feat: code signing (#69)

k11kirky · web-flow · commit 4965d0555ac3 · 2025-10-30T20:30:50.000-07:00
diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml
@@ -72,6 +72,13 @@ jobs:
       GITHUB_TOKEN: ${{ secrets.GH_PUBLISH_TOKEN }}
       NODE_ENV: production
       APP_VERSION: ${{ needs.determine-version.outputs.version }}
+      APPLE_CODESIGN_IDENTITY: ${{ secrets.APPLE_CODESIGN_IDENTITY }}
+      APPLE_ID: ${{ secrets.APPLE_ID }}
+      APPLE_APP_SPECIFIC_PASSWORD: ${{ secrets.APPLE_APP_SPECIFIC_PASSWORD }}
+      APPLE_TEAM_ID: ${{ secrets.APPLE_TEAM_ID }}
+      APPLE_CODESIGN_CERT_BASE64: ${{ secrets.APPLE_CODESIGN_CERT_BASE64 }}
+      APPLE_CODESIGN_CERT_PASSWORD: ${{ secrets.APPLE_CODESIGN_CERT_PASSWORD }}
+      APPLE_CODESIGN_KEYCHAIN_PASSWORD: ${{ secrets.APPLE_CODESIGN_KEYCHAIN_PASSWORD }}
     steps:
       - name: Checkout
         uses: actions/checkout@v5
@@ -88,6 +95,26 @@ jobs:
           cache: "pnpm"
       - name: Install dependencies
         run: pnpm install --frozen-lockfile
+      - name: Import code signing certificate
+        if: env.APPLE_CODESIGN_IDENTITY != ''
+        env:
+          CERT_BASE64: ${{ env.APPLE_CODESIGN_CERT_BASE64 }}
+          CERT_PASSWORD: ${{ env.APPLE_CODESIGN_CERT_PASSWORD }}
+          KEYCHAIN_PASSWORD: ${{ env.APPLE_CODESIGN_KEYCHAIN_PASSWORD }}
+        run: |
+          if [ -z "$CERT_BASE64" ] || [ -z "$CERT_PASSWORD" ] || [ -z "$KEYCHAIN_PASSWORD" ]; then
+            echo "Missing code signing certificate secrets"
+            exit 1
+          fi
+          KEYCHAIN="$RUNNER_TEMP/codesign.keychain-db"
+          echo "$CERT_BASE64" | base64 --decode > "$RUNNER_TEMP/certificate.p12"
+          security create-keychain -p "$KEYCHAIN_PASSWORD" "$KEYCHAIN"
+          security set-keychain-settings -lut 21600 "$KEYCHAIN"
+          security unlock-keychain -p "$KEYCHAIN_PASSWORD" "$KEYCHAIN"
+          security import "$RUNNER_TEMP/certificate.p12" -k "$KEYCHAIN" -P "$CERT_PASSWORD" -T /usr/bin/codesign -T /usr/bin/security
+          security list-keychains -d user -s "$KEYCHAIN" $(security list-keychains -d user | tr -d '"')
+          security set-key-partition-list -S apple-tool:,apple:,codesign: -s -k "$KEYCHAIN_PASSWORD" "$KEYCHAIN"
+          rm "$RUNNER_TEMP/certificate.p12"
       - name: Verify package version
         run: |
           PACKAGE_VERSION=$(jq -r .version package.json)
diff --git a/README.md b/README.md
@@ -32,41 +32,6 @@ pnpm run make
 pnpm run check:write       # Linting & typecheck
 ```
 
-### Building Distributables
-
-To create production distributables (DMG, ZIP):
-
-```bash
-# Package the app
-pnpm package
-
-# Create distributables (DMG + ZIP)
-pnpm make
-```
-
-Output will be in:
-- `out/Array-darwin-arm64/Array.app` - Packaged app
-- `out/make/Array-*.dmg` - macOS installer
-- `out/make/zip/` - ZIP archives
-
-**Note:** Native modules for the DMG maker are automatically compiled via the `prePackage` hook. If you need to manually rebuild them, run:
-
-```bash
-pnpm build-native
-```
-
-### Auto Updates & Releases
-
-Array uses Electron's built-in `autoUpdater` pointed at the public `update.electronjs.org` service for `PostHog/Array`. Every time a non-draft GitHub release is published with the platform archives, packaged apps will automatically download and install the newest version on macOS and Windows.
-
-Publishing a new release:
-
-1. Export a GitHub token with `repo` scope as `GH_PUBLISH_TOKEN`; set both `GH_TOKEN` and `GITHUB_TOKEN` to its value locally (e.g., in `.envrc`). In GitHub, store the token as the `GH_PUBLISH_TOKEN` repository secret.
-2. Run `pnpm run make` locally to sanity check artifacts, then bump `package.json`'s version (e.g., `pnpm version patch`).
-3. Merge the version bump into `main`. The `Publish Release` GitHub Action auto-detects the new version, tags `vX.Y.Z`, runs `pnpm run publish`, and uploads the release artifacts. You can also run the workflow manually (`workflow_dispatch`) and supply a tag if you need to re-publish.
-
-Set `ELECTRON_DISABLE_AUTO_UPDATE=1` if you ever need to ship a build with auto updates disabled.
-
 ### Liquid Glass Icon (macOS 26+)
 
 The app supports macOS liquid glass icons for a modern, layered appearance. The icon configuration is in `build/icon.icon/`.
@@ -122,3 +87,77 @@ array/
 - `⌘R` - Refresh task list
 - `⌘⇧[/]` - Switch between tabs
 - `⌘W` - Close current tab
+
+
+### Building Distributables
+
+To create production distributables (DMG, ZIP):
+
+```bash
+# Package the app
+pnpm package
+
+# Create distributables (DMG + ZIP)
+pnpm make
+```
+
+Output will be in:
+- `out/Array-darwin-arm64/Array.app` - Packaged app
+- `out/make/Array-*.dmg` - macOS installer
+- `out/make/zip/` - ZIP archives
+
+**Note:** Native modules for the DMG maker are automatically compiled via the `prePackage` hook. If you need to manually rebuild them, run:
+
+```bash
+pnpm build-native
+```
+
+### Auto Updates & Releases
+
+Array uses Electron's built-in `autoUpdater` pointed at the public `update.electronjs.org` service for `PostHog/Array`. Every time a non-draft GitHub release is published with the platform archives, packaged apps will automatically download and install the newest version on macOS and Windows.
+
+Publishing a new release:
+
+1. Export a GitHub token with `repo` scope as `GH_PUBLISH_TOKEN`; set both `GH_TOKEN` and `GITHUB_TOKEN` to its value locally (e.g., in `.envrc`). In GitHub, store the token as the `GH_PUBLISH_TOKEN` repository secret.
+2. Run `pnpm run make` locally to sanity check artifacts, then bump `package.json`'s version (e.g., `pnpm version patch`).
+3. Merge the version bump into `main`. The `Publish Release` GitHub Action auto-detects the new version, tags `vX.Y.Z`, runs `pnpm run publish`, and uploads the release artifacts. You can also run the workflow manually (`workflow_dispatch`) and supply a tag if you need to re-publish.
+
+Set `ELECTRON_DISABLE_AUTO_UPDATE=1` if you ever need to ship a build with auto updates disabled.
+
+### macOS Code Signing & Notarization
+
+macOS packages are signed and notarized automatically when these environment variables are present:
+
+```bash
+export APPLE_CODESIGN_IDENTITY="Developer ID Application: Your Name (TEAMID)"
+export APPLE_ID="appleid@example.com"
+export APPLE_APP_SPECIFIC_PASSWORD="xxxx-xxxx-xxxx-xxxx"
+export APPLE_TEAM_ID="TEAMID"
+```
+
+For CI releases, configure matching GitHub Actions secrets:
+
+- `APPLE_CODESIGN_IDENTITY`
+- `APPLE_ID`
+- `APPLE_APP_SPECIFIC_PASSWORD`
+- `APPLE_TEAM_ID`
+- `APPLE_CODESIGN_CERT_BASE64` – Base64-encoded `.p12` export of the Developer ID Application certificate (include the private key)
+- `APPLE_CODESIGN_CERT_PASSWORD` – Password used when exporting the `.p12`
+- `APPLE_CODESIGN_KEYCHAIN_PASSWORD` – Password for the temporary keychain the workflow creates on the runner
+
+The `Publish Release` workflow imports the certificate into a temporary keychain, signs each artifact with hardened runtime enabled (using Electron’s default entitlements), and notarizes it before upload whenever these secrets are available.
+
+For local testing, copy `codesign.env.example` to `.env.codesign`, fill in the real values, and load it before running `pnpm run make`:
+
+```bash
+set -a
+source .env.codesign
+set +a
+pnpm run make
+```
+
+Set `SKIP_NOTARIZE=1` if you need to generate signed artifacts without submitting to Apple (e.g., while debugging credentials):
+
+```bash
+SKIP_NOTARIZE=1 pnpm run make
+```
diff --git a/codesign.env.example b/codesign.env.example
@@ -0,0 +1,11 @@
+# Developer ID signing / notarization credentials
+# Copy this file to `.env.codesign` (or similar) and fill in real values.
+
+APPLE_CODESIGN_IDENTITY="Developer ID Application: Your Name (TEAMID)"
+APPLE_ID="appleid@example.com"
+APPLE_APP_SPECIFIC_PASSWORD="xxxx-xxxx-xxxx-xxxx"
+APPLE_TEAM_ID="TEAMID"
+
+APPLE_CODESIGN_CERT_BASE64="xxx"
+APPLE_CODESIGN_CERT_PASSWORD="xxx"
+APPLE_CODESIGN_KEYCHAIN_PASSWORD="xxx"
diff --git a/forge.config.ts b/forge.config.ts
@@ -7,6 +7,67 @@ import { VitePlugin } from "@electron-forge/plugin-vite";
 import { PublisherGithub } from "@electron-forge/publisher-github";
 import type { ForgeConfig } from "@electron-forge/shared-types";
 
+const appleCodesignIdentity = process.env.APPLE_CODESIGN_IDENTITY;
+const appleTeamId = process.env.APPLE_TEAM_ID;
+const appleId = process.env.APPLE_ID;
+const appleIdPassword =
+  process.env.APPLE_APP_SPECIFIC_PASSWORD ?? process.env.APPLE_ID_PASSWORD;
+const appleApiKey = process.env.APPLE_API_KEY;
+const appleApiKeyId = process.env.APPLE_API_KEY_ID;
+const appleApiIssuer = process.env.APPLE_API_ISSUER;
+const appleNotarizeKeychainProfile =
+  process.env.APPLE_NOTARIZE_KEYCHAIN_PROFILE;
+const appleNotarizeKeychain = process.env.APPLE_NOTARIZE_KEYCHAIN;
+const shouldSignMacApp = Boolean(appleCodesignIdentity);
+const skipNotarize = process.env.SKIP_NOTARIZE === "1";
+
+type NotaryToolCredentials =
+  | {
+      appleId: string;
+      appleIdPassword: string;
+      teamId: string;
+    }
+  | {
+      appleApiKey: string;
+      appleApiKeyId: string;
+      appleApiIssuer: string;
+    }
+  | {
+      keychainProfile: string;
+      keychain?: string;
+    };
+
+let notarizeCredentials: NotaryToolCredentials | undefined;
+
+if (appleId && appleIdPassword && appleTeamId) {
+  notarizeCredentials = {
+    appleId: appleId!,
+    appleIdPassword: appleIdPassword!,
+    teamId: appleTeamId!,
+  };
+} else if (appleApiKey && appleApiKeyId && appleApiIssuer) {
+  notarizeCredentials = {
+    appleApiKey,
+    appleApiKeyId,
+    appleApiIssuer,
+  };
+} else if (appleNotarizeKeychainProfile) {
+  notarizeCredentials = {
+    keychainProfile: appleNotarizeKeychainProfile,
+    ...(appleNotarizeKeychain ? { keychain: appleNotarizeKeychain } : {}),
+  };
+}
+
+const notarizeConfig =
+  !skipNotarize && shouldSignMacApp && notarizeCredentials
+    ? notarizeCredentials
+    : undefined;
+const osxSignConfig = shouldSignMacApp
+  ? ({
+      identity: appleCodesignIdentity!,
+    } satisfies Record<string, unknown>)
+  : undefined;
+
 function copyNativeDependency(
   dependency: string,
   destinationRoot: string,
@@ -50,12 +111,30 @@ const config: ForgeConfig = {
           CFBundleIconName: "Icon",
         }
       : {},
+    ...(osxSignConfig
+      ? {
+          osxSign: osxSignConfig,
+        }
+      : {}),
+    ...(notarizeConfig
+      ? {
+          osxNotarize: notarizeConfig,
+        }
+      : {}),
   },
   rebuildConfig: {},
   makers: [
     new MakerDMG({
       icon: "./build/app-icon.icns",
       format: "ULFO",
+      ...(shouldSignMacApp
+        ? {
+            "code-sign": {
+              "signing-identity": appleCodesignIdentity!,
+              identifier: "com.posthog.array",
+            },
+          }
+        : {}),
     }),
     new MakerZIP({}, ["darwin", "linux", "win32"]),
   ],
@@ -87,6 +166,7 @@ const config: ForgeConfig = {
     },
     packageAfterCopy: async (_forgeConfig, buildPath) => {
       copyNativeDependency("node-pty", buildPath);
+      copyNativeDependency("@recallai/desktop-sdk", buildPath);
     },
   },
   publishers: [
diff --git a/package.json b/package.json
@@ -1,6 +1,6 @@
 {
   "name": "array",
-  "version": "0.1.2",
+  "version": "0.1.6",
   "description": "Array - PostHog desktop task manager",
   "main": ".vite/build/index.js",
   "versionHash": "dynamic",

Original file line number	Diff line number	Diff line change
`@@ -1,6 +1,6 @@`
`1`	`1`	`{`
`2`	`2`	`"name": "array",`
`3`		`- "version": "0.1.2",`
	`3`	`+ "version": "0.1.6",`
`4`	`4`	`"description": "Array - PostHog desktop task manager",`
`5`	`5`	`"main": ".vite/build/index.js",`
`6`	`6`	`"versionHash": "dynamic",`