Apple Signing and Notarization

Codex Power can build a local ad-hoc DMG without Apple credentials. For a public release that opens cleanly on other Macs, Apple expects a Developer ID-signed app and a notarized DMG.

What Apple Requires

  • Apple Developer Program membership.
  • A Developer ID Application certificate.
  • Notary credentials for xcrun notarytool.

Official references:

Current Status

Run:

./Scripts/apple_signing_status.sh

It checks local signing identities, the codex-power notary profile, and the GitHub secrets needed for signed CI release artifacts. It prints secret names only, never secret values.

One-Time Local Setup

  1. Create a CSR:

./Scripts/create_developer_id_csr.sh

The script writes signing material under ~/.codex/codex-power/apple-signing/ by default.

  2. In Apple Developer, create a Developer ID Application certificate and upload the generated .certSigningRequest.

  3. Download the .cer file from Apple, then import it:

./Scripts/import_developer_id_certificate.sh ~/Downloads/developerID_application.cer

  4. Create an app-specific password for your Apple ID.

  5. Store local notarization credentials:

./Scripts/configure_notary_profile.sh

Use the app-specific password when notarytool prompts. After this, local signed/notarized builds use:

export CODEX_POWER_SIGN_IDENTITY="Developer ID Application: Your Name (TEAMID)"
export CODEX_POWER_DMG_SIGN_IDENTITY="$CODEX_POWER_SIGN_IDENTITY"
export CODEX_POWER_NOTARY_KEYCHAIN_PROFILE="codex-power"
./Scripts/package_dmg.sh

GitHub Actions Setup

After the Developer ID identity is visible in Keychain Access, run:

./Scripts/configure_github_apple_secrets.sh

That exports the local Developer ID identity to a temporary .p12, uploads it to GitHub Actions secrets, uploads the Apple ID/team/notary secrets, then deletes the temporary .p12.

The workflow uses these secrets when present:

  • APPLE_CERTIFICATE_BASE64
  • APPLE_CERTIFICATE_PASSWORD
  • APPLE_SIGNING_IDENTITY
  • APPLE_ID
  • APPLE_TEAM_ID
  • APPLE_APP_SPECIFIC_PASSWORD

Without those secrets, CI still builds an ad-hoc DMG artifact. With all secrets present, CI imports the Developer ID certificate, signs with hardened runtime, submits the DMG to Apple's notary service, staples the ticket, and uploads the notarized DMG artifact.
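The CI path described above, written out as an added example that is not the project's own workflow: it consumes the six secrets listed, falls back to the ad-hoc DMG when any is missing, and otherwise imports the certificate into a throw-away keychain, signs with the hardened runtime, notarizes, staples and verifies. The app bundle path and the keychain name are assumptions.

```bash
#!/usr/bin/env bash
# Added example, not the project's workflow. Assumed: APP path, keychain name.
set -euo pipefail
APP="${APP:-dist/Codex Power.app}"      # assumed bundle path
KEYCHAIN="codex-power-ci.keychain-db"   # assumed throw-away keychain

# Succeeds only when all six workflow secrets are set; reports names, never values.
signing_secrets_present() {
  local name
  for name in APPLE_CERTIFICATE_BASE64 APPLE_CERTIFICATE_PASSWORD APPLE_SIGNING_IDENTITY \
              APPLE_ID APPLE_TEAM_ID APPLE_APP_SPECIFIC_PASSWORD; do
    [ -n "${!name:-}" ] || { echo "missing secret: $name" >&2; return 1; }
  done
}

# Decode the .p12 to a temp file, import it into a fresh keychain that codesign
# may use without prompting, then remove the decoded key from disk.
import_certificate() {
  local p12; p12="$(mktemp)"
  printf '%s' "$APPLE_CERTIFICATE_BASE64" | base64 --decode > "$p12"
  security create-keychain -p "" "$KEYCHAIN"
  security set-keychain-settings -lut 1800 "$KEYCHAIN"
  security import "$p12" -k "$KEYCHAIN" -P "$APPLE_CERTIFICATE_PASSWORD" -T /usr/bin/codesign
  security set-key-partition-list -S apple-tool:,apple: -s -k "" "$KEYCHAIN"
  security list-keychains -d user -s "$KEYCHAIN" login.keychain-db
  rm -f "$p12"
}

# Hardened-runtime signature with secure timestamp, notarize, staple, then
# confirm Gatekeeper accepts the DMG on its primary signature.
sign_notarize_staple() {
  local dmg="$1"
  codesign --force --options runtime --timestamp --sign "$APPLE_SIGNING_IDENTITY" "$APP"
  codesign --verify --deep --strict "$APP"
  codesign --force --timestamp --sign "$APPLE_SIGNING_IDENTITY" "$dmg"
  xcrun notarytool submit "$dmg" --apple-id "$APPLE_ID" --team-id "$APPLE_TEAM_ID" \
    --password "$APPLE_APP_SPECIFIC_PASSWORD" --wait
  xcrun stapler staple "$dmg"
  spctl --assess --type open --context context:primary-signature -v "$dmg"
}

# Without the secrets, keep the ad-hoc DMG and exit cleanly, as the workflow does.
main() {
  signing_secrets_present || { echo "keeping ad-hoc DMG" >&2; return 0; }
  trap 'security delete-keychain "$KEYCHAIN" >/dev/null 2>&1 || true' EXIT
  import_certificate
  sign_notarize_staple "$1"
}

if [ $# -gt 0 ]; then main "$1"; fi
```

Invoke it as `./sign_ci.sh dist/CodexPower.dmg` on a macOS runner; the EXIT trap deletes the temporary keychain whether signing succeeds or fails.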

Blockers Codex Cannot Bypass

  • Apple Developer Program enrollment and license agreements.
  • Apple account two-factor prompts.
  • Creating or downloading the Developer ID certificate from Apple's portal.
  • Creating the Apple ID app-specific password.
  • macOS Keychain prompts when importing/exporting private keys.