Apple code signing complete: Developer ID + notarization in one command

The jobs-apply Electron app is now code-signed and notarized with a single command. The Developer ID certificate (Alejandro Gutierrez, F8N8NR33SG) is installed in the login keychain, and the notarization credentials are stored as the keychain profile jobs-apply-notary. For future builds, pnpm run dist handles signing, notarization, and stapling automatically.

What Happened

Before this work, every DMG shipped with ad-hoc signing. macOS Gatekeeper flagged the app on first launch, requiring users to right-click > Open and dismiss a scary warning. This was acceptable during private testing but a hard blocker for any public distribution: Mac App Store submission, direct download from the website, or sharing with beta testers outside the immediate circle.

The fix was a three-step process collapsed into permanent infrastructure:

  1. Certificate. Enrolled in the Apple Developer Program, generated a Developer ID Application certificate, and installed it in the login keychain. The certificate identity Alejandro Gutierrez (F8N8NR33SG) is now the signing identity for all electron-builder runs.

  2. Notarization profile. Created a keychain profile (jobs-apply-notary) storing the Apple ID, team ID, and app-specific password. This eliminates any need to pass credentials via environment variables or CI secrets: xcrun notarytool pulls them from the keychain automatically.

  3. Build integration. electron-builder’s mac config now references the signing identity, and the afterSign hook triggers notarization and stapling. The entire flow (build, sign, notarize, staple, package DMG) runs end-to-end from pnpm run dist with zero manual steps.

Why It Matters

Code signing was the last infrastructure prerequisite blocking three distribution paths simultaneously:

  • Mac App Store. Submission requires a signed, notarized app. Now possible without any additional setup.
  • Gatekeeper pass. Direct downloads from the R2-hosted DMG will open cleanly on first launch. No right-click workaround, no System Preferences override.
  • Auto-update. electron-updater (currently removed due to crash issues) requires signed binaries to verify update integrity. When the updater is re-enabled, the signing chain is already in place.

The keychain profile approach is also more secure than environment-variable-based signing. Credentials never appear in shell history, process lists, or CI logs. The profile is scoped to the local machine; it can be moved to a CI runner by exporting the keychain itself rather than by copying plaintext secrets.

Evidence

  • Certificate installed: security find-identity -v -p codesigning shows Alejandro Gutierrez (F8N8NR33SG).
  • Keychain profile stored: xcrun notarytool history --keychain-profile jobs-apply-notary returns submission history.
  • DMG built and notarized via pnpm run dist: spctl --assess --type execute passes on the resulting .app.
  • Gatekeeper test: fresh download of DMG on a clean user account opens without warning.