2.0 KiB
Release Guide
This guide covers the local release build, optional Developer ID signing, and optional notarization flow.
Local Validation
Run:
./scripts/check.sh
This runs the unit test suite, builds build/ClipBored.app, applies an ad-hoc hardened-runtime signature, enforces size gates, and verifies the app signature.
Local Archive
Run:
./scripts/release-macos-app.sh
Without signing credentials, this creates:
build/ClipBored.app
build/ClipBored.zip
The app remains ad-hoc signed and is suitable for local validation only.
Developer ID Signing
Set a Developer ID Application identity:
export DEVELOPER_ID_APPLICATION="Developer ID Application: Example, Inc. (TEAMID)"
./scripts/release-macos-app.sh
The script rebuilds the app, re-signs it with hardened runtime and timestamping, verifies the signature, and writes build/ClipBored.zip.
Notarization
Preferred: configure a notarytool keychain profile once:
xcrun notarytool store-credentials "clipbored-notary" \
--apple-id "developer@example.com" \
--team-id "TEAMID" \
--password "app-specific-password"
Then run:
export DEVELOPER_ID_APPLICATION="Developer ID Application: Example, Inc. (TEAMID)"
export NOTARYTOOL_PROFILE="clipbored-notary"
./scripts/release-macos-app.sh
Alternative environment-only notarization:
export DEVELOPER_ID_APPLICATION="Developer ID Application: Example, Inc. (TEAMID)"
export APPLE_ID="developer@example.com"
export APPLE_TEAM_ID="TEAMID"
export APPLE_APP_SPECIFIC_PASSWORD="app-specific-password"
./scripts/release-macos-app.sh
When notarization succeeds, the script staples the ticket to build/ClipBored.app, validates the staple, and recreates build/ClipBored.zip.
Final Manual Checks
Before publishing, run the checklist in SMOKE_TEST.md, then confirm:
codesign --verify --deep --strict --verbose=2 build/ClipBored.app
xcrun stapler validate build/ClipBored.app
spctl --assess --type execute --verbose=4 build/ClipBored.app