Gon is a tool to manage code signing within the Apple Developer portal without Apple's Xcode app. There is already a good explanation in the project repo. To verify it, here is the step-by-step procedure:
- Download and install the program with brew:
$ brew tap mitchellh/gon
$ brew install mitchellh/gon/gon
- Sign up for the Apple Developer Program. The purchase is around $50 per year
- Create a "Developer ID Application" certificate on the Certificate page
- Import the certificate on your Mac by downloading it.
A correct installation of the cert will look like this:
% security find-identity -v
1) FCA2B1F866A1B8FAF0CD020534DAD6AC2E0F0E8 "Developer ID Application: Frank Kloeker (R13RWZX6LF)"
2) BDBECC4C7B1DAEDA57791C1BFBFACC238D9FA62C "2721230f-3d26-4c58-9a06-62f60447a271-MDMIdentity"
2 valid identities found
- Go to AppleID and log in with your AppleID (free to sign up). Navigate to "App-Specific Passwords" and create a new password (hint: AppleID will generate the password itself once you supply a description for it. Your own password will NOT be the application password, and the application password is NOT your AppleID password!)
- Generate a config.json file where all information comes together:
{
  "source" : ["/Users/ec2-user/bin/helm"],
  "bundle_id" : "de.mcsps.helm",
  "apple_id": {
    "username" : "[email protected]",
    "password": "@env:APP_PASSWORD"
  },
  "sign" :{
    "application_identity": "R13RWZX6LF"
  },
  "dmg" :{
    "output_path": "helm.dmg",
    "volume_name": "Helm"
  },
  "zip" :{
    "output_path" : "helm.zip"
  }
}
In the example we will sign the binary helm with our developer key. For that we have our username, the app-specific password as an environment variable, the developer cert ID, and the location for the output of the zip and dmg files. bundle_id is the identifier for app development and should contain a domain name which you own.
- Start the signing process
% gon config.json
==> ✏️ Signing files...
Code signing successful
==> 📦 Creating Zip archive...
Zip archive created with signed files
==> 📦 Creating dmg...
This will open Finder windows momentarily.
Dmg file created: helm.dmg
Signing dmg...
Dmg created and signed
==> 🍎 Notarizing...
Files will be notarized concurrently to optimize queue wait
Path: helm.zip
Path: helm.dmg
[helm.dmg] Submitting file for notarization...
[helm.dmg] Submitted. Request UUID: 74b63757-a6b8-4c61-9f4a-8bf741bbf6b2
[helm.dmg] Waiting for results from Apple. This can take minutes to hours.
[helm.zip] Submitting file for notarization...
[helm.dmg] Status: in progress
[helm.zip] Submitted. Request UUID: 5aa71bfc-5d9d-4301-8b56-70deb5256685
[helm.zip] Waiting for results from Apple. This can take minutes to hours.
[helm.zip] Status: in progress
[helm.dmg] Status: success
[helm.dmg] File notarized!
[helm.dmg] Stapling...
[helm.dmg] File notarized and stapled!
[helm.zip] Status: success
[helm.zip] File notarized!
Notarization complete! Notarized files:
- helm.zip (notarized)
- helm.dmg (notarized and stapled)
That's it! The helm binary is now signed with our key: the binary itself, the zip file, and the dmg file for other installation methods.
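A pre-flight check to run on config.json before calling gon, added here as an example and not part of gon or the original post. It flags an app-specific password pasted into the file instead of an @env: reference (gon also accepts @keychain:), an unset environment variable, an empty signing identity, a malformed bundle_id and missing source files. The function name, the sample password and the sample username are constructed for illustration.

```python
import json
import os
import re

# Constructed input: the page's config.json with two mistakes introduced,
# a pasted literal password (placeholder value) and an empty signing identity.
SAMPLE = """
{
  "source": ["/Users/ec2-user/bin/helm"],
  "bundle_id": "de.mcsps.helm",
  "apple_id": {"username": "user@example.invalid", "password": "abcd-efgh-ijkl-mnop"},
  "sign": {"application_identity": ""},
  "dmg": {"output_path": "helm.dmg", "volume_name": "Helm"},
  "zip": {"output_path": "helm.zip"}
}
"""

REVERSE_DNS = re.compile(r"^[A-Za-z0-9-]+(\.[A-Za-z0-9-]+)+$")


def lint_gon_config(cfg, environ=None, exists=os.path.exists):
    """Return a list of findings for a parsed config; an empty list means OK."""
    environ = os.environ if environ is None else environ
    findings = []
    password = cfg.get("apple_id", {}).get("password", "")
    if password.startswith("@env:"):
        var = password[len("@env:"):]
        if not environ.get(var):
            findings.append(f"apple_id.password: environment variable {var} is not set")
    elif password.startswith("@keychain:"):
        pass  # gon resolves this reference from the macOS keychain
    elif password:
        # Never echo the value itself, only the fact that it is a literal.
        findings.append("apple_id.password: literal secret in file, use @env: or @keychain:")
    else:
        findings.append("apple_id.password: missing (this check follows the page's layout)")
    if not cfg.get("sign", {}).get("application_identity"):
        findings.append("sign.application_identity: empty, nothing to sign with")
    if not REVERSE_DNS.match(cfg.get("bundle_id", "")):
        findings.append("bundle_id: expected a reverse-domain name such as de.mcsps.helm")
    sources = cfg.get("source") or []
    if not sources:
        findings.append("source: no files listed")
    findings += [f"source: {p} does not exist" for p in sources if not exists(p)]
    return findings


if __name__ == "__main__":
    for finding in lint_gon_config(json.loads(SAMPLE)):
        print("FINDING", finding)
```

In a build job, fail the step when the returned list is not empty, so a config with a pasted password never reaches the repository or the signing run.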