macOS Code Signing
Code signing is required on macOS to allow your application to be listed in the Apple App Store and to prevent a warning that your application is broken and cannot be started when it is downloaded from the browser.
Prerequisites
Code signing on macOS requires an Apple Developer account, which is either paid ($99 per year) or on the free plan (only for testing and development purposes). You also need an Apple device on which you perform the code signing. This is required by the signing process and by Apple's Terms and Conditions.
Signing
To set up code signing for macOS, you must create an Apple code signing certificate and either install it in your Mac computer's keychain or export it for use in CI/CD platforms.
Creating a signing certificate
To create a new signing certificate, you must generate a Certificate Signing Request (CSR) file from your Mac computer. See creating a certificate signing request to learn how to create the CSR for code signing.
On your Apple Developer account, navigate to the Certificates, IDs & Profiles page and click on the Create a certificate button to open the interface to create a new certificate.
Choose the appropriate certificate type (Apple Distribution to submit apps to the App Store, and Developer ID Application to ship apps outside the App Store).
Upload your CSR, and the certificate will be created.
Downloading the certificate
On the Certificates, IDs & Profiles page, click on the certificate you want to use and click on the Download button.
It saves a .cer file that installs the certificate in the keychain once opened.
Configuring Tauri
You can configure Tauri to use your certificate when building macOS apps on your local machine or when using CI/CD platforms.
Signing locally
With the certificate installed in your Mac computer's keychain, you can configure Tauri to use it for code signing.
The name of the certificate's keychain entry represents the signing identity, which can also be found by executing:
security find-identity -v -p codesigning
This identity can be provided in the tauri.conf.json > bundle > macOS > signingIdentity configuration option or via the APPLE_SIGNING_IDENTITY environment variable.
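For scripted builds, the identity name can be extracted from that command's output. The following is an added example, not part of the original page or of Tauri: the function name pick_identity is hypothetical and the sample output is constructed. It fails when no identity, or more than one identity, of the requested certificate type is present, so a build never continues with an empty or ambiguous APPLE_SIGNING_IDENTITY.

```shell
#!/bin/sh
# Added example: select exactly one signing identity, by certificate type,
# from the output of `security find-identity -v -p codesigning`.

# Constructed sample output (hashes, names and team IDs are made up).
SAMPLE_IDENTITIES='  1) 0123456789ABCDEF0123456789ABCDEF01234567 "Developer ID Application: Example Corp (ABCDE12345)"
  2) 89ABCDEF0123456789ABCDEF0123456789ABCDEF "Apple Development: Jane Doe (FGHIJ67890)"
     2 valid identities found'

# pick_identity TYPE   (reads find-identity output on stdin)
# Prints the identity name when exactly one identity of TYPE exists.
# Returns 1 when none matches and 2 when several match.
pick_identity() {
  # Identity lines look like:   N) <hex hash> "<type>: <owner> (<team>)"
  # Splitting on the double quote puts the name in field 2.
  awk -F'"' -v t="$1: " '
    $1 ~ /^[ \t]*[0-9]+\) [0-9A-F]+ $/ && index($2, t) == 1 { n++; name = $2 }
    END {
      if (n == 1) { print name; exit 0 }
      exit (n == 0 ? 1 : 2)
    }'
}

# On a Mac, feed it the real command output:
#   APPLE_SIGNING_IDENTITY=$(security find-identity -v -p codesigning \
#     | pick_identity "Developer ID Application") || exit 1

# Demo on the constructed sample.
printf '%s\n' "$SAMPLE_IDENTITIES" | pick_identity "Developer ID Application"
```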
Signing in CI/CD platforms
To use the certificate in CI/CD platforms, you must export the certificate to a base64 string and configure the APPLE_CERTIFICATE and APPLE_CERTIFICATE_PASSWORD environment variables:
- Open the Keychain Access app, click the My Certificates tab in the login keychain and find your certificate's entry.
- Expand the entry, right-click on the key item, and select Export "$KEYNAME".
- Select the path to save the certificate's .p12 file and set a password for the exported certificate.
- Run the following script in the terminal to convert the .p12 file to base64:
  openssl base64 -A -in /path/to/certificate.p12 -out certificate-base64.txt
- Set the contents of the certificate-base64.txt file as the APPLE_CERTIFICATE environment variable.
- Set the certificate password as the APPLE_CERTIFICATE_PASSWORD environment variable.
Example GitHub Actions configuration
Required secrets:
- APPLE_ID - Your Apple ID email
- APPLE_PASSWORD - Your Apple ID password
- APPLE_CERTIFICATE - The base64 encoded .p12 file
- APPLE_CERTIFICATE_PASSWORD - The password for your exported .p12 file
- KEYCHAIN_PASSWORD - The password for your keychain
Check out the official GitHub guide to learn how to set up secrets.
name: 'build'

on:
  push:
    branches:
      - main

jobs:
  build-macos:
    # 'prepare' is another job of this workflow that is not shown here
    needs: prepare
    strategy:
      matrix:
        include:
          - args: '--target aarch64-apple-darwin'
            arch: 'silicon'
          - args: '--target x86_64-apple-darwin'
            arch: 'intel'
    runs-on: macos-latest
    env:
      APPLE_ID: ${{ secrets.APPLE_ID }}
      APPLE_PASSWORD: ${{ secrets.APPLE_PASSWORD }}
    steps:
      - name: Import Apple Developer Certificate
        env:
          APPLE_CERTIFICATE: ${{ secrets.APPLE_CERTIFICATE }}
          APPLE_CERTIFICATE_PASSWORD: ${{ secrets.APPLE_CERTIFICATE_PASSWORD }}
          KEYCHAIN_PASSWORD: ${{ secrets.KEYCHAIN_PASSWORD }}
        run: |
          # Decode the base64 secret back into the .p12 file
          echo "$APPLE_CERTIFICATE" | base64 --decode > certificate.p12
          # Create a temporary keychain for this build and unlock it
          security create-keychain -p "$KEYCHAIN_PASSWORD" build.keychain
          security default-keychain -s build.keychain
          security unlock-keychain -p "$KEYCHAIN_PASSWORD" build.keychain
          security set-keychain-settings -t 3600 -u build.keychain
          # Import the certificate and allow codesign to use its key
          security import certificate.p12 -k build.keychain -P "$APPLE_CERTIFICATE_PASSWORD" -T /usr/bin/codesign
          security set-key-partition-list -S apple-tool:,apple:,codesign: -s -k "$KEYCHAIN_PASSWORD" build.keychain
          security find-identity -v -p codesigning build.keychain
      - name: Verify Certificate
        run: |
          # Selects the identity whose name contains "Apple Development";
          # change the pattern to match the certificate type you created
          # (for example "Developer ID Application")
          CERT_INFO=$(security find-identity -v -p codesigning build.keychain | grep "Apple Development")
          CERT_ID=$(echo "$CERT_INFO" | awk -F'"' '{print $2}')
          echo "CERT_ID=$CERT_ID" >> "$GITHUB_ENV"
          echo "Certificate imported."
      - uses: tauri-apps/tauri-action@v0
        env:
          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
          APPLE_CERTIFICATE: ${{ secrets.APPLE_CERTIFICATE }}
          APPLE_CERTIFICATE_PASSWORD: ${{ secrets.APPLE_CERTIFICATE_PASSWORD }}
          APPLE_SIGNING_IDENTITY: ${{ env.CERT_ID }}
        with:
          args: ${{ matrix.args }}

Notarization
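To notarize your application, you must provide credentials for Tauri to authenticate with Apple. This can be done via the App Store Connect API, or via your Apple ID.
App Store Connect API:
- Open the App Store Connect Users and Access page, select the Integrations tab, click on the Add button, and select a name and the Developer access.
- Set the APPLE_API_ISSUER environment variable to the value shown above the keys table.
- Set the APPLE_API_KEY environment variable to the value in the Key ID column of that table.
- Download the private key. This can only be done once, and the download is only visible after a page reload (the download button is shown in the table row of the newly created key).
- Set the APPLE_API_KEY_PATH environment variable to the file path of the downloaded private key.
Apple ID:
- Set the APPLE_ID environment variable to your Apple account email.
- Set the APPLE_PASSWORD environment variable to an app-specific password for your Apple account.
- Set the APPLE_TEAM_ID environment variable to your Apple Team ID. You can find your Team ID on your account's Membership page.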
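A preflight check for these variables, as an added example that is not part of the original page or of Tauri. The function name notarization_mode, its return codes and its preference for the API key set when both sets are present are choices made for this example.

```shell
#!/bin/sh
# Added example: report which notarization credential set is fully
# configured, using the environment variable names listed above.

# notarization_mode
# Prints "api-key" or "apple-id" and returns 0 when that set is complete.
# Returns 1 when neither set is complete, 2 when the API key file is
# missing, 3 when the key file is accessible to group or other users.
notarization_mode() {
  if [ -n "${APPLE_API_ISSUER:-}" ] && [ -n "${APPLE_API_KEY:-}" ] \
     && [ -n "${APPLE_API_KEY_PATH:-}" ]; then
    # The private key can only be downloaded once, so check that the
    # path really points at a file before the build relies on it.
    [ -f "$APPLE_API_KEY_PATH" ] || { echo "key file not found" >&2; return 2; }
    # Characters 5-10 of the ls mode string are the group/other bits.
    perms=$(ls -ld "$APPLE_API_KEY_PATH" | cut -c5-10)
    [ "$perms" = "------" ] || { echo "key file is not owner-only" >&2; return 3; }
    echo "api-key"
    return 0
  fi
  if [ -n "${APPLE_ID:-}" ] && [ -n "${APPLE_PASSWORD:-}" ] \
     && [ -n "${APPLE_TEAM_ID:-}" ]; then
    echo "apple-id"
    return 0
  fi
  # Name the unset variables; never print the values of the set ones.
  for v in APPLE_API_ISSUER APPLE_API_KEY APPLE_API_KEY_PATH \
           APPLE_ID APPLE_PASSWORD APPLE_TEAM_ID; do
    eval "val=\${$v:-}"
    [ -n "$val" ] || echo "unset: $v" >&2
  done
  return 1
}

# Typical use before a release build:
#   mode=$(notarization_mode) || exit 1
```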
Ad-Hoc Signing
If you do not wish to provide an Apple-authenticated identity, but still wish to sign your application, you can configure an ad-hoc signature.
This is useful on ARM (Apple Silicon) devices, where code signing is required for all apps from the Internet.
To configure an ad-hoc signature, provide the pseudo-identity - to Tauri, e.g.
"signingIdentity": "-"
For details on configuring Tauri's signing identity, see above.