GIMP Apple HowTo

Every release build is signed and notarized to comply with Apple policies. Weekly builds are also notarized, but just to avoid surprises from such policies.

Code-signing

The process to create a suitable certificate, when needed, is as follows:

  1. Generate a .csr (certificate signing request):

    openssl req -nodes -newkey rsa:2048 -keyout gimp-apple.key -out CertificateSigningRequest.certSigningRequest

    Fill in the prompts like so (ensure you give it a password):

              Country Name (2 letter code):GB
        State or Province Name (full name):London
                  Locality Name (eg, city):
           Organization Name (eg, company):GNOME
    Organizational Unit Name (eg, section):
            Common Name (e.g. server FQDN):org.gnome.gimp
                             Email Address:

  2. Log in to https://developer.apple.com and go to: “Member Center” -> “Manage your certificates, App IDs, devices, and provisioning profiles.” -> “Certificates” -> “Add”. Go through the wizard, selecting the certificate type, and upload the .csr.

  3. Download the .cer file.

  4. Convert the .cer file to a .pem file:

    openssl x509 -in gimp-apple.cer -inform DER -out gimp-apple.pem -outform PEM

  5. Generate a random password for the certificate (it will later be used as the value of the osx_crt_pw GitLab CI variable):

    osx_crt_pw=$(openssl rand -base64 32)

  6. Convert the .pem to a .p12. Then, encode the .p12 file to base64 (it will later be used as the value of the osx_crt GitLab CI variable):

    openssl pkcs12 -export -legacy -inkey gimp-apple.key -in gimp-apple.pem -out gimp-apple.p12
    osx_crt=$(openssl base64 -in gimp-apple.p12 -out gimp-apple.base64 && cat gimp-apple.base64)
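
Before the values go into GitLab CI, it is worth confirming that the key, the certificate and the .p12 actually belong together and that the .p12 opens with the generated password. The script below is an added example, not part of the GIMP documentation or tooling; the function names are hypothetical, and a throwaway self-signed certificate stands in for the Apple-issued one so that it runs offline.

```bash
# check_signing_bundle KEY PEM P12 PASSWORD
# Returns 0 only if the three files belong together (hypothetical helper).
check_signing_bundle() {
  local key="$1" pem="$2" p12="$3" pw="$4" key_pub crt_pub p12_crt fp_pem fp_p12
  # 1. The certificate must carry the public half of the private key.
  key_pub=$(openssl pkey -in "$key" -pubout 2>/dev/null) || return 1
  crt_pub=$(openssl x509 -in "$pem" -noout -pubkey 2>/dev/null) || return 1
  [ "$key_pub" = "$crt_pub" ] || { echo "key/certificate mismatch" >&2; return 2; }
  # 2. The .p12 must open with the password (handed over via the environment,
  #    not argv). Files written with -legacy need -legacy to read on OpenSSL 3.
  p12_crt=$(P12_PW="$pw" openssl pkcs12 -in "$p12" -passin env:P12_PW \
              -nokeys -clcerts 2>/dev/null) ||
  p12_crt=$(P12_PW="$pw" openssl pkcs12 -legacy -in "$p12" -passin env:P12_PW \
              -nokeys -clcerts 2>/dev/null) ||
    { echo "cannot open .p12 with this password" >&2; return 3; }
  # 3. The certificate inside the .p12 must be the one in the .pem.
  fp_pem=$(openssl x509 -in "$pem" -noout -fingerprint -sha256) || return 1
  fp_p12=$(printf '%s\n' "$p12_crt" | openssl x509 -noout -fingerprint -sha256) || return 1
  [ "$fp_pem" = "$fp_p12" ] || { echo ".p12 holds a different certificate" >&2; return 4; }
}

# Constructed stand-in for steps 1-6: a self-signed certificate replaces the
# one Apple issues. File names follow the steps above; the subject is made up.
make_constructed_bundle() {
  local dir="$1" pw="$2"
  openssl req -x509 -nodes -newkey rsa:2048 -days 1 -subj "/CN=constructed.example" \
    -keyout "$dir/gimp-apple.key" -out "$dir/gimp-apple.pem" 2>/dev/null &&
  P12_PW="$pw" openssl pkcs12 -export -inkey "$dir/gimp-apple.key" \
    -in "$dir/gimp-apple.pem" -out "$dir/gimp-apple.p12" -passout env:P12_PW
}

# Demo run on the constructed files.
demo=$(mktemp -d)
demo_pw=$(openssl rand -base64 32)
make_constructed_bundle "$demo" "$demo_pw" &&
  check_signing_bundle "$demo/gimp-apple.key" "$demo/gimp-apple.pem" \
    "$demo/gimp-apple.p12" "$demo_pw" &&
  echo "bundle consistent"
rm -rf "$demo"
```

With the real files, the call after step 6 is `check_signing_bundle gimp-apple.key gimp-apple.pem gimp-apple.p12 "$osx_crt_pw"`.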

Notarization

The following must be stored as GitLab CI variables:

  • notarization_login: the Apple account email authorized to log in to the Apple Developer portal
  • notarization_password: an “App Specific” password that is generated at https://account.apple.com