feat(bundler): try to find API key file for notarization, ref #7616 (#7771)

2026-02-06 15:26:54 +00:00 · 2023-09-07 10:01:12 -03:00 · 2023-09-07 10:01:12 -03:00 · dfbbca423b
commit dfbbca423b
parent 0797a002ca
3 changed files with 38 additions and 3 deletions
--- a/.changes/notarytool.md
+++ b/.changes/notarytool.md
@ -2,4 +2,4 @@
 "tauri-bundler": minor:breaking
 ---

-The macOS notarization now uses `notarytool` as `altool` will be discontinued on November 2023. When authenticating with an API key, the key `.p8` file path must be provided in the `APPLE_API_KEY_PATH` environment variable.
+The macOS notarization now uses `notarytool` as `altool` will be discontinued on November 2023. When authenticating with an API key, the key `.p8` file path must be provided in the `APPLE_API_KEY_PATH` environment variable. To prevent a breaking change, we will try to find the key path in the `altool` default search paths.
--- a/tooling/bundler/src/bundle/macos/sign.rs
+++ b/tooling/bundler/src/bundle/macos/sign.rs
@ -384,8 +384,44 @@ pub fn notarize_auth() -> crate::Result<NotarizeAuth> {
          let issuer = api_issuer.to_str().expect("failed to convert APPLE_API_ISSUER to string").to_string();
          Ok(NotarizeAuth::ApiKey { key, key_path: key_path.into(), issuer })
        },
+        (Some(api_key), Some(api_issuer), Err(_)) => {
+          let key = api_key.to_str().expect("failed to convert APPLE_API_KEY to string").to_string();
+          let issuer = api_issuer.to_str().expect("failed to convert APPLE_API_ISSUER to string").to_string();
+
+          let api_key_file_name = format!("AuthKey_{key}.p8");
+          let mut key_path = None;
+
+          let mut search_paths = vec!["./private_keys".into()];
+          if let Some(home_dir) = dirs_next::home_dir() {
+            search_paths.push(home_dir.join("private_keys"));
+            search_paths.push(home_dir.join(".private_keys"));
+            search_paths.push(home_dir.join(".appstoreconnect").join("private_keys"));
+          }
+
+          for folder in search_paths {
+            if let Some(path) = find_api_key(folder, &api_key_file_name) {
+              key_path = Some(path);
+              break;
+            }
+          }
+
+          if let Some(key_path) = key_path {
+          Ok(NotarizeAuth::ApiKey { key, key_path, issuer })
+          } else {
+            Err(anyhow::anyhow!("could not find API key file. Please set the APPLE_API_KEY_PATH environment variables to the path to the {api_key_file_name} file").into())
+          }
+        }
        _ => Err(anyhow::anyhow!("no APPLE_ID & APPLE_PASSWORD or APPLE_API_KEY & APPLE_API_ISSUER & APPLE_API_KEY_PATH environment variables found").into())
      }
    }
  }
 }
+
+fn find_api_key(folder: PathBuf, file_name: &str) -> Option<PathBuf> {
+  let path = folder.join(file_name);
+  if path.exists() {
+    Some(path)
+  } else {
+    None
+  }
+}
--- a/tooling/cli/ENVIRONMENT_VARIABLES.md
+++ b/tooling/cli/ENVIRONMENT_VARIABLES.md
@ -26,10 +26,9 @@ These environment variables are inputs to the CLI which may have an equivalent C
 - `APPLE_ID` — The Apple ID used to notarize the application. If this environment variable is provided, `APPLE_PASSWORD` must also be set. Alternatively, `APPLE_API_KEY` and `APPLE_API_ISSUER` can be used to authenticate.
 - `APPLE_PASSWORD` — The Apple password used to authenticate for application notarization. Required if `APPLE_ID` is specified. An app-specific password can be used. Alternatively to entering the password in plaintext, it may also be specified using a '@keychain:' or '@env:' prefix followed by a keychain password item name or environment variable name.
 - `APPLE_API_KEY` — Alternative to `APPLE_ID` and `APPLE_PASSWORD` for notarization authentication using JWT.
-  - This option will search the following directories in sequence for a private key file with the name of 'AuthKey_<api_key>.p8': './private_keys', '~/private_keys', '~/.private_keys', and '~/.appstoreconnect/private_keys'. Additionally, you can set environment variable $API_PRIVATE_KEYS_DIR or a user default API_PRIVATE_KEYS_DIR to specify the directory where your AuthKey file is located.
  - See [creating API keys](https://developer.apple.com/documentation/appstoreconnectapi/creating_api_keys_for_app_store_connect_api) for more information.
 - `APPLE_API_ISSUER` — Issuer ID. Required if `APPLE_API_KEY` is specified.
- `APPLE_API_KEY_PATH` - path to the API key `.p8` file.
+- `APPLE_API_KEY_PATH` - path to the API key `.p8` file. If not specified, the bundler searches the following directories in sequence for a private key file with the name of 'AuthKey_<api_key>.p8': './private_keys', '~/private_keys', '~/.private_keys', and '~/.appstoreconnect/private_keys'.
 - `APPLE_SIGNING_IDENTITY` — The identity used to code sign. Overwrites `tauri.conf.json > tauri > bundle > macOS > signingIdentity`.
 - `APPLE_PROVIDER_SHORT_NAME` — If your Apple ID is connected to multiple teams, you have to specify the provider short name of the team you want to use to notarize your app. Overwrites `tauri.conf.json > tauri > bundle > macOS > providerShortName`.
 - `CI` — If set, the CLI will run in CI mode and won't require any user interaction.