || return 1 + [[ -n "${MACOS_CERTIFICATE_DEV_ID_APPLICATION_ID:-}" ]] || return 1 + [[ -n "${MACOS_CERTIFICATE_DEV_ID_APPLICATION_PWD:-}" ]] || return 1 [[ -n "${NOTARIZATION_PASSWORD:-}" ]] || return 1 [[ -n "${KEYCHAIN_PASSWORD:-}" ]] || return 1 @@ -97,7 +97,7 @@ prepare_signing() { echo "Signing was requested and all dependencies are satisfied" ## Put the certs to files - echo "${MACOS_CERTIFICATE}" | base64 --decode > macos_certificate.p12 + echo "${MACOS_CERTIFICATE_DEV_ID_APPLICATION}" | base64 --decode > macos_certificate.p12 # If set, put the CA public key into a file if [[ -n "${MACOS_CA_PUBLICKEY}" ]]; then 
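Review bot: Each prerequisite check in the `@@ -72,16` hunk still ends in a bare `|| return 1`, so after this rename any workflow or caller that still exports the old `MACOS_CERTIFICATE*` names makes `prepare_signing` return without a word, and the `if prepare_signing; then` in `build_app_as_dmg_installer` (last mac.sh hunk) then calls the deploy script with no signing arguments. Naming the missing variable on stderr would make an unsigned build visible in the job log, for example `[[ -n "${MACOS_CERTIFICATE_DEV_ID_APPLICATION:-}" ]] || { echo "MACOS_CERTIFICATE_DEV_ID_APPLICATION is not set, skipping signing" >&2; return 1; }`. The `MACOS_CERTIFICATE_INST_DISTRIBUTION*` checks in the `@@ -138,13` hunk have the same shape. `prepare_signing` starts in this hunk and continues past it.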
@@ -110,7 +110,7 @@ prepare_signing() { # Remove default re-lock timeout to avoid codesign hangs: security set-keychain-settings build.keychain security unlock-keychain -p "${KEYCHAIN_PASSWORD}" build.keychain - security import macos_certificate.p12 -k build.keychain -P "${MACOS_CERTIFICATE_PWD}" -A -T /usr/bin/codesign + security import macos_certificate.p12 -k build.keychain -P "${MACOS_CERTIFICATE_DEV_ID_APPLICATION_PWD}" -A -T /usr/bin/codesign security set-key-partition-list -S apple-tool:,apple: -s -k "${KEYCHAIN_PASSWORD}" build.keychain # Tell Github Workflow that we want signing @@ -138,13 +138,13 @@ prepare_signing() { # MAC_STORE_APP_CERT already checked [[ -n "${MAC_STORE_APP_CERT_ID:-}" ]] || return 1 [[ -n "${MAC_STORE_APP_CERT_PWD:-}" ]] || return 1 - [[ -n "${MAC_STORE_INST_CERT:-}" ]] || return 1 - [[ -n "${MAC_STORE_INST_CERT_ID:-}" ]] || return 1 - [[ -n "${MAC_STORE_INST_CERT_PWD:-}" ]] || return 1 + [[ -n "${MACOS_CERTIFICATE_INST_DISTRIBUTION:-}" ]] || return 1 + [[ -n "${MACOS_CERTIFICATE_INST_DISTRIBUTION_ID:-}" ]] || return 1 + [[ -n "${MACOS_CERTIFICATE_INST_DISTRIBUTION_PWD:-}" ]] || return 1 # Put the certs to files echo "${MAC_STORE_APP_CERT}" | base64 --decode > macapp_certificate.p12 - echo "${MAC_STORE_INST_CERT}" | base64 --decode > macinst_certificate.p12 + echo "${MACOS_CERTIFICATE_INST_DISTRIBUTION}" | base64 --decode > macinst_certificate.p12 echo "App Store distribution dependencies are satisfied, proceeding..." 
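Review bot: The rewritten `security import` line in the `@@ -110,7` hunk keeps `-A`, which lets any application use the imported signing key without a prompt and is broader than the `-T /usr/bin/codesign` next to it suggests. With `-T` and the `set-key-partition-list` call on the following line, `-A` is probably unnecessary: `security import macos_certificate.p12 -k build.keychain -P "${MACOS_CERTIFICATE_DEV_ID_APPLICATION_PWD}" -T /usr/bin/codesign`; this needs one run on a macOS runner to confirm codesign still signs without prompting. Both imports in the `@@ -152,7` hunk carry the same flag. `prepare_signing` begins and ends outside these hunks.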
@@ -152,7 +152,7 @@ prepare_signing() { security set-keychain-settings build.keychain security unlock-keychain -p "${KEYCHAIN_PASSWORD}" build.keychain security import macapp_certificate.p12 -k build.keychain -P "${MAC_STORE_APP_CERT_PWD}" -A -T /usr/bin/codesign - security import macinst_certificate.p12 -k build.keychain -P "${MAC_STORE_INST_CERT_PWD}" -A -T /usr/bin/productbuild + security import macinst_certificate.p12 -k build.keychain -P "${MACOS_CERTIFICATE_INST_DISTRIBUTION_PWD}" -A -T /usr/bin/productbuild security set-key-partition-list -S apple-tool:,apple: -s -k "${KEYCHAIN_PASSWORD}" build.keychain # Tell Github Workflow that we are building for store submission @@ -170,7 +170,7 @@ build_app_as_dmg_installer() { # Mac's bash version considers BUILD_ARGS unset without at least one entry: BUILD_ARGS=("") if prepare_signing; then - BUILD_ARGS=("-s" "${MACOS_CERTIFICATE_ID}" "-a" "${MAC_STORE_APP_CERT_ID}" "-i" "${MAC_STORE_INST_CERT_ID}" "-k" "${KEYCHAIN_PASSWORD}") + BUILD_ARGS=("-s" "${MACOS_CERTIFICATE_DEV_ID_APPLICATION_ID}" "-a" "${MAC_STORE_APP_CERT_ID}" "-i" "${MACOS_CERTIFICATE_INST_DISTRIBUTION_ID}" "-k" "${KEYCHAIN_PASSWORD}") fi TARGET_ARCHS="${TARGET_ARCHS}" ./mac/deploy_mac.sh "${BUILD_ARGS[@]}" } diff --git a/.github/workflows/autobuild.yml b/.github/workflows/autobuild.yml index 93d8f30f24..2e848aa003 100644 --- a/.github/workflows/autobuild.yml +++ b/.github/workflows/autobuild.yml 
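Review bot: In the `@@ -170,7` hunk the rebuilt `BUILD_ARGS` still passes `${KEYCHAIN_PASSWORD}` to `./mac/deploy_mac.sh` as a `-k` argument, which puts the keychain password in that process's argument list where other processes on the runner, or a `set -x` trace, can read it. The value is already in the job environment, so if the deploy script can take `KEYCHAIN_PASSWORD` from there (its source is not part of this patch) the `"-k" "${KEYCHAIN_PASSWORD}"` pair could be dropped from the array. A short comment above `BUILD_ARGS` stating that the array contains a secret and must not be echoed would help in the meantime.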
@@ -368,12 +368,12 @@ jobs:
 # For every certificate, export it as base64 encoded string with `base64 -i certificate.p12`
 # Set the certificates based on the variables below
 JAMULUS_BUILD_VERSION: ${{ needs.create_release.outputs.build_version }}
- MACOS_CERTIFICATE: ${{ secrets.MACOS_CERT }} # Base64 encoded Developer ID Application certificate. See https://help.apple.com/xcode/mac/current/#/dev154b28f09
- MACOS_CERTIFICATE_PWD: ${{ secrets.MACOS_CERT_PWD }} # Password protecting secrets.MACOS_CERTIFICATE
- MACOS_CERTIFICATE_ID: ${{ secrets.MACOS_CERT_ID }} # Certificate ID of secrets.MACOS_CERTIFICATE. If unknown, import secrets.MACOS_CERT into keychain and get the hash via "security find-identity -v"
- MAC_STORE_INST_CERT: ${{ secrets.MACAPP_INST_CERT }} # Base64 encoded Mac Installer Distribution certificate
- MAC_STORE_INST_CERT_PWD: ${{ secrets.MACAPP_INST_CERT_PWD }}
- MAC_STORE_INST_CERT_ID: ${{ secrets.MACAPP_INST_CERT_ID }}
+ MACOS_CERTIFICATE_DEV_ID_APPLICATION: ${{ secrets.MACOS_CERT }} # Base64 encoded Developer ID Application certificate. See https://help.apple.com/xcode/mac/current/#/dev154b28f09
+ MACOS_CERTIFICATE_DEV_ID_APPLICATION_PWD: ${{ secrets.MACOS_CERT_PWD }} # Password protecting secrets.MACOS_CERTIFICATE_DEV_ID_APPLICATION
+ MACOS_CERTIFICATE_DEV_ID_APPLICATION_ID: ${{ secrets.MACOS_CERT_ID }} # Certificate ID of secrets.MACOS_CERTIFICATE_DEV_ID_APPLICATION. If unknown, import secrets.MACOS_CERT into keychain and get the hash via "security find-identity -v"
+ MACOS_CERTIFICATE_INST_DISTRIBUTION: ${{ secrets.MACAPP_INST_CERT }} # Base64 encoded Mac Installer Distribution certificate
+ MACOS_CERTIFICATE_INST_DISTRIBUTION_PWD: ${{ secrets.MACAPP_INST_CERT_PWD }}
+ MACOS_CERTIFICATE_INST_DISTRIBUTION_ID: ${{ secrets.MACAPP_INST_CERT_ID }}
 MAC_STORE_APP_CERT: ${{ secrets.MACAPP_CERT }} # Base64 encoded Mac App Distribution certificate
 MAC_STORE_APP_CERT_PWD: ${{ secrets.MACAPP_CERT_PWD }}
 MAC_STORE_APP_CERT_ID: ${{ secrets.MACAPP_CERT_ID }}
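Review bot: The rewritten trailing comments name `secrets.MACOS_CERTIFICATE_DEV_ID_APPLICATION`, but the secret these lines read is `secrets.MACOS_CERT`; the env variable was renamed, the repository secret was not. Someone rotating the certificate by following these comments would look for a secret this workflow never references. I would write `# Password protecting secrets.MACOS_CERT` and `# Certificate ID of secrets.MACOS_CERT. If unknown, …`, and give the `MACOS_CERTIFICATE_INST_DISTRIBUTION_PWD` and `_ID` lines the same kind of comment pointing at `secrets.MACAPP_INST_CERT`.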