83 lines
2.0 KiB
Markdown
83 lines
2.0 KiB
Markdown
|
|
# Release Guide
|
||
|
|
|
||
|
|
This guide covers the local release build, optional Developer ID signing, and optional notarization flow.
|
||
|
|
|
||
|
|
## Local Validation
|
||
|
|
|
||
|
|
Run:
|
||
|
|
|
||
|
|
```bash
|
||
|
|
./scripts/check.sh
|
||
|
|
```
|
||
|
|
|
||
|
|
This runs the unit test suite, builds `build/ClipBored.app`, applies an ad-hoc hardened-runtime signature, enforces size gates, and verifies the app signature.
|
||
|
|
|
||
|
|
## Local Archive
|
||
|
|
|
||
|
|
Run:
|
||
|
|
|
||
|
|
```bash
|
||
|
|
./scripts/release-macos-app.sh
|
||
|
|
```
|
||
|
|
|
||
|
|
Without signing credentials, this creates:
|
||
|
|
|
||
|
|
```text
|
||
|
|
build/ClipBored.app
|
||
|
|
build/ClipBored.zip
|
||
|
|
```
|
||
|
|
|
||
|
|
The app remains ad-hoc signed and is suitable for local validation only.
|
||
|
|
|
||
|
|
## Developer ID Signing
|
||
|
|
|
||
|
|
Set a Developer ID Application identity:
|
||
|
|
|
||
|
|
```bash
|
||
|
|
export DEVELOPER_ID_APPLICATION="Developer ID Application: Example, Inc. (TEAMID)"
|
||
|
|
./scripts/release-macos-app.sh
|
||
|
|
```
|
||
|
|
|
||
|
|
The script rebuilds the app, re-signs it with hardened runtime and timestamping, verifies the signature, and writes `build/ClipBored.zip`.
|
||
|
|
|
||
|
|
## Notarization
|
||
|
|
|
||
|
|
Preferred: configure a notarytool keychain profile once:
|
||
|
|
|
||
|
|
```bash
|
||
|
|
xcrun notarytool store-credentials "clipbored-notary" \
|
||
|
|
--apple-id "developer@example.com" \
|
||
|
|
--team-id "TEAMID" \
|
||
|
|
--password "app-specific-password"
|
||
|
|
```
|
||
|
|
|
||
|
|
Then run:
|
||
|
|
|
||
|
|
```bash
|
||
|
|
export DEVELOPER_ID_APPLICATION="Developer ID Application: Example, Inc. (TEAMID)"
|
||
|
|
export NOTARYTOOL_PROFILE="clipbored-notary"
|
||
|
|
./scripts/release-macos-app.sh
|
||
|
|
```
|
||
|
|
|
||
|
|
Alternative environment-only notarization:
|
||
|
|
|
||
|
|
```bash
|
||
|
|
export DEVELOPER_ID_APPLICATION="Developer ID Application: Example, Inc. (TEAMID)"
|
||
|
|
export APPLE_ID="developer@example.com"
|
||
|
|
export APPLE_TEAM_ID="TEAMID"
|
||
|
|
export APPLE_APP_SPECIFIC_PASSWORD="app-specific-password"
|
||
|
|
./scripts/release-macos-app.sh
|
||
|
|
```
|
||
|
|
|
||
|
|
When notarization succeeds, the script staples the ticket to `build/ClipBored.app`, validates the staple, and recreates `build/ClipBored.zip`.
|
||
|
|
|
||
|
|
## Final Manual Checks
|
||
|
|
|
||
|
|
Before publishing, run the checklist in [SMOKE_TEST.md](SMOKE_TEST.md), then confirm:
|
||
|
|
|
||
|
|
```bash
|
||
|
|
codesign --verify --deep --strict --verbose=2 build/ClipBored.app
|
||
|
|
xcrun stapler validate build/ClipBored.app
|
||
|
|
spctl --assess --type execute --verbose=4 build/ClipBored.app
|
||
|
|
```
|