|
1 |
| -# CODESIGNING |
| 1 | +# Code Signing |
2 | 2 |
|
3 |
| -To sign Processing on Mac OS we need a Apple Developer account and involves two steps: |
| 3 | +Code signing is a way for a computer to verify that the software it runs comes from a trusted source and hasn’t been altered. |
4 | 4 |
|
5 |
| -Signing the Processing.app and the included JRE |
| 5 | +Official releases of Processing are signed by our automated build process. If you only ever want to download and use Processing, you should not have to worry about code signing. |
6 | 6 |
|
7 |
| -This happens either by running `ant macos-dist` or in the Github actions |
| 7 | +However, if you want to share your own custom builds of Processing with someone else, you might need to sign the code with your own certificates. |
8 | 8 |
|
9 |
| -## Setup Github Actions |
10 |
| -To setup the Github Actions you need to be the role Account Holder on your Apple Developer team. |
| 9 | +## macOS |
11 | 10 |
|
12 |
| -### Application Signing |
13 |
| -We start by creating a .p12 file following the tutorial on the CodeSigning Action |
14 |
| -https://github.com/Apple-Actions/import-codesign-certs |
| 11 | +Code signing is especially important for macOS, as Apple blocks unsigned software from running on their system. If you build Processing locally and share the executable with someone else, you will need to sign your code. |
15 | 12 |
|
16 |
| -Currently this consists of following this tutorial with one step altered below: |
| 13 | +### Pre-requisites |
| 14 | +1. Access to a computer running macOS (Apple only allows macOS certificates to be created on a Mac) |
| 15 | +2. An Apple Developer account (https://developer.apple.com) |
| 16 | +3. A recent version of Xcode |
| 17 | +5. The "Account Holder" role on your Apple Developer team (needed for setting up the GitHub action) |
17 | 18 |
|
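Review bot: The Pre-requisites list is numbered 1, 2, 3, 5, so either a fourth prerequisite was dropped or the last item is misnumbered. Renumber `5. The "Account Holder" role ...` to 4, or restore the missing item. A blank line between the `### Pre-requisites` heading and the first list item, as under `#### Create Your Local Signing Certificates`, would also keep the file consistent.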
18 |
| -https://calvium.com/how-to-make-a-p12-file/ |
| 19 | +### macOS Code Signing with GitHub Actions |
19 | 20 |
|
20 |
| -In the create new certificate section, select `Developer ID Application` this allows the certificate to distribute outside the Mac App Store |
| 21 | +We need to sign the `Processing.app` executable itself, as well as the included Java Runtime Environment (JRE). |
21 | 22 |
|
22 |
| -Then take the certificate generated by the tutorial above and copy it to your clipboard as |
| 23 | +For this we will use the [import-codesign-certs](https://github.com/Apple-Actions/import-codesign-certs) GitHub Action. |
| 24 | + |
| 25 | +#### Create Your Local Signing Certificates |
| 26 | + |
| 27 | +Open Xcode and log in with your Apple Developer account if you aren't already. |
| 28 | + |
| 29 | +Still in Xcode, navigate to **Preferences**. Go to the **Accounts** tab, select your user account, and click **Manage Certificates**. Then, click the **+** button and select **macOS Developer ID**. |
| 30 | + |
| 31 | +#### Create a `.p12` file |
| 32 | +A `.p12` file contains your signing certificates, which will be used to prove that the app comes from you. |
| 33 | + |
| 34 | +To create your `.p12` file, follow [this tutorial](https://calvium.com/how-to-make-a-p12-file/) with the following step altered: |
| 35 | + |
| 36 | +In the **create new certificate** section, do NOT select `iOS distribution` but instead select `Developer ID Application`. This allows the certificate to be used to distribute an app outside of the Mac App Store. |
| 37 | + |
| 38 | +Make sure to create a strong password when prompted. If possible, save the password in a password manager. You will need it in the next step. |
| 39 | + |
| 40 | +#### Upload your Signing Certificates to GitHub |
| 41 | + |
| 42 | +In a terminal window, navigate to the location of the `.p12` file you generated in the previous step. |
| 43 | + |
| 44 | +Copy the file to your clipboard using the following command: |
23 | 45 | ```bash
|
24 | 46 | $ base64 -i CertificateFile.p12 | pbcopy
|
25 | 47 | ```
|
| 48 | +In your Github Repository, create a secret called `CERTIFICATES_P12` and paste the content of your clipboard into it. |
| 49 | + |
| 50 | +Create another secret called `CERTIFICATES_P12_PASSWORD` and save your `.p12` password into it. |
26 | 51 |
|
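Review bot: The upload step leaves the base64-encoded `.p12` on the clipboard and the exported file on disk, and nothing after the `CERTIFICATES_P12_PASSWORD` paragraph tells the reader to clean either up. Since the `.p12` contains the signing certificates, add a sentence asking the reader to clear the clipboard and delete or securely store `CertificateFile.p12` once both secrets are saved. Also, "Github Repository" should read "GitHub repository" to match the rest of the change, and a blank line after the closing code fence would match the surrounding paragraphs.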
27 |
| -and set the secrets `CERTIFICATES_P12` and `CERTIFICATES_P12_PASSWORD` into the Github Repository. |
| 52 | +The GitHub Action should now be set up to sign Processing and the JRE. |
28 | 53 |
|
29 |
| -This will allow the action to sign Processing and the JRE |
30 | 54 | ### Notarisation
|
| 55 | +Notarization is a security process required by Apple for macOS software. It means that the software has been checked by Apple to ensure it doesn’t contain malicious code. This is an additional step, different from code signing. |
31 | 56 |
|
32 |
| -To prevent the *this application is not recognised by Mac OS* error we need to setup the Github Action to upload the release to Apple for Notarisation |
| 57 | +When a macOS application is notarized, Apple reviews it and issues a “stamp of approval.” This lets macOS users run the software without warnings or blocks. Without notarization, macOS might prevent the software from opening or display a security warning, even if the software is safe. |
33 | 58 |
|
34 |
| -Go to https://developer.apple.com/account to find the team id in the membership details section and apply it to the `PROCESSING_TEAM_ID` secret |
| 59 | +To prevent the *this application is not recognised by Mac OS* error we will setup the Github Action to submit the release to Apple for Notarisation. |
35 | 60 |
|
36 |
| -Enter an apple id email in the `PROCESSING_APPLE_ID` secret, this account does **not** need to have an Account Holder role, ideally it is not anyone's personal apple id as the password to the apple id will be included into the repositories secrets. |
| 61 | +Go to https://developer.apple.com/account to find the team ID in the membership details section and save that ID to the `PROCESSING_TEAM_ID` secret. |
37 | 62 |
|
38 |
| -Follow these instructions https://support.apple.com/en-us/102654 to setup an app-specific password for the apple id and enter that as `PROCESSING_APP_PASSWORD` |
| 63 | +Enter an Apple ID email in the `PROCESSING_APPLE_ID` secret, this account does **not** need to have an Account Holder role, ideally it is not anyone's personal Apple ID, as the password to the Apple ID will be included into the repositories secrets. |
| 64 | + |
| 65 | +Follow these instructions https://support.apple.com/en-us/102654 to setup an app-specific password for the Apple ID and enter that as `PROCESSING_APP_PASSWORD` |
39 | 66 |
|
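Review bot: The `PROCESSING_APPLE_ID` paragraph says "the password to the Apple ID will be included into the repositories secrets", but the next paragraph stores an app-specific password in `PROCESSING_APP_PASSWORD`, not the account password. Reword it to name the credential that actually ends up in the repository's secrets, split the comma-spliced sentence after "secret", and change "repositories" to "repository's". This section also mixes "Notarisation" with "notarization" and uses "setup" as a verb where "set up" is meant; pick one spelling, and end the app-specific password sentence with a period.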
40 | 67 | ### Release
|
41 | 68 |
|
42 |
| -Finally create a release to test the signing actions |
43 |
| -## Sign locally |
| 69 | +Finally create a GitHub release to test the signing and notarization actions. |
| 70 | + |
| 71 | +### Sign locally |
44 | 72 |
|
45 |
| -- Be on a MacOS computer |
46 |
| -- Be logged into your Apple ID |
| 73 | +Alternatively, or if you don't want to use the Github Action, you can sign and notarize your build of Processing locally using `ant macos-dist ` |
| 74 | + |
| 75 | +#### Pre-requisites |
| 76 | +- Use a computer running macOS |
| 77 | +- Have an Apple Developer account |
| 78 | +- Make sure you are logged into your Apple ID |
47 | 79 | - Setup and Log into XCode
|
48 |
| -- cd into the repository |
| 80 | + |
| 81 | +#### Code Sign with `ant macos-dist ` |
| 82 | + |
| 83 | +In a terminal window, `cd` into the repository then run the following command: |
49 | 84 |
|
50 | 85 | ```bash
|
51 | 86 | $ PROCESSING_TEAM_ID=... PROCESSING_APPLE_ID=... PROCESSING_APP_PASSWORD=... ant macos-dist
|
52 | 87 | ```
|
| 88 | + |
| 89 | +Where `...` are replaced with your credentials. |
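Review bot: "Where `...` are replaced with your credentials" tells readers to type `PROCESSING_APP_PASSWORD` inline, which leaves the app-specific password in shell history. Suggest documenting that the three variables can be set in the environment beforehand (for example from a prompt or a password manager) instead of being written on the command line. Separately, `ant macos-dist ` has a trailing space inside the backticks in both the "Sign locally" paragraph and the "Code Sign with" heading, and "Github" in that paragraph should be "GitHub".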