Set up signed, notarized macOS packaging#4

Open

seankearon wants to merge 3 commits into main from feature/macos-packaging

Conversation

@seankearon (Owner)

Sets up the Fido.parcel project so the app installs cleanly on macOS — proper icon, code signing, and Apple notarization — built on a macOS CI runner.

Changes

  • Icon: AppIcon now points at assets/png/fido-icon-1024.png (was a Windows .ico, which can't produce a proper Mac icon). Parcel auto-generates the .icns from it.
  • Bundle identifier: com.shineforms.fido (was the placeholder com.CompanyName.Fido).
  • Signing + notarization — switched from AdHoc to a Developer ID + Apple notary setup. All five credentials are referenced by env-var name only; nothing secret is committed.
  • Version leak fix: Version was wired to PARCEL_LICENSE_KEY, which would have stamped the Avalonia licence key into the bundle Info.plist and shipped it to users. Now reads FIDO_VERSION.
  • .github/workflows/release-macos.yml — new job that builds on macos-latest (Native AOT can't cross-compile, which is why packing failed on Windows), signs, notarizes, and attaches the .dmg to the release. Triggers on a v* tag or manual dispatch.
  • build.md — full "Packaging the macOS app" section: every required secret and step-by-step Developer ID certificate creation.
  • .gitignore — ignore stray assets/*.log pack logs.

Before this can run

Add these 6 repository secrets (see build.md for how to obtain each):

PARCEL_LICENSE_KEY, APPLE_DEVELOPER_ID_P12_BASE64, APPLE_DEVELOPER_ID_P12_PASSWORD, APPLE_NOTARY_APPLE_ID, APPLE_NOTARY_PASSWORD, APPLE_TEAM_ID

Then push a v* tag (or run the workflow manually) to produce a notarized .dmg. Once notarized, macOS shows Shine Forms as the verified developer.

Notes

  • Could not test the pack locally — this was developed on Windows, where AOT cross-compile to macOS is impossible. It runs for real on the Mac CI runner.
  • Currently builds osx-arm64 only; add -r osx-x64 to the workflow to also cover Intel Macs.

🤖 Generated with Claude Code

seankearon and others added 3 commits June 23, 2026 16:43
Configure src/Fido.parcel and add a macOS release workflow so the app
installs cleanly on macOS (no Gatekeeper warnings):

- Icon: point AppIcon at the 1024px PNG (was a Windows .ico) so Parcel
  generates a proper .icns for the bundle.
- Bundle identifier: com.shineforms.fido (was the placeholder).
- Signing/notarization: switch from AdHoc to Developer ID + Apple notary,
  with all credentials referenced by env-var name only (nothing committed).
- Fix Version wiring: it referenced PARCEL_LICENSE_KEY, which would have
  leaked the Avalonia licence key into the bundle Info.plist; now FIDO_VERSION.
- Add .github/workflows/release-macos.yml: builds on macos-latest (Native AOT
  can't cross-compile), signs, notarizes, attaches the .dmg to the release.
- Document the release process and required secrets in build.md.
- Ignore stray Parcel pack logs (assets/*.log).

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>

Notarization rejected every binary with "not signed with a valid
Developer ID certificate" even though rcodesign signed successfully.
Parcel signs via rcodesign, which embeds only the certificates present
in the .p12 (unlike Apple's codesign, it won't pull the intermediate
from a keychain). A Keychain-exported .p12 typically omits the
"Developer ID Certification Authority" intermediate, so the signature
can't chain to the Apple root and notarization fails.

Rebuild the decoded .p12 to include Apple's full chain (Developer ID
G2/G1 intermediates + Apple Root CA) before handing it to Parcel, and
fail fast with the cert subject if the leaf isn't a Developer ID
Application cert (a wrong cert type can't be fixed in CI). Document the
requirement and a local inspection command in build.md.

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
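The chain check the second commit describes, as an added example that is not the repository's own workflow step: `check_developer_id_p12` inspects a decoded .p12 with the openssl CLI and fails fast when the leaf is not a "Developer ID Application" certificate or the "Developer ID Certification Authority" intermediate is not bundled, and `rebuild_p12_with_chain` re-exports the bundle with a chain PEM you supply (Apple's Developer ID intermediates and root). The function names, the openssl-based approach and the chain file argument are assumptions; rcodesign itself is not invoked.

```shell
#!/bin/sh
# Added example, not the repository's own CI step. Pre-flight checks for a
# decoded Developer ID .p12 before it reaches Parcel/rcodesign. rcodesign
# embeds only the certificates present in the .p12, so the "Developer ID
# Certification Authority" intermediate must be inside it, and the leaf
# must be a "Developer ID Application" certificate (a wrong cert type is
# not fixable in CI). Assumes the openssl CLI; the function names are ours.

# Subject line of the leaf, i.e. the certificate paired with the private key.
p12_leaf_subject() {
  openssl pkcs12 -in "$1" -passin "pass:$2" -clcerts -nokeys 2>/dev/null |
    openssl x509 -noout -subject 2>/dev/null
}

# Returns 0 when the bundle can chain under rcodesign, 1 when the leaf is
# the wrong certificate type, 2 when the intermediate is missing, 3 when
# the file cannot be read (bad password; Keychain exports that use RC2
# need "-legacy" on OpenSSL 3).
check_developer_id_p12() {
  p12=$1; pw=$2
  subject=$(p12_leaf_subject "$p12" "$pw") ||
    { echo "cannot read leaf certificate from $p12" >&2; return 3; }
  case $subject in
    *"Developer ID Application"*) ;;
    *) echo "leaf is not a Developer ID Application cert: $subject" >&2; return 1 ;;
  esac
  # -cacerts lists the bundled CA certs, each preceded by a "subject=" line.
  cas=$(openssl pkcs12 -in "$p12" -passin "pass:$pw" -cacerts -nokeys 2>/dev/null) ||
    { echo "cannot read CA certificates from $p12" >&2; return 3; }
  case $cas in
    *"Developer ID Certification Authority"*) return 0 ;;
    *) echo "no Developer ID intermediate in $p12; signature cannot chain" >&2; return 2 ;;
  esac
}

# Re-export .p12 $1 with the certificates in chain PEM $3 bundled in,
# writing the result to $4 under the same password $2. The private key is
# written unencrypted only to a 0600 mktemp file that is removed afterwards.
rebuild_p12_with_chain() {
  plain=$(mktemp) || return 3
  rc=0
  openssl pkcs12 -in "$1" -passin "pass:$2" -nodes -out "$plain" 2>/dev/null &&
    openssl pkcs12 -export -in "$plain" -certfile "$3" -passout "pass:$2" \
      -out "$4" 2>/dev/null || rc=$?
  rm -f "$plain"
  return $rc
}
```

Run `check_developer_id_p12 cert.p12 "$APPLE_DEVELOPER_ID_P12_PASSWORD"` on the decoded file before packing; a return code of 2 is the case the commit fixes by rebuilding, while 1 means a different certificate type was exported and has to be fixed outside CI.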