对 macOS 应用进行代码签名
This guide provides information on code signing and notarization for macOS applications.
If you are not utilizing GitHub Actions to perform builds of OSX DMGs, you will need to ensure the environment variable CI=true exists. For more information refer to tauri-apps/tauri#592.
Requirements
- macOS 10.13.6 or later
- Xcode 10 or later
- An Apple Developer account enrolled in the Apple Developer Program
For more details please read the developer article on notarizing macOS software before distribution.
tl;dr
The Tauri code signing and notarization process is configured through the following environment variables:
APPLE_SIGNING_IDENTITY: the name of the keychain entry that contains the signing certificate.APPLE_CERTIFICATE: base64 string of the.p12certificate, exported from the keychain. Useful if you don't have the certificate on the keychain (e.g., CI machines).APPLE_CERTIFICATE_PASSWORD: the password for the.p12certificate.APPLE_IDandAPPLE_PASSWORD: your Apple account email and an app-specific password. Only required to notarize the app.APPLE_API_ISSUERandAPPLE_API_KEY: authentication with an App Store Connect API key instead of the Apple ID. Only required if you notarize the app.APPLE_PROVIDER_SHORT_NAME: Team provider short name. If your Apple ID is connected to multiple teams, you have to specify the provider short name of the team you want to use to notarize your app. You can list your account providers usingxcrun altool --list-providers -u "AC_USERNAME" -p "AC_PASSWORD"as explained in the notarization workflow.
Signing Tauri apps
The first step to signing a macOS application is getting a signing certificate from the Apple Developer Program.
创建签名证书
To create a new signing certificate, you must generate a Certificate Signing Request (CSR) file from your Mac computer. Create a certificate signing request describes creating a CSR.
On your Apple Developer account, navigate to the Certificates, IDs & Profiles page and click on the Create a certificate button to open the interface to create a new certificate. Choose the appropriate certificate type (Apple Distribution to submit apps to the App Store, and Developer ID Application to ship apps outside the App Store). Upload your CSR, and the certificate will be created.
Only the Apple Developer Account Holder can create Developer ID Application certificates. But it can be associated with a different Apple ID by creating a CSR with a different user email address.
下载证书
On the Certificates, IDs & Profiles page, click on the certificate you want to use and click on the Download button. It saves a .cer file that installs the certificate on the keychain once opened. The name of the keychain entry represents the signing identity, which can also be found by executing security find-identity -v -p codesigning.
A signing certificate is only valid if associated with your Apple ID. An invalid certificate won't be listed on the Keychain Access > My Certificates tab or the security find-identity -v -p codesigning output. If the certificate does not download to the correct location, make sure the "login" option is selected in Keychain Access under "Default Keychains" when downloading the .cer file.
Signing the Tauri application
The signing configuration is provided to the Tauri bundler via environment variables. You need to configure the certificate to use and an optional authentication configuration to notarize the application.
Certificate environment variables
APPLE_SIGNING_IDENTITY: this is thesigning identitywe highlighted above. It must be defined to sign apps both locally and on CI machines.
Additionally, to simplify the code signing process on CI, Tauri can install the certificate on the keychain for you if you define the APPLE_CERTIFICATE and APPLE_CERTIFICATE_PASSWORD environment variables.
- Open the
Keychain Accessapp to login > My Certificates and find your certificate's keychain entry. - Expand the entry, double-click on the key item, and select
Export "$KEYNAME". - Select the path to save the
.p12file and define the exported certificate password. - Convert the
.p12file to base64 running the following script on the terminal:openssl base64 -in /path/to/certificate.p12 -out certificate-base64.txt. - Set the contents of the
certificate-base64.txtfile to theAPPLE_CERTIFICATEenvironment variable. - Set the certificate password to the
APPLE_CERTIFICATE_PASSWORDenvironment variable.
Authentication environment variables
These variables are only required to notarize the application.
Notarization is required when using a Developer ID Application certificate.
APPLE_IDandAPPLE_PASSWORD: to authenticate with your Apple ID, set theAPPLE_IDto your Apple account email (example:export APPLE_ID=tauri@icloud.com) and theAPPLE_PASSWORDto an app-specific password for the Apple account.APPLE_API_ISSUERandAPPLE_API_KEY: alternatively, you can authenticate using an App Store Connect API key. Open the App Store Connect's Users and Access page, select theKeystab, click on theAddbutton and select a name and theDeveloperaccess. TheAPPLE_API_ISSUER(Issuer ID) is presented above the keys table, and theAPPLE_API_KEYis the value on theKey IDcolumn on that table. You also need to download the private key, which can only be done once and is only visible after a page reload (the button is shown on the table row for the newly created key). The private key file must be saved on./private_keys,~/private_keys,~/.private_keysor~/.appstoreconnect/private_keys, as stated on thexcrun altool --helpcommand.
构建应用程序
The Tauri bundler automatically signs and notarizes your application with all these environment variables set when running the tauri build command.
示例
The following example uses GitHub Actions to sign an application using the Tauri action.
We first define the environment variables we listed above as Secrets on GitHub.
You can view this guide to learn about GitHub secrets.
Once we have established the GitHub Secrets, we create a GitHub publish workflow in .github/workflows/main.yml:
name: 'publish'
on:
push:
branches:
- release
jobs:
publish-tauri:
permissions:
contents: write
strategy:
fail-fast: false
matrix:
platform: [macos-latest]
runs-on: ${{ matrix.platform }}
steps:
- name: Checkout repository
uses: actions/checkout@v3
- name: Rust setup
uses: dtolnay/rust-toolchain@stable
- name: Rust cache
uses: swatinem/rust-cache@v2
with:
workspaces: './src-tauri -> target'
- name: Sync node version and setup cache
uses: actions/setup-node@v3
with:
node-version: 'lts/*'
cache: 'yarn' # Set this to npm, yarn or pnpm.
- name: Install frontend dependencies
# If you don't have `beforeBuildCommand` configured you may want to build your frontend here too.
run: yarn install # Change this to npm, yarn or pnpm.
- name: Build the app
uses: tauri-apps/tauri-action@v0
env:
GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
ENABLE_CODE_SIGNING: ${{ secrets.APPLE_CERTIFICATE }}
APPLE_CERTIFICATE: ${{ secrets.APPLE_CERTIFICATE }}
APPLE_CERTIFICATE_PASSWORD: ${{ secrets.APPLE_CERTIFICATE_PASSWORD }}
APPLE_SIGNING_IDENTITY: ${{ secrets.APPLE_SIGNING_IDENTITY }}
APPLE_ID: ${{ secrets.APPLE_ID }}
APPLE_PASSWORD: ${{ secrets.APPLE_PASSWORD }}
with:
tagName: app-v__VERSION__ # the action automatically replaces \_\_VERSION\_\_ with the app version
releaseName: 'App v__VERSION__'
releaseBody: 'See the assets to download this version and install.'
releaseDraft: true
prerelease: false
The workflow pulls the secrets from GitHub and defines them as environment variables before building the application using the Tauri action. The output is a GitHub release with the signed and notarized macOS application.