add creds

k11kirky · k11kirky · commit f5e6178834be · 2025-10-30T10:49:32.000-07:00
diff --git a/README.md b/README.md
@@ -32,6 +32,63 @@ pnpm run make
 pnpm run check:write       # Linting & typecheck
 ```
 
+### Liquid Glass Icon (macOS 26+)
+
+The app supports macOS liquid glass icons for a modern, layered appearance. The icon configuration is in `build/icon.icon/`.
+
+**Compiling the liquid glass icon requires Xcode** (Command Line Tools are not sufficient):
+
+```bash
+# Compile liquid glass icon (requires Xcode)
+bash scripts/compile-glass-icon.sh
+```
+
+If you don't have Xcode installed, the build will automatically fall back to the standard `.icns` icon. To enable liquid glass icons:
+
+1. Install Xcode from the App Store
+2. Run the compile script above, or
+3. Compile `Assets.car` on a machine with Xcode and commit it to the repo
+
+The `generateAssets` hook will automatically attempt to compile the icon during packaging if Xcode is available.
+
+### Environment Variables
+
+You can set these environment variables instead of entering credentials in the app:
+
+- `POSTHOG_API_KEY` - Your PostHog personal API key
+- `POSTHOG_API_HOST` - PostHog instance URL (defaults to https://us.posthog.com)
+
+## Architecture
+
+- **Electron** - Desktop app framework
+- **React** - UI framework
+- **TypeScript** - Type safety
+- **Tailwind CSS** - Styling
+- **Zustand** - State management - we should probably switch to kea
+- **Vite** - Build tool
+
+## Project Structure
+
+```
+array/
+├── src/
+│   ├── main/           # Electron main process
+│   ├── renderer/       # React app
+│   ├── api/            # API client
+│   └── shared/         # Shared types
+├── dist/               # Build output
+└── release/            # Packaged apps
+```
+
+## Keyboard Shortcuts
+
+- `↑/↓` - Navigate tasks
+- `Enter` - Open selected task
+- `⌘R` - Refresh task list
+- `⌘⇧[/]` - Switch between tabs
+- `⌘W` - Close current tab
+
+
 ### Building Distributables
 
 To create production distributables (DMG, ZIP):
@@ -69,86 +126,38 @@ Set `ELECTRON_DISABLE_AUTO_UPDATE=1` if you ever need to ship a build with auto
 
 ### macOS Code Signing & Notarization
 
-macOS builds are automatically signed (and optionally notarized) when the relevant environment variables are present. We standardise on Apple ID + app-specific password credentials for notarization:
+macOS packages are signed and notarized automatically when these environment variables are present:
 
 ```bash
-# Required for code signing
 export APPLE_CODESIGN_IDENTITY="Developer ID Application: Your Name (TEAMID)"
-
-# Notarytool authentication
 export APPLE_ID="appleid@example.com"
 export APPLE_APP_SPECIFIC_PASSWORD="xxxx-xxxx-xxxx-xxxx"
 export APPLE_TEAM_ID="TEAMID"
 ```
 
-The signing step uses hardened runtime with the entitlements in `build/entitlements.mac.plist` and will sign the DMG plus the zipped `.app`. When the notarization variables are present, packages are also notarized. Without these variables the build proceeds unsigned, which is convenient for local development.
-
-For CI releases, add the same values as GitHub Actions repository secrets:
+For CI releases, configure matching GitHub Actions secrets:
 
 - `APPLE_CODESIGN_IDENTITY`
 - `APPLE_ID`
 - `APPLE_APP_SPECIFIC_PASSWORD`
 - `APPLE_TEAM_ID`
-- `APPLE_CODESIGN_CERT_BASE64` - Base64 encoded `.p12` export of your Developer ID Application certificate
-- `APPLE_CODESIGN_CERT_PASSWORD` - Password used when exporting the `.p12`
-- `APPLE_CODESIGN_KEYCHAIN_PASSWORD` - Password for the temporary keychain created in CI
-
-The `Publish Release` workflow will automatically sign and notarize when these secrets are present.
-
-> If you prefer API-key or keychain profile credentials for notarization, the Forge configuration already supports them—add the matching env vars locally and in CI instead of the defaults above.
-
-### Liquid Glass Icon (macOS 26+)
+- `APPLE_CODESIGN_CERT_BASE64` – Base64-encoded `.p12` export of the Developer ID Application certificate (include the private key)
+- `APPLE_CODESIGN_CERT_PASSWORD` – Password used when exporting the `.p12`
+- `APPLE_CODESIGN_KEYCHAIN_PASSWORD` – Password for the temporary keychain the workflow creates on the runner
 
-The app supports macOS liquid glass icons for a modern, layered appearance. The icon configuration is in `build/icon.icon/`.
+The `Publish Release` workflow imports the certificate into a temporary keychain, signs each artifact with hardened runtime enabled (using Electron’s default entitlements), and notarizes it before upload whenever these secrets are available.
 
-**Compiling the liquid glass icon requires Xcode** (Command Line Tools are not sufficient):
+For local testing, copy `codesign.env.example` to `.env.codesign`, fill in the real values, and load it before running `pnpm run make`:
 
 ```bash
-# Compile liquid glass icon (requires Xcode)
-bash scripts/compile-glass-icon.sh
+set -a
+source .env.codesign
+set +a
+pnpm run make
 ```
 
-If you don't have Xcode installed, the build will automatically fall back to the standard `.icns` icon. To enable liquid glass icons:
-
-1. Install Xcode from the App Store
-2. Run the compile script above, or
-3. Compile `Assets.car` on a machine with Xcode and commit it to the repo
-
-The `generateAssets` hook will automatically attempt to compile the icon during packaging if Xcode is available.
-
-### Environment Variables
-
-You can set these environment variables instead of entering credentials in the app:
-
-- `POSTHOG_API_KEY` - Your PostHog personal API key
-- `POSTHOG_API_HOST` - PostHog instance URL (defaults to https://us.posthog.com)
-
-## Architecture
+Set `SKIP_NOTARIZE=1` if you need to generate signed artifacts without submitting to Apple (e.g., while debugging credentials):
 
-- **Electron** - Desktop app framework
-- **React** - UI framework
-- **TypeScript** - Type safety
-- **Tailwind CSS** - Styling
-- **Zustand** - State management - we should probably switch to kea
-- **Vite** - Build tool
-
-## Project Structure
-
-```
-array/
-├── src/
-│   ├── main/           # Electron main process
-│   ├── renderer/       # React app
-│   ├── api/            # API client
-│   └── shared/         # Shared types
-├── dist/               # Build output
-└── release/            # Packaged apps
+```bash
+SKIP_NOTARIZE=1 pnpm run make
 ```
-
-## Keyboard Shortcuts
-
-- `↑/↓` - Navigate tasks
-- `Enter` - Open selected task
-- `⌘R` - Refresh task list
-- `⌘⇧[/]` - Switch between tabs
-- `⌘W` - Close current tab
diff --git a/build/entitlements.mac.plist b/build/entitlements.mac.plist
diff --git a/codesign.env.example b/codesign.env.example
@@ -0,0 +1,11 @@
+# Developer ID signing / notarization credentials
+# Copy this file to `.env.codesign` (or similar) and fill in real values.
+
+APPLE_CODESIGN_IDENTITY="Developer ID Application: Your Name (TEAMID)"
+APPLE_ID="appleid@example.com"
+APPLE_APP_SPECIFIC_PASSWORD="xxxx-xxxx-xxxx-xxxx"
+APPLE_TEAM_ID="TEAMID"
+
+APPLE_CODESIGN_CERT_BASE64="xxx"
+APPLE_CODESIGN_CERT_PASSWORD="xxx"
+APPLE_CODESIGN_KEYCHAIN_PASSWORD="xxx"
diff --git a/forge.config.ts b/forge.config.ts
@@ -1,7 +1,6 @@
 import { execSync } from "node:child_process";
 import { cpSync, existsSync, mkdirSync, rmSync } from "node:fs";
 import path from "node:path";
-import type { SignOptions } from "@electron/osx-sign";
 import { MakerDMG } from "@electron-forge/maker-dmg";
 import { MakerZIP } from "@electron-forge/maker-zip";
 import { VitePlugin } from "@electron-forge/plugin-vite";
@@ -19,8 +18,8 @@ const appleApiIssuer = process.env.APPLE_API_ISSUER;
 const appleNotarizeKeychainProfile =
   process.env.APPLE_NOTARIZE_KEYCHAIN_PROFILE;
 const appleNotarizeKeychain = process.env.APPLE_NOTARIZE_KEYCHAIN;
-const entitlementsPath = path.resolve("build", "entitlements.mac.plist");
 const shouldSignMacApp = Boolean(appleCodesignIdentity);
+const skipNotarize = process.env.SKIP_NOTARIZE === "1";
 
 type NotaryToolCredentials =
   | {
@@ -38,39 +37,35 @@ type NotaryToolCredentials =
       keychain?: string;
     };
 
-let notaryToolCredentials: NotaryToolCredentials | undefined;
+let notarizeCredentials: NotaryToolCredentials | undefined;
 
 if (appleId && appleIdPassword && appleTeamId) {
-  notaryToolCredentials = {
-    appleId,
-    appleIdPassword,
-    teamId: appleTeamId,
+  notarizeCredentials = {
+    appleId: appleId!,
+    appleIdPassword: appleIdPassword!,
+    teamId: appleTeamId!,
   };
 } else if (appleApiKey && appleApiKeyId && appleApiIssuer) {
-  notaryToolCredentials = {
+  notarizeCredentials = {
     appleApiKey,
     appleApiKeyId,
     appleApiIssuer,
   };
 } else if (appleNotarizeKeychainProfile) {
-  notaryToolCredentials = {
+  notarizeCredentials = {
     keychainProfile: appleNotarizeKeychainProfile,
     ...(appleNotarizeKeychain ? { keychain: appleNotarizeKeychain } : {}),
   };
 }
 
 const notarizeConfig =
-  shouldSignMacApp && notaryToolCredentials ? notaryToolCredentials : undefined;
-
-// Apply custom entitlements across the app bundle during signing.
-const osxSignConfig: SignOptions | undefined = shouldSignMacApp
-  ? {
+  !skipNotarize && shouldSignMacApp && notarizeCredentials
+    ? notarizeCredentials
+    : undefined;
+const osxSignConfig = shouldSignMacApp
+  ? ({
       identity: appleCodesignIdentity!,
-      optionsForFile: () => ({
-        entitlements: entitlementsPath,
-        hardenedRuntime: true,
-      }),
-    }
+    } satisfies Record<string, unknown>)
   : undefined;
 
 function copyNativeDependency(
