Comment by embedding-shape
1 day ago
From the top of my head, unlocking the keychain, finding the right identity, notarizing two parts, the binary itself and the .dmg that the .app ships in and some other stuff I'm sure. Can do a deeper look in a bit when I can. Most of the hassle is because it's 100% unattended and I had to do stuff to avoid GUI-prompts for passwords/unlocks, and that the Forgejo Runner has a different security context.
> unlocking the keychain, finding the right identity
You don’t need to do that, you can give options to the CLI to define what profile to use.
> Most of the hassle is because it's 100% unattended and I had to do stuff to avoid GUI-prompts for passwords/unlocks
I have a shell function to which I point my code and it compiles, signs, and notarises it without any more intervention, GUI or password prompts, and I’m pretty sure signing and notarising are literally two lines.
Unfortunately I’m not at my computer now or I’d paste them, but from your description that script is definitely too long.
I assume you're using notarytool, but I doubt that it will work unless you have your keychain unlocked.
This matches my experience. Keychain + fully unattended increases the complexity and adds a bunch of landmines that need to be dodged (e.g. GUI prompts like you mentioned).
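For reference, one common shape for the unattended flow discussed in this thread, as an added example that is not code from any of the commenters: a throwaway keychain for the signing identity, plus an App Store Connect API key for `notarytool`. All variable names (`KEYCHAIN_PASSWORD`, `P12_PATH`, `P12_PASSWORD`, `SIGN_IDENTITY`, `ASC_KEY_PATH`, `ASC_KEY_ID`, `ASC_ISSUER_ID`), the keychain path and the `hdiutil` packaging step are assumptions; by default the script only prints its plan.

```shell
#!/bin/sh
# Added example: unattended macOS signing + notarization for a CI runner.
# Every variable name and path here is an assumption, not from the thread.
set -eu

KEYCHAIN="${KEYCHAIN:-${TMPDIR:-/tmp}/ci-signing.keychain-db}"
DRY_RUN="${DRY_RUN:-1}"   # 1 = print the plan, 0 = execute (macOS only)

# Dry run prints only "tool subcommand" so secrets never reach the job log.
run() {
  if [ "$DRY_RUN" = 1 ]; then printf '%s %s\n' "$1" "$2"; else "$@"; fi
}

setup_keychain() {
  run security create-keychain -p "$KEYCHAIN_PASSWORD" "$KEYCHAIN"
  run security set-keychain-settings -lut 3600 "$KEYCHAIN"  # relock after 1 h
  run security unlock-keychain -p "$KEYCHAIN_PASSWORD" "$KEYCHAIN"
  # -T grants key access to codesign only, rather than to every app (-A).
  run security import "$P12_PATH" -P "$P12_PASSWORD" -f pkcs12 \
    -k "$KEYCHAIN" -T /usr/bin/codesign
  # Without this partition-list step codesign can raise a GUI access prompt.
  run security set-key-partition-list -S apple-tool:,apple: -s \
    -k "$KEYCHAIN_PASSWORD" "$KEYCHAIN"
  # Replaces the user search list; acceptable on a dedicated runner account.
  run security list-keychains -d user -s "$KEYCHAIN"
}

sign_and_notarize() {  # $1 = .app bundle, $2 = .dmg to produce
  run codesign --force --options runtime --timestamp --sign "$SIGN_IDENTITY" "$1"
  run hdiutil create -volname App -srcfolder "$1" -ov -format UDZO "$2"
  run codesign --force --timestamp --sign "$SIGN_IDENTITY" "$2"
  # An App Store Connect API key file needs no keychain item and no prompt.
  run xcrun notarytool submit "$2" --key "$ASC_KEY_PATH" \
    --key-id "$ASC_KEY_ID" --issuer "$ASC_ISSUER_ID" --wait
  run xcrun stapler staple "$2"
}

cleanup_keychain() { run security delete-keychain "$KEYCHAIN"; }

if [ "${1:-}" = "--run" ]; then
  DRY_RUN=0
  trap cleanup_keychain EXIT   # remove the key material even on failure
  setup_keychain
  sign_and_notarize "$2" "$3"
fi
```

Passing passwords with `-p`/`-P` exposes them to other processes on the runner through the process list, so this pattern belongs on a single-tenant runner account.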