Skip to content

macOS code signing

Jump to bottom
Christophe Fergeau edited this page Nov 30, 2022 · 1 revision

This document lists the step I took to codesign the crc installer

  • make out/macos-universal/crc-macos-installer.tar
  • take the tarball to the macOS machine which will sign the installer
  • unpack the tarball
  • set CODESIGN_IDENTITY and PRODUCTSIGN_IDENTITY to match the certificates you'll be using. In my case: export PRODUCTSIGN_IDENTITY="Developer ID Installer: Christophe Fergeau (GSP9DR7D3R)" and export CODESIGN_IDENTITY="Developer ID Application: Christophe Fergeau (GSP9DR7D3R)"
  • run packaging/package.sh ./packaging, this will generate a signed packaging/crc-macos-installer.pkg file
  • this file can now be notarized with xcrun notarytool submit --apple-id [email protected] --team-id GSP9DR7D3R --wait ./packaging/crc-macos-installer.pkg. I used an application-specific password for this step instead of my main Apple ID password. --wait is optional, xcrun notarytool info and xcrun notarytool log can be used to monitor the progress.
  • Once the notarization reports Accepted, you can run xcrun stapler staple ./packaging/crc-macos-installer.pkg to attach the result to the installer

spctl --assess -vv --type install ./packaging/crc-macos-installer.pkg can be used to check the signature and notarization of the .pkg file.

crc - Github

Clone this wiki locally