{"id":16847372,"url":"https://github.com/indygreg/apple-code-sign-action","last_synced_at":"2025-10-05T20:41:47.640Z","repository":{"id":208174632,"uuid":"720937014","full_name":"indygreg/apple-code-sign-action","owner":"indygreg","description":"Sign and notarize Apple applications using open source software","archived":false,"fork":false,"pushed_at":"2025-02-10T09:01:00.000Z","size":925,"stargazers_count":26,"open_issues_count":8,"forks_count":4,"subscribers_count":3,"default_branch":"main","last_synced_at":"2025-03-16T08:31:36.776Z","etag":null,"topics":[],"latest_commit_sha":null,"homepage":null,"language":"JavaScript","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":null,"status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/indygreg.png","metadata":{"files":{"readme":"README.md","changelog":null,"contributing":null,"funding":null,"license":null,"code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":null,"support":null,"governance":null,"roadmap":null,"authors":null,"dei":null,"publiccode":null,"codemeta":null}},"created_at":"2023-11-20T02:21:38.000Z","updated_at":"2025-03-09T00:09:10.000Z","dependencies_parsed_at":null,"dependency_job_id":"b5517437-1f98-4d0f-aed4-6bb8f5a0e9d1","html_url":"https://github.com/indygreg/apple-code-sign-action","commit_stats":null,"previous_names":["indygreg/apple-code-sign-action"],"tags_count":2,"template":false,"template_full_name":"actions/javascript-action","repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/indygreg%2Fapple-code-sign-action","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/indygreg%2Fapple-code-sign-action/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/indygreg%2Fapple-code-sign-action/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/indygreg%2Fapple-code-sign-action/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/indygreg","download_url":"https://codeload.github.com/indygreg/apple-code-sign-action/tar.gz/refs/heads/main","host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":243981155,"owners_count":20378532,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2022-07-04T15:15:14.044Z","host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":[],"created_at":"2024-10-13T13:07:40.749Z","updated_at":"2025-10-05T20:41:42.609Z","avatar_url":"https://github.com/indygreg.png","language":"JavaScript","funding_links":[],"categories":[],"sub_categories":[],"readme":"# Apple Code Signing and Notarization Action\n\nThis action signs, notarizes, and/or staples Apple applications using the open source `rcodesign` tool from https://github.com/indygreg/apple-platform-rs/tree/main/apple-codesign.\n\nThis action can be run from Linux, Windows, and macOS Actions Runners.\n\nThis action is a thin veneer over downloading and invoking `rcodesign`.\nAdvanced customers may want to forego this action and invoke `rcodesign`\ndirectly.\n\n## Usage\n\nYou will likely want an Apple issued code signing certificate. See\nhttps://gregoryszorc.com/docs/apple-codesign/stable/apple_codesign_certificate_management.html\nfor instructions on how to obtain one.\n\nFor notarizing, you will need an App Store Connect API Key. See\nhttps://gregoryszorc.com/docs/apple-codesign/stable/apple_codesign_getting_started.html#obtaining-an-app-store-connect-api-key\nfor instructions on how to obtain one.\n\nIt is up to the caller to materialize a file/directory for\nsigning/notarizing/stapling.\n\nIt is up to the caller to do something with the file/directory operated on.\n\n## Inputs and Outputs\n\nSee [action.yml](action.yml) for the set of inputs. The file should be\nself-documenting.\n\nThe only output is `output_path`, which holds the filesystem path of the\nsigned/notarized/stapled entity.\n\n## Examples\n\nAd-hoc signing.\n\n```yaml\nsteps:\n # Add a step here to materialize a Mach-O binary, bundle, DMG, etc\n # that you want to sign.\n\n - name: Sign an Application Bundle\n uses: indygreg/apple-code-sign-action@v1\n with:\n input_path: MyApp.app\n output_path: dist/MyApp.app\n\n # MyApp.app should be signed, but without a code signing certificate.\n```\n\nSign using a code signing certificate in a .p12/.pfx file.\n\n```yaml\nsteps:\n # Add a step here to materialize a Mach-O binary, bundle, DMG, etc\n # that you want to sign.\n\n - name: Sign a Mach-O binary\n uses: indygreg/apple-code-sign-action@v1\n with:\n input_path: my-exe\n p12_file: cert.p12\n p12_password: ${{ secrets.certificate_password }}\n```\n\nSign using a PEM encoded code signing certificate stored in a secret.\n\n```yaml\nsteps:\n - name: Write PEM encoded private key data to a file\n env:\n # The secret has content:\n #\n # ```\n # -----BEGIN PRIVATE KEY-----\n # MIIEvQIBADANBgkqhkiG9w0BAQEFAASCBKcwggSjAgEAAoIBAQCkdCzwAgHcNbpH\n # ...\n # -----END PRIVATE KEY-----\n # ```\n #\n # Because of the way GitHub Actions secrets are stored, the newlines likely\n # get mangled to a single line. So we pipe to `tr` to translate whitespace\n # to newlines to restore the original format.\n SIGNING_KEY_PEM: ${{ secrets.SIGNING_KEY_PEM }}\n run: |\n echo $SIGNING_KEY_PEM | tr ' ' '\\n' \u003e key.pem\n\n # We assume the `-----BEGIN PUBLIC CERTIFICATE------` exists in a file named\n # `cert.pem`.\n #\n # The public certificate data is not a secret: the public certificate will be\n # embedded in code signatures. So you can safely check this data into version\n # control. You can also store it as a GitHub Secret: it doesn't really much\n # matter how you do it as long as code signing sees both the private key and\n # public certificate data.\n\n - name: Sign a Mach-O binary\n uses: indygreg/apple-code-sign-action@v1\n with:\n input_path: my-exe\n pem_file: |\n key.pem\n cert.pem\n```\n\nSign on a remote machine (requires running `rcodesign remote-sign` on another machine when this action is running).\n\n```yaml\nsteps:\n # Add a step here to materialize a Mach-O binary, bundle, DMG, etc\n # that you want to sign.\n\n - name: Sign a DMG\n uses: indygreg/apple-code-sign-action@v1\n with:\n input_path: MyApp.dmg\n remote_sign_public_key: |\n MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEA6GIrYnjZ3mbcAJjmmEm/\n 5jEp66vjs81MSt7AwVw381lteMoX9nzXVFuI4hwu7o41ZPuSqp+YvG90mMSVoTjy\n m6O1tVoD7m8X0fLdfBegZN7sePlgS34s9Sj0fEvNVjrwFimfWQ1RNR+JNogufeKZ\n IaePfb/hXBSbPxJrMVsCno6lUVuoFu2bJPMJUWxAsDhJLTyllJ5wzVc3MhzSL4OC\n 3B4SCgv/QKi8R7cYIZlJHXZAyghRAO2jpa7PHOfCmCb1tT1Cs50OQlpk9XBv2xGV\n 3r/2kqiG3Ay7cozX8V+oKZtzQHJQrqDVZNNXENcaPo7meoSCIdJhjd+leUI3iTLK\n hwIDAQAB\n```\n\nSign, notarize, and staple an app bundle.\n\n```yaml\nsteps:\n - name: Install App Store Connect API Key\n run: |\n mkdir -p private_keys/\n echo '${{ secrets.app_store_connect_key }}' \u003e private_keys/AuthKey_DEADBEEF.p12\n\n - name: Sign and Notarize\n uses: indygreg/apple-code-sign-action@v1\n with:\n input_path: MyApp.app\n notarize: true\n staple: true\n p12_file: cert.p12\n p12_password: ${{ secrets.certificate_password }}\n # Find the issuer and key ID at https://appstoreconnect.apple.com/access/api.\n # The `AuthKey_XXXXXX.12` file created above must have the same `api_key` value listed here.\n app_store_connect_api_issuer: 'abcdef-42-2411312...'\n app_store_connect_api_key: 'DEADBEEF'\n```\n","project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Findygreg%2Fapple-code-sign-action","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Findygreg%2Fapple-code-sign-action","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Findygreg%2Fapple-code-sign-action/lists"}