Add macOS App Store build workflow#41

Open
bnsoni wants to merge 1 commit into main from feat/macos-appstore-build
bnsoni commented Mar 19, 2026

Contributor

Summary

  • Adds .github/workflows/build-macos-appstore.yml — builds a signed universal .pkg for Mac App Store
  • Adds src-tauri/Info.plist — encryption compliance declaration (required by App Store)

How it works

Unlike iOS (which uses API keys for automatic signing), macOS App Store builds require certificates directly:

Import certs → cargo tauri build --bundles app --target universal-apple-darwin → xcrun productbuild --sign → .pkg

The workflow produces a universal binary (Intel + Apple Silicon) in a single .pkg.

Secrets required (one-time setup)

| Secret | What it is | How to get it |
|---|---|---|
| APPLE_CERTIFICATE | Apple Distribution cert (.p12), base64 | Keychain Access → export cert → base64 -i cert.p12 \| pbcopy |
| APPLE_CERTIFICATE_PASSWORD | Password used when exporting .p12 | You set this during export |
| APPLE_SIGNING_IDENTITY | Signing identity string | security find-identity -v -p codesigning → e.g. Apple Distribution: Class Generation, LLC (L4FWRM8W5Z) |
| MAC_INSTALLER_CERTIFICATE | 3rd Party Mac Developer Installer cert (.p12), base64 | Same export process, different cert type |
| MAC_INSTALLER_CERTIFICATE_PASSWORD | Password for installer cert .p12 | You set this during export |
| MAC_INSTALLER_IDENTITY | Installer identity string | e.g. 3rd Party Mac Developer Installer: Class Generation, LLC (L4FWRM8W5Z) |
| MAC_PROVISIONING_PROFILE | Mac App Store provisioning profile, base64 | developer.apple.com → Profiles → create "Mac App Store Connect" → base64 -i profile.provisionprofile \| pbcopy |
| KEYCHAIN_PASSWORD | Any random string | e.g. openssl rand -base64 32 |

Certificate setup steps

  1. Go to Certificates, IDs & Profiles
  2. Create Apple Distribution certificate (signs the .app)
  3. Create Mac Installer Distribution certificate (signs the .pkg)
  4. Create a Mac App Store Connect provisioning profile linking your App ID (ai.ibl.mentorai) and certificate
  5. Export both certs from Keychain Access as .p12 files
  6. Base64 encode everything and store as GitHub secrets

Output

  • mentorai-macos-pkg — signed .pkg ready for App Store Connect upload
  • mentorai-macos-app — the .app bundle (useful for local testing)

Test plan

  • Configure all 8 secrets in repo settings
  • Trigger workflow manually
  • Verify build produces universal binary .pkg
  • Download .pkg and upload to App Store Connect

🤖 Generated with Claude Code

Adds a workflow that builds a signed universal (x64 + arm64) .pkg for
Mac App Store submission. The workflow:

- Imports Apple Distribution cert (signs .app) and Mac Installer
  Distribution cert (signs .pkg) into a temporary keychain
- Embeds the Mac App Store provisioning profile
- Builds universal binary via cargo tauri build --target universal-apple-darwin
- Creates signed .pkg via xcrun productbuild
- Uploads .pkg and .app as artifacts

Also adds src-tauri/Info.plist with ITSAppUsesNonExemptEncryption=false
(required for App Store compliance).

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
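
The import → build → productbuild flow described in this PR, sketched as workflow steps with the secret handling a reviewer would look for. This is an added example, not the contents of the PR's build-macos-appstore.yml: the secret names come from the PR's table, while `APP_NAME`, the keychain and .p12 file names, the bundle output path, and the omitted toolchain and provisioning-profile steps are assumptions.

```yaml
# Added example, not the PR's workflow file.
name: macos-appstore-signing-example
on: workflow_dispatch          # manual runs only, so fork PRs never reach the secrets
permissions:
  contents: read               # the job needs no write scope on the repository
jobs:
  build:
    runs-on: macos-latest
    env:
      APP_NAME: YourApp        # placeholder (assumption), not a name from the PR
    steps:
      - uses: actions/checkout@v4
      # Assumed: earlier steps install Rust with both darwin targets and tauri-cli.
      - name: Import both certificates into a throwaway keychain
        env:                   # secrets arrive as env vars, not interpolated into the script text
          APP_P12_B64: ${{ secrets.APPLE_CERTIFICATE }}
          APP_P12_PASSWORD: ${{ secrets.APPLE_CERTIFICATE_PASSWORD }}
          PKG_P12_B64: ${{ secrets.MAC_INSTALLER_CERTIFICATE }}
          PKG_P12_PASSWORD: ${{ secrets.MAC_INSTALLER_CERTIFICATE_PASSWORD }}
          KEYCHAIN_PASSWORD: ${{ secrets.KEYCHAIN_PASSWORD }}
        run: |
          set -euo pipefail
          KEYCHAIN="$RUNNER_TEMP/signing.keychain-db"
          umask 077            # decoded .p12 files readable by the runner user only
          echo "$APP_P12_B64" | base64 --decode > "$RUNNER_TEMP/app.p12"
          echo "$PKG_P12_B64" | base64 --decode > "$RUNNER_TEMP/pkg.p12"
          security create-keychain -p "$KEYCHAIN_PASSWORD" "$KEYCHAIN"
          security set-keychain-settings -lut 21600 "$KEYCHAIN"   # auto-lock after 6 hours
          security unlock-keychain -p "$KEYCHAIN_PASSWORD" "$KEYCHAIN"
          # -T grants key access to one signing tool each, instead of -A (any application)
          security import "$RUNNER_TEMP/app.p12" -P "$APP_P12_PASSWORD" -f pkcs12 -k "$KEYCHAIN" -T /usr/bin/codesign
          security import "$RUNNER_TEMP/pkg.p12" -P "$PKG_P12_PASSWORD" -f pkcs12 -k "$KEYCHAIN" -T /usr/bin/productbuild
          security set-key-partition-list -S apple-tool:,apple: -k "$KEYCHAIN_PASSWORD" "$KEYCHAIN" >/dev/null
          security list-keychains -d user -s "$KEYCHAIN"
          rm -f "$RUNNER_TEMP/app.p12" "$RUNNER_TEMP/pkg.p12"     # key material now lives only in the keychain
      - name: Build the .app, sign the .pkg, verify both signatures
        env:
          APPLE_SIGNING_IDENTITY: ${{ secrets.APPLE_SIGNING_IDENTITY }}
          MAC_INSTALLER_IDENTITY: ${{ secrets.MAC_INSTALLER_IDENTITY }}
        run: |
          set -euo pipefail
          cargo tauri build --bundles app --target universal-apple-darwin
          APP="src-tauri/target/universal-apple-darwin/release/bundle/macos/$APP_NAME.app"   # assumed output path
          xcrun productbuild --sign "$MAC_INSTALLER_IDENTITY" --component "$APP" /Applications "$RUNNER_TEMP/$APP_NAME.pkg"
          codesign --verify --deep --strict "$APP"                # fail the job on a broken app signature
          pkgutil --check-signature "$RUNNER_TEMP/$APP_NAME.pkg"  # fail the job on an unsigned or untrusted pkg
      - name: Delete the keychain
        if: always()           # runs even when the build or signing step fails
        run: security delete-keychain "$RUNNER_TEMP/signing.keychain-db" || true
```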