electron-cli 0.3.0-alpha.17 → 0.3.0-alpha.19

package/Cargo.lock

@@ -953,7 +953,7 @@ checksum = "91622ff5e7162018101f2fea40d6ebf4a78bbe5a49736a2020649edf9693679e"
 
 [[package]]
 name = "electron-cli"
-version = "0.3.0-alpha.17"
+version = "0.3.0-alpha.19"
 dependencies = [
  "anyhow",
  "apple-codesign",

package/Cargo.toml

@@ -1,6 +1,6 @@
 [package]
 name = "electron-cli"
-version = "0.3.0-alpha.17"
+version = "0.3.0-alpha.19"
 edition = "2021"
 description = "Experimental Rust CLI for Electron project diagnostics and workflow automation"
 license = "MIT"

package/README.md

@@ -41,9 +41,9 @@ The Rust-native flow currently owns:
 
 The GitHub publisher creates or reuses a release, uploads selected make artifacts, and can replace an existing asset with `--force`. It reads `GITHUB_TOKEN` or `GH_TOKEN` and can infer `OWNER/REPO` from package metadata, Forge GitHub publisher config, or `package.json` `repository`. You can also pass `--github-repo`.
 
-The package command recognizes macOS `packagerConfig.osxSign` and `packagerConfig.osxNotarize` options and reports the signing/notarization plan without serializing credential values. When `osxSign` is enabled on macOS and no certificate identity is configured, or the identity is `"-"`, `package` writes an experimental Rust-native ad-hoc signature for the generated `.app` bundle. Developer ID certificate/keychain signing and notarization execution are not implemented yet.
+The package command recognizes macOS `packagerConfig.osxSign` and `packagerConfig.osxNotarize` options and reports the signing/notarization plan without serializing credential values. When `osxSign` is enabled on macOS and no certificate identity is configured, or the identity is `"-"`, `package` writes an experimental Rust-native ad-hoc signature for the generated `.app` bundle. When `osxSign.p12File` points at a `.p12`/PFX certificate export, `package` can sign the bundle with that certificate and can request a CMS timestamp token for notarization-compatible signatures. macOS keychain identity lookup and notarization submission/stapling are not implemented yet.
 
-The DMG maker is currently a pure-Rust FAT32 image with the app bundle and an Applications entry. The MSI maker writes a compressed embedded CAB, Windows Installer database tables, and a Start Menu shortcut when the packaged executable is present. HFS+/APFS DMG layout customization, installer UI customization, Windows/Linux icon embedding, Developer ID signing execution, and notarization execution are still TODO.
+The DMG maker is currently a pure-Rust FAT32 image with the app bundle and an Applications entry. The MSI maker writes a compressed embedded CAB, Windows Installer database tables, and a Start Menu shortcut when the packaged executable is present. HFS+/APFS DMG layout customization, installer UI customization, Windows/Linux icon embedding, macOS keychain signing, and notarization execution are still TODO.
 
 Package metadata can be configured in `package.json`:
 
@@ -57,7 +57,9 @@ Package metadata can be configured in `package.json`:
       "icon": "assets/icon",
       "extraResource": "assets/config.json",
       "osxSign": {
-        "identity": "-",
+        "p12File": "certs/developer-id.p12",
+        "p12PasswordEnv": "ELECTRON_CLI_P12_PASSWORD",
+        "timestamp": true,
         "entitlements": "assets/entitlements.plist",
         "hardenedRuntime": true
       },
@@ -97,7 +99,7 @@ Package metadata can be configured in `package.json`:
 }
 ```
 
-Set `identity` to a Developer ID certificate name when you want the plan to reflect Forge-style release signing, but this project will report it as not executable until Rust-native certificate/keychain signing exists. Use `identity: "-"` or omit `identity` for the current ad-hoc signing path.
+Use `p12PasswordEnv`, `p12PasswordFile`, or `p12Password` for the `.p12` password; password values are not serialized in package reports. Set `osxSign.timestamp` to a timestamp server URL, `true` for Apple's default `http://timestamp.apple.com/ts01`, or `"none"` / `false` to disable timestamping. When `osxNotarize` is enabled with p12 signing, `electron-cli` automatically enables notarization-compatible signing and uses Apple's timestamp server unless timestamping is disabled explicitly. Set `identity` to a Developer ID certificate name when you want the plan to reflect Forge-style keychain release signing, but this project will report it as not executable until Rust-native keychain lookup exists. Use `identity: "-"` or omit `identity` for the current ad-hoc signing path.
 
 The package command also reads JSON-shaped `config.forge.packagerConfig` and `electronPackagerConfig` entries for the same fields. The make command maps JSON-shaped Forge maker names to the Rust-native targets it supports: zip, dmg, deb, rpm, and wix/msi. The publish command maps JSON-shaped publisher names to local and GitHub.
 

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "electron-cli",
-  "version": "0.3.0-alpha.17",
+  "version": "0.3.0-alpha.19",
   "description": "Experimental Rust CLI for Electron project diagnostics and workflow automation",
   "license": "MIT",
   "repository": {

package/src/commands/package.rs

@@ -5,7 +5,10 @@ use std::{
 };
 
 use anyhow::{bail, Context, Result};
-use apple_codesign::{BundleSigner, CodeSignatureFlags, SettingsScope, SigningSettings};
+use apple_codesign::{
+    cryptography::{parse_pfx_data, PrivateKey},
+    BundleSigner, CodeSignatureFlags, SettingsScope, SigningSettings,
+};
 use camino::Utf8PathBuf;
 use plist::{Dictionary as PlistDictionary, Value as PlistValue};
 use serde::Serialize;
@@ -13,6 +16,8 @@ use serde_json::Value as JsonValue;
 
 use crate::{cli::PackageArgs, output, project::ProjectSnapshot};
 
+const APPLE_TIMESTAMP_URL: &str = "http://timestamp.apple.com/ts01";
+
 #[derive(Clone, Debug, Serialize)]
 pub(crate) struct PackageReport {
     project: ProjectSnapshot,
@@ -75,6 +80,14 @@ struct MacosSignPlan {
     will_execute: bool,
     method: Option<String>,
     identity: Option<String>,
+    p12_file: Option<Utf8PathBuf>,
+    p12_password_source: Option<String>,
+    p12_password_env: Option<String>,
+    p12_password_file: Option<Utf8PathBuf>,
+    #[serde(skip)]
+    p12_password: RedactedSecret,
+    timestamp_url: Option<String>,
+    for_notarization: bool,
     entitlements: Vec<Utf8PathBuf>,
     entitlements_inherit: Option<Utf8PathBuf>,
     hardened_runtime: Option<bool>,
@@ -90,6 +103,29 @@ struct MacosNotarizePlan {
     keychain: Option<String>,
 }
 
+#[derive(Clone, Default)]
+struct RedactedSecret(Option<String>);
+
+impl std::fmt::Debug for RedactedSecret {
+    fn fmt(&self, formatter: &mut std::fmt::Formatter<'_>) -> std::fmt::Result {
+        if self.0.is_some() {
+            formatter.write_str("<redacted>")
+        } else {
+            formatter.write_str("<unset>")
+        }
+    }
+}
+
+impl RedactedSecret {
+    fn new(value: Option<String>) -> Self {
+        Self(value)
+    }
+
+    fn as_deref(&self) -> Option<&str> {
+        self.0.as_deref()
+    }
+}
+
 #[derive(Clone, Copy, Debug, Serialize)]
 #[serde(rename_all = "kebab-case")]
 enum PackageStatus {
@@ -127,12 +163,24 @@ struct MacosSignConfig {
     enabled: bool,
     invalid_type: bool,
     identity: Option<String>,
+    p12_file: Option<String>,
+    p12_password: Option<String>,
+    p12_password_env: Option<String>,
+    p12_password_file: Option<String>,
+    timestamp: Option<MacosTimestampConfig>,
     entitlements: Vec<String>,
     entitlements_inherit: Option<String>,
     hardened_runtime: Option<bool>,
     gatekeeper_assess: Option<bool>,
 }
 
+#[derive(Clone, Debug)]
+enum MacosTimestampConfig {
+    Default,
+    Disabled,
+    Url(String),
+}
+
 #[derive(Clone, Debug, Default)]
 struct MacosNotarizeConfig {
     configured: bool,
@@ -409,15 +457,39 @@ fn execute_macos_signing(report: &PackageReport) -> Result<()> {
             .collect_nested_bundles()
             .context("Could not discover nested macOS bundles for signing")?;
 
-        let settings = macos_signing_settings(report)?;
-        signer
-            .write_signed_bundle(&signed_bundle_dir, &settings)
-            .with_context(|| {
-                format!(
-                    "Could not write signed macOS bundle to {}",
-                    signed_bundle_dir.display()
-                )
-            })?;
+        let mut settings = macos_signing_settings(report)?;
+        if let Some(p12_file) = &report.signing.macos.sign.p12_file {
+            let p12_path = Path::new(p12_file.as_str());
+            let p12_data = fs::read(p12_path)
+                .with_context(|| format!("Could not read {}", p12_path.display()))?;
+            let password = macos_p12_password(&report.signing.macos.sign)?;
+            let (certificate, signing_key) = parse_pfx_data(&p12_data, &password)
+                .with_context(|| format!("Could not parse {}", p12_path.display()))?;
+
+            settings.set_signing_key(signing_key.as_key_info_signer(), certificate);
+            settings.chain_apple_certificates();
+            settings.set_team_id_from_signing_certificate();
+            settings
+                .ensure_for_notarization_settings()
+                .context("macOS signing settings are not compatible with notarization")?;
+            signer
+                .write_signed_bundle(&signed_bundle_dir, &settings)
+                .with_context(|| {
+                    format!(
+                        "Could not write signed macOS bundle to {}",
+                        signed_bundle_dir.display()
+                    )
+                })?;
+        } else {
+            signer
+                .write_signed_bundle(&signed_bundle_dir, &settings)
+                .with_context(|| {
+                    format!(
+                        "Could not write signed macOS bundle to {}",
+                        signed_bundle_dir.display()
+                    )
+                })?;
+        }
 
         Ok(())
     })();
@@ -441,10 +513,17 @@ fn execute_macos_signing(report: &PackageReport) -> Result<()> {
     Ok(())
 }
 
-fn macos_signing_settings(report: &PackageReport) -> Result<SigningSettings<'static>> {
+fn macos_signing_settings<'key>(report: &PackageReport) -> Result<SigningSettings<'key>> {
     let sign = &report.signing.macos.sign;
     let mut settings = SigningSettings::default();
     settings.set_binary_identifier(SettingsScope::Main, &report.metadata.bundle_identifier);
+    settings.set_for_notarization(sign.for_notarization);
+
+    if let Some(timestamp_url) = &sign.timestamp_url {
+        settings
+            .set_time_stamp_url(timestamp_url)
+            .with_context(|| format!("Invalid macOS signing timestamp URL: {timestamp_url}"))?;
+    }
 
     if sign.hardened_runtime.unwrap_or(false) {
         settings.add_code_signature_flags(SettingsScope::Main, CodeSignatureFlags::RUNTIME);
@@ -471,6 +550,37 @@ fn macos_signing_settings(report: &PackageReport) -> Result<SigningSettings<'sta
     Ok(settings)
 }
 
+fn macos_p12_password(sign: &MacosSignPlan) -> Result<String> {
+    if let Some(password) = sign.p12_password.as_deref() {
+        return Ok(password.to_string());
+    }
+
+    if let Some(env_name) = &sign.p12_password_env {
+        return std::env::var(env_name)
+            .with_context(|| format!("Could not read macOS signing p12 password env {env_name}"));
+    }
+
+    if let Some(path) = &sign.p12_password_file {
+        let password_path = Path::new(path.as_str());
+        return fs::read_to_string(password_path)
+            .with_context(|| {
+                format!(
+                    "Could not read macOS signing p12 password file {}",
+                    password_path.display()
+                )
+            })
+            .and_then(|contents| {
+                contents
+                    .lines()
+                    .next()
+                    .map(str::to_string)
+                    .context("macOS signing p12 password file is empty")
+            });
+    }
+
+    Ok(String::new())
+}
+
 fn print_report(report: &PackageReport, json: bool) -> Result<()> {
     if json {
         return output::json(report);
@@ -507,6 +617,18 @@ fn print_report(report: &PackageReport, json: bool) -> Result<()> {
         if let Some(identity) = &report.signing.macos.sign.identity {
             println!("  identity: {identity}");
         }
+        if let Some(path) = &report.signing.macos.sign.p12_file {
+            println!("  p12 file: {path}");
+        }
+        if let Some(source) = &report.signing.macos.sign.p12_password_source {
+            println!("  p12 password: {source}");
+        }
+        if let Some(timestamp_url) = &report.signing.macos.sign.timestamp_url {
+            println!("  timestamp server: {timestamp_url}");
+        }
+        if report.signing.macos.sign.for_notarization {
+            println!("  signing mode: notarization-compatible");
+        }
         if let Some(method) = &report.signing.macos.sign.method {
             println!("  signing method: {method}");
         }
@@ -648,6 +770,32 @@ fn parse_macos_sign_config(value: Option<&JsonValue>) -> MacosSignConfig {
                     .or_else(|| object.get("identityName"))
                     .and_then(JsonValue::as_str)
                     .map(ToOwned::to_owned),
+                p12_file: object
+                    .get("p12File")
+                    .or_else(|| object.get("pfxFile"))
+                    .and_then(JsonValue::as_str)
+                    .map(ToOwned::to_owned),
+                p12_password: object
+                    .get("p12Password")
+                    .or_else(|| object.get("pfxPassword"))
+                    .and_then(JsonValue::as_str)
+                    .map(ToOwned::to_owned),
+                p12_password_env: object
+                    .get("p12PasswordEnv")
+                    .or_else(|| object.get("pfxPasswordEnv"))
+                    .and_then(JsonValue::as_str)
+                    .map(ToOwned::to_owned),
+                p12_password_file: object
+                    .get("p12PasswordFile")
+                    .or_else(|| object.get("pfxPasswordFile"))
+                    .and_then(JsonValue::as_str)
+                    .map(ToOwned::to_owned),
+                timestamp: parse_macos_timestamp_config(
+                    object
+                        .get("timestamp")
+                        .or_else(|| object.get("timestampUrl"))
+                        .or_else(|| object.get("timestampURL")),
+                ),
                 entitlements,
                 entitlements_inherit: object
                     .get("entitlementsInherit")
@@ -665,6 +813,22 @@ fn parse_macos_sign_config(value: Option<&JsonValue>) -> MacosSignConfig {
     }
 }
 
+fn parse_macos_timestamp_config(value: Option<&JsonValue>) -> Option<MacosTimestampConfig> {
+    match value {
+        Some(JsonValue::String(value)) => {
+            let value = value.trim();
+            if value.is_empty() || value.eq_ignore_ascii_case("none") {
+                Some(MacosTimestampConfig::Disabled)
+            } else {
+                Some(MacosTimestampConfig::Url(value.to_string()))
+            }
+        }
+        Some(JsonValue::Bool(true)) => Some(MacosTimestampConfig::Default),
+        Some(JsonValue::Bool(false)) => Some(MacosTimestampConfig::Disabled),
+        _ => None,
+    }
+}
+
 fn parse_macos_notarize_config(value: Option<&JsonValue>) -> MacosNotarizeConfig {
     match value {
         None => MacosNotarizeConfig::default(),
@@ -793,7 +957,13 @@ fn package_signing(
     platform: &str,
 ) -> Result<(PackageSigningPlan, Vec<String>)> {
     let mut warnings = Vec::new();
-    let sign = macos_sign_plan(root, &config.packager.osx_sign, platform, &mut warnings)?;
+    let sign = macos_sign_plan(
+        root,
+        &config.packager.osx_sign,
+        &config.packager.osx_notarize,
+        platform,
+        &mut warnings,
+    )?;
     let notarize = macos_notarize_plan(root, config, platform, &mut warnings);
 
     Ok((
@@ -807,6 +977,7 @@ fn package_signing(
 fn macos_sign_plan(
     root: &Path,
     config: &MacosSignConfig,
+    notarize_config: &MacosNotarizeConfig,
     platform: &str,
     warnings: &mut Vec<String>,
 ) -> Result<MacosSignPlan> {
@@ -844,11 +1015,63 @@ fn macos_sign_plan(
         }
     }
 
+    let p12_file = config
+        .p12_file
+        .as_deref()
+        .filter(|path| !path.trim().is_empty())
+        .map(|path| utf8_path(resolve_project_path(root, path)))
+        .transpose()?;
+    if let Some(path) = &p12_file {
+        if !Path::new(path.as_str()).exists() {
+            warnings.push(format!(
+                "Configured macOS signing p12 file does not exist: {}.",
+                path
+            ));
+        }
+    }
+    let p12_password_file = config
+        .p12_password_file
+        .as_deref()
+        .filter(|path| !path.trim().is_empty())
+        .map(|path| utf8_path(resolve_project_path(root, path)))
+        .transpose()?;
+    if let Some(path) = &p12_password_file {
+        if !Path::new(path.as_str()).exists() {
+            warnings.push(format!(
+                "Configured macOS signing p12 password file does not exist: {}.",
+                path
+            ));
+        }
+    }
+    let p12_password_source = if p12_file.is_some() {
+        if config.p12_password.is_some() {
+            Some("config".to_string())
+        } else if let Some(env_name) = config
+            .p12_password_env
+            .as_deref()
+            .filter(|name| !name.trim().is_empty())
+        {
+            Some(format!("env:{env_name}"))
+        } else if let Some(path) = &p12_password_file {
+            Some(format!("file:{path}"))
+        } else {
+            Some("empty".to_string())
+        }
+    } else {
+        None
+    };
+
     let identity = config.identity.as_deref().map(str::trim);
     let ad_hoc_identity = matches!(identity, None | Some("-"));
-    let will_execute = config.enabled && platform == "darwin" && ad_hoc_identity;
+    let p12_identity = p12_file.is_some();
+    let will_execute = config.enabled && platform == "darwin" && (ad_hoc_identity || p12_identity);
+    let timestamp_url = macos_timestamp_url(config, p12_identity, notarize_config.enabled);
+    let for_notarization =
+        will_execute && p12_identity && notarize_config.enabled && timestamp_url.is_some();
     let method = if config.enabled && platform == "darwin" {
-        if ad_hoc_identity {
+        if p12_identity {
+            Some("certificate-p12".to_string())
+        } else if ad_hoc_identity {
             Some("ad-hoc".to_string())
         } else {
             Some("certificate-identity".to_string())
@@ -863,17 +1086,22 @@ fn macos_sign_plan(
         ));
     } else if config.enabled && !will_execute {
         warnings.push(
-            "macOS signing identity is configured, but Rust-native certificate/keychain signing is not implemented yet; package output will be unsigned. Use identity '-' or omit identity for experimental ad-hoc signing.".to_string(),
+            "macOS signing identity is configured, but Rust-native keychain identity signing is not implemented yet; package output will be unsigned. Use p12File for certificate signing, or identity '-' / omit identity for experimental ad-hoc signing.".to_string(),
         );
     } else if will_execute {
+        if p12_identity && identity.is_some() {
+            warnings.push(
+                "packagerConfig.osxSign.p12File supplies the signing certificate; identity is reported but not used for keychain lookup.".to_string(),
+            );
+        }
         if config.entitlements.len() > 1 {
             warnings.push(
-                "Rust-native ad-hoc signing applies the first macOS entitlements file only; inherited/login-helper entitlement scoping is not implemented yet.".to_string(),
+                "Rust-native macOS signing applies the first macOS entitlements file only; inherited/login-helper entitlement scoping is not implemented yet.".to_string(),
             );
         }
         if config.entitlements_inherit.is_some() {
             warnings.push(
-                "packagerConfig.osxSign.entitlementsInherit is recognized but not applied to nested bundles by Rust-native ad-hoc signing yet.".to_string(),
+                "packagerConfig.osxSign.entitlementsInherit is recognized but not applied to nested bundles by Rust-native signing yet.".to_string(),
             );
         }
         if config.gatekeeper_assess.is_some() {
@@ -881,6 +1109,16 @@ fn macos_sign_plan(
                 "packagerConfig.osxSign.gatekeeperAssess is recognized but Gatekeeper assessment is not implemented yet.".to_string(),
             );
         }
+        if config.timestamp.is_some() && !p12_identity {
+            warnings.push(
+                "packagerConfig.osxSign.timestamp is recognized but ignored without p12File certificate signing.".to_string(),
+            );
+        }
+        if notarize_config.enabled && p12_identity && timestamp_url.is_none() {
+            warnings.push(
+                "macOS notarization requires a secure timestamp; packagerConfig.osxSign.timestamp disabled timestamping.".to_string(),
+            );
+        }
     }
 
     Ok(MacosSignPlan {
@@ -889,6 +1127,13 @@ fn macos_sign_plan(
         will_execute,
         method,
         identity: config.identity.clone(),
+        p12_file,
+        p12_password_source,
+        p12_password_env: config.p12_password_env.clone(),
+        p12_password_file,
+        p12_password: RedactedSecret::new(config.p12_password.clone()),
+        timestamp_url,
+        for_notarization,
         entitlements,
         entitlements_inherit,
         hardened_runtime: config.hardened_runtime,
@@ -896,6 +1141,24 @@ fn macos_sign_plan(
     })
 }
 
+fn macos_timestamp_url(
+    config: &MacosSignConfig,
+    p12_identity: bool,
+    notarize_enabled: bool,
+) -> Option<String> {
+    if !p12_identity {
+        return None;
+    }
+
+    match &config.timestamp {
+        Some(MacosTimestampConfig::Default) => Some(APPLE_TIMESTAMP_URL.to_string()),
+        Some(MacosTimestampConfig::Disabled) => None,
+        Some(MacosTimestampConfig::Url(url)) => Some(url.clone()),
+        None if notarize_enabled => Some(APPLE_TIMESTAMP_URL.to_string()),
+        None => None,
+    }
+}
+
 fn macos_notarize_plan(
     root: &Path,
     package_config: &PackageJsonConfig,
@@ -926,6 +1189,7 @@ fn macos_notarize_plan(
     if config.enabled
         && platform == "darwin"
         && package_config.packager.osx_sign.enabled
+        && package_config.packager.osx_sign.p12_file.is_none()
         && matches!(
             package_config
                 .packager
@@ -2008,7 +2272,7 @@ mod tests {
         assert!(report
             .warnings
             .iter()
-            .any(|warning| warning.contains("Rust-native certificate/keychain signing")));
+            .any(|warning| warning.contains("Rust-native keychain identity signing")));
         assert!(report
             .warnings
             .iter()
@@ -2063,13 +2327,198 @@ mod tests {
         assert_eq!(report.signing.macos.sign.identity.as_deref(), Some("-"));
         assert_eq!(report.signing.macos.sign.hardened_runtime, Some(true));
         assert!(!report.warnings.iter().any(|warning| {
-            warning.contains("Rust-native certificate/keychain signing")
+            warning.contains("Rust-native keychain identity signing")
                 || warning.contains("Rust-native signing is not implemented")
         }));
 
         let _ = fs::remove_dir_all(root);
     }
 
+    #[test]
+    fn plans_macos_p12_signing_without_serializing_password() {
+        let root = unique_temp_dir("macos-p12-signing-plan");
+        write_package_json(&root);
+        fs::write(root.join("developer-id.p12"), "not a real p12")
+            .expect("p12 placeholder should be written");
+        fs::write(
+            root.join("forge.config.js"),
+            r#"
+            module.exports = {
+              packagerConfig: {
+                osxSign: {
+                  identity: 'Developer ID Application: Example, Inc. (TEAMID1234)',
+                  p12File: 'developer-id.p12',
+                  p12Password: 'p12-secret',
+                  timestamp: 'http://timestamp.example.test/tsa',
+                  hardenedRuntime: true,
+                },
+              },
+            };
+            "#,
+        )
+        .expect("forge config should be written");
+        write_app_file(&root);
+        write_fake_electron_dist(&root);
+
+        let args = PackageArgs {
+            cwd: root.clone(),
+            out_dir: PathBuf::from("out"),
+            name: None,
+            platform: Some("darwin".to_string()),
+            arch: Some("arm64".to_string()),
+            force: false,
+            dry_run: true,
+            json: true,
+        };
+        let snapshot = crate::project::inspect(&root).expect("project should inspect");
+        let report = build_report(snapshot, &args).expect("report should build");
+
+        assert!(report.signing.macos.sign.configured);
+        assert!(report.signing.macos.sign.enabled);
+        assert!(report.signing.macos.sign.will_execute);
+        assert_eq!(
+            report.signing.macos.sign.method.as_deref(),
+            Some("certificate-p12")
+        );
+        assert_eq!(
+            report.signing.macos.sign.p12_password_source.as_deref(),
+            Some("config")
+        );
+        assert_eq!(
+            report.signing.macos.sign.timestamp_url.as_deref(),
+            Some("http://timestamp.example.test/tsa")
+        );
+        assert!(!report.signing.macos.sign.for_notarization);
+        assert!(report.signing.macos.sign.p12_file.is_some());
+        assert!(report
+            .warnings
+            .iter()
+            .any(|warning| { warning.contains("p12File supplies the signing certificate") }));
+
+        let json = serde_json::to_string(&report).expect("report should serialize");
+        assert!(!json.contains("p12-secret"));
+
+        let _ = fs::remove_dir_all(root);
+    }
+
+    #[test]
+    fn plans_macos_p12_signing_for_notarization_with_default_timestamp() {
+        let root = unique_temp_dir("macos-p12-notarization-signing-plan");
+        write_package_json(&root);
+        fs::write(root.join("developer-id.p12"), "not a real p12")
+            .expect("p12 placeholder should be written");
+        fs::write(
+            root.join("forge.config.js"),
+            r#"
+            module.exports = {
+              packagerConfig: {
+                appBundleId: 'com.example.notarized',
+                osxSign: {
+                  p12File: 'developer-id.p12',
+                  p12PasswordEnv: 'P12_PASSWORD',
+                },
+                osxNotarize: {
+                  keychainProfile: 'notary-profile',
+                },
+              },
+            };
+            "#,
+        )
+        .expect("forge config should be written");
+        write_app_file(&root);
+        write_fake_electron_dist(&root);
+
+        let args = PackageArgs {
+            cwd: root.clone(),
+            out_dir: PathBuf::from("out"),
+            name: None,
+            platform: Some("darwin".to_string()),
+            arch: Some("arm64".to_string()),
+            force: false,
+            dry_run: true,
+            json: true,
+        };
+        let snapshot = crate::project::inspect(&root).expect("project should inspect");
+        let report = build_report(snapshot, &args).expect("report should build");
+
+        assert!(report.signing.macos.sign.will_execute);
+        assert_eq!(
+            report.signing.macos.sign.timestamp_url.as_deref(),
+            Some(APPLE_TIMESTAMP_URL)
+        );
+        assert!(report.signing.macos.sign.for_notarization);
+        assert_eq!(
+            report.signing.macos.notarize.auth_method.as_deref(),
+            Some("keychain-profile")
+        );
+        assert!(!report
+            .warnings
+            .iter()
+            .any(|warning| warning.contains("ad-hoc signing is not notarizable")));
+
+        let settings = macos_signing_settings(&report).expect("signing settings should build");
+        assert!(settings.for_notarization());
+        assert_eq!(
+            settings.time_stamp_url().map(|url| url.as_str()),
+            Some(APPLE_TIMESTAMP_URL)
+        );
+
+        let json = serde_json::to_string(&report).expect("report should serialize");
+        assert!(!json.contains("P12_PASSWORD="));
+
+        let _ = fs::remove_dir_all(root);
+    }
+
+    #[test]
+    fn warns_when_macos_notarization_timestamp_is_disabled() {
+        let root = unique_temp_dir("macos-p12-notarization-no-timestamp");
+        write_package_json(&root);
+        fs::write(root.join("developer-id.p12"), "not a real p12")
+            .expect("p12 placeholder should be written");
+        fs::write(
+            root.join("forge.config.js"),
+            r#"
+            module.exports = {
+              packagerConfig: {
+                osxSign: {
+                  p12File: 'developer-id.p12',
+                  timestamp: 'none',
+                },
+                osxNotarize: {
+                  keychainProfile: 'notary-profile',
+                },
+              },
+            };
+            "#,
+        )
+        .expect("forge config should be written");
+        write_app_file(&root);
+        write_fake_electron_dist(&root);
+
+        let args = PackageArgs {
+            cwd: root.clone(),
+            out_dir: PathBuf::from("out"),
+            name: None,
+            platform: Some("darwin".to_string()),
+            arch: Some("arm64".to_string()),
+            force: false,
+            dry_run: true,
+            json: true,
+        };
+        let snapshot = crate::project::inspect(&root).expect("project should inspect");
+        let report = build_report(snapshot, &args).expect("report should build");
+
+        assert!(report.signing.macos.sign.will_execute);
+        assert!(report.signing.macos.sign.timestamp_url.is_none());
+        assert!(!report.signing.macos.sign.for_notarization);
+        assert!(report
+            .warnings
+            .iter()
+            .any(|warning| warning.contains("requires a secure timestamp")));
+
+        let _ = fs::remove_dir_all(root);
+    }
+
     #[test]
     fn warns_when_macos_notarization_is_configured_without_signing() {
         let root = unique_temp_dir("notarize-without-sign");
@@ -2252,6 +2701,69 @@ mod tests {
         let _ = fs::remove_dir_all(root);
     }
 
+    #[test]
+    fn packages_macos_bundle_with_p12_certificate_signature() {
+        if current_platform() != "darwin" {
+            return;
+        }
+
+        let Some(p12_fixture) = apple_codesign_test_fixture("apple-codesign-testuser.p12") else {
+            return;
+        };
+
+        let root = unique_temp_dir("macos-p12-signing-execute");
+        fs::copy(&p12_fixture, root.join("developer-id.p12"))
+            .expect("p12 fixture should be copied");
+        fs::write(
+            root.join("package.json"),
+            r#"{"name":"starter-app","version":"0.1.0","main":"src/main.js","devDependencies":{"electron":"30.0.0"},"electronCli":{"packagerConfig":{"appBundleId":"com.example.p12-signed","osxSign":{"p12File":"developer-id.p12","p12Password":"password123","hardenedRuntime":true}}}}"#,
+        )
+        .expect("package.json should be written");
+        write_app_file(&root);
+        write_macho_electron_dist(&root);
+
+        let args = PackageArgs {
+            cwd: root.clone(),
+            out_dir: PathBuf::from("out"),
+            name: None,
+            platform: None,
+            arch: None,
+            force: false,
+            dry_run: false,
+            json: false,
+        };
+        let snapshot = crate::project::inspect(&root).expect("project should inspect");
+        let report = build_report(snapshot, &args).expect("report should build");
+
+        assert!(report.signing.macos.sign.will_execute);
+        assert_eq!(
+            report.signing.macos.sign.method.as_deref(),
+            Some("certificate-p12")
+        );
+        assert!(report.warnings.is_empty());
+
+        execute_package(&report, false).expect("package should succeed");
+
+        let executable = Path::new(report.bundle_dir.as_str())
+            .join("Contents/MacOS")
+            .join(&report.executable_name);
+        let executable_data = fs::read(executable).expect("signed executable should read");
+        let macho = apple_codesign::MachFile::parse(&executable_data)
+            .expect("signed executable should parse as Mach-O");
+        assert!(macho.iter_macho().all(|binary| {
+            let signature = binary
+                .code_signature()
+                .expect("code signature should parse")
+                .expect("code signature should exist");
+            signature
+                .signature_data()
+                .expect("CMS signature should parse")
+                .is_some_and(|data| !data.is_empty())
+        }));
+
+        let _ = fs::remove_dir_all(root);
+    }
+
     #[test]
     fn missing_required_runtime_dependency_fails() {
         let root = unique_temp_dir("runtime-deps");
@@ -2415,6 +2927,31 @@ mod tests {
         .expect("Mach-O test executable should be copied");
     }
 
+    fn apple_codesign_test_fixture(file_name: &str) -> Option<PathBuf> {
+        let cargo_home = std::env::var_os("CARGO_HOME")
+            .map(PathBuf::from)
+            .or_else(|| std::env::var_os("HOME").map(|home| PathBuf::from(home).join(".cargo")))?;
+        let registry_src = cargo_home.join("registry/src");
+        for index_dir in fs::read_dir(registry_src).ok()? {
+            let index_dir = index_dir.ok()?;
+            for crate_dir in fs::read_dir(index_dir.path()).ok()? {
+                let crate_dir = crate_dir.ok()?;
+                let file_name_matches = crate_dir
+                    .file_name()
+                    .to_str()
+                    .is_some_and(|name| name.starts_with("apple-codesign-"));
+                if file_name_matches {
+                    let candidate = crate_dir.path().join("src").join(file_name);
+                    if candidate.exists() {
+                        return Some(candidate);
+                    }
+                }
+            }
+        }
+
+        None
+    }
+
     fn unique_temp_dir(label: &str) -> PathBuf {
         let nanos = std::time::SystemTime::now()
             .duration_since(std::time::UNIX_EPOCH)