ci(desktop): notarize via App Store Connect API key instead of Apple ID

LaZzyMan · LaZzyMan · commit a36b7878d088 · 2026-06-16T10:23:32.000+08:00
Switch the macOS desktop release notarization path from the Apple ID +
app-specific password method to the App Store Connect API key method,
which is more robust (no 2FA, no password expiry) and reuses the notary
key already provisioned for the org's Apple Developer account.

The signing step now reads APPLE_NOTARY_API_KEY_P8_BASE64,
APPLE_NOTARY_KEY_ID, and APPLE_NOTARY_ISSUER_ID, decodes the .p8 to a
temp file, and exports APPLE_API_KEY/APPLE_API_KEY_ID/APPLE_API_ISSUER,
which electron-builder (&gt;=24) consumes to notarize via notarytool. The
existing unsigned-draft fallback behavior is preserved.
diff --git a/.github/workflows/desktop-release.yml b/.github/workflows/desktop-release.yml
@@ -282,8 +282,9 @@ jobs:
         shell: bash
         env:
           IS_DRY_RUN: ${{ inputs.dry_run }}
-          APPLE_APP_SPECIFIC_PASSWORD_SECRET: ${{ secrets.APPLE_APP_SPECIFIC_PASSWORD }}
-          APPLE_ID_SECRET: ${{ secrets.APPLE_ID }}
+          APPLE_NOTARY_API_KEY_P8_BASE64_SECRET: ${{ secrets.APPLE_NOTARY_API_KEY_P8_BASE64 }}
+          APPLE_NOTARY_KEY_ID_SECRET: ${{ secrets.APPLE_NOTARY_KEY_ID }}
+          APPLE_NOTARY_ISSUER_ID_SECRET: ${{ secrets.APPLE_NOTARY_ISSUER_ID }}
           APPLE_TEAM_ID_SECRET: ${{ secrets.APPLE_TEAM_ID }}
           IS_DRAFT: ${{ inputs.draft }}
           MAC_CSC_KEY_PASSWORD_SECRET: ${{ secrets.MAC_CSC_KEY_PASSWORD }}
@@ -333,10 +334,19 @@ jobs:
                 exit 1
               fi
 
+              # Materialize the App Store Connect API key (.p8) so electron-builder
+              # (>=24) notarizes via notarytool. It reads APPLE_API_KEY (a path to
+              # the .p8 file), APPLE_API_KEY_ID, and APPLE_API_ISSUER from the env.
+              if [ -n "$APPLE_NOTARY_API_KEY_P8_BASE64_SECRET" ] && [ -n "$APPLE_NOTARY_KEY_ID_SECRET" ] && [ -n "$APPLE_NOTARY_ISSUER_ID_SECRET" ]; then
+                api_key_path="${RUNNER_TEMP}/apple-notary-key.p8"
+                printf '%s' "$APPLE_NOTARY_API_KEY_P8_BASE64_SECRET" | base64 --decode > "$api_key_path"
+                append_env "APPLE_API_KEY" "$api_key_path"
+                append_env "APPLE_API_KEY_ID" "$APPLE_NOTARY_KEY_ID_SECRET"
+                append_env "APPLE_API_ISSUER" "$APPLE_NOTARY_ISSUER_ID_SECRET"
+              fi
+
               append_env "CSC_LINK" "$mac_csc_link"
               append_env "CSC_KEY_PASSWORD" "$mac_csc_key_password"
-              append_env "APPLE_ID" "$APPLE_ID_SECRET"
-              append_env "APPLE_APP_SPECIFIC_PASSWORD" "$APPLE_APP_SPECIFIC_PASSWORD_SECRET"
               append_env "APPLE_TEAM_ID" "$APPLE_TEAM_ID_SECRET"
               echo "CSC_IDENTITY_AUTO_DISCOVERY=true" >> "$GITHUB_ENV"
             else
