|
mac: Enable autoupdate by sign and notarize via github action
Signed and notarized binaries are the precondition for autoupdates on
mac. Additionally Gatekeeper on 10.15+ is happy and allows to open the
app instead of blocking it.
The notarize step is added unconditionally, as it only emits a warning if
the notarization API key is not set, but it does not break the build.
This is an upstreaming of https://github.com/csett86/jitsi-meet-electron
where it worked since March 2020.
On CI, only sign if not triggered by pull request, as these will fail (as secrets
are not available to pull request builds).
The required github secrets (signing key, cert and notarize API login, password and team id) are:
Signing
Open the Keychain Access app. Export all certificates (Developer ID Certificate) related to your app into a single file (e.g. certs.p12) and set a strong password.
Base64-encode your certificates using the following command: base64 -i certs.p12 -o encoded.txt
In the GitHub repository, go to Settings → Secrets and add the following two variables:
mac_certs: Your base64 encoded certificates, i.e. the content of the encoded.txt file you created before
mac_certs_password: The password you set when exporting the certificates
Notarization
Create an app-specific password for your apple id: https://support.apple.com/de-de/HT204397
In the GitHub repository, go to Settings → Secrets and add the following three variables:
apple_id: your apple id
apple_id_password: the just created app-specific password for your apple id
team_id: your team short name: https://github.com/electron/electron-notarize#notes-on-your-team-short-name
Co-authored-by: Saúl Ibarra Corretgé <s@saghul.net>
|
