-
Notifications
You must be signed in to change notification settings - Fork 240
macOS code signing
Christophe Fergeau edited this page Nov 30, 2022
·
1 revision
This document lists the step I took to codesign the crc installer
make out/macos-universal/crc-macos-installer.tar
- take the tarball to the macOS machine which will sign the installer
- unpack the tarball
- set
CODESIGN_IDENTITY
andPRODUCTSIGN_IDENTITY
to match the certificates you'll be using. In my case:export PRODUCTSIGN_IDENTITY="Developer ID Installer: Christophe Fergeau (GSP9DR7D3R)"
andexport CODESIGN_IDENTITY="Developer ID Application: Christophe Fergeau (GSP9DR7D3R)"
- run
packaging/package.sh ./packaging
, this will generate a signedpackaging/crc-macos-installer.pkg
file - this file can now be notarized with
xcrun notarytool submit --apple-id apple@crc.dev --team-id GSP9DR7D3R --wait ./packaging/crc-macos-installer.pkg
. I used an application-specific password for this step instead of my main Apple ID password.--wait
is optional,xcrun notarytool info
andxcrun notarytool log
can be used to monitor the progress. - Once the notarization reports
Accepted
, you can runxcrun stapler staple ./packaging/crc-macos-installer.pkg
to attach the result to the installer
spctl --assess -vv --type install ./packaging/crc-macos-installer.pkg
can be used to check the signature and notarization of the .pkg file.