mirror of
https://github.com/johannesjo/super-productivity.git
synced 2026-07-17 16:37:43 +00:00
- Remove outdated feature requests from .github/CONTRIBUTING.md (GitLab support already exists) and add commit message format section - Improve PR template with type-of-change checkboxes and checklist - Update commit guideline links in README and CONTRIBUTING.md to reference the project's own format instead of external angular.js docs - Add "only edit en.json" rule to TRANSLATING.md and clarify workflow - Update add-new-integration.md provider list to match codebase (add Trello, ClickUp, Linear, Azure DevOps, Nextcloud Deck; note GitHub plugin migration; fix type name to BuiltInIssueProviderKey) - Add cross-references between mac certificate docs and remove 240-line duplicate section from update-mac-certificates.md - Clean up update-android-app.md (specify npm version args, collapse deprecated workflow, translate German UI labels to English) - Add context to howto-refresh-snap-credentials.md - Fix fine-grained token note in github-access-token-instructions.md - Fix absolute URL to relative path in gitlab-access-token-instructions.md - Fix grammar in i18n-script-usage.md - Add status headers to all 19 long-term plan files (Planned, Completed, Archived with reason, Investigation Complete) - Fix broken relative link in hybrid-manifest-architecture.md - Delete supersync-scenarios-simplified.md (duplicate of supersync-scenarios.md; known issues already covered there) - Rename vector-clock-pruning-research.md to vector-clock-history-and-alternatives.md for clarity
6.2 KiB
6.2 KiB
Update macOS certificates for electron-builder
Related macOS docs:
- build-and-publish-notes.md -- Build/publish workflow (screenshots, iOS, Windows signing)
- mac-app-store-code-signing-guide.md -- Code signing setup and troubleshooting
Mac access required! The instructions below refresh every asset used by the GitHub Actions/macOS runners for Mac App Store (MAS) and direct-download (DMG) builds.
Certificates
1. Clean up old material
⚠️ Note: Deleting old certificates also removes their private keys. If you don’t have the private key backed up, generate a new CSR before creating new certificates (so maybe we should not delete the certificates too early?).
- In https://developer.apple.com/account/resources/certificates/list, revoke the expiring certificates so they cannot be downloaded again by accident.
- Remove the matching identities from your local keychain (
Keychain Access → My Certificates-open -a "Keychain Access") so you do not export the wrong private key later.
2. Create a fresh CSR (once)
- Open Keychain Access → Certificate Assistant → Request a Certificate From a Certificate Authority…
- Enter the Apple ID email tied to the team, select “Saved to disk”, and pick a location for
mac-dev-team.csr. - Repeat only if you need a CSR for a different Apple ID/team.
3. Generate the required certificates
Create the following certificates in the developer portal, using the CSR from step 2:
- Apple Development – used for local development/debug builds.
- Apple Distribution (Apple renamed “Mac App Distribution”) – used to sign the MAS app.
- Mac Installer Distribution – used to sign the MAS
.pkgthat is uploaded via Transporter. - Developer ID Application – used to sign the notarized DMG build.
- Developer ID Installer – used if you ship a signed installer
.pkgfor DMG distribution (still required by electron-builder whendist:mac:dlruns). Download each resulting.cerfile and note the exact label Apple shows so you can cross-check in CI logs later.
4. Install and export as PKCS#12
- Double-click every downloaded
.cerso it lands inside the login keychain under “My Certificates”. You should now see each certificate with a disclosure triangle that reveals the paired private key—if the triangle is missing, delete the cert and regenerate it so the private key attaches properly. - Multi-select the identities listed above (adjust if you only target MAS or only Developer ID), right-click → Export Items…, save as
all-certs.p12, and choose a strong password (this password becomes theMAC_CERTS_PASSWORD). Confirm the repeated macOS password prompts.- Alternatively, run:
security export -k ~/Library/Keychains/login.keychain-db \ -t identities -f pkcs12 -P "$MAC_CERTS_PASSWORD" \ -o all-certs.p12
- Alternatively, run:
- Verify you can re-import
all-certs.p12onto another Mac before proceeding.
5. Prepare CI secrets
- Base64 the exported file:
base64 -i all-certs.p12 -o all-certs.b64. - Update the GitHub Actions secret
MAC_CERTSwith the contents ofall-certs.b64and the secretMAC_CERTS_PASSWORDwith the password chosen above. - Map those secrets to electron-builder’s expectations inside your workflow, for example:
UseCSC_LINK: ${{ secrets.MAC_CERTS }} CSC_KEY_PASSWORD: ${{ secrets.MAC_CERTS_PASSWORD }} CSC_IDENTITY_AUTO_DISCOVERY: trueCSC_INSTALLER_LINK/CSC_INSTALLER_KEY_PASSWORDif you decide to store installer identities separately. - If you prefer keeping separate secrets, repeat the export step per certificate and upload them with names such as
MAC_DISTRIBUTION_CERT, but the current workflow expects a single bundle. Whatever approach you choose, ensure the CI job imports the PKCS#12 into an unlocked keychain before invoking electron-builder.
Provisioning profiles
Important: create/refresh profiles after the new certificates exist, otherwise downloading the profile will still pull the revoked certs.
- Go to https://developer.apple.com/account/resources/profiles/list.
- Create two new profiles:
- Type “Mac App Store” → select the
Apple Distributioncertificate → choose the MAS App ID → download asmas.provisionprofile. - Type “Developer ID Application” → select the
Developer ID Applicationcertificate → choose the same App ID → download asdl.provisionprofile(optional for most Developer ID apps, but we keep it to satisfy older tooling and entitlements checks).
- Type “Mac App Store” → select the
- Move the files into
tools/mac-profiles/mas.provisionprofileandtools/mac-profiles/dl.provisionprofile(keep the exact filenames so the build scripts pick them up). If you skip the Developer ID profile, removetools/mac-profiles/dl.provisionprofileand clear theDL_PROVISION_PROFILEsecret so CI doesn’t look for it. - Base64-encode them for CI:
base64 -i tools/mac-profiles/dl.provisionprofile -o dmg-profile.b64 base64 -i tools/mac-profiles/mas.provisionprofile -o mas-profile.b64 - Update the GitHub secrets
DL_PROVISION_PROFILE(dmg) andMAS_PROVISION_PROFILE(store) with the encoded strings and ensure the workflows pass them to electron-builder (e.g.,build.mac.provisioningProfile). Remember to keep hardened runtime enabled (build.mac.hardenedRuntime=true) and entitlements aligned for notarization.
See also:
- https://www.electron.build/code-signing.html
- https://www.electronjs.org/docs/tutorial/mac-app-store-submission-guide
Build the DMG locally
- Create or refresh an app-specific password at https://appleid.apple.com/account/manage (use the same Apple ID as notarization).
- Confirm your scripts use
xcrun notarytool(Apple blockedaltooluploads as of 2023‑11‑01). electron-builder defaults tonotarytoolwhen it detects Xcode 14+, so avoid overriding that behavior. - Run:
APPLEID="you@example.com" \ APPLEIDPASS="app-specific-password" \ rm -Rf app-builds && npm run build && npm run dist:mac:dl - The script signs, notarizes (via
notarytool), and staples the DMG using the new certificates and provisioning profiles. Validate withspctl --assess -vv --type install path/to/app.