build-emacs-for-macos
Instructions for producing a signed app
The README says that code sign instructions are coming soon. Even a pointer to what you have to set up and pass to the go run ./cmd/emacs-builder package would be great!
I'm building on an M1 machine, otherwise I would slack off and use the Homebrew cask.
Apologies, I haven't gotten around to properly documenting it. It's a bit involved, but below are some very brief instructions that hopefully will help.
First, you'll need a paid-for Apple Developer account, with an application signing key available on your machine, and then set a few environment variables to relevant values, and run the emacsbuilder package command with the --sign flag.
You can view the help info for the package command by running go run ./cmd/emacs-builder package --help. The environment variables needed are AC_USERNAME, AC_PASSWORD, AC_PROVIDER, and AC_SIGN_IDENTITY. The help output has a brief description of each.
Then you should be able to sign, package and notarize a folder containing an Emacs.app bundle to a *.dmg by running:
go run ./cmd/emacs-builder package --sign /path/to/folder
If it helps, the relevant part in my GitHub Actions setup for nightly builds is here. The only thing the package command pulls out of the passed in build-plan.yml file is the source directory to package.
Thanks. The symptom is that the app won't launch, and I get a crash report SIGKILL (Code Signature Invalid), so I can't even allow the app in the security and privacy settings.
Right, yeah. It seems M1 machines refuse to run unsigned code altogether. On Intel-based Macs it seems to be aware of what binaries were built locally, so they're automatically trusted.
I don't have an M1 machine myself yet though, so my knowledge is mostly second hand right now.
Indeed running Contents/MacOS/bin/emacs from the command line also gets killed. However, a hand-coded hello-world.c compiled with /usr/bin/gcc works ok.
This article has a nice explanation: https://eclecticlight.co/2021/01/26/when-you-dont-have-permission-to-run-an-app-on-an-m1-mac/. And links to another of the author's articles with a solution, https://eclecticlight.co/2019/01/17/code-signing-for-the-concerned-3-signing-an-app/. If you do this:
codesign --force --deep -s - Emacs.app
it will launch.
@isoboroff @jimeh I just met the same issue yesterday, and I use the same command to fix the issue. Instead of manually codesigning the .app, is it possible that the script signs it for us?
I had not realized ad-hoc signing without any paid developer certificates was possible. I'll have a look at automatically doing that on non-Intel Macs when I finally get an Apple Silicon machine later this month.
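An added example, not part of the thread or of build-emacs-for-macos: a POSIX shell function that applies the ad-hoc signing command quoted above only on Apple Silicon and only when the bundle's current signature does not verify, so an existing Developer ID signature is never overwritten. The function names and the `codesign --verify --deep --strict` pre-check are assumptions of this example.

```shell
#!/bin/sh
# Added example; function names are hypothetical, not part of emacs-builder.

# True when the bundle's existing signature verifies (any identity).
signature_ok() {
    codesign --verify --deep --strict "$1" >/dev/null 2>&1
}

# True only on Apple Silicon macOS, where unsigned code is killed at launch.
is_apple_silicon() {
    [ "$(uname -s)" = "Darwin" ] && [ "$(uname -m)" = "arm64" ]
}

# Prints the action taken: missing, skipped, valid, signed or failed.
ensure_adhoc_signed() {
    app=$1
    [ -d "$app" ] || { echo "missing"; return 1; }
    if ! is_apple_silicon; then
        echo "skipped"
        return 0
    fi
    # Never replace a signature that already verifies (for example a
    # Developer ID one) with an ad-hoc signature.
    if signature_ok "$app"; then
        echo "valid"
        return 0
    fi
    # Same command as quoted in the thread: "-s -" selects the ad-hoc identity.
    if codesign --force --deep -s - "$app" >/dev/null 2>&1 && signature_ok "$app"; then
        echo "signed"
        return 0
    fi
    echo "failed"
    return 1
}

# Run only when a bundle path is given, e.g. sh ensure-signed.sh Emacs.app
if [ "$#" -gt 0 ]; then
    ensure_adhoc_signed "$1"
fi
```

An ad-hoc signature only lets the binary run on the machine that signed it; a build meant for distribution still needs the Developer ID signing and notarization path described earlier in the thread.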