Document repository secrets and variables for code signing.

neilcsmith-net · neilcsmith-net · commit 2b939c3a5659 · 2026-01-07T17:24:44.000Z
diff --git a/README.md b/README.md
@@ -23,10 +23,49 @@ verified against the hashes provided in the `build.properties` file.
 At the end of the workflow run, each built installer can be found in a zip file
 on the workflow output page.
 
-## Current build limitations
+## Code signing and secrets
+
+The workflow will optionally sign Windows and macOS installers during the build
+if the relevant repository secrets and variables have been defined. Signing is
+triggered by the presence of certain variables (marked) - all related secrets
+must then be defined.
+
+### Variables
+
+- `APP_CERT_ID` : the name of the Apple Developer Application Certificate passed
+  in to `codesign` during the macOS installer build. Presence of this variable
+  triggers signing, and all other related macOS variables and secrets must be
+  added.
+- `AZURE_CERT_PROFILE_NAME` : the name of the certificate profile used by the
+  Azure Trusted Signing action during the Windows installer build. Presence of
+  this variable triggers signing, and all other related Windows secrets must be
+  added.
+- `INST_CERT_ID` : the name of the Apple Developer Installer Certificate passed
+  in to `pkgbuild` during the macOS installer build.
 
-The Windows installer must currently be downloaded and code signed locally.
-Optional support for signing in the workflow will be added at a later date.
+### Secrets
+
+- `APP_CERT_BASE64` : the Apple Developer Application Certificate exported as
+  base64 (see related [GitHub documentation][github-macos]). Required for macOS
+  installer signing.
+- `APP_CERT_PASSWORD` : password for the Apple Developer Application Certificate.
+  Required for macOS installer signing.
+- `AZURE_CLIENT_ID` : the `azure-client-id` parameter for the Azure Trusted
+  Signing action. Required for Windows installer signing.
+- `AZURE_CLIENT_SECRET` : the `azure-client-secret` parameter for the Azure
+  Trusted Signing action. Required for Windows installer signing.
+- `AZURE_CODE_SIGNING_NAME` : the `trusted-signing-account-name` parameter for
+  the Azure Trusted Signing action. Required for Windows installer signing.
+- `AZURE_ENDPOINT` : the `endpoint` parameter for the Azure Trusted Signing
+  action. Required for Windows installer signing.
+- `AZURE_TENANT_ID` : the `azure-tenant-id` parameter for the Azure Trusted
+  Signing action. Required for Windows installer signing.
+- `INST_CERT_BASE64` : the Apple Developer Installer Certificate exported as
+  base64. Required for macOS installer signing.
+- `INST_CERT_PASSWORD` : password for the Apple Developer Installer Certificate.
+  Required for macOS installer signing.
+
+## Current build limitations
 
 The macOS packages will be code signed in the build if the relevant secrets and
 ID variables are added to the GitHub repository. For public distribution the
@@ -44,3 +83,5 @@ Apache, Apache NetBeans and the Apache NetBeans logo are trademarks or registere
 trademarks of the Apache Software Foundation. Java and OpenJDK are registered
 trademarks of Oracle and/or its affiliates. All other trademarks are the property
 of their respective holders and used here only for identification purposes.
+
+[github-macos]: https://docs.github.com/en/actions/how-tos/deploy/deploy-to-third-party-platforms/sign-xcode-applications
