fix: pass APPLE_SIGNING_IDENTITY to Tauri for proper code signing

fix: notarize only DMG file instead of .app bundle
feat: add Apple code signing and notarization for macOS builds
2026-01-06 12:31:28 -08:00 · 2025-12-31 17:56:16 +01:00 · 2025-12-31 17:30:48 +01:00 · 2025-12-31 17:06:14 +01:00
4 changed files with 125 additions and 7 deletions
--- a/.github/workflows/build-artifacts.yml
+++ b/.github/workflows/build-artifacts.yml
@@ -184,10 +184,38 @@ jobs:
            os: macos-latest
    runs-on: ${{ matrix.os }}
    env:
-      APPLE_SIGNING_IDENTITY: "-"
+      APPLE_SIGNING_IDENTITY: ${{ secrets.APPLE_SIGNING_IDENTITY }}
+      APPLE_ID: ${{ secrets.APPLE_ID }}
+      APPLE_ID_PASSWORD: ${{ secrets.APPLE_ID_PASSWORD }}
+      APPLE_TEAM_ID: ${{ secrets.APPLE_TEAM_ID }}
    steps:
      - uses: actions/checkout@v4

+      - name: Import Apple Developer Certificate
+        env:
+          APPLE_CERTIFICATE: ${{ secrets.APPLE_CERTIFICATE }}
+          APPLE_CERTIFICATE_PASSWORD: ${{ secrets.APPLE_CERTIFICATE_PASSWORD }}
+          APPLE_SIGNING_IDENTITY: ${{ secrets.APPLE_SIGNING_IDENTITY }}
+        run: |
+          # Create a temporary keychain
+          KEYCHAIN_PATH=$RUNNER_TEMP/app-signing.keychain-db
+          KEYCHAIN_PASSWORD=$(openssl rand -base64 32)
+
+          security create-keychain -p "$KEYCHAIN_PASSWORD" "$KEYCHAIN_PATH"
+          security set-keychain-settings -lut 21600 "$KEYCHAIN_PATH"
+          security unlock-keychain -p "$KEYCHAIN_PASSWORD" "$KEYCHAIN_PATH"
+
+          # Import certificate
+          echo -n "$APPLE_CERTIFICATE" | base64 --decode > certificate.p12
+          security import certificate.p12 -k "$KEYCHAIN_PATH" -P "$APPLE_CERTIFICATE_PASSWORD" -T /usr/bin/codesign
+          security set-key-partition-list -S apple-tool:,apple:,codesign: -s -k "$KEYCHAIN_PASSWORD" "$KEYCHAIN_PATH"
+
+          # Verify certificate
+          security find-identity -v -p codesigning "$KEYCHAIN_PATH"
+
+          # Set as default keychain
+          security default-keychain -s "$KEYCHAIN_PATH"
+
      - name: Setup Node.js
        uses: actions/setup-node@v4
        with:
@@ -241,6 +269,39 @@ jobs:
            ditto -c -k --sequesterRsrc --keepParent "$app" "$CARGO_TARGET_DIR/release/bundle/macos/${base}-${{ matrix.arch }}.app.zip"
          done

+      - name: Notarize and staple DMG
+        shell: bash
+        env:
+          CARGO_TARGET_DIR: src-tauri/target/${{ matrix.target }}
+        run: |
+          set -euo pipefail
+
+          # Find the DMG file
+          DMG_FILE=$(find "$CARGO_TARGET_DIR/release/bundle/dmg/" -name "*.dmg" -type f | head -n 1)
+
+          if [[ -z "$DMG_FILE" ]]; then
+            echo "No DMG file found"
+            exit 1
+          fi
+
+          echo "Notarizing: $DMG_FILE"
+
+          # Submit DMG for notarization
+          xcrun notarytool submit "$DMG_FILE" \
+            --apple-id "$APPLE_ID" \
+            --password "$APPLE_ID_PASSWORD" \
+            --team-id "$APPLE_TEAM_ID" \
+            --wait \
+            --output-format json
+
+          # Staple the notarization ticket to DMG
+          xcrun stapler staple "$DMG_FILE"
+
+          # Verify stapling
+          xcrun stapler validate -v "$DMG_FILE"
+
+          echo "Notarization completed successfully"
+
      - name: Upload artifacts
        uses: actions/upload-artifact@v4
        with:
--- a/.github/workflows/build.yml
+++ b/.github/workflows/build.yml
@@ -306,12 +306,39 @@ jobs:
    permissions:
      contents: write
    env:
-      # Ad-hoc signing: allows app to run after "xattr -cr" on macOS
-      APPLE_SIGNING_IDENTITY: "-"
+      APPLE_SIGNING_IDENTITY: ${{ secrets.APPLE_SIGNING_IDENTITY }}
+      APPLE_ID: ${{ secrets.APPLE_ID }}
+      APPLE_ID_PASSWORD: ${{ secrets.APPLE_ID_PASSWORD }}
+      APPLE_TEAM_ID: ${{ secrets.APPLE_TEAM_ID }}

    steps:
      - uses: actions/checkout@v4

+      - name: Import Apple Developer Certificate
+        env:
+          APPLE_CERTIFICATE: ${{ secrets.APPLE_CERTIFICATE }}
+          APPLE_CERTIFICATE_PASSWORD: ${{ secrets.APPLE_CERTIFICATE_PASSWORD }}
+          APPLE_SIGNING_IDENTITY: ${{ secrets.APPLE_SIGNING_IDENTITY }}
+        run: |
+          # Create a temporary keychain
+          KEYCHAIN_PATH=$RUNNER_TEMP/app-signing.keychain-db
+          KEYCHAIN_PASSWORD=$(openssl rand -base64 32)
+
+          security create-keychain -p "$KEYCHAIN_PASSWORD" "$KEYCHAIN_PATH"
+          security set-keychain-settings -lut 21600 "$KEYCHAIN_PATH"
+          security unlock-keychain -p "$KEYCHAIN_PASSWORD" "$KEYCHAIN_PATH"
+
+          # Import certificate
+          echo -n "$APPLE_CERTIFICATE" | base64 --decode > certificate.p12
+          security import certificate.p12 -k "$KEYCHAIN_PATH" -P "$APPLE_CERTIFICATE_PASSWORD" -T /usr/bin/codesign
+          security set-key-partition-list -S apple-tool:,apple:,codesign: -s -k "$KEYCHAIN_PASSWORD" "$KEYCHAIN_PATH"
+
+          # Verify certificate
+          security find-identity -v -p codesigning "$KEYCHAIN_PATH"
+
+          # Set as default keychain
+          security default-keychain -s "$KEYCHAIN_PATH"
+
      - name: Set version from release tag
        shell: bash
        run: |
@@ -397,6 +424,39 @@ jobs:
            mv "$sig" "$CARGO_TARGET_DIR/release/bundle/macos/${base}-${{ matrix.arch }}.tar.gz.sig"
          done

+      - name: Notarize and staple DMG
+        shell: bash
+        env:
+          CARGO_TARGET_DIR: src-tauri/target/${{ matrix.target }}
+        run: |
+          set -euo pipefail
+
+          # Find the DMG file
+          DMG_FILE=$(find "$CARGO_TARGET_DIR/release/bundle/dmg/" -name "*.dmg" -type f | head -n 1)
+
+          if [[ -z "$DMG_FILE" ]]; then
+            echo "No DMG file found"
+            exit 1
+          fi
+
+          echo "Notarizing: $DMG_FILE"
+
+          # Submit DMG for notarization
+          xcrun notarytool submit "$DMG_FILE" \
+            --apple-id "$APPLE_ID" \
+            --password "$APPLE_ID_PASSWORD" \
+            --team-id "$APPLE_TEAM_ID" \
+            --wait \
+            --output-format json
+
+          # Staple the notarization ticket to DMG
+          xcrun stapler staple "$DMG_FILE"
+
+          # Verify stapling
+          xcrun stapler validate -v "$DMG_FILE"
+
+          echo "Notarization completed successfully"
+
      - name: Upload macOS artifacts to GitHub Release
        uses: ncipollo/release-action@v1
        with:
--- a/README.md
+++ b/README.md
@@ -40,10 +40,6 @@ Prebuilt binaries are available for all supported platforms.
 | Intel & Apple Silicon | x64 & ARM64 | x64 & ARM64 |
 | <code>.dmg</code> / <code>.app.zip</code> | <code>.exe</code> / <code>.msi</code> | <code>.deb</code> / <code>.AppImage</code> |

-**macOS: First Launch**
-
-On first launch, macOS may block the application because it is not signed. If this happens, open **System Settings → Privacy & Security** and click **Open Anyway** next to *Armbian Imager was blocked*. This only needs to be done once.
-
 ## How It Works

 1. **Select Manufacturer** — Choose from 70+ supported SBC manufacturers or load a custom image
--- a/src-tauri/tauri.conf.json
+++ b/src-tauri/tauri.conf.json
@@ -48,6 +48,7 @@
    "longDescription": "Armbian Imager is a utility for flashing Armbian OS images to SD cards and USB drives for single board computers.",
    "macOS": {
      "entitlements": "./entitlements.plist",
+      "signingIdentity": null,
      "minimumSystemVersion": "10.15",
      "dmg": {
        "background": "./dmg-background.png",
Author	SHA1	Message	Date
SuperKali	d63d047a0f	fix: pass APPLE_SIGNING_IDENTITY to Tauri for proper code signing	2025-12-31 17:56:16 +01:00
SuperKali	4b9f5289f7	fix: notarize only DMG file instead of .app bundle	2025-12-31 17:30:48 +01:00
SuperKali	840509ec0c	feat: add Apple code signing and notarization for macOS builds	2025-12-31 17:06:14 +01:00