Sure, essentially my workflow is now as follows
- Build the binary and code-sign it with the "Developer ID Application" identity (hardened runtime enabled, secure timestamp requested).
- Create a `.pkg` that installs into `/usr/local/bin` and sign it with the "Developer ID Installer" identity.
- Submit the `.pkg` for notarization.
- Staple the notarization ticket onto the `.pkg`.
- Package the stapled `.pkg` inside a `.dmg`.
Or, with the Makefile below: run `make notarize`, and — once Apple has accepted the submission — run `make image`.
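# Release packaging knobs. Simple (:=) assignment: every value is fixed once at
# parse time; override from the command line, e.g. `make VERSION=0.2.0 image`.
VERSION := 0.1.0
PRODUCT := my-tool
# Universal binary produced by `swift build --arch arm64 --arch x86_64`.
BINARY := .build/apple/Products/Release/${PRODUCT}
# Staging tree that mirrors the install layout; pkgbuild takes it as --root.
PKG_ROOT := ./pkg/${PRODUCT}-${VERSION}
PKG_DIR := ${PKG_ROOT}/usr/local/bin
PKG_DMG := ./pkg/${PRODUCT}-${VERSION}.dmg
# Folder whose contents become the .dmg volume (holds only the signed .pkg).
PKG_DMG_ROOT := ./pkg/out
PKG := ${PKG_DMG_ROOT}/${PRODUCT}-${VERSION}.pkg
# Signing identities. The double quotes are part of the value so the recipes
# can pass them unquoted. "Developer ID Application" signs code and
# "Developer ID Installer" signs the .pkg -- they are two different
# certificates and cannot be swapped.
CODESIGN_IDENTITY := "Developer ID Application: John Appleseed (1234AAPL)"
PKG_CODESIGN_IDENTITY := "Developer ID Installer: John Appleseed (1234AAPL)"
BUNDLE_ID := dev.appleseed.${PRODUCT}
# Notarization account. Only the *name* of the keychain item is kept here; the
# app-specific password itself must never be written into the Makefile.
USERNAME := john.appleseed@me.com
PASSWORD_ID := AC_PASSWORD
ASC_PROVIDER := 47MVPF48NE

# A signing, packaging or imaging step that fails part-way must not leave a
# half-written target behind that make would then treat as up to date.
.DELETE_ON_ERROR: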
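# Build the universal release binary and sign it with the Developer ID
# Application identity. `--options=runtime` enables the hardened runtime and
# `--timestamp` requests a secure timestamp; notarization rejects binaries
# lacking either. The signature is verified immediately so a broken or
# incomplete signature fails here rather than inside a packaged installer.
# NOTE(review): no source prerequisites are listed, so an existing binary is
# never rebuilt by `make image`. That also keeps `make image` from silently
# rebuilding and re-signing a binary whose .pkg has already been notarized;
# delete ${BINARY} (or `swift package clean`) to force a rebuild after edits.
${BINARY}:
	swift build -c release --product "${PRODUCT}" --arch arm64 --arch x86_64
	xcrun codesign -s ${CODESIGN_IDENTITY} \
		--options=runtime \
		--timestamp \
		"$@"
	xcrun codesign --verify --strict --verbose=2 "$@"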
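# Stage the signed binary under a root that mirrors the install layout and
# build a Developer ID Installer-signed component package from it.
# --install-location "/" together with a root containing usr/local/bin/ puts
# the binary at /usr/local/bin/${PRODUCT} on the target machine. The package
# signature is checked right after pkgbuild so an unsigned or mis-signed
# installer is never handed to notarization.
${PKG}: ${BINARY}
	$(RM) -r "${PKG_ROOT}" "${PKG_DMG_ROOT}"
	mkdir -p "${PKG_DIR}" "${PKG_DMG_ROOT}"
	cp "$<" "${PKG_DIR}/"
	xcrun pkgbuild --root "${PKG_ROOT}" \
		--identifier "${BUNDLE_ID}" \
		--version "${VERSION}" \
		--install-location "/" \
		--sign ${PKG_CODESIGN_IDENTITY} \
		"$@"
	pkgutil --check-signature "$@"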
# Wrap the stapled package in a compressed (UDZO) disk image whose volume is
# named after the product. `staple` is phony, so the image is regenerated on
# every run. The .dmg itself is not signed here; the artifact Gatekeeper
# evaluates is the notarized, stapled .pkg inside it.
${PKG_DMG}: ${PKG} staple
	hdiutil create -volname "${PRODUCT}" -srcfolder "${PKG_DMG_ROOT}" -ov -format UDZO "$@"
## build: compile and sign the universal binary
build: ${BINARY}
.PHONY: build
## package: produce the Developer ID Installer-signed .pkg
package: ${PKG}
.PHONY: package
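# Upload the signed .pkg to Apple's notary service. `altool --notarize-app` is
# no longer usable (Apple stopped accepting altool notarization uploads in
# November 2023); notarytool is its replacement. Credentials come from a
# keychain profile created once, interactively, with
#   xcrun notarytool store-credentials "${PASSWORD_ID}" \
#       --apple-id "${USERNAME}" --team-id "${ASC_PROVIDER}"
# so the app-specific password never lands in the Makefile, the process list
# or shell history. --wait blocks until Apple returns a verdict; if the
# printed status is anything other than "Accepted", fetch the reasons with
# `xcrun notarytool log <submission-id> --keychain-profile "${PASSWORD_ID}"`.
.PHONY: notarize
notarize: ${PKG}
	xcrun notarytool submit "${PKG}" \
		--keychain-profile "${PASSWORD_ID}" \
		--wait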
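# Attach the notarization ticket to the .pkg so Gatekeeper can validate it
# offline. ${PKG} is a prerequisite so that under `make -j` stapling cannot
# start before the package exists. Stapling only succeeds once Apple has
# issued a ticket for exactly this file (stapler exits non-zero otherwise), so
# running `make image` before notarization completes fails instead of shipping
# an unstapled package. The validate and spctl steps confirm the ticket is
# attached and that Gatekeeper would accept the installer as built.
.PHONY: staple
staple: ${PKG}
	xcrun stapler staple "${PKG}"
	xcrun stapler validate "${PKG}"
	spctl --assess --type install --verbose=2 "${PKG}"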
## image: build the .dmg containing the stapled .pkg (run after notarize)
image: ${PKG_DMG}
.PHONY: image