You need only follow this process if the certificate is expired or we need to create a new one.
- You will need access to our https://developer.apple.com account; Apple 2FA is required for this so contact Stephen or Beyang for access.
- Follow these steps with your own name / email address to create a Certificate Signing Request file.
- From https://developer.apple.com you can create a new certificate; choose `Developer ID Application` as the type and upload your Certificate Signing Request file.
- Download the `.cer` file and double-click it. Then right-click on the `Developer ID Application: SOURCEGRAPH INC` entry -> export to create a `.p12` file.
- You will be prompted to create a password for the file.
- As part of this process, you should create 1password artifacts:
  - A password entry titled `app: macOS signing .p12 password 2023-05-05`
  - A document titled `app: macOS signing .cer 2023-05-05` with the `.cer` file you downloaded
  - A document titled `app: macOS signing .p12 2023-05-05` with the `.p12` you created
Finally, you should base64 encode the `.p12` file:

```sh
openssl base64 -in Certificates.p12 -out cert.p12.base64
```
- Follow these instructions from Apple.
- Create a 1password entry titled `app: macOS app-specific-password 2023-05-05` with the username and password you created.
Tauri has documentation on how macOS code signing integrates with it. Specifically, we must set these env vars when running `pnpm tauri build`:
```sh
export APPLE_SIGNING_IDENTITY='Developer ID Application: SOURCEGRAPH INC (74A5FJ7P96)'
# Quote the substitution so the line-wrapped base64 survives in any POSIX shell.
export APPLE_CERTIFICATE="$(cat cert.p12.base64)"
export APPLE_CERTIFICATE_PASSWORD='SECRET' # app: macOS signing .p12 password
export APPLE_ID="stephen@sourcegraph.com"
export APPLE_PASSWORD="SECRET" # app: macOS app-specific-password
```

The `APPLE_SIGNING_IDENTITY` value is the name of the certificate as reported by e.g. Keychain Access once imported, and should look something like what is shown above but may differ if the certificate was regenerated.
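A preflight for the variables above, as an added example that is not part of the original page or the project's tooling: it reports unset variables, confirms the base64 `.p12` opens with the stored password, and checks the certificate's expiry and that its common name matches `APPLE_SIGNING_IDENTITY`. The function names and return codes are hypothetical, and it assumes the `openssl` CLI and the line-wrapped base64 that `openssl base64` produces.

```shell
#!/bin/sh
# Added example (not the project's script). Function names are hypothetical.
# Reads the same variables that `pnpm tauri build` reads; needs the openssl CLI.

# Print the names of required variables that are unset or empty.
missing_signing_vars() (
  missing=""
  for v in APPLE_SIGNING_IDENTITY APPLE_CERTIFICATE APPLE_CERTIFICATE_PASSWORD \
           APPLE_ID APPLE_PASSWORD; do
    eval "val=\${$v:-}"
    [ -n "$val" ] || missing="$missing $v"
  done
  echo "${missing# }"
)

# Check the certificate carried in APPLE_CERTIFICATE.
# Returns 0 = ok, 2 = cannot decode or open, 3 = expires within $1 days,
# 4 = common name differs from APPLE_SIGNING_IDENTITY.
check_signing_cert() (
  days=${1:-30}
  tmp=$(mktemp -d) || exit 2      # mktemp -d creates a 0700 directory
  trap 'rm -rf "$tmp"' EXIT       # do not leave the decoded .p12 on disk
  printf '%s\n' "$APPLE_CERTIFICATE" | openssl base64 -d -out "$tmp/c.p12" || exit 2
  # Extract only the leaf certificate. Retry with -legacy because OpenSSL 3
  # refuses .p12 files protected with older ciphers unless asked to.
  openssl pkcs12 -in "$tmp/c.p12" -passin env:APPLE_CERTIFICATE_PASSWORD \
      -nokeys -clcerts -out "$tmp/c.pem" 2>/dev/null ||
  openssl pkcs12 -legacy -in "$tmp/c.p12" -passin env:APPLE_CERTIFICATE_PASSWORD \
      -nokeys -clcerts -out "$tmp/c.pem" 2>/dev/null || exit 2
  openssl x509 -in "$tmp/c.pem" -noout -checkend $((days * 86400)) >/dev/null || exit 3
  cn=$(openssl x509 -in "$tmp/c.pem" -noout -subject -nameopt multiline |
       sed -n 's/^ *commonName *= //p')
  [ "$cn" = "$APPLE_SIGNING_IDENTITY" ] || exit 4
)
```

Source the file, then call `missing_signing_vars` and `check_signing_cert 30` in the shell where the variables are exported, before running `pnpm tauri build`.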