Files
Lumotia/docs/release/code-signing-setup.md
Jake 3770815fbf
Some checks failed
check / cargo check (macos-latest) (push) Has been cancelled
check / cargo check (ubuntu-22.04) (push) Has been cancelled
check / cargo check (windows-latest) (push) Has been cancelled
check / svelte build + lint (push) Has been cancelled
agent: lumotia — v0.1 release-completion run
Closes the code-side v0.1 ship gate. All quality gates green:
cargo fmt/clippy/test (~327 tests), npm check (0/0), vitest 13/13,
scripts/dogfood-rebrand-drill.sh 8/8.

Phase F — first-run onboarding promoted to v0.1
- FirstRunPage with skip-to-main + failure recovery + event recording
- Six onboarding commands (record/list/has-completed + lumotia_events)
- Storage migration v17 (onboarding_events + lumotia_events tables)

UI hardening (in-scope items from v0.1-ui-hardening.md)
- StatusPill + PostCaptureCard components, 21st preview entry
- Sidebar recording-as-sacred-state (opacity + aria-disabled, reduced-motion)
- Settings 6-section regroup + Help section + Activation log + Privacy toggle
- Error-state copy sweep (DictationPage + SettingsPage, plain-language)
- Global :focus-visible rule, textarea outlines restored
- Ctrl+K / Ctrl+, / Escape bindings in +layout

LLM resilience
- rule_based_extract_tasks (regex-free imperative-verb extractor) +
  extract_tasks_with_fallback wrapper — task extraction never returns zero
- tokio::time::timeout(120s) wraps cleanup/tags/tasks commands

Release artefacts
- LICENSE (canonical AGPL-3.0), CHANGELOG (Keep-a-Changelog format)
- v0.1-release-notes, privacy-and-ai-use, install-warnings,
  tester-onboarding-kit, tester-acceptance-runbook, code-signing-setup,
  apple-silicon-rb08-runbook, virtual-audio-setup, v0.1-contrast-audit
- Workspace versioning + AGPL spdx; npm exact-pin (10 ranges removed)
- AppImage SHA-256 sidecar in build.yml
- README v0.1 section + Reporting-issues; canonical repo slug

Closure pass — items moved from human-required to code-complete
- KI-02 Linux idle inhibit: zbus 5 → org.freedesktop.login1.Manager.Inhibit
- KI-03 Windows sleep prevention: SetThreadExecutionState(ES_CONTINUOUS|...)
- acquire/release_idle_inhibit Tauri commands, wired in DictationPage
- Diagnostic-bundle frontend wire-up (Settings → Help button)
- WCAG-AA contrast fix via .btn-filled-text utility (no token changes)
- 8 destructive-action sites wrapped in plain-language confirm() guards
- KNOWN-ISSUES.md + v0.1-known-limitations.md updated (KI-02/03 fixed)

Scripts
- pre-tag-verify.sh, tag-day.sh, smoke-linux + driver
- parse-diagnostic-bundle.sh, parse-activation-log.py

Per-item audit trail: docs/release/v0.1-completion-status.md
Remaining: W-01…W-08 (signing certs, hardware probes, smoke matrix,
tester recruitment) — see docs/release/v0.1-known-limitations.md.
2026-05-15 06:59:08 +01:00

5.0 KiB
Raw Blame History

name, type, tags, description
name type tags description
code-signing-setup release
release
signing
notarisation
macos
windows
secrets
Step-by-step walkthrough: procure signing certificates and set the GitHub secrets that activate conditional code-signing in the CI workflow.

Code-signing setup

The CI workflow (build.yml) signs automatically when the relevant GitHub secrets are present. If they aren't set, the workflow still builds correctly — it just produces an unsigned .dmg / .msi. Set the secrets once and every subsequent tag push signs for free.

Linux ships clean today: the AppImage is unsigned but accompanied by a SHA-256 checksum, which is sufficient for the v0.1 trust posture.


macOS — Developer ID signing + notarisation

Prerequisite: enrol in the Apple Developer Program at https://developer.apple.com ($99/year individual or $299/year organisation). Notarisation requires an enrolled account; unsigned .dmg files trigger Gatekeeper warnings (documented in docs/release/install-warnings.md).

  1. Generate a Developer ID Application certificate.

    • Xcode → Settings → Accounts → select your Apple ID → Manage Certificates → click + → Developer ID Application.
    • Alternatively: Apple Developer portal → Certificates, Identifiers & Profiles → Certificates → +.
  2. Export the certificate as a .p12.

    • Open Keychain Access → My Certificates → find "Developer ID Application: Your Name (TEAMID)".
    • Right-click → Export → choose .p12 format → set a strong export password. Keep the password; you'll need it next.
  3. Base64-encode the .p12 for GitHub.

    base64 -i developer-id.p12 | pbcopy
    
  4. Set the GitHub secrets (run from the repo root; paste when prompted):

    gh secret set APPLE_CERTIFICATE            # paste the base64 blob
    gh secret set APPLE_CERTIFICATE_PASSWORD   # the .p12 export password
    gh secret set APPLE_SIGNING_IDENTITY       # e.g. "Developer ID Application: Jake Sames (AB12CD34EF)"
    gh secret set APPLE_ID                     # your Apple ID email address
    gh secret set APPLE_PASSWORD               # an app-specific password from appleid.apple.com
    gh secret set APPLE_TEAM_ID               # 10-character team ID (visible in the Developer portal)
    

    To create the app-specific password: https://appleid.apple.com → Sign-In and Security → App-Specific Passwords → Generate.

  5. Re-tag. The next CI run will sign and notarise the .dmg automatically. The tauri-action runner detects the env vars at build time — no workflow edits required.


Windows — EV code-signing certificate

Why EV and not OV? Extended Validation certificates earn immediate SmartScreen reputation. OV certificates require download volume to "warm up" before SmartScreen stops warning users. For a new product, EV is the only practical path to a clean install experience.

  1. Purchase an EV code-signing certificate. Reputable CAs:

    • DigiCert — supports KeyLocker (cloud signing, CI-friendly)
    • Sectigo — supports Code Signing on Demand
    • SSL.com — supports eSigner cloud signing Typical cost: £200£400/year. Budget 15 business days for identity verification.
  2. Use the CA's cloud-signing service for CI. EV certs ship on a USB hardware token that cannot be copied to a CI runner. Every major CA now offers a cloud equivalent:

    • DigiCert KeyLocker, Sectigo CSOD, SSL.com eSigner.
    • Follow the CA's CI integration guide to obtain a signing credential (usually a client certificate or API token) that does not require the physical token.
  3. Set the GitHub secrets once you have the cloud-signing credential:

    gh secret set WINDOWS_CERTIFICATE          # base64-encoded cert (local) or cloud-signing client cert
    gh secret set WINDOWS_CERTIFICATE_PASSWORD # cert password / PIN
    

    If your CA's cloud-signing workflow requires additional env vars (e.g. a KeyLocker API key), set those as secrets and pass them in the env: block of the Build (release) step in build.yml — keep the existing pattern.

  4. Re-tag. The tauri-action runner picks up WINDOWS_CERTIFICATE + WINDOWS_CERTIFICATE_PASSWORD and signs the .msi and .exe automatically.


Verify after setting secrets

Run a test tag to confirm signing is working before the real release:

git tag v0.1.0-test1
git push origin v0.1.0-test1

Watch the CI run. In the macOS job log look for Signed using developer ID... and in the Windows job look for Signed using SignTool. Once confirmed, delete the test tag:

git push --delete origin v0.1.0-test1
git tag -d v0.1.0-test1

Until signing is configured

  • macOS users see a Gatekeeper warning on first launch. Workaround: right-click the .dmg → Open. Documented in docs/release/install-warnings.md.
  • Windows users see a SmartScreen warning on first run. Workaround: More info → Run anyway. Documented in docs/release/install-warnings.md.
  • Linux ships clean today (AppImage + SHA-256 checksum).