agent: lumotia — v0.1 release-completion run
Some checks failed
check / cargo check (macos-latest) (push) Has been cancelled
check / cargo check (ubuntu-22.04) (push) Has been cancelled
check / cargo check (windows-latest) (push) Has been cancelled
check / svelte build + lint (push) Has been cancelled

Closes the code-side v0.1 ship gate. All quality gates green:
cargo fmt/clippy/test (~327 tests), npm check (0/0), vitest 13/13,
scripts/dogfood-rebrand-drill.sh 8/8.

Phase F — first-run onboarding promoted to v0.1
- FirstRunPage with skip-to-main + failure recovery + event recording
- Six onboarding commands (record/list/has-completed + lumotia_events)
- Storage migration v17 (onboarding_events + lumotia_events tables)

UI hardening (in-scope items from v0.1-ui-hardening.md)
- StatusPill + PostCaptureCard components, 21st preview entry
- Sidebar recording-as-sacred-state (opacity + aria-disabled, reduced-motion)
- Settings 6-section regroup + Help section + Activation log + Privacy toggle
- Error-state copy sweep (DictationPage + SettingsPage, plain-language)
- Global :focus-visible rule, textarea outlines restored
- Ctrl+K / Ctrl+, / Escape bindings in +layout

LLM resilience
- rule_based_extract_tasks (regex-free imperative-verb extractor) +
  extract_tasks_with_fallback wrapper — task extraction never returns zero
- tokio::time::timeout(120s) wraps cleanup/tags/tasks commands

Release artefacts
- LICENSE (canonical AGPL-3.0), CHANGELOG (Keep-a-Changelog format)
- v0.1-release-notes, privacy-and-ai-use, install-warnings,
  tester-onboarding-kit, tester-acceptance-runbook, code-signing-setup,
  apple-silicon-rb08-runbook, virtual-audio-setup, v0.1-contrast-audit
- Workspace versioning + AGPL spdx; npm exact-pin (10 ranges removed)
- AppImage SHA-256 sidecar in build.yml
- README v0.1 section + Reporting-issues; canonical repo slug

Closure pass — items moved from human-required to code-complete
- KI-02 Linux idle inhibit: zbus 5 → org.freedesktop.login1.Manager.Inhibit
- KI-03 Windows sleep prevention: SetThreadExecutionState(ES_CONTINUOUS|...)
- acquire/release_idle_inhibit Tauri commands, wired in DictationPage
- Diagnostic-bundle frontend wire-up (Settings → Help button)
- WCAG-AA contrast fix via .btn-filled-text utility (no token changes)
- 8 destructive-action sites wrapped in plain-language confirm() guards
- KNOWN-ISSUES.md + v0.1-known-limitations.md updated (KI-02/03 fixed)

Scripts
- pre-tag-verify.sh, tag-day.sh, smoke-linux + driver
- parse-diagnostic-bundle.sh, parse-activation-log.py

Per-item audit trail: docs/release/v0.1-completion-status.md
Remaining: W-01…W-08 (signing certs, hardware probes, smoke matrix,
tester recruitment) — see docs/release/v0.1-known-limitations.md.
This commit is contained in:
2026-05-15 06:59:08 +01:00
parent bf1b68275a
commit 3770815fbf
77 changed files with 8697 additions and 1017 deletions

View File

@@ -0,0 +1,95 @@
---
name: code-signing-setup
type: release
tags: [release, signing, notarisation, macos, windows, secrets]
description: "Step-by-step walkthrough: procure signing certificates and set the GitHub secrets that activate conditional code-signing in the CI workflow."
---
# Code-signing setup
The CI workflow (`build.yml`) signs automatically when the relevant GitHub secrets are present. If they aren't set, the workflow still builds correctly — it just produces an unsigned `.dmg` / `.msi`. Set the secrets once and every subsequent tag push signs for free.
Linux ships clean today: the AppImage is unsigned but accompanied by a SHA-256 checksum, which is sufficient for the v0.1 trust posture.
---
## macOS — Developer ID signing + notarisation
**Prerequisite:** enrol in the Apple Developer Program at <https://developer.apple.com> ($99/year individual or $299/year organisation). Notarisation requires an enrolled account; unsigned `.dmg` files trigger Gatekeeper warnings (documented in `docs/release/install-warnings.md`).
1. **Generate a Developer ID Application certificate.**
- Xcode → Settings → Accounts → select your Apple ID → Manage Certificates → click `+` → Developer ID Application.
- Alternatively: Apple Developer portal → Certificates, Identifiers & Profiles → Certificates → `+`.
2. **Export the certificate as a `.p12`.**
- Open Keychain Access → My Certificates → find "Developer ID Application: Your Name (TEAMID)".
- Right-click → Export → choose `.p12` format → set a strong export password. Keep the password; you'll need it next.
3. **Base64-encode the `.p12` for GitHub.**
```sh
base64 -i developer-id.p12 | pbcopy
```
4. **Set the GitHub secrets** (run from the repo root; paste when prompted):
```sh
gh secret set APPLE_CERTIFICATE # paste the base64 blob
gh secret set APPLE_CERTIFICATE_PASSWORD # the .p12 export password
gh secret set APPLE_SIGNING_IDENTITY # e.g. "Developer ID Application: Jake Sames (AB12CD34EF)"
gh secret set APPLE_ID # your Apple ID email address
gh secret set APPLE_PASSWORD # an app-specific password from appleid.apple.com
gh secret set APPLE_TEAM_ID # 10-character team ID (visible in the Developer portal)
```
To create the app-specific password: <https://appleid.apple.com> → Sign-In and Security → App-Specific Passwords → Generate.
5. **Re-tag.** The next CI run will sign and notarise the `.dmg` automatically. The `tauri-action` runner detects the env vars at build time — no workflow edits required.
---
## Windows — EV code-signing certificate
**Why EV and not OV?** Extended Validation certificates earn immediate SmartScreen reputation. OV certificates require download volume to "warm up" before SmartScreen stops warning users. For a new product, EV is the only practical path to a clean install experience.
1. **Purchase an EV code-signing certificate.** Reputable CAs:
- DigiCert — supports KeyLocker (cloud signing, CI-friendly)
- Sectigo — supports Code Signing on Demand
- SSL.com — supports eSigner cloud signing
Typical cost: £200£400/year. Budget 15 business days for identity verification.
2. **Use the CA's cloud-signing service for CI.** EV certs ship on a USB hardware token that cannot be copied to a CI runner. Every major CA now offers a cloud equivalent:
- DigiCert KeyLocker, Sectigo CSOD, SSL.com eSigner.
- Follow the CA's CI integration guide to obtain a signing credential (usually a client certificate or API token) that does not require the physical token.
3. **Set the GitHub secrets** once you have the cloud-signing credential:
```sh
gh secret set WINDOWS_CERTIFICATE # base64-encoded cert (local) or cloud-signing client cert
gh secret set WINDOWS_CERTIFICATE_PASSWORD # cert password / PIN
```
If your CA's cloud-signing workflow requires additional env vars (e.g. a KeyLocker API key), set those as secrets and pass them in the `env:` block of the `Build (release)` step in `build.yml` — keep the existing pattern.
4. **Re-tag.** The `tauri-action` runner picks up `WINDOWS_CERTIFICATE` + `WINDOWS_CERTIFICATE_PASSWORD` and signs the `.msi` and `.exe` automatically.
---
## Verify after setting secrets
Run a test tag to confirm signing is working before the real release:
```sh
git tag v0.1.0-test1
git push origin v0.1.0-test1
```
Watch the CI run. In the macOS job log look for `Signed using developer ID...` and in the Windows job look for `Signed using SignTool`. Once confirmed, delete the test tag:
```sh
git push --delete origin v0.1.0-test1
git tag -d v0.1.0-test1
```
---
## Until signing is configured
- macOS users see a Gatekeeper warning on first launch. Workaround: right-click the `.dmg` → Open. Documented in `docs/release/install-warnings.md`.
- Windows users see a SmartScreen warning on first run. Workaround: More info → Run anyway. Documented in `docs/release/install-warnings.md`.
- Linux ships clean today (AppImage + SHA-256 checksum).