mirror of
https://github.com/goreleaser/goreleaser.git
synced 2025-01-28 04:44:34 +02:00
3cd2e07c68
this includes anchore/quill as a pipe to sign and notarize macos binaries TODO: - [x] find a way to test this - [x] docs - [x] maybe get someone from anchore to take a look? --------- Signed-off-by: Carlos Alexandro Becker <caarlos0@users.noreply.github.com>
2.7 KiB
# Notarize macOS binaries

Since v1.26

GoReleaser can sign and notarize macOS binaries (and Universal Binaries) using [anchore/quill](https://github.com/anchore/quill).
To use it, you'll need:

- An Apple Developer Account ($99/year).
- A certificate from said account. It should be of the "Developer ID Application" type, which is the certificate Apple uses for signing binaries distributed outside the App Store (the "Developer ID Installer" type only signs `.pkg` installers). This will give you a `.cer` file. You'll need to import it into Keychain Access.app, and then export it, together with its private key, as a `.p12` file. It will have a password.
- An App Store Connect API key. This will give you a `.p8` file. Apple lets you download it only once, so keep a copy somewhere safe.
So you should end up with:

- a `Certificates.p12` file and the password to open it
- an `ApiKey_AAABBBCCC.p8` file
Read the commented configuration excerpt below to learn how to use these files. Keep the `.p12`, its password, and the `.p8` key in your CI's secret store and pass them in through environment variables, as the excerpt does; because `enabled` is gated on `isEnvSet`, a build that does not have those secrets (a fork or pull-request build, for instance) skips signing and notarization instead of failing.
```yaml
# .goreleaser.yaml
notarize:
  macos:
    - # Whether this configuration is enabled or not.
      #
      # Default: false
      # Templates: allowed
      enabled: '{{ isEnvSet "MACOS_SIGN_P12" }}'

      # IDs to use to filter the built binaries.
      #
      # Default: Project Name
      ids:
        - build1
        - build2

      # Before notarizing, we need to sign the binary.
      # This block defines the configuration for doing so.
      sign:
        # The .p12 certificate file path or its base64'd contents.
        certificate: "{{.Env.MACOS_SIGN_P12}}"

        # The password to be used to open the certificate.
        password: "{{.Env.MACOS_SIGN_PASSWORD}}"

      # Then, we notarize the binaries.
      notarize:
        # The issuer ID.
        # It's the UUID you see when creating the App Store Connect key.
        issuer_id: "{{.Env.MACOS_NOTARY_ISSUER_ID}}"

        # Key ID.
        # You can see it in the list of App Store Connect Keys.
        # It will also be in the ApiKey filename.
        key_id: "{{.Env.MACOS_NOTARY_KEY_ID}}"

        # The .p8 key file path or its base64'd contents.
        key: "{{.Env.MACOS_NOTARY_KEY}}"

        # Whether to wait for the notarization to finish.
        # Not recommended, as it could take a really long time.
        # If false, the binary is submitted but GoReleaser does not learn
        # whether Apple accepted it; check the outcome out of band.
        wait: true

        # Timeout for the notarization.
        # Beware of the overall `--timeout` time.
        # This only has any effect if `wait` is true.
        #
        # Default: 10m
        timeout: 20m
```
!!! tip
Learn more about the [name template engine](/customization/templates/).
!!! tip "base64"
To base64 a file without line wrapping (`-w0`, so the result is a single line you can paste into a CI secret), run:
```bash
base64 -w0 < ./Certificates.p12
base64 -w0 < ./ApiKey_AAABBBCCC.p8
```
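As an added example, not GoReleaser's or quill's own code, the following stand-alone Go program preflights the two secrets the way the configuration above consumes them, so a misconfigured CI secret is caught before a release run spends its `--timeout` on signing and notarization. Each value is resolved with the same "file path or base64'd contents" rule the config comments describe; the decoded `.p12` must have the outer layout of a PKCS#12 container, and the decoded `.p8` must be a PEM PKCS#8 ECDSA P-256 key, which is what App Store Connect issues. A wrapped (multi-line) base64 value is reported rather than silently accepted, since the tip above asks for `-w0`. The function names, the throwaway key, and the stub PFX are this example's own; the stub exercises only the outer structure, so the `.p12` password and the certificate type are not verified here, and whether GoReleaser itself tolerates wrapped base64 is not something this example claims.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"encoding/asn1"
	"encoding/base64"
	"encoding/pem"
	"fmt"
	"os"
	"strings"
)

// resolveSecret applies the "file path or base64'd contents" convention from
// the config comments: a readable file wins; otherwise the value must be a
// single-line base64 string (wrapped output from base64 without -w0 is flagged).
func resolveSecret(value string) ([]byte, error) {
	if raw, err := os.ReadFile(value); err == nil {
		return raw, nil
	}
	if value == "" {
		return nil, fmt.Errorf("empty value: is the environment variable set?")
	}
	if strings.ContainsAny(value, " \t\r\n") {
		return nil, fmt.Errorf("value contains whitespace: re-encode it with base64 -w0")
	}
	raw, err := base64.StdEncoding.DecodeString(value)
	if err != nil {
		return nil, fmt.Errorf("neither a readable file nor valid base64: %w", err)
	}
	return raw, nil
}

// checkP12 confirms the outer PKCS#12 layout (RFC 7292 PFX: SEQUENCE { version 3, ... }).
// It does not open the container, so the password and certificate type stay unverified.
func checkP12(der []byte) error {
	var pfx asn1.RawValue
	rest, err := asn1.Unmarshal(der, &pfx)
	if err != nil || len(rest) != 0 || pfx.Class != asn1.ClassUniversal || pfx.Tag != asn1.TagSequence {
		return fmt.Errorf("not a single DER SEQUENCE, so not a PKCS#12 (PFX) file")
	}
	var version int
	if _, err := asn1.Unmarshal(pfx.Bytes, &version); err != nil || version != 3 {
		return fmt.Errorf("PKCS#12 version 3 expected")
	}
	return nil
}

// checkP8 confirms an App Store Connect API key: a PEM "PRIVATE KEY" block
// holding a PKCS#8 ECDSA P-256 key, which is what Apple issues.
func checkP8(pemBytes []byte) error {
	block, _ := pem.Decode(pemBytes)
	if block == nil || block.Type != "PRIVATE KEY" {
		return fmt.Errorf(`expected a PEM "PRIVATE KEY" block`)
	}
	key, err := x509.ParsePKCS8PrivateKey(block.Bytes)
	if err != nil {
		return fmt.Errorf("not a PKCS#8 private key: %w", err)
	}
	if ec, ok := key.(*ecdsa.PrivateKey); !ok || ec.Curve != elliptic.P256() {
		return fmt.Errorf("expected an ECDSA P-256 key")
	}
	return nil
}

// preflight checks sign.certificate and notarize.key the way the config
// consumes them. Errors name the field and the reason, never the secret.
func preflight(certificate, key string) error {
	for _, f := range []struct {
		name, value string
		check       func([]byte) error
	}{{"sign.certificate", certificate, checkP12}, {"notarize.key", key, checkP8}} {
		raw, err := resolveSecret(f.value)
		if err == nil {
			err = f.check(raw)
		}
		if err != nil {
			return fmt.Errorf("%s: %w", f.name, err)
		}
	}
	return nil
}

// constructedSamples builds offline stand-ins for the two files: a throwaway
// P-256 key as PKCS#8 PEM, and a PFX shell whose authSafe holds only the
// id-data content type. Neither is a real Apple credential.
func constructedSamples() (p12DER, p8PEM []byte) {
	priv, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		panic(err) // fixture only; cannot fail with a working crypto/rand
	}
	keyDER, _ := x509.MarshalPKCS8PrivateKey(priv) // cannot fail for a P-256 key
	p8PEM = pem.EncodeToMemory(&pem.Block{Type: "PRIVATE KEY", Bytes: keyDER})
	type contentInfo struct{ ContentType asn1.ObjectIdentifier }
	p12DER, _ = asn1.Marshal(struct { // fixed input; cannot fail
		Version  int
		AuthSafe contentInfo
	}{3, contentInfo{asn1.ObjectIdentifier{1, 2, 840, 113549, 1, 7, 1}}})
	return p12DER, p8PEM
}

func main() {
	// In CI both values come from MACOS_SIGN_P12 and MACOS_NOTARY_KEY, each
	// produced with base64 -w0 as in the tip above.
	p12DER, p8PEM := constructedSamples()
	if err := preflight(base64.StdEncoding.EncodeToString(p12DER), base64.StdEncoding.EncodeToString(p8PEM)); err != nil {
		fmt.Println("preflight failed:", err)
		os.Exit(1)
	}
	fmt.Println("preflight ok: certificate and API key have the expected shape")
}
```

Run it in the CI job before `goreleaser release`, replacing the constructed samples with the real environment variables; a failure message names the config field and the reason without echoing the secret into the log.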