Closes the code-side v0.1 ship gate. All quality gates green: cargo fmt/clippy/test (~327 tests), npm check (0/0), vitest 13/13, scripts/dogfood-rebrand-drill.sh 8/8. Phase F — first-run onboarding promoted to v0.1 - FirstRunPage with skip-to-main + failure recovery + event recording - Six onboarding commands (record/list/has-completed + lumotia_events) - Storage migration v17 (onboarding_events + lumotia_events tables) UI hardening (in-scope items from v0.1-ui-hardening.md) - StatusPill + PostCaptureCard components, 21st preview entry - Sidebar recording-as-sacred-state (opacity + aria-disabled, reduced-motion) - Settings 6-section regroup + Help section + Activation log + Privacy toggle - Error-state copy sweep (DictationPage + SettingsPage, plain-language) - Global :focus-visible rule, textarea outlines restored - Ctrl+K / Ctrl+, / Escape bindings in +layout LLM resilience - rule_based_extract_tasks (regex-free imperative-verb extractor) + extract_tasks_with_fallback wrapper — task extraction never returns zero - tokio::time::timeout(120s) wraps cleanup/tags/tasks commands Release artefacts - LICENSE (canonical AGPL-3.0), CHANGELOG (Keep-a-Changelog format) - v0.1-release-notes, privacy-and-ai-use, install-warnings, tester-onboarding-kit, tester-acceptance-runbook, code-signing-setup, apple-silicon-rb08-runbook, virtual-audio-setup, v0.1-contrast-audit - Workspace versioning + AGPL spdx; npm exact-pin (10 ranges removed) - AppImage SHA-256 sidecar in build.yml - README v0.1 section + Reporting-issues; canonical repo slug Closure pass — items moved from human-required to code-complete - KI-02 Linux idle inhibit: zbus 5 → org.freedesktop.login1.Manager.Inhibit - KI-03 Windows sleep prevention: SetThreadExecutionState(ES_CONTINUOUS|...) - acquire/release_idle_inhibit Tauri commands, wired in DictationPage - Diagnostic-bundle frontend wire-up (Settings → Help button) - WCAG-AA contrast fix via .btn-filled-text utility (no token changes) - 8 destructive-action sites wrapped in plain-language confirm() guards - KNOWN-ISSUES.md + v0.1-known-limitations.md updated (KI-02/03 fixed) Scripts - pre-tag-verify.sh, tag-day.sh, smoke-linux + driver - parse-diagnostic-bundle.sh, parse-activation-log.py Per-item audit trail: docs/release/v0.1-completion-status.md Remaining: W-01…W-08 (signing certs, hardware probes, smoke matrix, tester recruitment) — see docs/release/v0.1-known-limitations.md.
5.0 KiB
name, type, tags, description
| name | type | tags | description | ||||||
|---|---|---|---|---|---|---|---|---|---|
| code-signing-setup | release |
|
Step-by-step walkthrough: procure signing certificates and set the GitHub secrets that activate conditional code-signing in the CI workflow. |
Code-signing setup
The CI workflow (build.yml) signs automatically when the relevant GitHub secrets are present. If they aren't set, the workflow still builds correctly — it just produces an unsigned .dmg / .msi. Set the secrets once and every subsequent tag push signs for free.
Linux ships clean today: the AppImage is unsigned but accompanied by a SHA-256 checksum, which is sufficient for the v0.1 trust posture.
macOS — Developer ID signing + notarisation
Prerequisite: enrol in the Apple Developer Program at https://developer.apple.com ($99/year individual or $299/year organisation). Notarisation requires an enrolled account; unsigned .dmg files trigger Gatekeeper warnings (documented in docs/release/install-warnings.md).
-
Generate a Developer ID Application certificate.
- Xcode → Settings → Accounts → select your Apple ID → Manage Certificates → click
+→ Developer ID Application. - Alternatively: Apple Developer portal → Certificates, Identifiers & Profiles → Certificates →
+.
- Xcode → Settings → Accounts → select your Apple ID → Manage Certificates → click
-
Export the certificate as a
.p12.- Open Keychain Access → My Certificates → find "Developer ID Application: Your Name (TEAMID)".
- Right-click → Export → choose
.p12format → set a strong export password. Keep the password; you'll need it next.
-
Base64-encode the
.p12for GitHub.base64 -i developer-id.p12 | pbcopy -
Set the GitHub secrets (run from the repo root; paste when prompted):
gh secret set APPLE_CERTIFICATE # paste the base64 blob gh secret set APPLE_CERTIFICATE_PASSWORD # the .p12 export password gh secret set APPLE_SIGNING_IDENTITY # e.g. "Developer ID Application: Jake Sames (AB12CD34EF)" gh secret set APPLE_ID # your Apple ID email address gh secret set APPLE_PASSWORD # an app-specific password from appleid.apple.com gh secret set APPLE_TEAM_ID # 10-character team ID (visible in the Developer portal)To create the app-specific password: https://appleid.apple.com → Sign-In and Security → App-Specific Passwords → Generate.
-
Re-tag. The next CI run will sign and notarise the
.dmgautomatically. Thetauri-actionrunner detects the env vars at build time — no workflow edits required.
Windows — EV code-signing certificate
Why EV and not OV? Extended Validation certificates earn immediate SmartScreen reputation. OV certificates require download volume to "warm up" before SmartScreen stops warning users. For a new product, EV is the only practical path to a clean install experience.
-
Purchase an EV code-signing certificate. Reputable CAs:
- DigiCert — supports KeyLocker (cloud signing, CI-friendly)
- Sectigo — supports Code Signing on Demand
- SSL.com — supports eSigner cloud signing Typical cost: £200–£400/year. Budget 1–5 business days for identity verification.
-
Use the CA's cloud-signing service for CI. EV certs ship on a USB hardware token that cannot be copied to a CI runner. Every major CA now offers a cloud equivalent:
- DigiCert KeyLocker, Sectigo CSOD, SSL.com eSigner.
- Follow the CA's CI integration guide to obtain a signing credential (usually a client certificate or API token) that does not require the physical token.
-
Set the GitHub secrets once you have the cloud-signing credential:
gh secret set WINDOWS_CERTIFICATE # base64-encoded cert (local) or cloud-signing client cert gh secret set WINDOWS_CERTIFICATE_PASSWORD # cert password / PINIf your CA's cloud-signing workflow requires additional env vars (e.g. a KeyLocker API key), set those as secrets and pass them in the
env:block of theBuild (release)step inbuild.yml— keep the existing pattern. -
Re-tag. The
tauri-actionrunner picks upWINDOWS_CERTIFICATE+WINDOWS_CERTIFICATE_PASSWORDand signs the.msiand.exeautomatically.
Verify after setting secrets
Run a test tag to confirm signing is working before the real release:
git tag v0.1.0-test1
git push origin v0.1.0-test1
Watch the CI run. In the macOS job log look for Signed using developer ID... and in the Windows job look for Signed using SignTool. Once confirmed, delete the test tag:
git push --delete origin v0.1.0-test1
git tag -d v0.1.0-test1
Until signing is configured
- macOS users see a Gatekeeper warning on first launch. Workaround: right-click the
.dmg→ Open. Documented indocs/release/install-warnings.md. - Windows users see a SmartScreen warning on first run. Workaround: More info → Run anyway. Documented in
docs/release/install-warnings.md. - Linux ships clean today (AppImage + SHA-256 checksum).