Files
clipbored/docs/RELEASE.md
Akshay Kolli 4c1c6b2f37 WIP
2026-06-30 01:12:19 -07:00

2.0 KiB

Release Guide

This guide covers the local release build, optional Developer ID signing, and optional notarization flow.

Local Validation

Run:

./scripts/check.sh

This runs the unit test suite, builds build/ClipBored.app, applies an ad-hoc hardened-runtime signature, enforces size gates, and verifies the app signature.

Local Archive

Run:

./scripts/release-macos-app.sh

Without signing credentials, this creates:

build/ClipBored.app
build/ClipBored.zip

The app remains ad-hoc signed and is suitable for local validation only.

Developer ID Signing

Set a Developer ID Application identity:

export DEVELOPER_ID_APPLICATION="Developer ID Application: Example, Inc. (TEAMID)"
./scripts/release-macos-app.sh

The script rebuilds the app, re-signs it with hardened runtime and timestamping, verifies the signature, and writes build/ClipBored.zip.

Notarization

Preferred: configure a notarytool keychain profile once:

xcrun notarytool store-credentials "clipbored-notary" \
  --apple-id "developer@example.com" \
  --team-id "TEAMID" \
  --password "app-specific-password"

Then run:

export DEVELOPER_ID_APPLICATION="Developer ID Application: Example, Inc. (TEAMID)"
export NOTARYTOOL_PROFILE="clipbored-notary"
./scripts/release-macos-app.sh

Alternative environment-only notarization:

export DEVELOPER_ID_APPLICATION="Developer ID Application: Example, Inc. (TEAMID)"
export APPLE_ID="developer@example.com"
export APPLE_TEAM_ID="TEAMID"
export APPLE_APP_SPECIFIC_PASSWORD="app-specific-password"
./scripts/release-macos-app.sh

When notarization succeeds, the script staples the ticket to build/ClipBored.app, validates the staple, and recreates build/ClipBored.zip.

Final Manual Checks

Before publishing, run the checklist in SMOKE_TEST.md, then confirm:

codesign --verify --deep --strict --verbose=2 build/ClipBored.app
xcrun stapler validate build/ClipBored.app
spctl --assess --type execute --verbose=4 build/ClipBored.app