Add check for signing variables in build.sh

2 files changed, 33 insertions, 4 deletions

diff --git a/README.md b/README.md
index fe5680b0d5..18aeaa726e 100644
--- a/README.md
+++ b/README.md
@@ -113,7 +113,7 @@ it and behave accordingly.
     ```
     as in `yarn run pack:linux`.
 
-    The artifact (.dmg, .deb, .msi) version is the `version` property of `package.json`.
+    The artifact (.pkg, .deb, .msi) version is the `version` property of `package.json`.
 
 
 ## Making a release
@@ -135,6 +135,19 @@ the version of the app you are going to release. For example `2018.3-beta1` or `
 
     Please verify that the script did the right thing before you push the commit and tag it created.
 
+1. When building for macOS, the following environment variables must be set:
+   * `CSC_LINK` - The path to the `.p12` certificate file with the Apple application signing keys.
+     This file must contain both the "Developer ID Application" and the "Developer ID Installer"
+     certificates + private keys. If this environment variable is missing `build.sh` will skip
+     signing.
+   * `CSC_KEY_PASSWORD` - The password to the file given in `CSC_LINK`. If this is not set then
+     `build.sh` will prompt you for it. If you set it yourself, make sure to define it in such a
+     way that it's not stored in your bash history:
+     ```bash
+     export HISTCONTROL=ignorespace
+     export CSC_KEY_PASSWORD='my secret'
+     ```
+
 1. Run `./build.sh` on each computer/platform where you want to create a release artifact. This will
     do the following for you:
     1. Update `relays.json` with the latest relays
diff --git a/build.sh b/build.sh
index 87116e49ee..cffbdb5afe 100755
--- a/build.sh
+++ b/build.sh
@@ -25,9 +25,25 @@ if [[ "${1:-""}" != "--allow-dirty" ]]; then
     fi
 fi
 
-case "$(uname -s)" in
-    Darwin*)    export MACOSX_DEPLOYMENT_TARGET="10.7";;
-esac
+if [[ "$(uname -s)" = "Darwin" ]]; then
+    export MACOSX_DEPLOYMENT_TARGET="10.7"
+
+    # if CSC_LINK is set, then we do signing
+    if [[ ! -z ${CSC_LINK-} ]]; then
+        echo "Building with macOS signing activated. Using certificate at $CSC_LINK"
+        if [[ -z ${CSC_KEY_PASSWORD-} ]]; then
+            read -sp "CSC_KEY_PASSWORD = " CSC_KEY_PASSWORD
+            echo ""
+            export CSC_KEY_PASSWORD
+        fi
+        export CSC_IDENTITY_AUTO_DISCOVERY=true
+    else
+        echo "!! CSC_LINK not set. This build will not be signed !!"
+        unset CSC_LINK CSC_KEY_PASSWORD
+        export CSC_IDENTITY_AUTO_DISCOVERY=false
+    fi
+fi
+
 
 # Remove binaries. To make sure it is rebuilt with the stable toolchain and the latest changes.
 cargo +stable clean