macOS 代码签名

macOS 上需要代码签名，以允许你的应用在 Apple App Store 中列出，并防止从浏览器下载时出现警告，即你的应用已损坏且无法启动。

¥Code signing is required on macOS to allow your application to be listed in the Apple App Store and to prevent a warning that your application is broken and can not be started, when downloaded from the browser.

先决条件

¥Prerequisites

macOS 上的代码签名需要一个 Apple 开发者账户，该账户要么是付费的（每年 99 美元），要么是免费计划。你还需要一台执行代码签名的 Apple 设备。这是签名过程所必需的，也是 Apple 的条款和条件所要求的。

¥Code signing on macOS requires an Apple Developer account which is either paid (99$ per year) or on the free plan. You also need an Apple device where you perform the code signing. This is required by the signing process and due to Apple’s Terms and Conditions.

:::note 注意

请注意，使用免费的 Apple 开发者账户时，你将无法公证你的应用，并且在打开应用时仍会显示为未经验证。

¥Note when using a free Apple Developer account, you will not be able to notarize your application and it will still show up as not verified when opening the app.

:::

签名

¥Signing

要为 macOS 设置代码签名，你必须创建 Apple 代码签名证书并将其安装到 Mac 计算密钥钥串或将其导出以用于 CI/CD 平台。

¥To setup code signing for macOS you must create an Apple code signing certificate and install it to your Mac computer keychain or export it to be used in CI/CD platforms.

创建签名证书

¥Creating a signing certificate

要创建新的签名证书，你必须从 Mac 计算机生成证书签名请求 (CSR) 文件。有关更多信息，请参阅创建证书签名请求。

¥To create a new signing certificate, you must generate a Certificate Signing Request (CSR) file from your Mac computer. See creating a certificate signing request to learn how to create the CSR for code signing.

在你的 Apple 开发者账户上，导航到证书、ID 和配置文件页面并单击 Create a certificate 按钮以打开创建新证书的界面。选择适当的证书类型（Apple Distribution 用于将应用提交到 App Store，Developer ID Application 用于将应用发送到 App Store 之外）。上传你的 CSR，证书将被创建。

¥On your Apple Developer account, navigate to the Certificates, IDs & Profiles page and click on the Create a certificate button to open the interface to create a new certificate. Choose the appropriate certificate type (Apple Distribution to submit apps to the App Store, and Developer ID Application to ship apps outside the App Store). Upload your CSR, and the certificate will be created.

:::note 注意

只有 Apple Developer Account Holder 才能创建 Developer ID 应用证书。但是，可以通过创建具有不同用户电子邮件地址的 CSR 将其与不同的 Apple ID 关联。

¥Only the Apple Developer Account Holder can create Developer ID Application certificates. But it can be associated with a different Apple ID by creating a CSR with a different user email address.

:::

正在下载证书

¥Downloading the certificate

在证书、ID 和配置文件页面上，单击要使用的证书，然后单击 Download 按钮。它会保存一个 .cer 文件，该文件一旦打开就会将证书安装在密钥串上。

¥On the Certificates, IDs & Profiles page, click on the certificate you want to use and click on the Download button. It saves a .cer file that installs the certificate on the keychain once opened.

配置 Tauri

¥Configuring Tauri

你可以将 Tauri 配置为在本地计算机上构建 macOS 应用或使用 CI/CD 平台时使用你的证书。

¥You can configure Tauri to use your certificate when building macOS apps on your local machine or when using CI/CD platforms.

本地签名

¥Signing locally

在 Mac 电脑密钥串中安装证书后，你可以配置 Tauri 以使用它进行代码签名。

¥With the certificate installed in your Mac computer keychain, you can configure Tauri to use it for code signing.

证书的密钥串条目的名称代表 signing identity，也可以通过执行以下命令找到：

¥The name of the certificate’s keychain entry represents the signing identity, which can also be found by executing:

security find-identity -v -p codesigning

此身份可以在 tauri.conf.json > bundle > macOS > signingIdentity 配置选项中或通过 APPLE_SIGNING_IDENTITY 环境变量提供。

¥This identity can be provided in the tauri.conf.json > bundle > macOS > signingIdentity configuration option or via the APPLE_SIGNING_IDENTITY environment variable.

:::note 注意

签名证书仅与你的 Apple ID 关联时才有效。无效证书不会列在 Keychain Access > My Certifications 选项卡或 security find-identity -v -p codesigning 输出中。如果证书未下载到正确的位置，请确保在下载 .cer 文件时在 “默认密钥串” 下的 Keychain Access 中选择了 “login” 选项。

¥A signing certificate is only valid if associated with your Apple ID. An invalid certificate won’t be listed on the Keychain Access > My Certificates tab or the security find-identity -v -p codesigning output. If the certificate does not download to the correct location, make sure the “login” option is selected in Keychain Access under “Default Keychains” when downloading the .cer file.

:::

在 CI/CD 平台中签名

¥Signing in CI/CD platforms

要在 CI/CD 平台中使用证书，你必须将证书导出为 base64 字符串并配置 APPLE_CERTIFICATE 和 APPLE_CERTIFICATE_PASSWORD 环境变量：

¥To use the certificate in CI/CD platforms, you must export the certificate to a base64 string and configure the APPLE_CERTIFICATE and APPLE_CERTIFICATE_PASSWORD environment variables:

打开 Keychain Access 应用，单击登录密钥串中的我的证书选项卡并找到你的证书条目。

¥Open the Keychain Access app, click the My Certificates tab in the login keychain and find your certificate’s entry.
展开条目，右键单击关键项，然后选择 Export "$KEYNAME"。

¥Expand the entry, right-click on the key item, and select Export "$KEYNAME".
选择保存证书的 .p12 文件的路径并为导出的证书定义密码。

¥Select the path to save the certificate’s .p12 file and define a password for the exported certificate.
在终端上运行以下脚本将 .p12 文件转换为 base64：

¥Convert the .p12 file to base64 running the following script on the terminal:

openssl base64 -in /path/to/certificate.p12 -out certificate-base64.txt

将 certificate-base64.txt 文件的内容设置为 APPLE_CERTIFICATE 环境变量。

¥Set the contents of the certificate-base64.txt file to the APPLE_CERTIFICATE environment variable.
将证书密码设置为 APPLE_CERTIFICATE_PASSWORD 环境变量。

¥Set the certificate password to the APPLE_CERTIFICATE_PASSWORD environment variable.

Example GitHub Actions configuration

所需密钥：

¥Required secrets:

APPLE_ID - 你的 Apple ID 电子邮件

¥APPLE_ID - Your Apple ID email
APPLE_ID_PASSWORD - 你的 Apple ID 密码

¥APPLE_ID_PASSWORD - Your Apple ID password
APPLE_CERTIFICATE - base64 编码的 .p12 文件

¥APPLE_CERTIFICATE - The base64 encoded .p12 file
APPLE_CERTIFICATE_PASSWORD - 导出的 .p12 文件的密码

¥APPLE_CERTIFICATE_PASSWORD - The password for your exported .p12 file
KEYCHAIN_PASSWORD - 密钥串的密码

¥KEYCHAIN_PASSWORD - The password for your keychain

查看官方 GitHub 指南以了解如何设置秘密。

¥Check out the official GitHub guide to learn how to set up secrets.

name: 'build'

on:
  push:
    branches:
      - main

jobs:
  build-macos:
    needs: prepare
    strategy:
      matrix:
        include:
          - args: '--target aarch64-apple-darwin'
            arch: 'silicon'
          - args: '--target x86_64-apple-darwin'
            arch: 'intel'
    runs-on: macos-latest
    env:
      APPLE_ID: ${{ secrets.APPLE_ID }}
      APPLE_ID_PASSWORD: ${{ secrets.APPLE_ID_PASSWORD }}
    steps:
      - name: Import Apple Developer Certificate
        env:
          APPLE_CERTIFICATE: ${{ secrets.APPLE_CERTIFICATE }}
          APPLE_CERTIFICATE_PASSWORD: ${{ secrets.APPLE_CERTIFICATE_PASSWORD }}
          KEYCHAIN_PASSWORD: ${{ secrets.KEYCHAIN_PASSWORD }}
        run: |
          echo $APPLE_CERTIFICATE | base64 --decode > certificate.p12
          security create-keychain -p "$KEYCHAIN_PASSWORD" build.keychain
          security default-keychain -s build.keychain
          security unlock-keychain -p "$KEYCHAIN_PASSWORD" build.keychain
          security import certificate.p12 -k build.keychain -P "$APPLE_CERTIFICATE_PASSWORD" -T /usr/bin/codesign
          security set-key-partition-list -S apple-tool:,apple:,codesign: -s -k "$KEYCHAIN_PASSWORD" build.keychain
          security find-identity -v -p codesigning build.keychain
      - name: Verify Certificate
        run: |
          CERT_INFO=$(security find-identity -v -p codesigning build.keychain | grep "Apple Development")
          CERT_ID=$(echo "$CERT_INFO" | awk -F'"' '{print $2}')
          echo "CERT_ID=$CERT_ID" >> $GITHUB_ENV
          echo "Certificate imported."
      - uses: tauri-apps/tauri-action@v0
        env:
          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
          APPLE_CERTIFICATE: ${{ secrets.APPLE_CERTIFICATE }}
          APPLE_CERTIFICATE_PASSWORD: ${{ secrets.APPLE_CERTIFICATE_PASSWORD }}
          APPLE_SIGNING_IDENTITY: ${{ env.CERT_ID }}
        with:
          args: ${{ matrix.args }}

公证

¥Notarization

要公证你的应用，你必须提供 Tauri 向 Apple 进行身份验证的凭据：

¥To notarize your application, you must provide credentials for Tauri to authenticate with Apple:

APPLE_API_ISSUER、APPLE_API_KEY 和 APPLE_API_KEY_PATH：使用 App Store Connect API 密钥进行身份验证

¥APPLE_API_ISSUER, APPLE_API_KEY and APPLE_API_KEY_PATH: authenticate using an App Store Connect API key

打开 App Store Connect 的用户和访问页面，选择集成选项卡，单击添加按钮并选择名称和开发者访问权限。APPLE_API_ISSUER（发行者 ID）显示在密钥表上方，APPLE_API_KEY 是该表上密钥 ID 列的值。你还需要下载私钥，该操作只能执行一次，并且仅在页面重新加载后可见（按钮显示在新创建密钥的表格行上）。私钥文件路径必须通过 APPLE_API_KEY_PATH 环境变量设置。

¥Open the App Store Connect’s Users and Access page, select the Integrations tab, click on the Add button and select a name and the Developer access. The APPLE_API_ISSUER (Issuer ID) is presented above the keys table, and the APPLE_API_KEY is the value on the Key ID column on that table. You also need to download the private key, which can only be done once and is only visible after a page reload (the button is shown on the table row for the newly created key). The private key file path must be set via the APPLE_API_KEY_PATH environment variable.
APPLE_ID、APPLE_PASSWORD 和 APPLE_TEAM_ID：使用你的 Apple ID 进行身份验证

¥APPLE_ID, APPLE_PASSWORD and APPLE_TEAM_ID: authenticate using your Apple ID

或者，要使用你的 Apple ID 进行身份验证，请将 APPLE_ID 设置为你的 Apple 账户电子邮件，并将 APPLE_PASSWORD 设置为 Apple 账户的应用专用密码。

¥Alternatively, to authenticate with your Apple ID, set the APPLE_ID to your Apple account email and the APPLE_PASSWORD to an app-specific password for the Apple account.

:::note 注意

使用开发者 ID 应用证书时需要公证。

¥Notarization is required when using a Developer ID Application certificate.

:::