{"id":16179813,"url":"https://github.com/bep/buildpkg","last_synced_at":"2025-03-19T01:31:03.211Z","repository":{"id":59047090,"uuid":"533653819","full_name":"bep/buildpkg","owner":"bep","description":"Builds, signs, notarizes and staples a MacOS pkg file.","archived":false,"fork":false,"pushed_at":"2022-09-10T08:38:35.000Z","size":2115,"stargazers_count":14,"open_issues_count":0,"forks_count":2,"subscribers_count":2,"default_branch":"main","last_synced_at":"2025-02-28T13:49:24.260Z","etag":null,"topics":["apple","build-tool","golang","macos","pkgbuild"],"latest_commit_sha":null,"homepage":"","language":"Go","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":"mit","status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/bep.png","metadata":{"files":{"readme":"README.md","changelog":null,"contributing":null,"funding":".github/FUNDING.yml","license":"LICENSE","code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":null,"support":null},"funding":{"github":["bep"]}},"created_at":"2022-09-07T07:23:55.000Z","updated_at":"2024-12-09T16:14:01.000Z","dependencies_parsed_at":"2022-09-11T06:51:27.561Z","dependency_job_id":null,"html_url":"https://github.com/bep/buildpkg","commit_stats":null,"previous_names":[],"tags_count":1,"template":false,"template_full_name":"bep/golibtemplate","repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/bep%2Fbuildpkg","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/bep%2Fbuildpkg/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/bep%2Fbuildpkg/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/bep%2Fbuildpkg/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/bep","download_url":"https://codeload.github.com/bep/buildpkg/tar.gz/refs/heads/main","host":{"name":"GitHub","url":"https://github.co
m","kind":"github","repositories_count":243960361,"owners_count":20375102,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2022-07-04T15:15:14.044Z","host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":["apple","build-tool","golang","macos","pkgbuild"],"created_at":"2024-10-10T05:44:03.574Z","updated_at":"2025-03-19T01:31:02.808Z","avatar_url":"https://github.com/bep.png","language":"Go","funding_links":["https://github.com/sponsors/bep"],"categories":[],"sub_categories":[],"readme":"[![Tests on Linux, MacOS and Windows](https://github.com/bep/buildpkg/workflows/Test/badge.svg)](https://github.com/bep/buildpkg/actions?query=workflow:Test)\n[![Go Report Card](https://goreportcard.com/badge/github.com/bep/buildpkg)](https://goreportcard.com/report/github.com/bep/buildpkg)\n[![GoDoc](https://godoc.org/github.com/bep/buildpkg?status.svg)](https://godoc.org/github.com/bep/buildpkg)\n\nThis journey started with my naive idea that I could do all of this outside of Macintosh/MacOS. It started out great when I found Apple's [Notary API](https://developer.apple.com/documentation/notaryapi), so I wrote [macosnotarylib](https://github.com/bep/macosnotarylib). But I also needed binary and package signing, and I gave up the grand idea. There are some third party libraries that claim to do some of this, but for me, even getting past the trust part where I would have to inspect the code, would be too much work.\n\nSo, I wrote some tooling for this myself that uses Apple's CLI tools and API, and this library is the core part of it. There are Go alternatives out there, most notably [gon](https://github.com/mitchellh/gon). 
The biggest difference is that `gon` produces DMG or ZIP files. This library produces the very end-user-friendly PKG format.\n\nThe building blocks:\n\n* Running `buildpkg.New(opts).Build()` will\n    1. Sign the binary with `codesign`\n    1. Package the binary with `pkgbuild`\n    1. Sign the package with `productsign`\n    1. Check the package with `pkgutil`\n    1. Notarize the package with [macosnotarylib](https://github.com/bep/macosnotarylib) (uses the Apple API)\n    1. Staple the package with `stapler`\n\nFor the **codesign** step you need to create a `Developer ID Application Certificate` and for the **package signing** step you need a `Developer ID Installer Certificate`. These need to be imported into your Keychain. Follow the instructions at [developer.apple.com](https://developer.apple.com/account/resources/certificates/list).\n\n\u003cimg width=\"1028\" alt=\"image\" src=\"https://user-images.githubusercontent.com/394382/189410218-cab4cbf9-4f82-4f4b-ab0a-f19eb90e9c20.png\"\u003e\n\nOnce you have those imported in the Keychain you can locate their common _signing identity_ with `security find-identity -v`, which is `XYZJUFSYL4` in the example below:\n\n```bash\n~/d/g/hugoreleaser ❯❯❯ security find-identity -v\n  1) D4A412805301423E2DF63D90CE37C8A050B3AA2F \"Developer ID Application: Bjørn Erik Pedersen (XYZJUFSYL4)\"\n  2) D4A412805301423E2DF63D90CE37C8A050B3AA2F \"Developer ID Application: Bjørn Erik Pedersen (XYZJUFSYL4)\"\n  3) EADAD38B73CADB2E6975F55B8735F17B09138217 \"Developer ID Installer: Bjørn Erik Pedersen (XYZJUFSYL4)\"\n  4) EADAD38B73CADB2E6975F55B8735F17B09138217 \"Developer ID Installer: Bjørn Erik Pedersen (XYZJUFSYL4)\"\n     4 valid identities found\n```\n\nFor the **notarizer** step you need to [create a new API access key](https://appstoreconnect.apple.com/access/api) with `Developer` access and download the private key. 
Take note of the `Issuer ID` and `Key ID`:\n\n\u003cimg width=\"1025\" alt=\"image\" src=\"https://user-images.githubusercontent.com/394382/189411457-d0ecf2f8-5457-45ad-ae0c-bd48fd48ab5a.png\"\u003e\n\nAlso see [Creating API Keys for App Store Connect API](https://developer.apple.com/documentation/appstoreconnectapi/creating_api_keys_for_app_store_connect_api).\n\nWith the above you could put the _signing identity_ in the `Options` struct and pass it to `New`:\n\n```go\n\ntype Options struct {\n\t// The Info logger.\n\t// If nil, no Info logging will be done.\n\tInfof func(format string, a ...interface{})\n\n\t// The Dir to build from.\n\tDir string\n\n\t// Developer ID Application + Developer ID Installer\n\t// https://developer.apple.com/account/resources/certificates/list\n\tSigningIdentity string\n\n\t// The result\n\tPackageOutputFilename string\n\n\t// The staging directory where all your build artifacts are located.\n\tStagingDirectory string\n\n\t// E.g. io.gohugo.hugo\n\tIdentifier string\n\n\t// E.g. 234\n\tVersion string\n\n\t// E.g. /usr/local/bin\n\tInstallLocation string\n\n\t// Scripts passed on the command line --scripts flag.\n\t// E.g. 
/mypkgscripts\n\tScriptsDirectory string\n\n\t// Flags to enable skipping of build steps.\n\tSkipCodeSigning      bool\n\tSkipInstallerSigning bool\n\tSkipNotarization     bool\n}\n```\n\nThe other settings currently need to be set as OS environment variables:\n\n*  `MACOSNOTARYLIB_ISSUER_ID`\n*  `MACOSNOTARYLIB_KID` (Key ID)\n*  `MACOSNOTARYLIB_PRIVATE_KEY` (in base64 format).\n\n## Use with Hugoreleaser\n\nThere are 2 archive plugins available:\n\n* [macospkgremote](https://github.com/gohugoio/hugoreleaser-archive-plugins/tree/main/macospkgremote)\n* [macospkg](https://github.com/gohugoio/hugoreleaser-archive-plugins/tree/main/macospkg) (a \"local\" variant of the above)\n\nAlso see it configured in Hugoreleaser's [build config](https://github.com/gohugoio/hugoreleaser/blob/main/hugoreleaser.toml).\n","project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fbep%2Fbuildpkg","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Fbep%2Fbuildpkg","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fbep%2Fbuildpkg/lists"}