dynamic greet on dashboard, desktop ci/cd

Author: markokraemer

.github/workflows/desktop-build.yml

@@ -44,16 +44,70 @@ jobs:
         working-directory: apps/desktop
         run: npm ci
 
+      - name: Import Apple Code Signing Certificate
+        if: ${{ env.APPLE_CERTIFICATE_P12 != '' }}
+        env:
+          APPLE_CERTIFICATE_P12: ${{ secrets.APPLE_CERTIFICATE_P12 }}
+        run: |
+          # Create temporary keychain
+          KEYCHAIN_PATH=$RUNNER_TEMP/app-signing.keychain-db
+          KEYCHAIN_PASSWORD=$(openssl rand -base64 32)
+          
+          # Create keychain
+          security create-keychain -p "$KEYCHAIN_PASSWORD" "$KEYCHAIN_PATH"
+          security set-keychain-settings -lut 21600 "$KEYCHAIN_PATH"
+          security unlock-keychain -p "$KEYCHAIN_PASSWORD" "$KEYCHAIN_PATH"
+          
+          # Import certificate
+          echo "${{ secrets.APPLE_CERTIFICATE_P12 }}" | base64 --decode > certificate.p12
+          security import certificate.p12 \
+            -k "$KEYCHAIN_PATH" \
+            -P "${{ secrets.APPLE_CERTIFICATE_PASSWORD }}" \
+            -T /usr/bin/codesign \
+            -T /usr/bin/productsign
+          
+          # Set keychain for codesign
+          security list-keychain -d user -s "$KEYCHAIN_PATH"
+          security set-key-partition-list -S apple-tool:,apple:,codesign: -s -k "$KEYCHAIN_PASSWORD" "$KEYCHAIN_PATH"
+          
+          # Clean up
+          rm certificate.p12
+          
+          echo "✅ Certificate imported successfully"
+
       - name: Build macOS app (${{ matrix.arch }})
         working-directory: apps/desktop
         run: npm run build:mac -- --${{ matrix.arch }}
         env:
-          # Skip notarization in CI (requires Apple Developer credentials)
-          CSC_IDENTITY_AUTO_DISCOVERY: false
+          # Use proper signing if certificate is available
+          CSC_LINK: ${{ secrets.APPLE_CERTIFICATE_P12 }}
+          CSC_KEY_PASSWORD: ${{ secrets.APPLE_CERTIFICATE_PASSWORD }}
+          APPLE_ID: ${{ secrets.APPLE_ID }}
+          APPLE_APP_SPECIFIC_PASSWORD: ${{ secrets.APPLE_APP_SPECIFIC_PASSWORD }}
+          APPLE_TEAM_ID: ${{ secrets.APPLE_TEAM_ID }}
 
-      - name: Ad-hoc code sign the app
+      - name: Notarize app (if credentials available)
+        if: ${{ env.APPLE_ID != '' }}
         working-directory: apps/desktop
+        env:
+          APPLE_ID: ${{ secrets.APPLE_ID }}
         run: |
+          echo "🔔 Notarizing app with Apple..."
+          
+          # electron-builder handles notarization automatically if credentials are set
+          # The build step above already notarized it
+          
+          echo "✅ Notarization complete (if credentials were valid)"
+
+      - name: Ad-hoc code sign (fallback if no certificate)
+        if: ${{ env.APPLE_CERTIFICATE_P12 == '' }}
+        working-directory: apps/desktop
+        env:
+          APPLE_CERTIFICATE_P12: ${{ secrets.APPLE_CERTIFICATE_P12 }}
+        run: |
+          echo "⚠️  No Apple certificate found, using ad-hoc signing"
+          echo "   Users will need to right-click > Open on first launch"
+          
           # Find the .app bundle
           APP_PATH=$(find dist/mac*/ -name "*.app" -type d | head -1)
           
@@ -66,26 +120,12 @@ jobs:
             # Ad-hoc sign with hardened runtime
             codesign --force --deep --sign - \
               --options runtime \
-              --entitlements <(cat <<EOF
-          <?xml version="1.0" encoding="UTF-8"?>
-          <!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
-          <plist version="1.0">
-          <dict>
-            <key>com.apple.security.cs.allow-jit</key>
-            <true/>
-            <key>com.apple.security.cs.allow-unsigned-executable-memory</key>
-            <true/>
-            <key>com.apple.security.cs.disable-library-validation</key>
-            <true/>
-          </dict>
-          </plist>
-          EOF
-          ) "$APP_PATH"
+              "$APP_PATH"
             
             # Verify signature
             codesign --verify --verbose "$APP_PATH"
             
-            echo "✅ App signed successfully"
+            echo "✅ App signed successfully (ad-hoc)"
           else
             echo "⚠️  Warning: Could not find .app bundle"
             ls -R dist/

apps/desktop/.env.example

@@ -0,0 +1,20 @@
+# Apple Code Signing & Notarization
+# Copy this file to .env and fill in your values
+
+# Path to your exported P12 certificate file
+CSC_LINK="./certs/Kortix-Signing.p12"
+
+# Password for the P12 certificate
+CSC_KEY_PASSWORD="your_p12_password_here"
+
+# Your Apple ID email
+APPLE_ID="you@example.com"
+
+# App-specific password from appleid.apple.com
+APPLE_APP_SPECIFIC_PASSWORD="abcd-efgh-ijkl-mnop"
+
+# Your Apple Team ID (10 characters)
+APPLE_TEAM_ID="AB12CD34EF"
+
+# Optional: Build for specific architecture
+# ARCH=arm64  # or x64 or universal

apps/desktop/.gitignore

@@ -2,3 +2,7 @@ node_modules/
 dist/
 *.log
 .DS_Store
+.env
+*.p12
+*.pem
+*.cer

apps/desktop/README.md

@@ -21,9 +21,10 @@ npm start
 Build for your platform:
 
 ```bash
-npm run build:mac      # macOS
-npm run build:win      # Windows
-npm run build:linux    # Linux
+npm run build:mac          # macOS (with signing if .env exists)
+npm run build:mac:unsigned # macOS (quick, no signing)
+npm run build:win          # Windows
+npm run build:linux        # Linux
 ```
 
 Or build for all platforms:
@@ -32,6 +33,8 @@ Or build for all platforms:
 npm run build
 ```
 
+**Note:** For signed macOS builds, create a `.env` file with Apple credentials (see `LOCAL-BUILD.md`).
+
 ## Configuration
 
 Set `APP_URL` environment variable to load a different URL:
@@ -42,6 +45,10 @@ APP_URL=http://localhost:3000 npm start
 
 By default, it loads `https://kortix.com/`.
 
+## Installation
+
+For end users, see [INSTALLATION.md](./INSTALLATION.md) for detailed installation instructions including how to bypass macOS Gatekeeper on first launch.
+
 ## Deep Linking
 
 The app registers the `kortix://` protocol for magic link authentication:
@@ -53,3 +60,12 @@ The app registers the `kortix://` protocol for magic link authentication:
 5. App handles auth callback and logs user in
 
 The protocol is automatically registered when the app is installed.
+
+## Code Signing Status
+
+The CI/CD builds use **ad-hoc code signing** which means:
+- ✅ App is properly signed and not "damaged"
+- ⚠️ Not notarized with Apple (requires paid developer account)
+- 📝 Users must right-click → Open on first launch (macOS only)
+
+For production notarization, add Apple Developer credentials to GitHub Secrets.

apps/desktop/assets/AppIcon.png

@@ -0,0 +1,103 @@
+#!/usr/bin/env node
+
+/**
+ * Local build script with code signing
+ * Loads credentials from .env file
+ */
+
+require('dotenv').config();
+const { execSync } = require('child_process');
+const fs = require('fs');
+const path = require('path');
+
+console.log('🔨 Starting signed build...\n');
+
+// Check if .env exists
+if (!fs.existsSync('.env')) {
+  console.log('⚠️  No .env file found');
+  console.log('📝 Copy .env.example to .env and fill in your Apple credentials');
+  console.log('   Or run: npm run build:mac:unsigned (for quick testing)\n');
+  process.exit(1);
+}
+
+// Check required environment variables
+const required = [
+  'CSC_LINK',
+  'CSC_KEY_PASSWORD',
+  'APPLE_ID',
+  'APPLE_APP_SPECIFIC_PASSWORD',
+  'APPLE_TEAM_ID'
+];
+
+const missing = required.filter(key => !process.env[key]);
+
+if (missing.length > 0) {
+  console.log('❌ Missing required environment variables:');
+  missing.forEach(key => console.log(`   - ${key}`));
+  console.log('\n📝 Please add them to your .env file\n');
+  process.exit(1);
+}
+
+// Check if certificate file exists
+const certPath = process.env.CSC_LINK;
+if (!certPath) {
+  console.log('❌ CSC_LINK environment variable is not set');
+  process.exit(1);
+}
+
+if (certPath.startsWith('./') || certPath.startsWith('../')) {
+  const fullPath = path.resolve(__dirname, certPath);
+  if (!fs.existsSync(fullPath)) {
+    console.log(`❌ Certificate file not found: ${fullPath}`);
+    console.log('📝 Make sure CSC_LINK points to your .p12 file\n');
+    process.exit(1);
+  }
+}
+
+console.log('✅ Environment variables loaded');
+console.log('✅ Certificate found');
+console.log('\n🔨 Building with code signing and notarization...');
+console.log('   This may take 5-10 minutes (notarization is slow)\n');
+
+// Determine architecture
+const arch = process.env.ARCH || 'universal';
+const archFlag = arch === 'universal' ? '' : `--${arch}`;
+
+try {
+  // Resolve certificate path to absolute if relative
+  const resolvedCertPath = certPath.startsWith('./') || certPath.startsWith('../')
+    ? path.resolve(__dirname, certPath)
+    : certPath;
+
+  // Run electron-builder with signing
+  execSync(`electron-builder --mac ${archFlag}`, {
+    stdio: 'inherit',
+    env: {
+      ...process.env,
+      // Ensure certificate path is absolute
+      CSC_LINK: resolvedCertPath
+    }
+  });
+
+  console.log('\n✅ Build complete!');
+  console.log('📦 Output: dist/\n');
+  
+  // List output files
+  const distPath = path.join(__dirname, 'dist');
+  if (fs.existsSync(distPath)) {
+    const files = fs.readdirSync(distPath)
+      .filter(f => f.endsWith('.dmg') || f.endsWith('.zip'))
+      .map(f => `   ${f}`)
+      .join('\n');
+    
+    if (files) {
+      console.log('📦 Built files:');
+      console.log(files);
+      console.log('');
+    }
+  }
+
+} catch (error) {
+  console.error('\n❌ Build failed:', error.message);
+  process.exit(1);
+}

apps/desktop/assets/icon.icns

@@ -0,0 +1,15 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
+<plist version="1.0">
+<dict>
+	<key>com.apple.security.cs.allow-jit</key>
+	<true/>
+	<key>com.apple.security.cs.allow-unsigned-executable-memory</key>
+	<true/>
+	<key>com.apple.security.cs.disable-library-validation</key>
+	<true/>
+	<key>com.apple.security.cs.allow-dyld-environment-variables</key>
+	<true/>
+</dict>
+</plist>
+