@jbenet how long do you think this will take you? Is it realistic to get this done for 1.0?
i'm not sure. i'll look into it, but this week is basically shot for me. if you need it this week, then no. next week is likely. then there's apple's review process. i think it's much faster now, but it used to take a week or something.
That's fine, I'll do the prerelease unsigned this week and want to wait at least one week anyway before the real release.
Happy to say we're getting a first pass on "signed releases for macOS" in to the next release, in significantly less than 4 years after the initial proposal.
Of note, it is tricky. There are a bunch of hoops you have to jump through on the Apple Developer portal and more on the local keychain handling, and more again to wire it up to CI.
Disclaimer: this is my first go-round with this, but the output has created an electron-builder created .dmg that can be installed on macOS with just the "this app came from the internet warning" and not the "you cant install this app becuase it is from the unknown" warning... so i'm reasonably happy with the results. And yes, this is about the worst admin flow I have ever seen. I think xcode is supposed to hide some of this from you, but we didn't come this far to open up that thing.
_with an apple team account created, and you as the team agent..._
| 1 | 2 | 3 | 4 |
|---|---|---|---|
|
|
|
| 
| Pick Developer ID to create certs for distribution outside of the app store | Pick Developer ID Application. You will need to do this again for Developer ID Installer too. | blurb about creating a CSR | Go create your CSR, as described below |


Developer Installer and a Developer Application certifcate, and download them to your local keychain..p12 file like so
Then follow the steps in https://www.electron.build/code-signing#travis-appveyor-and-other-ci-servers to wire it up for CI
To sign app on build server you need to set CSC_LINK, CSC_KEY_PASSWORD:
- Export certificate. Consider to not use special characters (for bash) in the password because “values are not escaped when your builds are executed”.
- Encode file to base64 (macOS:
base64 -i yourFile.p12 -o envValue.txt, Linux:base64 yourFile.p12 > envValue.txt).
Thanks to @jesseclay for sticking with me on this advenure!
I figured this out from a mix of
Binary signing is set up and working. The next version will have macOS signed binaries.
Most helpful comment
Happy to say we're getting a first pass on "signed releases for macOS" in to the next release, in significantly less than 4 years after the initial proposal.
Of note, it is tricky. There are a bunch of hoops you have to jump through on the Apple Developer portal and more on the local keychain handling, and more again to wire it up to CI.
Disclaimer: this is my first go-round with this, but the output has created an electron-builder created .dmg that can be installed on macOS with just the "this app came from the internet warning" and not the "you cant install this app becuase it is from the unknown" warning... so i'm reasonably happy with the results. And yes, this is about the worst admin flow I have ever seen. I think xcode is supposed to hide some of this from you, but we didn't come this far to open up that thing.
_with an apple team account created, and you as the team agent..._
| 1 | 2 | 3 | 4 |
|
|
| 
|---|---|---|---|
|
| Pick Developer ID to create certs for distribution outside of the app store | Pick Developer ID Application. You will need to do this again for Developer ID Installer too. | blurb about creating a CSR | Go create your CSR, as described below |
Developer Installerand aDeveloper Applicationcertifcate, and download them to your local keychain..p12file like soThen follow the steps in https://www.electron.build/code-signing#travis-appveyor-and-other-ci-servers to wire it up for CI
Thanks to @jesseclay for sticking with me on this advenure!