@jorben jorben commented Feb 10, 2026

Summary

  • Add macOS entitlements plist for Electron hardened runtime (JIT, unsigned memory, library validation, network client)
  • Configure electron-builder with code signing settings (hardenedRuntime, entitlements, forceCodeSigning: false)
  • Pass CSC_LINK / CSC_KEY_PASSWORD environment variables in CI for automatic signing

Changes

File                           Change
build/entitlements.mac.plist   New: hardened runtime entitlements for Electron
package.json                   Add signing fields to build.mac section
.github/workflows/release.yml  Pass certificate secrets to build step

Motivation

macOS builds are currently unsigned, causing users to see "unidentified developer" Gatekeeper warnings on download. This PR adds Apple Developer ID code signing support so that signed DMGs can be distributed without security prompts.

The approach uses electron-builder's built-in CSC_LINK / CSC_KEY_PASSWORD mechanism, which handles keychain management internally — keeping the CI config minimal and reliable.

forceCodeSigning: false ensures contributors and forks without Apple certificates can still build unsigned artifacts without errors.

Test Plan

  • Signed build (CI): Push a pre-release tag with APPLE_CERTIFICATE and APPLE_CERTIFICATE_PASSWORD secrets configured → verify signing output in Actions log
  • Unsigned build (local): CSC_IDENTITY_AUTO_DISCOVERY=false npm run build:mac → build succeeds without certificate
  • Fork build: Fork without secrets can build macOS DMG without errors
  • Entitlements: codesign -d --entitlements :- release/mac-arm64/MarkPDFdown.app shows all 4 entitlements

Required GitHub Secrets

Secret                      Description
APPLE_CERTIFICATE           Base64-encoded .p12 Developer ID Application certificate
APPLE_CERTIFICATE_PASSWORD  Password for the .p12 file

🤖 Generated with Claude Code

- Add entitlements plist with hardened runtime permissions (JIT,
  unsigned memory, library validation, network client)
- Configure electron-builder for code signing with hardened runtime
- Pass CSC_LINK/CSC_KEY_PASSWORD to CI build for automatic signing
- Set forceCodeSigning: false so unsigned builds still succeed

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
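A release gate for the entitlement set described in the Summary, as an added example that is not code from this PR or from the MarkPDFdown project: it parses an entitlements plist with plistlib, checks that the two entitlements Electron's V8 needs under the hardened runtime are present, and flags entitlements that relax hardened-runtime protections. The plist text below is constructed to mirror the four entitlements the PR names (JIT, unsigned executable memory, library validation, network client); the PR's actual build/entitlements.mac.plist is not shown on the page, so the exact keys, the required/risky classification and the exit-code policy are assumptions.

```python
"""Audit an Electron macOS entitlements plist for hardened-runtime weakening.

Usage: python audit_entitlements.py build/entitlements.mac.plist
With no argument, the constructed sample below is audited instead.
"""
import plistlib
import sys
from typing import Optional

# Constructed sample mirroring the four entitlements the PR summary names.
# Assumption: the key names are Apple's standard hardened-runtime entitlements;
# the PR's real plist is not on the page.
SAMPLE_ENTITLEMENTS_PLIST = b"""<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
  <key>com.apple.security.cs.allow-jit</key>
  <true/>
  <key>com.apple.security.cs.allow-unsigned-executable-memory</key>
  <true/>
  <key>com.apple.security.cs.disable-library-validation</key>
  <true/>
  <key>com.apple.security.network.client</key>
  <true/>
</dict>
</plist>
"""

# Entitlements Electron needs so V8 can JIT under the hardened runtime.
REQUIRED = {
    "com.apple.security.cs.allow-jit",
    "com.apple.security.cs.allow-unsigned-executable-memory",
}

# Entitlements that relax hardened-runtime protections (assumed policy):
# "block" must never ship in a release; "warn" needs a documented reason.
RISKY = {
    "com.apple.security.cs.disable-library-validation":
        ("warn", "app may load dylibs/native modules signed by any team, or unsigned"),
    "com.apple.security.cs.allow-dyld-environment-variables":
        ("warn", "DYLD_INSERT_LIBRARIES and friends are honored: easy code injection"),
    "com.apple.security.cs.debugger":
        ("warn", "process may attach to other processes as a debugger"),
    "com.apple.security.cs.disable-executable-page-protection":
        ("block", "disables code-signing enforcement on executable pages"),
    "com.apple.security.get-task-allow":
        ("block", "any process may attach to and control this one"),
}


def load_entitlements(data: bytes) -> dict:
    """Parse an XML or binary plist and require a <dict> root."""
    ent = plistlib.loads(data)
    if not isinstance(ent, dict):
        raise ValueError("entitlements plist root must be a <dict>")
    return ent


def audit(ent: dict, allowlist: Optional[set] = None) -> dict:
    """Return the granted boolean entitlements plus what a release gate flags.

    allowlist, when given, is the reviewed baseline; anything granted outside
    it is reported as drift and fails the gate.
    """
    granted = {k for k, v in ent.items() if v is True}
    findings = {k: RISKY[k][1] for k in granted if k in RISKY}
    blocking = {k for k in findings if RISKY[k][0] == "block"}
    unexpected = (granted - allowlist) if allowlist is not None else set()
    missing = REQUIRED - granted
    return {
        "granted": granted,
        "missing_required": missing,
        "findings": findings,
        "blocking": blocking,
        "unexpected": unexpected,
        "ok": not blocking and not unexpected and not missing,
    }


def main(argv) -> int:
    data = open(argv[1], "rb").read() if len(argv) > 1 else SAMPLE_ENTITLEMENTS_PLIST
    report = audit(load_entitlements(data))
    for key in sorted(report["granted"]):
        print(f"granted  {key}")
    for key, why in sorted(report["findings"].items()):
        level = "BLOCK" if key in report["blocking"] else "warn "
        print(f"{level}    {key}: {why}")
    for key in sorted(report["missing_required"]):
        print(f"missing  {key} (Electron renderer will not run without it)")
    return 0 if report["ok"] else 1


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

Of the four entitlements the PR lists, disable-library-validation is the one that materially weakens the hardened runtime (it lets the app load native code not signed by the same team), so it is the one worth a written justification in the repo. Because forceCodeSigning: false makes a release run with missing secrets still produce a DMG, the companion check in CI is a post-build `codesign --verify --deep --strict` on the .app, so an unsigned artifact fails the release job rather than shipping silently.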
@jorben jorben merged commit 8e4de58 into master Feb 11, 2026
2 checks passed