Distribution & Notarization

Properties3

Is BaseNo

Iconi-lucide-package

Order20

Requirements

A "Developer ID Application" certificate in Keychain
An app-specific password for your Apple ID

Check for a valid signing certificate:

security find-identity -v -p codesigning | grep "Developer ID"

Full Pipeline

export SIGN_IDENTITY="Developer ID Application: Your Name (TEAM_ID)"
export APPLE_ID="your@apple.id"
export APPLE_PASSWORD="xxxx-xxxx-xxxx-xxxx"
export APPLE_TEAM_ID="YOUR_TEAM_ID"

git tag v0.1.0
pixi run sign       # build-release → package → sign
pixi run dmg        # create Kytos-0.1.0.dmg
pixi run notarize   # submit, wait, staple

Tasks

Task	Description
`build-release`	Release configuration with `ARCHS=arm64`
`package`	Copy `.app` to project root
`sign`	Code sign all Mach-O binaries with hardened runtime
`dmg`	Create `Kytos-<version>.dmg`
`notarize`	Submit to Apple, wait for approval, staple ticket
`changelog`	Generate changelog from git log since last tag

Notes

build-release passes CODE_SIGN_INJECT_BASE_ENTITLEMENTS=NO to strip com.apple.security.get-task-allow, which blocks notarization
sign with a SIGN_IDENTITY uses --options runtime --timestamp (hardened runtime + secure timestamp, both required)
Without SIGN_IDENTITY, sign defaults to ad-hoc (codesign --force --deep --sign -) for local testing