Skip to content

Latest commit

 

History

History
64 lines (43 loc) · 2.34 KB

NOTARIZATION.md

File metadata and controls

64 lines (43 loc) · 2.34 KB

Steps

Follow this but be sure to use the -legacy flag in step 8.

From: https://gist.github.com/boodle/77436b2d9facb8e938ad

  1. Create a new directory; mkdir Certificate cd Certificate

  2. Generate a certificate signing request openssl req -nodes -newkey rsa:2048 -keyout gimp-apple.key -out CertificateSigningRequest.certSigningRequest

  3. With the information like so (ensure you give it a password): Country Name (2 letter code) [AU]:GB State or Province Name (full name) [Some-State]:London Locality Name (eg, city) []: Organization Name (eg, company) [Internet Widgits Pty Ltd]:GNOME Organizational Unit Name (eg, section) []: Common Name (e.g. server FQDN or YOUR name) []:org.gnome.gimp Email Address []:

  4. Login to developer.apple.com, go to: "Member Center" -> "Manage your certificates, App IDs, devices, and provisioning profiles." -> "Certificates" -> "Add"

  5. Go through the wizard, selecting the certificate type, and uploading the .csr.

  6. Download the .cer file, saving it to the folder created in step 1

  7. Convert the .cer file to a .pem file: openssl x509 -in gimp-apple.cer -inform DER -out gimp-apple.pem -outform PEM

7a. Generate a password for the .p12 file: openssl rand -base64 32 > password.txt

  1. Convert the .pem to a .p12: openssl pkcs12 -export -legacy -inkey gimp-apple.key -in gimp-apple.pem -out gimp-apple.p12

  2. Encode the .p12 file to base64: openssl base64 -in gimp-apple.p12 -out gimp-apple.base64

  3. Add the base 64 .p12 to circle ci as a secret environment variable: osx_crt

  4. Add the password to circle ci as a secret environment variable: osx_crt_pw

Notes

If you are using a build system like Ionic Appflow and receive an error like this one:

security: SecKeychainItemImport: MAC verification failed during PKCS12 import (wrong password?)

It's because "OpenSSL 3.x changed its default algorithm in pkcs12. Which is not compatible with embedded Security frameworks in macOS/iOS. You could alternatively use OpenSSL 1.x."

Add the -legacy flag in step 8. See here for more info. Massive thanks to i_82 and Jarrod Moldrich.

Self-hosted runner

https://circleci.com/blog/code-signing-with-runner/ https://circleci.com/docs/runner-installation-mac/