ci(desktop): mac code-signing + App Store Connect API-key notarization#30
Merged
Switch the macOS desktop release notarization path from the Apple ID + app-specific password method to the App Store Connect API key method, which is more robust (no 2FA, no password expiry) and reuses the notary key already provisioned for the org's Apple Developer account. The signing step now reads APPLE_NOTARY_API_KEY_P8_BASE64, APPLE_NOTARY_KEY_ID, and APPLE_NOTARY_ISSUER_ID, decodes the .p8 to a temp file, and exports APPLE_API_KEY/APPLE_API_KEY_ID/APPLE_API_ISSUER, which electron-builder (>=24) consumes to notarize via notarytool. The existing unsigned-draft fallback behavior is preserved.
What this PR does

Switches the macOS desktop release notarization path from Apple ID + app-specific password to the App Store Connect API key method. The "Configure optional signing secrets" step now reads APPLE_NOTARY_API_KEY_P8_BASE64, APPLE_NOTARY_KEY_ID, and APPLE_NOTARY_ISSUER_ID, materializes the .p8 to a temp file, and exports APPLE_API_KEY / APPLE_API_KEY_ID / APPLE_API_ISSUER, which electron-builder (>=24) consumes to notarize via notarytool. The existing unsigned-draft fallback (allow_unsigned_artifacts for dry-run / draft) is preserved.

Why it's needed

The App Store Connect API key method is more robust than Apple ID + app-specific password (no 2FA prompts, no password expiry) and is what electron-builder >=24 natively consumes. It reuses the notary key already provisioned for the org's Apple Developer account (team NF4574S59H). The same change has been validated end-to-end on the upstream qwen-code desktop pipeline (sign + notarize green on a dry-run).

Secrets (configured in repo)

MAC_CSC_LINK, MAC_CSC_KEY_PASSWORD, APPLE_TEAM_ID, APPLE_NOTARY_API_KEY_P8_BASE64, APPLE_NOTARY_KEY_ID, APPLE_NOTARY_ISSUER_ID (same Apple team / Developer ID cert / notary key as qwen-code).

Scope

Workflow-only. The build helpers build-dmg.sh / scripts/build/darwin.ts are intentionally left untouched here — their NOTARIZE dead-code cleanup flows in via the upstream qwen-code desktop sync to avoid sync conflicts; neither runs in CI (the build job calls electron-builder directly via dist:mac:no-publish).

Verification

End-to-end signing + notarization to be validated via a dry_run=true Desktop Release run on this branch once MAC_CSC_KEY_PASSWORD is set.
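The signing-secrets step the PR describes, written out as an added example so it can be run and checked locally. This is not the project's workflow step and not the author's code: it uses the secret names from the PR (MAC_CSC_LINK, MAC_CSC_KEY_PASSWORD, APPLE_TEAM_ID, APPLE_NOTARY_API_KEY_P8_BASE64, APPLE_NOTARY_KEY_ID, APPLE_NOTARY_ISSUER_ID) and the electron-builder variable names it exports (APPLE_API_KEY / APPLE_API_KEY_ID / APPLE_API_ISSUER), but the function names emit_env and configure_mac_signing, the ALLOW_UNSIGNED_ARTIFACTS stand-in for the allow_unsigned_artifacts input, and the format checks on the decoded key, key ID and issuer ID are assumptions added here. It goes one step further than the description by refusing a partially configured secret set instead of half-signing, and by verifying that the decoded .p8 is actually a PEM private key before handing it to electron-builder.

```shell
#!/bin/sh
# Added example (not the project's workflow step): the "configure optional
# signing secrets" logic described in the PR as a POSIX sh function.
# emit_env, configure_mac_signing and ALLOW_UNSIGNED_ARTIFACTS are assumed names.
set -eu

# Assumed helper: export NAME=VALUE for this shell and, when running inside
# GitHub Actions, persist it for later steps through $GITHUB_ENV.
emit_env() {
  name="$1"; value="$2"
  export "$name=$value"
  if [ -n "${GITHUB_ENV:-}" ]; then
    printf '%s=%s\n' "$name" "$value" >> "$GITHUB_ENV"
  fi
}

# Configure Developer ID signing and notarytool credentials for electron-builder.
# Returns 0 when fully configured, 1 when falling back to an unsigned draft
# build, 2 when secrets are missing and unsigned output is not allowed, and 3
# when a secret is present but malformed.
configure_mac_signing() {
  allow_unsigned="${ALLOW_UNSIGNED_ARTIFACTS:-false}"

  # 1. All-or-nothing: a partial secret set is treated as "not configured" so
  #    the build never ends up signed but un-notarized (or vice versa).
  missing=""
  for v in MAC_CSC_LINK MAC_CSC_KEY_PASSWORD APPLE_TEAM_ID \
           APPLE_NOTARY_API_KEY_P8_BASE64 APPLE_NOTARY_KEY_ID APPLE_NOTARY_ISSUER_ID; do
    eval "val=\${$v:-}"
    [ -n "$val" ] || missing="$missing $v"
  done
  if [ -n "$missing" ]; then
    if [ "$allow_unsigned" = "true" ]; then
      echo "signing secrets missing (${missing# }); building unsigned draft artifacts" >&2
      # Keep electron-builder from auto-selecting a keychain identity on the runner.
      emit_env CSC_IDENTITY_AUTO_DISCOVERY false
      return 1
    fi
    echo "release build requires signing secrets; missing:${missing}" >&2
    return 2
  fi

  # 2. Cheap shape checks so a mis-pasted secret fails here, not inside notarytool
  #    (App Store Connect key IDs are 10 alphanumerics, issuer IDs are UUIDs).
  echo "$APPLE_NOTARY_KEY_ID" | grep -Eq '^[A-Z0-9]{10}$' \
    || { echo "APPLE_NOTARY_KEY_ID does not look like an App Store Connect key ID" >&2; return 3; }
  echo "$APPLE_NOTARY_ISSUER_ID" | grep -Eiq '^[0-9a-f]{8}(-[0-9a-f]{4}){3}-[0-9a-f]{12}$' \
    || { echo "APPLE_NOTARY_ISSUER_ID is not a UUID" >&2; return 3; }

  # 3. Materialize the .p8 outside the workspace, mode 0600, never echoed.
  keydir="$(mktemp -d)"
  key="$keydir/AuthKey_${APPLE_NOTARY_KEY_ID}.p8"
  (umask 077; printf '%s' "$APPLE_NOTARY_API_KEY_P8_BASE64" | base64 --decode > "$key")
  grep -q -- '-----BEGIN PRIVATE KEY-----' "$key" \
    || { echo "decoded APPLE_NOTARY_API_KEY_P8_BASE64 is not a PEM private key" >&2; rm -rf "$keydir"; return 3; }

  # 4. Export the names electron-builder (>=24) reads for signing and notarytool.
  emit_env CSC_LINK "$MAC_CSC_LINK"
  emit_env CSC_KEY_PASSWORD "$MAC_CSC_KEY_PASSWORD"
  emit_env APPLE_TEAM_ID "$APPLE_TEAM_ID"
  emit_env APPLE_API_KEY "$key"
  emit_env APPLE_API_KEY_ID "$APPLE_NOTARY_KEY_ID"
  emit_env APPLE_API_ISSUER "$APPLE_NOTARY_ISSUER_ID"
  return 0
}
```

In a workflow, pass the secrets to this step through its env: block rather than interpolating ${{ secrets.* }} into the script body, so the values are never expanded into shell source that could be logged. The temp key directory is discarded with a hosted runner; on a self-hosted runner, remove $APPLE_API_KEY in a cleanup step once electron-builder has finished.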