Release operations

Signing and notarization

BarShelf can produce Apple-signed and notarized macOS release DMGs when the repository has the required Apple Developer secrets.

What this solves

Unsigned macOS apps trigger Gatekeeper friction. Signing with a Developer ID Application certificate and notarizing the DMG tells macOS that Apple scanned and accepted the release for direct distribution outside the Mac App Store.

Required Apple account

You need an active Apple Developer Program membership. A free Apple ID is not enough for Developer ID distribution.

For direct-download macOS apps, use a Developer ID Application certificate. This is separate from Mac App Store and iOS App Store signing assets.

GitHub secrets

Add these repository secrets before creating a release:

If signing secrets are absent, the release workflow still builds an unsigned DMG. If signing and notarization secrets are present, it signs, notarizes, staples, and uploads the DMG.

Create the certificate secret

  1. Create or download a Developer ID Application certificate from Apple Developer.
  2. Export it from Keychain Access as a password-protected .p12.
  3. Base64 encode it:
     base64 -i DeveloperIDApplication.p12 | pbcopy

Paste the copied value into APPLE_DEVELOPER_ID_APPLICATION_CERT_BASE64.
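
A pre-flight check for step 3, added here as an example and not part of the BarShelf repository: check_cert_secret (a hypothetical helper name) decodes the value destined for APPLE_DEVELOPER_ID_APPLICATION_CERT_BASE64, confirms it is valid base64 whose first byte is the DER SEQUENCE tag that every PKCS#12 file starts with, and optionally compares it byte-for-byte with the exported .p12 to catch a truncated paste.

```shell
#!/usr/bin/env bash
# Added example: validate a base64-encoded .p12 before storing it as a secret.
# check_cert_secret is a hypothetical helper, not part of the release workflow.
#
# Usage: check_cert_secret <base64-value> [path-to-original.p12]
# Returns: 0 ok, 1 temp file error, 2 empty value, 3 not valid base64,
#          4 decoded data does not start with a DER SEQUENCE (0x30),
#          5 decoded data differs from the original .p12
check_cert_secret() {
  local value="$1" original="${2:-}" tmp rc=0 flag=--decode
  [ -n "$value" ] || return 2

  # GNU coreutils and macOS accept --decode; fall back to -d elsewhere.
  printf 'QQ==' | base64 --decode >/dev/null 2>&1 || flag=-d

  # Decoded key material lands in a private temp file (mktemp creates it
  # with mode 0600) and is removed on every path below.
  tmp="$(mktemp)" || return 1

  if ! printf '%s' "$value" | base64 "$flag" >"$tmp" 2>/dev/null || [ ! -s "$tmp" ]; then
    rc=3
  elif [ "$(head -c 1 "$tmp" | od -An -tx1 | tr -d ' \n')" != "30" ]; then
    # A PKCS#12 (PFX) file is an ASN.1 SEQUENCE, so its first byte is 0x30.
    rc=4
  elif [ -n "$original" ] && ! cmp -s "$tmp" "$original"; then
    # Valid base64 that no longer matches the export: truncated or altered.
    rc=5
  fi

  rm -f "$tmp"
  return "$rc"
}
```

On macOS, run it right after step 3 as `check_cert_secret "$(pbpaste)" DeveloperIDApplication.p12`; a non-zero status means the clipboard value should not be saved as the secret.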

macOS direct distribution vs iOS App Store

The Apple Developer Program account is shared, but the release pipelines are different:

So setting up Developer ID notarization does not automatically ship iOS apps, but the paid Apple Developer membership is the same prerequisite.