|
| 1 | +# Sign for macOS {: .doctitle} |
| 2 | +--- |
| 3 | + |
| 4 | +[TOC] |
| 5 | + |
| 6 | +# Overview |
| 7 | + |
| 8 | +You can distribute your macOS apps through official Mac App Store or outside the store. But the apps should always be signed before distribution. Unsigned apps are refused to be launched by the [Gatekeeper](https://support.apple.com/en-us/HT202491). |
| 9 | + |
| 10 | +This guide will show you how to sign NW.js based apps for macOS. |
| 11 | + |
| 12 | +# Prerequisits |
| 13 | + |
| 14 | +* Create a macOS app through [iTunesConnect](https://itunesconnect.apple.com) |
| 15 | +* Obtain Application & Installer certificates from [Apple Developer](https://developer.apple.com). |
| 16 | + - If you distribute your app through **Mac App Store**: |
| 17 | + + 3rd Party Mac Developer Application: Foo (XXXXXXXXXX) |
| 18 | + + 3rd Party Mac Developer Installer: Foo (XXXXXXXXXX) |
| 19 | + - If you distribute your app **outside the store**: |
| 20 | + + Developer ID Application: Foo (XXXXXXXXXX) |
| 21 | + + Developer ID Installer: Foo (XXXXXXXXXX) |
| 22 | + |
| 23 | +# Build the App |
| 24 | + |
| 25 | +Download NW.js MAS build from [nwjs.io](https://nwjs.io/downloads/) and build your app as described in [Package and Distribute](../Package and Distribute.md). |
| 26 | + |
| 27 | +# Sign the App |
| 28 | + |
| 29 | +`build_mas.py` is used to sign your app for macOS. And the script can generate an uploadable `.pkg` file for Mac App Store after signing by giving `--pkg` argument. |
| 30 | + |
| 31 | +**Basic Usage** |
| 32 | + |
| 33 | +```bash |
| 34 | +python build_mas.py -C build.cfg -I myapp-dev.app -O MyApp.app |
| 35 | +``` |
| 36 | + |
| 37 | +## Configuration File Format |
| 38 | + |
| 39 | +Configuration file (`build.cfg`) is a human readable text file. It contains important settings for signing and packaging the app. |
| 40 | + |
| 41 | +`ApplicationIdentity` and `InstallerIdentity` are the names of the certificates used for signing and packaging your app. See [Prerequisits](#prerequisits) for which certificates you need. |
| 42 | + |
| 43 | +`NWTeamID` is used to establish IPC channels for launch NW.js based app. It can be obtained from Apple Developer -> Membership -> Team ID. |
| 44 | + |
| 45 | +`ParentEntitlements` and `ChildEntitlements` should be valid [entitlements files](https://developer.apple.com/library/content/documentation/Miscellaneous/Reference/EntitlementKeyReference/Chapters/AboutEntitlements.html). By default, your app is signed with minimal privileges as below. |
| 46 | + |
| 47 | +**entitlements-parent.plist** |
| 48 | + |
| 49 | +```xml |
| 50 | +<?xml version="1.0" encoding="UTF-8"?> |
| 51 | +<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd"> |
| 52 | +<plist version="1.0"> |
| 53 | +<dict> |
| 54 | + <key>com.apple.security.app-sandbox</key> |
| 55 | + <true/> |
| 56 | + <key>com.apple.security.application-groups</key> |
| 57 | + <string>NWTeamID.your.app.bundle.id</string> |
| 58 | +</dict> |
| 59 | +</plist> |
| 60 | +``` |
| 61 | + |
| 62 | +**entitlements-child.plist** |
| 63 | + |
| 64 | +```xml |
| 65 | +<?xml version="1.0" encoding="UTF-8"?> |
| 66 | +<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd"> |
| 67 | +<plist version="1.0"> |
| 68 | +<dict> |
| 69 | + <key>com.apple.security.app-sandbox</key> |
| 70 | + <true/> |
| 71 | + <key>com.apple.security.inherit</key> |
| 72 | + <true/> |
| 73 | +</dict> |
| 74 | +</plist> |
| 75 | +``` |
| 76 | + |
| 77 | +Read the sample `build.cfg` for detailed meanings all fields. |
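Review bot: The "Configuration File Format" section (new lines 37-77) never shows the format. It names `ApplicationIdentity`, `InstallerIdentity`, `NWTeamID`, `ParentEntitlements` and `ChildEntitlements`, then closes with "Read the sample `build.cfg`" without giving a path or link to that sample. Please add a short example `build.cfg` inline, or link to the sample file, so readers can see the syntax and which fields are required. In entitlements-parent.plist (line 57), `<string>NWTeamID.your.app.bundle.id</string>` reads like a placeholder, but the text does not say whether `build_mas.py` substitutes the `NWTeamID` value or the reader must edit the file by hand. State which, since a wrong application group identifier ends up in the signed entitlements. The `--pkg` argument is mentioned on line 29 but does not appear under "Basic Usage"; a second command line showing it would help. Smaller points: "Prerequisits" is misspelled in the heading on line 12 and in the `#prerequisits` anchor on line 41 (fix both together so the link keeps working), the link target `../Package and Distribute.md` on line 25 contains unescaped spaces, and line 77 is missing a word ("detailed meanings of all fields").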