feat: add macOS signing and notarization support for Electron builds

JulianFun123 · JulianFun123 · commit 8c3cb022684c · 2026-03-25T16:32:53.000+01:00
diff --git a/.github/workflows/release-electron.yml b/.github/workflows/release-electron.yml
@@ -58,6 +58,42 @@ jobs:
       - name: Install workspace dependencies
         run: pnpm install --frozen-lockfile
 
+      - name: Prepare Apple signing certificate
+        if: runner.os == 'macOS' && secrets.APPLE_SIGN_CERTIFICATE_P12_BASE64 != ''
+        shell: bash
+        run: |
+          CERTIFICATE_PATH="$RUNNER_TEMP/starquery-macos-signing.p12"
+          KEYCHAIN_PATH="$RUNNER_TEMP/starquery-signing.keychain-db"
+          KEYCHAIN_PASSWORD="$(uuidgen)"
+
+          echo "${{ secrets.APPLE_SIGN_CERTIFICATE_P12_BASE64 }}" | base64 --decode > "$CERTIFICATE_PATH"
+
+          security create-keychain -p "$KEYCHAIN_PASSWORD" "$KEYCHAIN_PATH"
+          security set-keychain-settings -lut 21600 "$KEYCHAIN_PATH"
+          security unlock-keychain -p "$KEYCHAIN_PASSWORD" "$KEYCHAIN_PATH"
+          security import "$CERTIFICATE_PATH" \
+            -k "$KEYCHAIN_PATH" \
+            -P "${{ secrets.APPLE_SIGN_CERTIFICATE_PASSWORD }}" \
+            -T /usr/bin/codesign \
+            -T /usr/bin/security \
+            -T /usr/bin/productbuild
+          security set-key-partition-list \
+            -S apple-tool:,apple:,codesign: \
+            -s \
+            -k "$KEYCHAIN_PASSWORD" \
+            "$KEYCHAIN_PATH"
+          security default-keychain -d user -s "$KEYCHAIN_PATH"
+          security list-keychains -d user -s "$KEYCHAIN_PATH" $(security list-keychains -d user | tr -d '"')
+          echo "KEYCHAIN_PATH=$KEYCHAIN_PATH" >> "$GITHUB_ENV"
+
+      - name: Prepare Apple notarization API key
+        if: runner.os == 'macOS' && secrets.APPLE_NOTARY_API_KEY_P8_BASE64 != ''
+        shell: bash
+        run: |
+          API_KEY_PATH="$RUNNER_TEMP/AuthKey_${{ secrets.APPLE_API_KEY_ID }}.p8"
+          echo "${{ secrets.APPLE_NOTARY_API_KEY_P8_BASE64 }}" | base64 --decode > "$API_KEY_PATH"
+          echo "APPLE_API_KEY=$API_KEY_PATH" >> "$GITHUB_ENV"
+
       - name: Prepare optional Windows code-signing certificate
         if: runner.os == 'Windows' && secrets.STARQUERY_WINDOWS_CERTIFICATE_BASE64 != ''
         shell: pwsh
@@ -71,6 +107,16 @@ jobs:
 
       - name: Build Electron distributables
         env:
+          STARQUERY_MAC_SIGN: ${{ runner.os == 'macOS' && secrets.APPLE_SIGN_CERTIFICATE_P12_BASE64 != '' && 'true' || 'false' }}
+          STARQUERY_MAC_NOTARIZE: ${{ runner.os == 'macOS' && ((secrets.APPLE_NOTARY_API_KEY_P8_BASE64 != '' && secrets.APPLE_API_KEY_ID != '' && secrets.APPLE_API_ISSUER != '') || (secrets.APPLE_ID != '' && secrets.APPLE_APP_SPECIFIC_PASSWORD != '' && secrets.APPLE_TEAM_ID != '')) && 'true' || 'false' }}
+          STARQUERY_MAC_BUNDLE_ID: ${{ vars.STARQUERY_MAC_BUNDLE_ID }}
+          STARQUERY_MAC_APP_CATEGORY: ${{ vars.STARQUERY_MAC_APP_CATEGORY }}
+          APPLE_SIGN_IDENTITY: ${{ secrets.APPLE_SIGN_IDENTITY }}
+          APPLE_API_KEY_ID: ${{ secrets.APPLE_API_KEY_ID }}
+          APPLE_API_ISSUER: ${{ secrets.APPLE_API_ISSUER }}
+          APPLE_ID: ${{ secrets.APPLE_ID }}
+          APPLE_APP_SPECIFIC_PASSWORD: ${{ secrets.APPLE_APP_SPECIFIC_PASSWORD }}
+          APPLE_TEAM_ID: ${{ secrets.APPLE_TEAM_ID }}
           STARQUERY_MSIX_PUBLISHER: ${{ vars.STARQUERY_MSIX_PUBLISHER }}
           STARQUERY_MSIX_PUBLISHER_DISPLAY_NAME: ${{ vars.STARQUERY_MSIX_PUBLISHER_DISPLAY_NAME }}
           STARQUERY_MSIX_IDENTITY_NAME: ${{ vars.STARQUERY_MSIX_IDENTITY_NAME }}
diff --git a/README.md b/README.md
@@ -277,6 +277,40 @@ These are only relevant for Windows Electron builds. The Electron Forge setup no
 | `WINDOWS_CERTIFICATE_FILE` | unset | Optional `.pfx` path for signed Windows/MSIX builds outside the Store. |
 | `WINDOWS_CERTIFICATE_PASSWORD` | unset | Password for `WINDOWS_CERTIFICATE_FILE`. |
 
+## Electron macOS Signing And Notarization
+
+The Electron Forge setup can now sign and notarize the regular macOS ZIP distribution without enabling any Mac App Store packaging path.
+
+Build-time environment variables:
+
+| Variable | Default | Description |
+| --- | --- | --- |
+| `STARQUERY_MAC_SIGN` | `false` | Enables macOS code signing for the Electron build. |
+| `STARQUERY_MAC_NOTARIZE` | `false` | Enables notarization for the macOS Electron build. |
+| `STARQUERY_MAC_BUNDLE_ID` | `com.interaapps.starquery` | Bundle identifier used for the regular macOS app build. |
+| `STARQUERY_MAC_APP_CATEGORY` | `public.app-category.developer-tools` | App category written into the macOS app metadata. |
+| `APPLE_SIGN_IDENTITY` | unset | Optional explicit signing identity, for example `Developer ID Application: Your Name (TEAMID)`. If unset, Electron signing can auto-detect a suitable identity from the keychain. |
+| `APPLE_API_KEY` | unset | Path to the App Store Connect API key `.p8` file used for notarization. |
+| `APPLE_API_KEY_ID` | unset | App Store Connect API key ID used for notarization. |
+| `APPLE_API_ISSUER` | unset | App Store Connect API issuer ID used for notarization. |
+| `APPLE_ID` | unset | Optional fallback Apple ID for notarization when not using API-key-based notarization. |
+| `APPLE_APP_SPECIFIC_PASSWORD` | unset | App-specific password for `APPLE_ID` notarization. |
+| `APPLE_TEAM_ID` | unset | Apple team ID required for Apple-ID-based notarization. |
+
+GitHub Actions secrets for the macOS release job:
+
+| Secret | Required | Description |
+| --- | --- | --- |
+| `APPLE_SIGN_CERTIFICATE_P12_BASE64` | yes for signing | Base64-encoded exported `.p12` containing the `Developer ID Application` certificate. |
+| `APPLE_SIGN_CERTIFICATE_PASSWORD` | yes for signing | Password used when exporting the `.p12` certificate. |
+| `APPLE_SIGN_IDENTITY` | recommended | Exact signing identity name, if you want to avoid auto-detection ambiguity. |
+| `APPLE_NOTARY_API_KEY_P8_BASE64` | recommended for notarization | Base64-encoded App Store Connect API key `.p8`. |
+| `APPLE_API_KEY_ID` | recommended for notarization | App Store Connect API key ID. |
+| `APPLE_API_ISSUER` | recommended for notarization | App Store Connect API issuer ID. |
+| `APPLE_ID` | optional fallback | Apple ID email if you want to use the older Apple-ID notarization flow instead of API keys. |
+| `APPLE_APP_SPECIFIC_PASSWORD` | optional fallback | App-specific password for the Apple-ID notarization flow. |
+| `APPLE_TEAM_ID` | optional fallback | Team ID for the Apple-ID notarization flow. |
+
 ## Backend Configuration Examples
 
 ### Hosted with MySQL meta database
diff --git a/packages/electron/forge.config.js b/packages/electron/forge.config.js
@@ -7,6 +7,7 @@ const iconBasePath = path.resolve(__dirname, 'images', 'icon');
 const pngIconPath = path.resolve(__dirname, 'images', 'icon.png');
 const icoIconPath = path.resolve(__dirname, 'images', 'icon.ico');
 const msixAssetsPath = path.resolve(__dirname, 'images', 'msix-assets');
+const isDarwin = process.platform === 'darwin';
 
 function readBooleanEnv(name, fallback = false) {
   const value = process.env[name];
@@ -55,10 +56,69 @@ function buildMsixMakerConfig() {
   return config;
 }
 
+function buildMacSignConfig() {
+  if (!isDarwin || !readBooleanEnv('STARQUERY_MAC_SIGN', false)) {
+    return undefined;
+  }
+
+  const config = {
+    hardenedRuntime: true,
+    gatekeeperAssess: false,
+  };
+
+  const identity = process.env.APPLE_SIGN_IDENTITY || process.env.CSC_NAME;
+  if (identity) {
+    config.identity = identity;
+  }
+
+  return config;
+}
+
+function buildMacNotarizeConfig() {
+  if (!isDarwin || !readBooleanEnv('STARQUERY_MAC_NOTARIZE', false)) {
+    return undefined;
+  }
+
+  const appleApiKey = process.env.APPLE_API_KEY;
+  const appleApiKeyId = process.env.APPLE_API_KEY_ID;
+  const appleApiIssuer = process.env.APPLE_API_ISSUER;
+
+  if (appleApiKey && appleApiKeyId && appleApiIssuer) {
+    return {
+      appleApiKey,
+      appleApiKeyId,
+      appleApiIssuer,
+    };
+  }
+
+  const appleId = process.env.APPLE_ID;
+  const appleIdPassword =
+    process.env.APPLE_APP_SPECIFIC_PASSWORD || process.env.APPLE_PASSWORD;
+  const teamId = process.env.APPLE_TEAM_ID;
+
+  if (appleId && appleIdPassword && teamId) {
+    return {
+      appleId,
+      appleIdPassword,
+      teamId,
+    };
+  }
+
+  return undefined;
+}
+
+const macSignConfig = buildMacSignConfig();
+const macNotarizeConfig = buildMacNotarizeConfig();
+
 module.exports = {
   packagerConfig: {
     icon: iconBasePath,
     asar: true,
+    appBundleId: process.env.STARQUERY_MAC_BUNDLE_ID || 'com.interaapps.starquery',
+    appCategoryType:
+      process.env.STARQUERY_MAC_APP_CATEGORY || 'public.app-category.developer-tools',
+    ...(macSignConfig ? { osxSign: macSignConfig } : {}),
+    ...(macNotarizeConfig ? { osxNotarize: macNotarizeConfig } : {}),
   },
   rebuildConfig: {},
   makers: [
