add app bundle ID for MacOS notarization

OWASP · Nov 13, 2024 · fb7bf2a · fb7bf2a
1 parent 0af04e1
commit fb7bf2a
Show file tree

Hide file tree

Showing 3 changed files with 7 additions and 4 deletions.
diff --git a/.github/workflows/release.yaml b/.github/workflows/release.yaml
@@ -158,7 +158,7 @@ jobs:
         run: npm clean-install
 
       - name: Build Windows executable
-        # signing has to be done later with hardware key
+        # code signing done later using Extended Verification (EV) with a hardware key
         run: npm run build:desktop -- --windows --publish never
 
       - name: Save SBOM artifact
@@ -180,7 +180,7 @@ jobs:
       # MacOS signing: certificate and password, see electron.build/code-signing
       CSC_KEY_PASSWORD: ${{ secrets.MAC_CERTS_PASSWORD }}
       CSC_LINK:  ${{ secrets.MAC_CERTS }}
-      # MacOS notarization:
+      # MacOS notarization: see github.com/electron/notarize#readme
       APPLE_ID: ${{ secrets.APPLE_ID }}
       APPLE_APP_SPECIFIC_PASSWORD: ${{ secrets.APPLE_APP_SPECIFIC_PASSWORD }}
       APPLE_TEAM_ID: ${{ secrets.APPLE_TEAM_ID }}

diff --git a/release-process.md b/release-process.md
@@ -133,9 +133,10 @@ and any other relevant channels
 ### Manually notarize / staple for MacOS images
 
 It used to be that [altool][altool] could be used to notarize the MacOS `.dmg` files in the pipeline.
-As of early 2024 this is no longer available and [notarytool][notarize] must be used in a secure environment.
-Used in [the pipeline][notarytool], it can also be done/checked manually:
+As of early 2024 this is no longer available and [notarytool][notarytool] must be used in a secure environment.
+The secrets for both signing and notarization can be checked by running it manually from the command line:
 
+- provide the [code signing certs for MacOS][certs]
 - Download both x86 and arm64 images for the MacOS installer (`*.dmg`)
 - ensure that the apple developer [environment is set up][notarize]
 - notarize and staple, for example with version 2.3.0:
@@ -158,6 +159,7 @@ Token used in the Threat Dragon pipeline as 'SNAPCRAFT_TOKEN', use command to re
 
 [altool]: https://successfulsoftware.net/2023/04/28/moving-from-altool-to-notarytool-for-mac-notarization/
 [area]: https://github.com/OWASP/threat-dragon/releases
+[certs]: https://federicoterzi.com/blog/automatic-code-signing-and-notarization-for-macos-apps-using-github-actions/
 [heroku]: https://id.heroku.com/login
 [herokucli]: https://devcenter.heroku.com/articles/heroku-cli#install-the-heroku-cli
 [herokudash]: https://dashboard.heroku.com/apps

diff --git a/td.vue/vue.config.js b/td.vue/vue.config.js
@@ -41,6 +41,7 @@ module.exports = {
                     provider: 'github'
                 },
                 mac: {
+                    appBundleId: 'org.owasp.threatdragon',
                     category: 'public.app-category.developer-tools',
                     icon: './src/icons/icon.icns',
                     hardenedRuntime: true,