
Get an Apple developer certificate #45

Closed
simonw opened this issue Sep 3, 2021 · 23 comments
Labels
packaging Anything involving making stuff installable

Comments

simonw commented Sep 3, 2021

Part of #20

simonw added the "packaging" label Sep 3, 2021
simonw added this to the "First public installer release" milestone Sep 3, 2021

simonw commented Sep 3, 2021

My main AppleID is still associated with a UK developer account which expired in 2015 - and when I tried to submit the form with a request to update my address I got a 404 error!

So I created a brand new AppleID with my US address (details in my 1Password) and spent $99 enrolling that new ID in the Apple Developer program.

It says it could take up to 48 hours for that to be processed, so I can't create a certificate with it until that happens.

simonw commented Sep 3, 2021

Account is active! Next step: figure out which of these I need: https://developer.apple.com/account/resources/certificates/add

simonw commented Sep 3, 2021

For the first release I'm ignoring the Mac App Store entirely, so the Electron docs say I need: https://github.com/electron/electron-osx-sign/wiki/1.-Getting-Started#certificates

  • Developer ID Application
  • Developer ID Installer

simonw commented Sep 3, 2021

Since I plan to distribute as a zip file and not a DMG (see #33) maybe I don't need the Installer one?

simonw commented Sep 3, 2021

I'm going to use that form to create a "Developer ID Application" certificate.

It wants a certificate signing request:

(screenshot: Certificates, Identifiers & Profiles - Apple Developer)

https://help.apple.com/developer-account/#/devbfa00fef7

  1. Launch Keychain Access located in /Applications/Utilities.
  2. Choose Keychain Access > Certificate Assistant > Request a Certificate from a Certificate Authority.
  3. In the Certificate Assistant dialog, enter an email address in the User Email Address field.
  4. In the Common Name field, enter a name for the key (for example, Gita Kumar Dev Key).
  5. Leave the CA Email Address field empty.
  6. Choose "Saved to disk", and click Continue.

simonw commented Sep 3, 2021

(screenshot: Certificate Assistant)

I saved it to /Users/simon/Dropbox/DatasetteDesktopCertificates/CertificateSigningRequest.certSigningRequest

simonw commented Sep 3, 2021

(screenshot: Certificates, Identifiers & Profiles - Apple Developer)

Saved that certificate to developerID_application.cer in that folder.

simonw commented Sep 3, 2021

I'm deliberately NOT importing the certificate into Keychain, because I want to figure out how to use it in a GitHub Actions workflow exclusively using the command-line.

simonw commented Sep 3, 2021

ls -lah developerID_application.cer 
-rw-r--r--@ 1 simon  staff   1.4K Sep  3 11:43 developerID_application.cer

GitHub secrets are limited to 64KB so this will work fine. I'll probably base64 encode it.

This outputs the base64 for that file:

openssl base64 -in developerID_application.cer

simonw commented Sep 3, 2021

I think I may need to use CertificateSigningRequest.certSigningRequest to create something based on developerID_application.cer.

All of the instructions out there such as https://stackoverflow.com/a/28962937/6083 encourage using the Keychain Access application to do this, but I don't want to! I'll continue trying to figure out how to do it on the command-line. I may have to give up and use the GUI though.

simonw commented Sep 3, 2021

https://stackoverflow.com/questions/21141215/creating-a-p12-file looks relevant but I'm now wary that I didn't select any kind of private key when I got Keychain Access to create the CSR for me - so I think it hid those details.

https://stackoverflow.com/a/28962937/6083 says:

This will create and save your certSigningRequest file (CSR) to your hard drive. A public and private key will also be created in Keychain Access with the Common Name entered.

So I'm going to stop going down this rabbit hole and just use Keychain Access to create the p12 file I need, following those Stack Overflow instructions.

simonw commented Sep 3, 2021

I double-clicked developerID_application.cer and got this:

(screenshot: Add Certificates dialog)

I clicked "Add".

I think I need to export two files as one. I found this option in the "Certificates" pane in Keychain Access:

(screenshot: Keychain Access export option)

Then it asked me for a place to save the file - I decided on a file name of Developer-ID-Application-Certificates.p12

Then it asked me for a password - I generated a random one and stored it in a 1Password item called "Password for Developer-ID-Application-Certificates.p12"

It asked for my login keychain password:

(screenshot: login keychain password prompt)

simonw commented Sep 3, 2021

I now have a 3KB Developer-ID-Application-Certificates.p12 file.

simonw commented Sep 3, 2021

OK, this looks like it might be working!

datasette-app % CSC_KEY_PASSWORD=... CSC_LINK=/Users/simon/Dropbox/DatasetteDesktopCertificates/Developer-ID-Application-Certificates.p12 npm run dist

> [email protected] dist
> electron-builder --publish never

  • electron-builder  version=22.11.7 os=19.6.0
  • loaded configuration  file=package.json ("build" field)
  • writing effective config  file=dist/builder-effective-config.yaml
  • packaging       platform=darwin arch=x64 electron=13.3.0 appOutDir=dist/mac
  • signing         file=dist/mac/Datasette.app identityName=Developer ID Application: Simon Willison (762G34JSDR) identityHash=4CBAE9A14BAE09B41C3F24895927698FB1F9A970 provisioningProfile=none
  • building        target=macOS zip arch=x64 file=dist/Datasette-0.1.0-mac.zip
  • building        target=DMG arch=x64 file=dist/Datasette-0.1.0.dmg

simonw commented Sep 3, 2021

Having run that I ran this:

cd dist/mac
ditto -c -k --keepParent Datasette.app Datasette.app.zip

This gave me a Datasette.app.zip file which, hopefully, is signed! I need to copy it to another Mac and see what happens.

simonw commented Sep 3, 2021

It looks like this works too:

datasette-app % CSC_KEY_PASSWORD=... \
  CSC_LINK=$(openssl base64 -in /Users/simon/Dropbox/DatasetteDesktopCertificates/Developer-ID-Application-Certificates.p12) \
  npm run dist

So I can stash the base64 of that file in a GitHub Actions secret and use it directly from the command-line.

simonw commented Sep 3, 2021

I added CSC_KEY_PASSWORD and CSC_LINK secrets to this repo - the CSC_LINK one is the pasted output of openssl base64 -in /Users/simon/Dropbox/DatasetteDesktopCertificates/Developer-ID-Application-Certificates.p12.
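For the command-line route the earlier comments went looking for (generating the CSR and the .p12 without Keychain Access) together with the base64-secret step just above, an added example that is not part of the issue or the datasette-app project: an openssl-only script. The key size, subject fields, file names and the self-signed stand-in for the .cer Apple returns are assumptions; the CSC_LINK and CSC_KEY_PASSWORD names come from the issue.

```shell
#!/bin/sh
# Added example (not from the issue): the openssl-only path, with no Keychain Access.
# File names, subject fields and the key size are assumptions.
set -e
WORKDIR="${WORKDIR:-$(mktemp -d)}"

# 1. Private key + CSR. Apple's portal accepts an openssl-generated CSR; the CN and
#    email mirror the Certificate Assistant fields quoted in the issue.
make_csr() {
    openssl genrsa -out "$WORKDIR/developerID.key" 2048 2>/dev/null
    openssl req -new -key "$WORKDIR/developerID.key" \
        -subj "/emailAddress=dev@example.com/CN=Example Dev Key/C=US" \
        -out "$WORKDIR/CertificateSigningRequest.certSigningRequest"
    openssl req -in "$WORKDIR/CertificateSigningRequest.certSigningRequest" \
        -noout -verify >/dev/null 2>&1
}

# 2. Constructed stand-in for the .cer Apple returns after you upload the CSR:
#    a self-signed cert from the same key, so the script runs offline.
fake_apple_cer() {
    openssl x509 -req -in "$WORKDIR/CertificateSigningRequest.certSigningRequest" \
        -signkey "$WORKDIR/developerID.key" -days 365 \
        -out "$WORKDIR/developerID_application.cer" 2>/dev/null
}

# 3. Bundle private key + certificate into the .p12 that CSC_LINK points at.
#    The key only leaves this machine inside this password-protected file.
#    (OpenSSL 3: add -legacy if an older Keychain Access refuses to import it.)
make_p12() {
    openssl pkcs12 -export -inkey "$WORKDIR/developerID.key" \
        -in "$WORKDIR/developerID_application.cer" \
        -name "Developer ID Application (example)" \
        -passout "pass:$1" -out "$WORKDIR/Developer-ID-Application-Certificates.p12"
}

# 4. Single-line base64 for the GitHub secret (the issue pastes the wrapped output,
#    which also works); decode it back and prove the MAC checks with the password.
p12_roundtrip_ok() {
    openssl base64 -A -in "$WORKDIR/Developer-ID-Application-Certificates.p12" \
        > "$WORKDIR/csc_link.txt"
    openssl base64 -d -A -in "$WORKDIR/csc_link.txt" -out "$WORKDIR/decoded.p12"
    cmp -s "$WORKDIR/Developer-ID-Application-Certificates.p12" "$WORKDIR/decoded.p12" &&
        openssl pkcs12 -in "$WORKDIR/decoded.p12" -passin "pass:$1" -noout 2>/dev/null
}
# Usage: make_csr; upload the CSR to Apple and save the .cer as developerID_application.cer;
# make_p12 "$CSC_KEY_PASSWORD"; p12_roundtrip_ok "$CSC_KEY_PASSWORD"
```

The contents of csc_link.txt are what goes into the CSC_LINK secret; the round-trip check is the same thing the CI runner does implicitly when electron-builder decodes the secret.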

simonw added a commit that referenced this issue Sep 3, 2021

simonw commented Sep 3, 2021

Let's see what happens!

simonw commented Sep 3, 2021

That workflow run is here: https://github.com/simonw/datasette-app/runs/3509435955

Looks like it's doing the right thing:

> electron-builder --publish never

  • electron-builder  version=22.11.7 os=19.6.0
  • loaded configuration  file=package.json ("build" field)
  • packaging       platform=darwin arch=x64 electron=13.3.0 appOutDir=dist/mac
  • downloading     url=https://github.com/electron/electron/releases/download/v13.3.0/electron-v13.3.0-darwin-x64.zip size=79 MB parts=6
  • downloaded      url=https://github.com/electron/electron/releases/download/v13.3.0/electron-v13.3.0-darwin-x64.zip duration=813ms
  • signing         file=dist/mac/Datasette.app identityName=Developer ID Application: Simon Willison (762G34JSDR) identityHash=4CBAE9A14BAE09B41C3F24895927698FB1F9A970 provisioningProfile=none
  • building        target=macOS zip arch=x64 file=dist/Datasette-0.1.0-mac.zip
  • building        target=DMG arch=x64 file=dist/Datasette-0.1.0.dmg

simonw commented Sep 3, 2021

I downloaded the zip file artifact from that build to a different computer running macOS Mojave 10.14.6, unzipped it, and tried to open it. When I tried that it sat on "Verifying..." for a little while and then said:

(screenshot: Datasette-macOS)

simonw commented Sep 3, 2021

I tried again with "Right click -> Open" which gave me this:

(screenshot: open-button)

After clicking that the Electron app opened with the loading spinner, and the terminal confirmed that ~/.datasette-app/venv had been created - but the spinner kept on running for a long time. And then it worked!

simonw commented Sep 3, 2021

I'm going to call this done, and move on to a new issue for notarizing.

simonw commented Sep 8, 2021
