macOS Code Signing
Code signing is required on macOS to allow your application to be listed in the Apple App Store and to prevent a warning, shown when the app is downloaded from the browser, that your application is broken and cannot be started.
Prerequisites
Code signing on macOS requires an Apple Developer account which is either paid ($99 per year) or on the free plan. You also need an Apple device where you perform the code signing. This is required by the signing process and by Apple’s Terms and Conditions.
:::note
When using a free Apple Developer account, you will not be able to notarize your application, and it will still show up as not verified when opening the app.
:::
Signing
To set up code signing for macOS you must create an Apple code signing certificate and install it to your Mac computer keychain or export it to be used in CI/CD platforms.
Creating a signing certificate
To create a new signing certificate, you must generate a Certificate Signing Request (CSR) file from your Mac computer. See creating a certificate signing request to learn how to create the CSR for code signing.
On your Apple Developer account, navigate to the Certificates, IDs & Profiles page and click on the `Create a certificate` button to open the interface to create a new certificate. Choose the appropriate certificate type (`Apple Distribution` to submit apps to the App Store, and `Developer ID Application` to ship apps outside the App Store). Upload your CSR, and the certificate will be created.
:::note
Only the Apple Developer `Account Holder` can create Developer ID Application certificates. But it can be associated with a different Apple ID by creating a CSR with a different user email address.
:::
Downloading the certificate
On the Certificates, IDs & Profiles page, click on the certificate you want to use and click on the `Download` button. It saves a `.cer` file that installs the certificate on the keychain once opened.
Configuring Tauri
You can configure Tauri to use your certificate when building macOS apps on your local machine or when using CI/CD platforms.
Signing locally
With the certificate installed in your Mac computer keychain, you can configure Tauri to use it for code signing.
The name of the certificate’s keychain entry represents the `signing identity`, which can also be found by executing:
```sh
security find-identity -v -p codesigning
```
This identity can be provided in the `tauri.conf.json > bundle > macOS > signingIdentity` configuration option or via the `APPLE_SIGNING_IDENTITY` environment variable.
:::note
A signing certificate is only valid if associated with your Apple ID. An invalid certificate won’t be listed on the Keychain Access > My Certificates tab or in the `security find-identity -v -p codesigning` output. If the certificate does not download to the correct location, make sure the “login” option is selected in Keychain Access under “Default Keychains” when downloading the `.cer` file.
:::
Signing in CI/CD platforms
To use the certificate in CI/CD platforms, you must export the certificate to a base64 string and configure the `APPLE_CERTIFICATE` and `APPLE_CERTIFICATE_PASSWORD` environment variables:
- Open the `Keychain Access` app, click the My Certificates tab in the login keychain and find your certificate’s entry.
- Expand the entry, right-click on the key item, and select `Export "$KEYNAME"`.
- Select the path to save the certificate’s `.p12` file and define a password for the exported certificate.
- Convert the `.p12` file to base64 by running the following command in the terminal:
```sh
openssl base64 -in /path/to/certificate.p12 -out certificate-base64.txt
```
- Set the contents of the `certificate-base64.txt` file to the `APPLE_CERTIFICATE` environment variable.
- Set the certificate password to the `APPLE_CERTIFICATE_PASSWORD` environment variable.
Example GitHub Actions configuration
Required secrets:
- `APPLE_ID` - Your Apple ID email
- `APPLE_ID_PASSWORD` - Your Apple ID password
- `APPLE_CERTIFICATE` - The base64 encoded `.p12` file
- `APPLE_CERTIFICATE_PASSWORD` - The password for your exported `.p12` file
- `KEYCHAIN_PASSWORD` - The password for your keychain
Check out the official GitHub guide to learn how to set up secrets.
```yaml
name: 'build'

on:
  push:
    branches:
      - main

jobs:
  build-macos:
    # Assumes a `prepare` job defined elsewhere in this workflow (not shown).
    needs: prepare
    strategy:
      matrix:
        include:
          - args: '--target aarch64-apple-darwin'
            arch: 'silicon'
          - args: '--target x86_64-apple-darwin'
            arch: 'intel'
    runs-on: macos-latest
    env:
      APPLE_ID: ${{ secrets.APPLE_ID }}
      APPLE_ID_PASSWORD: ${{ secrets.APPLE_ID_PASSWORD }}
    steps:
      - name: Import Apple Developer Certificate
        env:
          APPLE_CERTIFICATE: ${{ secrets.APPLE_CERTIFICATE }}
          APPLE_CERTIFICATE_PASSWORD: ${{ secrets.APPLE_CERTIFICATE_PASSWORD }}
          KEYCHAIN_PASSWORD: ${{ secrets.KEYCHAIN_PASSWORD }}
        run: |
          # Decode the base64 secret back into the exported .p12 file
          echo "$APPLE_CERTIFICATE" | base64 --decode > certificate.p12
          # Create and unlock a dedicated keychain for this build
          security create-keychain -p "$KEYCHAIN_PASSWORD" build.keychain
          security default-keychain -s build.keychain
          security unlock-keychain -p "$KEYCHAIN_PASSWORD" build.keychain
          # Import the certificate and allow codesign to use its private key
          security import certificate.p12 -k build.keychain -P "$APPLE_CERTIFICATE_PASSWORD" -T /usr/bin/codesign
          security set-key-partition-list -S apple-tool:,apple:,codesign: -s -k "$KEYCHAIN_PASSWORD" build.keychain
          security find-identity -v -p codesigning build.keychain
      - name: Verify Certificate
        run: |
          # Extract the quoted identity name and pass it to later steps
          CERT_INFO=$(security find-identity -v -p codesigning build.keychain | grep "Apple Development")
          CERT_ID=$(echo "$CERT_INFO" | awk -F'"' '{print $2}')
          echo "CERT_ID=$CERT_ID" >> "$GITHUB_ENV"
          echo "Certificate imported."
      - uses: tauri-apps/tauri-action@v0
        env:
          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
          APPLE_CERTIFICATE: ${{ secrets.APPLE_CERTIFICATE }}
          APPLE_CERTIFICATE_PASSWORD: ${{ secrets.APPLE_CERTIFICATE_PASSWORD }}
          APPLE_SIGNING_IDENTITY: ${{ env.CERT_ID }}
        with:
          args: ${{ matrix.args }}
```
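The Verify Certificate step in the workflow takes whatever lines match its grep pattern, so the pattern has to correspond to the certificate type that was actually exported. As an added example (not part of the Tauri documentation), this shell helper parses the same `security find-identity -v -p codesigning` output, matches on the certificate type before the colon, and fails with a message unless exactly one identity matches. The function name `select_identity` and the sample output are constructed for illustration.

```shell
#!/bin/sh
# Added example: pick exactly one signing identity from the output of
# `security find-identity -v -p codesigning`, or fail the CI step.

# Constructed sample output (hashes, names and team IDs are made up).
SAMPLE_OUTPUT='  1) 0123456789ABCDEF0123456789ABCDEF01234567 "Apple Development: Jane Doe (AAAAAAAAAA)"
  2) 89ABCDEF0123456789ABCDEF0123456789ABCDEF "Developer ID Application: Example Corp (BBBBBBBBBB)"
     2 valid identities found'

# select_identity TYPE   (hypothetical helper)
# Reads find-identity output on stdin and prints the single identity whose
# name starts with "TYPE:". Returns 1 if none match, 2 if several match.
select_identity() {
  wanted=$1
  matches=$(awk -F'"' -v t="$wanted" '
    # Identity lines look like:  N) <hex hash> "<name>"
    $1 ~ /^ *[0-9]+\) [0-9A-F]+ $/ && index($2, t ":") == 1 { print $2 }
  ')
  if [ -z "$matches" ]; then
    echo "no \"$wanted\" identity found in keychain" >&2
    return 1
  fi
  count=$(printf '%s\n' "$matches" | grep -c .)
  if [ "$count" -ne 1 ]; then
    echo "ambiguous: $count \"$wanted\" identities found" >&2
    return 2
  fi
  printf '%s\n' "$matches"
}

# In the workflow this would read the real keychain instead of the sample:
#   CERT_ID=$(security find-identity -v -p codesigning build.keychain \
#     | select_identity "Developer ID Application") || exit 1
printf '%s\n' "$SAMPLE_OUTPUT" | select_identity "Developer ID Application"
```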
Notarization
To notarize your application, you must provide credentials for Tauri to authenticate with Apple:
- `APPLE_API_ISSUER`, `APPLE_API_KEY` and `APPLE_API_KEY_PATH`: authenticate using an App Store Connect API key
  Open the App Store Connect’s Users and Access page, select the Integrations tab, click on the Add button and select a name and the Developer access. The `APPLE_API_ISSUER` (Issuer ID) is presented above the keys table, and the `APPLE_API_KEY` is the value on the Key ID column on that table. You also need to download the private key, which can only be done once and is only visible after a page reload (the button is shown on the table row for the newly created key). The private key file path must be set via the `APPLE_API_KEY_PATH` environment variable.
- `APPLE_ID`, `APPLE_PASSWORD` and `APPLE_TEAM_ID`: authenticate using your Apple ID
  Alternatively, to authenticate with your Apple ID, set the `APPLE_ID` to your Apple account email and the `APPLE_PASSWORD` to an app-specific password for the Apple account.
:::note
Notarization is required when using a Developer ID Application certificate.
:::