ci(desktop): mac code-signing + App Store Connect API-key notarization (#5013)
Some checks are pending
Qwen Code CI / Classify PR (push) Waiting to run
Qwen Code CI / Lint (push) Blocked by required conditions
Qwen Code CI / Test (macos-latest, Node 22.x) (push) Blocked by required conditions
Qwen Code CI / Test (ubuntu-latest, Node 22.x) (push) Blocked by required conditions
Qwen Code CI / Test (windows-latest, Node 22.x) (push) Blocked by required conditions
Qwen Code CI / Post Coverage Comment (push) Blocked by required conditions
Qwen Code CI / CodeQL (push) Blocked by required conditions
E2E Tests / E2E Test (Linux) - sandbox:docker (push) Waiting to run
E2E Tests / E2E Test (Linux) - sandbox:none (push) Waiting to run
E2E Tests / E2E Test - macOS (push) Waiting to run

* chore(desktop): drop dead NOTARIZE env flag from mac signing paths

electron-builder (>=24) auto-notarizes via notarytool whenever APPLE_ID,
APPLE_APP_SPECIFIC_PASSWORD, and APPLE_TEAM_ID are present in the env. The
NOTARIZE=true flag set in the release workflow, build-dmg.sh, and
scripts/build/darwin.ts was never read by electron-builder, and the
build-dmg.sh comment claiming it enabled notarization was misleading.
Remove the no-op and document the actual auto-detection behavior.

* ci(desktop): notarize via App Store Connect API key instead of Apple ID

Switch the macOS desktop release notarization path from the Apple ID +
app-specific password method to the App Store Connect API key method,
which is more robust (no 2FA, no password expiry) and reuses the notary
key already provisioned for the org.

The signing step now reads APPLE_NOTARY_API_KEY_P8_BASE64,
APPLE_NOTARY_KEY_ID, and APPLE_NOTARY_ISSUER_ID, decodes the .p8 to a
temp file, and exports APPLE_API_KEY/APPLE_API_KEY_ID/APPLE_API_ISSUER,
which electron-builder (>=24) consumes to notarize via notarytool.
Published mac releases now require those notary secrets plus
APPLE_TEAM_ID.
This commit is contained in:
顾盼 2026-06-12 13:14:43 +08:00 committed by GitHub
parent 2cfa32f785
commit 963fc543d1
No known key found for this signature in database
GPG key ID: B5690EEEBB952194
3 changed files with 24 additions and 15 deletions

View file

@ -377,8 +377,9 @@ jobs:
shell: 'bash'
env:
IS_DRY_RUN: '${{ inputs.dry_run }}'
APPLE_APP_SPECIFIC_PASSWORD_SECRET: '${{ secrets.APPLE_APP_SPECIFIC_PASSWORD }}'
APPLE_ID_SECRET: '${{ secrets.APPLE_ID }}'
APPLE_NOTARY_API_KEY_P8_BASE64_SECRET: '${{ secrets.APPLE_NOTARY_API_KEY_P8_BASE64 }}'
APPLE_NOTARY_KEY_ID_SECRET: '${{ secrets.APPLE_NOTARY_KEY_ID }}'
APPLE_NOTARY_ISSUER_ID_SECRET: '${{ secrets.APPLE_NOTARY_ISSUER_ID }}'
APPLE_TEAM_ID_SECRET: '${{ secrets.APPLE_TEAM_ID }}'
MAC_CSC_KEY_PASSWORD_SECRET: '${{ secrets.MAC_CSC_KEY_PASSWORD }}'
MAC_CSC_LINK_SECRET: '${{ secrets.MAC_CSC_LINK }}'
@ -424,17 +425,25 @@ jobs:
fi
if [ "$IS_DRY_RUN" = "false" ]; then
if [ -z "$APPLE_ID_SECRET" ] || [ -z "$APPLE_APP_SPECIFIC_PASSWORD_SECRET" ] || [ -z "$APPLE_TEAM_ID_SECRET" ]; then
echo "::error::Published macOS desktop releases require APPLE_ID, APPLE_APP_SPECIFIC_PASSWORD, and APPLE_TEAM_ID for notarization."
if [ -z "$APPLE_NOTARY_API_KEY_P8_BASE64_SECRET" ] || [ -z "$APPLE_NOTARY_KEY_ID_SECRET" ] || [ -z "$APPLE_NOTARY_ISSUER_ID_SECRET" ] || [ -z "$APPLE_TEAM_ID_SECRET" ]; then
echo "::error::Published macOS desktop releases require APPLE_NOTARY_API_KEY_P8_BASE64, APPLE_NOTARY_KEY_ID, APPLE_NOTARY_ISSUER_ID, and APPLE_TEAM_ID for notarization."
exit 1
fi
append_env "NOTARIZE" "true"
fi
# Materialize the App Store Connect API key (.p8) so electron-builder
# (>=24) notarizes via notarytool. It reads APPLE_API_KEY (a path to
# the .p8 file), APPLE_API_KEY_ID, and APPLE_API_ISSUER from the env.
if [ -n "$APPLE_NOTARY_API_KEY_P8_BASE64_SECRET" ] && [ -n "$APPLE_NOTARY_KEY_ID_SECRET" ] && [ -n "$APPLE_NOTARY_ISSUER_ID_SECRET" ]; then
api_key_path="${RUNNER_TEMP}/apple-notary-key.p8"
printf '%s' "$APPLE_NOTARY_API_KEY_P8_BASE64_SECRET" | base64 --decode > "$api_key_path"
append_env "APPLE_API_KEY" "$api_key_path"
append_env "APPLE_API_KEY_ID" "$APPLE_NOTARY_KEY_ID_SECRET"
append_env "APPLE_API_ISSUER" "$APPLE_NOTARY_ISSUER_ID_SECRET"
fi
append_env "CSC_LINK" "$mac_csc_link"
append_env "CSC_KEY_PASSWORD" "$mac_csc_key_password"
append_env "APPLE_ID" "$APPLE_ID_SECRET"
append_env "APPLE_APP_SPECIFIC_PASSWORD" "$APPLE_APP_SPECIFIC_PASSWORD_SECRET"
append_env "APPLE_TEAM_ID" "$APPLE_TEAM_ID_SECRET"
echo "CSC_IDENTITY_AUTO_DISCOVERY=true" >> "$GITHUB_ENV"
else

View file

@ -150,17 +150,15 @@ if [ -n "$APPLE_SIGNING_IDENTITY" ]; then
export CSC_NAME="$CSC_NAME_CLEAN"
fi
# Add notarization if all credentials are available
# Add notarization if all credentials are available.
# electron-builder (>=24) auto-notarizes via notarytool whenever APPLE_ID,
# APPLE_APP_SPECIFIC_PASSWORD, and APPLE_TEAM_ID are present in the env.
# No `notarize:` config block or NOTARIZE flag is required (or read).
if [ -n "$APPLE_ID" ] && [ -n "$APPLE_TEAM_ID" ] && [ -n "$APPLE_APP_SPECIFIC_PASSWORD" ]; then
echo "Notarization enabled"
export APPLE_ID="$APPLE_ID"
export APPLE_TEAM_ID="$APPLE_TEAM_ID"
export APPLE_APP_SPECIFIC_PASSWORD="$APPLE_APP_SPECIFIC_PASSWORD"
# Enable notarization in electron-builder by setting env vars
# The electron-builder.yml has notarize section commented out,
# but we can enable it via environment
export NOTARIZE=true
fi
# Run electron-builder

View file

@ -32,14 +32,16 @@ export async function packageDarwin(config: BuildConfig): Promise<string> {
process.env.CSC_NAME = cscName;
}
// Add notarization if all credentials are available
// Add notarization if all credentials are available.
// electron-builder auto-notarizes via notarytool when APPLE_ID,
// APPLE_APP_SPECIFIC_PASSWORD, and APPLE_TEAM_ID are present in the env;
// no `notarize:` config block or NOTARIZE flag is required (or read).
if (
process.env.APPLE_ID &&
process.env.APPLE_TEAM_ID &&
process.env.APPLE_APP_SPECIFIC_PASSWORD
) {
console.log(' Notarization enabled');
process.env.NOTARIZE = 'true';
}
// Run electron-builder