Miner app should store the seed phrase, if users enter it
This requires using FlutterSecureStorage
which in turn requires additional entitlements and code signing hurdles, as below
=====
Great question. If you add keychain-access-groups back, Developer ID Application cert alone is usually not enough for a notarized direct-download app.
You need a matching signing identity + provisioning profile + entitlements set.
What You Need
For your current distribution model (zip + notarization, not Mac App Store):
- Developer ID Application certificate (Quantus Labs LLC)
- macOS App ID for com.quantus.quantusMiner with Keychain Sharing capability enabled
- Developer ID provisioning profile bound to that App ID and certificate
- Entitlements that match profile (including keychain-access-groups)
If any one of these is mismatched, you’ll see launch failures (EPOLICY) or runtime keychain errors (-34018).
How To Create It (Apple Portal)
- In Apple Developer portal, create/verify App ID: com.quantus.quantusMiner
- Enable Keychain Sharing capability on that App ID
- Ensure you have a valid Developer ID Application cert
- Create a Developer ID provisioning profile for that App ID + cert
- Download and install:
  - cert in Keychain (export .p12 for CI)
  - profile for CI (embed as Contents/embedded.provisionprofile)
Project/CI Requirements
- Sign in build with Xcode/xcodebuild using:
  - DEVELOPMENT_TEAM=8BRRAHLVW5
  - CODE_SIGN_IDENTITY=Developer ID Application
  - provisioning profile specifier set
- In entitlements, use keychain group value that resolves correctly (e.g. via Xcode capability), not ad-hoc post-sign substitutions.
- Avoid post-build manual codesign --entitlements ... rewriting unless you fully control profile + entitlement parity.
- If you must re-sign, use --preserve-metadata=entitlements.
Verification Checklist
After build, verify all 3:
codesign -d --entitlements - "Quantus Miner.app"
security cms -D -i "Quantus Miner.app/Contents/embedded.provisionprofile" (entitlements inside profile)
spctl --assess --type execute --verbose "Quantus Miner.app"
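
An added example, not part of the original issue or the project's code: a parity check between the entitlements in the signature and those in the embedded profile, the comparison the first two commands above are meant to support. It assumes the plist output of each command has been captured as bytes, and that a profile group ending in "*" acts as a prefix wildcard; the group values in the samples are constructed.

```python
import plistlib

KEY = "keychain-access-groups"


def covered(group, patterns):
    """True if a profile pattern matches the group (exact, or prefix before a trailing '*')."""
    return any(group == p or (p.endswith("*") and group.startswith(p[:-1]))
               for p in patterns)


def check_parity(app_entitlements: bytes, decoded_profile: bytes):
    """Return a list of problems; an empty list means signature and profile agree."""
    signed = plistlib.loads(app_entitlements).get(KEY, [])
    profile = plistlib.loads(decoded_profile).get("Entitlements", {}).get(KEY, [])
    problems = []
    if not signed:
        problems.append("signature carries no " + KEY)
    for group in signed:
        if "$(" in group:
            # A build variable that was never expanded before signing.
            problems.append(f"unresolved build variable in {group!r}")
        elif not covered(group, profile):
            problems.append(f"{group!r} not covered by profile {profile!r}")
    return problems


# Constructed sample data (team ID and bundle ID are the ones quoted on this page).
PROFILE = plistlib.dumps({"Entitlements": {KEY: ["8BRRAHLVW5.*"]}})
GOOD = plistlib.dumps({KEY: ["8BRRAHLVW5.com.quantus.quantusMiner"]})
UNRESOLVED = plistlib.dumps({KEY: ["$(AppIdentifierPrefix)com.quantus.quantusMiner"]})
WRONG_TEAM = plistlib.dumps({KEY: ["ABCDE12345.com.quantus.quantusMiner"]})
MISSING = plistlib.dumps({"com.apple.security.app-sandbox": True})

if __name__ == "__main__":
    samples = [("good", GOOD), ("unresolved", UNRESOLVED),
               ("wrong team", WRONG_TEAM), ("missing", MISSING)]
    for name, entitlements in samples:
        print(f"{name}: {check_parity(entitlements, PROFILE) or 'OK'}")
```

Run in CI after the signing step, a non-empty result is a reason to fail the build before notarization.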