Skip to content
Build Rust CLI -> .app -> .dmg -> Notarize

Fixing apple signing #27

Sign in to view logs

Fixing apple signing

Fixing apple signing #27

Workflow file for this run

.github/workflows/build.yml at 901920b
name: "Build Rust CLI -> .app -> .dmg -> Notarize"
on:
push:
branches: [ "main" ]
pull_request:
branches: [ "main" ]
# If you want auto-release on tags, also add:
# tags:
# - 'v*.*.*'
jobs:
build-macos-dmg:
name: "Build, .app, Notarize macOS"
runs-on: macos-latest
steps:
# 1) Check out code
- name: Check out code
uses: actions/checkout@v3
# 2) Install Rust
- name: Set up Rust
uses: dtolnay/rust-toolchain@v1
with:
toolchain: stable
# 3) Build CLI in release mode
- name: Cargo build
run: cargo build --release
# 4) Import Developer ID certificate + AppleWWDRCAG3 intermediate
- name: Install Code Signing Certificate
run: |
echo "$APPLE_CERT" | base64 --decode > signing.p12
security create-keychain -p "" build.keychain
security default-keychain -s build.keychain
security unlock-keychain -p "" build.keychain
# Download & import Apple WWDR intermediate certificate
curl -O https://www.apple.com/certificateauthority/AppleWWDRCAG3.cer
security import AppleWWDRCAG3.cer -k build.keychain
# Now import your Developer ID .p12
security import signing.p12 -k build.keychain -P "$APPLE_CERT_PASS" -T /usr/bin/codesign
# Ensure codesign can read the private key
security set-key-partition-list -S apple-tool:,apple: -s -k "" build.keychain
env:
APPLE_CERT: ${{ secrets.APPLE_CERT }}
APPLE_CERT_PASS: ${{ secrets.APPLE_CERT_PASS }}
# 5) Create .app folder + minimal Info.plist (on one line)
- name: Create .app bundle
run: |
mkdir -p QuickPass.app/Contents/MacOS
cp target/release/QuickPass QuickPass.app/Contents/MacOS/
cp .github/workflows/Info.plist QuickPass.app/Contents/Info.plist
# 6) Code sign only the .app (no --deep)
- name: Code Sign .app
run: |
codesign --force --options runtime \
--sign "Developer ID Application: Jacob Kanfer (M7SN262HK4)" \
QuickPass.app
# 7) Debug-check the signed .app
- name: Debug Signed .app
run: |
echo "=== codesign -dv --verbose=4 ==="
codesign -dv --verbose=4 QuickPass.app
echo "=== spctl -a -vvv QuickPass.app ==="
spctl -a -vvv QuickPass.app || true
# 8) Make .dmg using HFS+ (skip code signing the .dmg)
- name: Create .dmg
run: |
mv QuickPass.app target/release/
cd target/release
mkdir QuickPassDmgContent
mv QuickPass.app QuickPassDmgContent/
hdiutil create QuickPass.dmg \
-volname "QuickPass" \
-srcfolder "QuickPassDmgContent" \
-fs HFS+ \
-ov
# 9) Notarize the .dmg, capturing logs if "Invalid"
- name: Notarize .dmg
if: env.APPLE_APP_SPECIFIC_PASSWORD
run: |
cd target/release
# Submit for notarization, capturing entire output
xcrun notarytool submit QuickPass.dmg \
--apple-id "$APPLE_ID" \
--team-id "$APPLE_TEAM_ID" \
--password "$APPLE_APP_SPECIFIC_PASSWORD" \
--wait 2>&1 | tee notarytool-submit.txt
echo "=== Submission raw output: ==="
cat notarytool-submit.txt
# Extract ONLY the first occurrence of " id:" line
SUBMISSION_ID=$(grep '^ id:' notarytool-submit.txt | head -n1 | sed 's/.*id: //')
echo "Extracted SUBMISSION_ID=${SUBMISSION_ID}"
# Grab the last status line
STATUS=$(grep 'status:' notarytool-submit.txt | tail -n1 | sed 's/.*status: //')
echo "Extracted Notary Status=$STATUS"
if [ "$STATUS" = "Accepted" ]; then
echo "Stapling .dmg..."
xcrun stapler staple QuickPass.dmg
else
echo "Notarization invalid. Fetching logs with SUBMISSION_ID=${SUBMISSION_ID}..."
xcrun notarytool log "$SUBMISSION_ID" \
--apple-id "$APPLE_ID" \
--team-id "$APPLE_TEAM_ID" \
--password "$APPLE_APP_SPECIFIC_PASSWORD" \
2>&1 | tee notarytool-log.txt
echo "=== Detailed Notary Log: ==="
cat notarytool-log.txt
exit 1
fi
env:
APPLE_ID: ${{ secrets.APPLE_ID }}
APPLE_TEAM_ID: ${{ secrets.APPLE_TEAM_ID }}
APPLE_APP_SPECIFIC_PASSWORD: ${{ secrets.APPLE_APP_SPECIFIC_PASSWORD }}
# 10) Upload final .dmg
- name: Upload notarized .dmg
uses: actions/upload-artifact@v4
with:
name: QuickPass-macOS-dmg
path: target/release/QuickPass.dmg
overwrite: true