🤖 Fix: Enable DMG code signing #83
Merged
Conversation
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
The .app bundles were being signed, but the final DMG files were not. Adding dmg.sign configuration to ensure the DMG itself is also signed. _Generated with `cmux`_
ammario
force-pushed
the
fix-dmg-signing-v2
branch
from
ea34e95 to
d6f8396
Compare
ammario
added a commit
that referenced
this pull request
Oct 7, 2025
## Problem 1. PR #83 added `dmg.sign: true` which is actually **unnecessary and discouraged** by electron-builder 2. Both DMG files (x64 and arm64) are being uploaded as a single artifact, making it confusing for users ## Solution 1. **Removed `dmg.sign: true`** - DMG signing is not needed and can cause issues. What matters is the .app bundle signing (which works perfectly) 2. **Split artifacts** - Now uploading as separate `macos-dmg-x64` and `macos-dmg-arm64` artifacts for clarity ## Why DMG signing is unnecessary According to electron-builder documentation: "Signing is not required and will lead to unwanted errors in combination with notarization requirements." The .app bundle inside the DMG is properly signed with: - Developer ID Application certificate - Hardened Runtime enabled - All frameworks and helpers signed - Valid certificate chain through Apple Root CA ✅ Verified on local machine: `codesign --verify --deep --strict` passes ## Changes ```yaml # .github/workflows/build.yml - name: Upload macOS DMG (x64) path: release/*-x64.dmg - name: Upload macOS DMG (arm64) path: release/*-arm64.dmg ``` ```json // package.json - removed dmg section entirely "mac": { "target": [ { "target": "dmg", "arch": "x64" }, { "target": "dmg", "arch": "arm64" } ], ... } ``` _Generated with `cmux`_
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
1 participant
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
Problem
dmg.sign: truewhich is actually unnecessary and discouraged by electron-builderSolution
dmg.sign: true- DMG signing is not needed and can cause issues. What matters is the .app bundle signing (which works perfectly)macos-dmg-x64andmacos-dmg-arm64artifacts for clarityWhy DMG signing is unnecessary
According to electron-builder documentation: "Signing is not required and will lead to unwanted errors in combination with notarization requirements."
The .app bundle inside the DMG is properly signed with:
Changes
Generated with
cmux