From 54e60ca8204da7292aaa76da02a1b34824a1719f Mon Sep 17 00:00:00 2001
From: Jamil <jamilbk@users.noreply.github.com>
Date: Wed, 16 Apr 2025 11:29:59 -0700
Subject: [PATCH] fix(ci): Use `Developer ID Installer` cert to sign pkg
 (#8796)

Apple requires standalone-distributed `PKG` installers to be signed with
a Developer ID Installer certificate.

Fixes
https://github.com/firezone/firezone/actions/runs/14497960810/job/40670440720#step:6:3500

---------

Signed-off-by: Jamil <jamilbk@users.noreply.github.com>
---
 .github/workflows/_swift.yml      | 2 ++
 scripts/build/lib.sh              | 5 +++++
 scripts/build/macos-standalone.sh | 8 ++++----
 swift/apple/README.md             | 7 +++++++
 4 files changed, 18 insertions(+), 4 deletions(-)

diff --git a/.github/workflows/_swift.yml b/.github/workflows/_swift.yml
index ce7d2faab..bcc979d55 100644
--- a/.github/workflows/_swift.yml
+++ b/.github/workflows/_swift.yml
@@ -99,6 +99,8 @@ jobs:
           INSTALLER_CERT_PASS: "${{ secrets.APPLE_MAC_INSTALLER_CERTIFICATE_P12_PASSWORD }}"
           STANDALONE_BUILD_CERT: "${{ secrets.APPLE_STANDALONE_BUILD_CERTIFICATE_BASE64 }}"
           STANDALONE_BUILD_CERT_PASS: "${{ secrets.APPLE_STANDALONE_BUILD_CERTIFICATE_P12_PASSWORD }}"
+          STANDALONE_INSTALLER_CERT: "${{ secrets.APPLE_STANDALONE_MAC_INSTALLER_CERTIFICATE_BASE64 }}"
+          STANDALONE_INSTALLER_CERT_PASS: "${{ secrets.APPLE_STANDALONE_MAC_INSTALLER_CERTIFICATE_P12_PASSWORD }}"
           ARTIFACT_PATH: "${{ runner.temp }}/${{ matrix.artifact-file }}"
           PKG_ARTIFACT_PATH: "${{ runner.temp }}/${{ matrix.pkg-artifact-file }}"
           NOTARIZE: "${{ github.event_name == 'workflow_dispatch' }}"
diff --git a/scripts/build/lib.sh b/scripts/build/lib.sh
index 1fd1f0378..a1e70a190 100755
--- a/scripts/build/lib.sh
+++ b/scripts/build/lib.sh
@@ -45,6 +45,11 @@ function setup_runner() {
         "$STANDALONE_BUILD_CERT_PASS" \
         "$keychain_pass" \
         "$keychain_path"
+    install_cert \
+        "$STANDALONE_INSTALLER_CERT" \
+        "$STANDALONE_INSTALLER_CERT_PASS" \
+        "$keychain_pass" \
+        "$keychain_path"
 }
 
 function base64_decode() {
diff --git a/scripts/build/macos-standalone.sh b/scripts/build/macos-standalone.sh
index 7a03fa94c..e5784b0e9 100755
--- a/scripts/build/macos-standalone.sh
+++ b/scripts/build/macos-standalone.sh
@@ -17,8 +17,8 @@ staging_dmg_path="$temp_dir/staging.dmg"
 staging_pkg_path="$temp_dir/staging.pkg"
 git_sha=${GITHUB_SHA:-$(git rev-parse HEAD)}
 project_file=swift/apple/Firezone.xcodeproj
-codesign_identity="Developer ID Application: Firezone, Inc. (47R2M6779T)"
-installer_code_sign_identity="3rd Party Mac Developer Installer: Firezone, Inc. (47R2M6779T)"
+code_sign_identity="Developer ID Application: Firezone, Inc. (47R2M6779T)"
+installer_code_sign_identity="Developer ID Installer: Firezone, Inc. (47R2M6779T)"
 
 if [ "${CI:-}" = "true" ]; then
     # Configure the environment for building, signing, and packaging in CI
@@ -35,7 +35,7 @@ seconds_since_epoch=$(date +%s)
 xcodebuild build \
     GIT_SHA="$git_sha" \
     CODE_SIGN_STYLE=Manual \
-    CODE_SIGN_IDENTITY="$codesign_identity" \
+    CODE_SIGN_IDENTITY="$code_sign_identity" \
     PACKET_TUNNEL_PROVIDER_SUFFIX=-systemextension \
     OTHER_CODE_SIGN_FLAGS="--timestamp" \
     CODE_SIGN_INJECT_BASE_ENTITLEMENTS=NO \
@@ -103,7 +103,7 @@ hdiutil detach "$mount_dir"
 hdiutil convert "$staging_dmg_path" -format UDZO -o "$dmg_path"
 
 # Sign disk image
-codesign --force --sign "$codesign_identity" "$dmg_path"
+codesign --force --sign "$code_sign_identity" "$dmg_path"
 
 echo "Disk image created at $dmg_path"
 
diff --git a/swift/apple/README.md b/swift/apple/README.md
index ee45073ec..0770c3a38 100644
--- a/swift/apple/README.md
+++ b/swift/apple/README.md
@@ -288,6 +288,11 @@ Application certificates are **precious** and we only have a limited number of
 them. They also cannot be revoked. So do not generate them. Instead, obtain it
 from 1Password.
 
+Also, the signing certificate for the package installer artifact specifically needs
+to be a `Developer ID Installer` certificate, not a `Developer ID Application` or
+`Apple Distribution` certificate. This is needed to sign the PKG files we distribute
+that are consumed by MDMs.
+
 Once you've done that, you can create the provisioning profiles and update the
 GitHub secrets using the same steps as above, only using the following secrets
 names:
@@ -295,6 +300,8 @@ names:
 ```
 APPLE_STANDALONE_BUILD_CERTIFICATE_BASE64
 APPLE_STANDALONE_BUILD_CERTIFICATE_P12_PASSWORD
+APPLE_STANDALONE_MAC_INSTALLER_CERTIFICATE_BASE64
+APPLE_STANDALONE_MAC_INSTALLER_CERTIFICATE_P12_PASSWORD
 APPLE_STANDALONE_MACOS_APP_PROVISIONING_PROFILE
 APPLE_STANDALONE_MACOS_NE_PROVISIONING_PROFILE
 ```