Files
Lumotia/docs/release/code-signing-setup.md
Jake 3770815fbf
Some checks failed
check / cargo check (macos-latest) (push) Has been cancelled
check / cargo check (ubuntu-22.04) (push) Has been cancelled
check / cargo check (windows-latest) (push) Has been cancelled
check / svelte build + lint (push) Has been cancelled
agent: lumotia — v0.1 release-completion run
Closes the code-side v0.1 ship gate. All quality gates green:
cargo fmt/clippy/test (~327 tests), npm check (0/0), vitest 13/13,
scripts/dogfood-rebrand-drill.sh 8/8.

Phase F — first-run onboarding promoted to v0.1
- FirstRunPage with skip-to-main + failure recovery + event recording
- Six onboarding commands (record/list/has-completed + lumotia_events)
- Storage migration v17 (onboarding_events + lumotia_events tables)

UI hardening (in-scope items from v0.1-ui-hardening.md)
- StatusPill + PostCaptureCard components, 21st preview entry
- Sidebar recording-as-sacred-state (opacity + aria-disabled, reduced-motion)
- Settings 6-section regroup + Help section + Activation log + Privacy toggle
- Error-state copy sweep (DictationPage + SettingsPage, plain-language)
- Global :focus-visible rule, textarea outlines restored
- Ctrl+K / Ctrl+, / Escape bindings in +layout

LLM resilience
- rule_based_extract_tasks (regex-free imperative-verb extractor) +
  extract_tasks_with_fallback wrapper — task extraction never returns zero
- tokio::time::timeout(120s) wraps cleanup/tags/tasks commands

Release artefacts
- LICENSE (canonical AGPL-3.0), CHANGELOG (Keep-a-Changelog format)
- v0.1-release-notes, privacy-and-ai-use, install-warnings,
  tester-onboarding-kit, tester-acceptance-runbook, code-signing-setup,
  apple-silicon-rb08-runbook, virtual-audio-setup, v0.1-contrast-audit
- Workspace versioning + AGPL spdx; npm exact-pin (10 ranges removed)
- AppImage SHA-256 sidecar in build.yml
- README v0.1 section + Reporting-issues; canonical repo slug

Closure pass — items moved from human-required to code-complete
- KI-02 Linux idle inhibit: zbus 5 → org.freedesktop.login1.Manager.Inhibit
- KI-03 Windows sleep prevention: SetThreadExecutionState(ES_CONTINUOUS|...)
- acquire/release_idle_inhibit Tauri commands, wired in DictationPage
- Diagnostic-bundle frontend wire-up (Settings → Help button)
- WCAG-AA contrast fix via .btn-filled-text utility (no token changes)
- 8 destructive-action sites wrapped in plain-language confirm() guards
- KNOWN-ISSUES.md + v0.1-known-limitations.md updated (KI-02/03 fixed)

Scripts
- pre-tag-verify.sh, tag-day.sh, smoke-linux + driver
- parse-diagnostic-bundle.sh, parse-activation-log.py

Per-item audit trail: docs/release/v0.1-completion-status.md
Remaining: W-01…W-08 (signing certs, hardware probes, smoke matrix,
tester recruitment) — see docs/release/v0.1-known-limitations.md.
2026-05-15 06:59:08 +01:00

96 lines
5.0 KiB
Markdown
Raw Blame History

This file contains ambiguous Unicode characters
This file contains Unicode characters that might be confused with other characters. If you think that this is intentional, you can safely ignore this warning. Use the Escape button to reveal them.
---
name: code-signing-setup
type: release
tags: [release, signing, notarisation, macos, windows, secrets]
description: "Step-by-step walkthrough: procure signing certificates and set the GitHub secrets that activate conditional code-signing in the CI workflow."
---
# Code-signing setup
The CI workflow (`build.yml`) signs automatically when the relevant GitHub secrets are present. If they aren't set, the workflow still builds correctly — it just produces an unsigned `.dmg` / `.msi`. Set the secrets once and every subsequent tag push signs for free.
Linux ships clean today: the AppImage is unsigned but accompanied by a SHA-256 checksum, which is sufficient for the v0.1 trust posture.
---
## macOS — Developer ID signing + notarisation
**Prerequisite:** enrol in the Apple Developer Program at <https://developer.apple.com> ($99/year individual or $299/year organisation). Notarisation requires an enrolled account; unsigned `.dmg` files trigger Gatekeeper warnings (documented in `docs/release/install-warnings.md`).
1. **Generate a Developer ID Application certificate.**
- Xcode → Settings → Accounts → select your Apple ID → Manage Certificates → click `+` → Developer ID Application.
- Alternatively: Apple Developer portal → Certificates, Identifiers & Profiles → Certificates → `+`.
2. **Export the certificate as a `.p12`.**
- Open Keychain Access → My Certificates → find "Developer ID Application: Your Name (TEAMID)".
- Right-click → Export → choose `.p12` format → set a strong export password. Keep the password; you'll need it next.
3. **Base64-encode the `.p12` for GitHub.**
```sh
base64 -i developer-id.p12 | pbcopy
```
4. **Set the GitHub secrets** (run from the repo root; paste when prompted):
```sh
gh secret set APPLE_CERTIFICATE # paste the base64 blob
gh secret set APPLE_CERTIFICATE_PASSWORD # the .p12 export password
gh secret set APPLE_SIGNING_IDENTITY # e.g. "Developer ID Application: Jake Sames (AB12CD34EF)"
gh secret set APPLE_ID # your Apple ID email address
gh secret set APPLE_PASSWORD # an app-specific password from appleid.apple.com
gh secret set APPLE_TEAM_ID # 10-character team ID (visible in the Developer portal)
```
To create the app-specific password: <https://appleid.apple.com> → Sign-In and Security → App-Specific Passwords → Generate.
5. **Re-tag.** The next CI run will sign and notarise the `.dmg` automatically. The `tauri-action` runner detects the env vars at build time — no workflow edits required.
---
## Windows — EV code-signing certificate
**Why EV and not OV?** Extended Validation certificates earn immediate SmartScreen reputation. OV certificates require download volume to "warm up" before SmartScreen stops warning users. For a new product, EV is the only practical path to a clean install experience.
1. **Purchase an EV code-signing certificate.** Reputable CAs:
- DigiCert — supports KeyLocker (cloud signing, CI-friendly)
- Sectigo — supports Code Signing on Demand
- SSL.com — supports eSigner cloud signing
Typical cost: £200£400/year. Budget 15 business days for identity verification.
2. **Use the CA's cloud-signing service for CI.** EV certs ship on a USB hardware token that cannot be copied to a CI runner. Every major CA now offers a cloud equivalent:
- DigiCert KeyLocker, Sectigo CSOD, SSL.com eSigner.
- Follow the CA's CI integration guide to obtain a signing credential (usually a client certificate or API token) that does not require the physical token.
3. **Set the GitHub secrets** once you have the cloud-signing credential:
```sh
gh secret set WINDOWS_CERTIFICATE # base64-encoded cert (local) or cloud-signing client cert
gh secret set WINDOWS_CERTIFICATE_PASSWORD # cert password / PIN
```
If your CA's cloud-signing workflow requires additional env vars (e.g. a KeyLocker API key), set those as secrets and pass them in the `env:` block of the `Build (release)` step in `build.yml` — keep the existing pattern.
4. **Re-tag.** The `tauri-action` runner picks up `WINDOWS_CERTIFICATE` + `WINDOWS_CERTIFICATE_PASSWORD` and signs the `.msi` and `.exe` automatically.
---
## Verify after setting secrets
Run a test tag to confirm signing is working before the real release:
```sh
git tag v0.1.0-test1
git push origin v0.1.0-test1
```
Watch the CI run. In the macOS job log look for `Signed using developer ID...` and in the Windows job look for `Signed using SignTool`. Once confirmed, delete the test tag:
```sh
git push --delete origin v0.1.0-test1
git tag -d v0.1.0-test1
```
---
## Until signing is configured
- macOS users see a Gatekeeper warning on first launch. Workaround: right-click the `.dmg` → Open. Documented in `docs/release/install-warnings.md`.
- Windows users see a SmartScreen warning on first run. Workaround: More info → Run anyway. Documented in `docs/release/install-warnings.md`.
- Linux ships clean today (AppImage + SHA-256 checksum).