update Developer ID Application cert

.github/workflows/release.yml

@@ -32,6 +32,7 @@ jobs:
     - uses: apple-actions/import-codesign-certs@v3
       with:
         keychain: ${{ env.KEYCHAIN }}
+        # base64 enc of Developer ID Application + Developer ID Application with priv keys p12
         p12-file-base64: ${{ secrets.CERTIFICATES_P12 }}
         p12-password: ${{ secrets.CERTIFICATES_P12_PASSWORD }}
 
@@ -101,6 +102,7 @@ jobs:
         CASK_SHA256=$(shasum --algorithm 256 "build/Release/MailTrackerBlocker.pkg" | awk '{print $1}')
 
         brew update
+        brew tap homebrew/cask --force
         brew bump-cask-pr --no-browse --sha256 ${CASK_SHA256} --version ${CASK_VERSION} --no-audit --no-style ${CASK_NAME}
 
         cd apparition47-homebrew-tap

CHANGELOG.md

@@ -1,5 +1,10 @@
 # Changelog
 
+## [0.8.9] - 2025-07-12
+
+- Important: the signing certificate has changed so the auto-updater will fail to update. Please manually update.
+- add beehiiv rule (thanks Damon S.)
+
 ## [0.8.7] - 2025-02-04
 
 - updated ruleset (thanks @Jee-Bee, James M. Damon S.)

MailTrackerBlocker.xcodeproj/project.pbxproj

@@ -3730,6 +3730,7 @@
 				BUNDLE_LOADER = /System/Applications/Mail.app/Contents/MacOS/Mail;
 				CLANG_ENABLE_OBJC_ARC = YES;
 				CODE_SIGN_ENTITLEMENTS = "";
+				"CODE_SIGN_IDENTITY[sdk=macosx*]" = "Developer ID Application";
 				COMBINE_HIDPI_IMAGES = YES;
 				COPY_PHASE_STRIP = NO;
 				DEBUG_INFORMATION_FORMAT = "dwarf-with-dsym";
@@ -3779,6 +3780,7 @@
 				BUNDLE_LOADER = /System/Applications/Mail.app/Contents/MacOS/Mail;
 				CLANG_ENABLE_OBJC_ARC = YES;
 				CODE_SIGN_ENTITLEMENTS = "";
+				"CODE_SIGN_IDENTITY[sdk=macosx*]" = "Developer ID Application";
 				COMBINE_HIDPI_IMAGES = YES;
 				COPY_PHASE_STRIP = YES;
 				DEBUG_INFORMATION_FORMAT = "dwarf-with-dsym";

Source/MTBPackageValidator.m

@@ -8,9 +8,11 @@
 #import "MTBPackageValidator.h"
 #import <xar/xar.h>
 
-// PKCS#1 base64 enc output from SecKeyCopyExternalRepresentation
-// of my Developer ID Installer (XXX)
-const NSString *pinnedDevIDInstallerPKCS1PubKey = @"MIIBCgKCAQEA0vFlrhW0ldvlYKgQe8tQ+wsI6wzoKsjTF7M/fdnzx2SP0NqVQ/eLYk9wCiCQEJkZJXZznGyXzl1oeTjjQVfsH2TvMElhEzKXcyCEOd7axmEYGro/wwZlTlYEGOuR9GwgghCltHU9x/cSyOMDPOcM+ySG9Porea+GPbyeURzeT4QnSKMCE2y+Tdxo/aRgJfcn57DRXCFy/CEhMPJm8axr2bsoLfaj6RHA7TrQurphryvO9VBKL+2b1sbj9B8OXunlwe5t4Bq3DfXpjzhPWt1pXdve+q8qbtIatrLgYcpq1yOfhToMVQzMBf2NHteqPhhaHRDEG0gmjzoUD9r6sAwwRQIDAQAB";
+// Use the public key of your Developer ID Installer
+// Derived from PKCS#1 base64 enc output from SecKeyCopyExternalRepresentation of my Developer ID Installer (XXX)
+// OR command to get without ASN.1 parsing output:
+// $ security find-certificate -c "Developer ID Installer: Name (TEAM_ID)" -p | openssl x509 -pubkey -noout | openssl asn1parse -strparse 19 -noout -out - | base64
+const NSString *pinnedDevIDInstallerPKCS1PubKey = @"MIIBCgKCAQEAxTrGKLRw9XGmHprzbVYQyvApHGlqz7lm0/P3VOMUqHcvZR/hnL3qrM7BISbyqbFFygFrpEiy1HBwbGKPEa3WOaxo+FWFK1EuVPLCWX45JA7uyc5xusdcPjnYWkPeZ3teaRfEKPvTZGpKs33iUmfwNu+3xFH7kqBJjacV3IPn25rmQDsoEirfy0te8Tjxzj6ORJUlwcNn1qjjdOLwDhRAYZrskGFNE2ZUQ26iVHW0/PCt8B4zQNyujwOe80Sw14S1pw+MLUw2JSbQ/hKsn4iWAnWRmNh1zkjlwwQf8l5bSa444bpaXqUaTcKvBd/iEehlXfSkoTXf6Fdr/+QL9xYfnwIDAQAB";
 
 @implementation MTBPackageValidator
 +(BOOL)isPkgSignatureValidAtURL:(NSURL *)url {

Version.config

@@ -1,7 +1,7 @@
 TOOL=MailTrackerBlocker_#MACOS_VERSION#
 MAJOR=0
 MINOR=8
-REVISION=8
+REVISION=9
 unset PRERELEASE
 
 VERSION="${MAJOR}.${MINOR}${REVISION:+.$REVISION}${PRERELEASE}"