author | Cory Fields <cory-nospam-@coryfields.com> | 2014-11-25 19:23:18 -0500 |
---|---|---|
committer | Cory Fields <cory-nospam-@coryfields.com> | 2014-11-26 01:00:42 -0500 |
commit | 7a9cf80b19f3facabe53bf5a60fd813d7d63a6ff (patch) | |
tree | f730b66802378411a80a0af6261634ba78d077b6 /doc/README_osx.txt | |
parent | 914868a05dfcae0f766283e0065aa36762cc5abe (diff) |
docs: add/update docs for osx dmg signing
Diffstat (limited to 'doc/README_osx.txt')
-rw-r--r-- | doc/README_osx.txt | 15 |
1 files changed, 15 insertions, 0 deletions
diff --git a/doc/README_osx.txt b/doc/README_osx.txt index 8831649bd8..d56234f7d9 100644 --- a/doc/README_osx.txt +++ b/doc/README_osx.txt @@ -65,3 +65,18 @@ Background images and other features can be added to DMG files by inserting a .DS_Store before creation. The easiest way to create this file is to build a DMG without one, move it to a device running OSX, customize the layout, then grab the .DS_Store file for later use. That is the approach taken here. + +As of OSX Mavericks (10.9), using an Apple-blessed key to sign binaries is a +requirement in order to satisfy the new Gatekeeper requirements. Because this +private key cannot be shared, we'll have to be a bit creative in order for the +build process to remain somewhat deterministic. Here's how it works: + +- Builders use gitian to create an unsigned release. This outputs an unsigned + dmg which users may choose to bless and run. It also outputs an unsigned app + structure in the form of a tarball, which also contains all of the tools + that have been previously (deterministically) built in order to create a + final dmg. +- The Apple keyholder uses this unsigned app to create a detached signature, + using the script that is also included there. +- Builders feed the unsigned app + detached signature back into gitian. It + uses the pre-built tools to recombine the pieces into a deterministic dmg. |
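Review bot: The second and third bullets of the added text refer to "the script that is also included there" and "the pre-built tools" without naming either one, or the tarball that carries them, so a keyholder or builder following this README cannot tell which file to run. Suggest naming the tarball and the script, and saying how the detached signature gets from the keyholder back to the builders. It would also help to spell out what "somewhat deterministic" covers in the intro paragraph: the text implies that builders who recombine the same unsigned app and the same detached signature get an identical dmg, but it never states that, and that comparison is the check that the keyholder signed what was built. Two wording points: "bless" in "users may choose to bless and run" is used in a different sense from "Apple-blessed key" in the first sentence, and "a requirement in order to satisfy the new Gatekeeper requirements" repeats itself.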