From 69a6538567554f8877aea4bf88850159d1e32750 Mon Sep 17 00:00:00 2001
From: Peter Steinberger <steipete@gmail.com>
Date: Sat, 27 Dec 2025 19:24:24 +0100
Subject: [PATCH] docs: note notarytool profile

---
 appcast.xml         | 2 +-
 docs/RELEASING.md   | 1 +
 docs/mac/release.md | 4 ++++
 3 files changed, 6 insertions(+), 1 deletion(-)

diff --git a/appcast.xml b/appcast.xml
index 7365a6392..79fa714cc 100644
--- a/appcast.xml
+++ b/appcast.xml
@@ -126,7 +126,7 @@
 </ul>
 <p><a href="https://github.com/steipete/clawdis/blob/main/CHANGELOG.md">View full changelog</a></p>
 ]]></description>
-            <enclosure url="https://github.com/steipete/clawdis/releases/download/v2.0.0-beta3/Clawdis-2.0.0-beta3.zip" length="70404952" type="application/octet-stream" sparkle:edSignature="NMyAKWKCTFKRjMCK9bnGrFyjAav69PHhh4Y/HdMp11QQ2CISDIjvtRj80gVRszzB0SX4pxSvt9/9EOx1jJ9eDw=="/>
+            <enclosure url="https://github.com/steipete/clawdis/releases/download/v2.0.0-beta3/Clawdis-2.0.0-beta3.zip" length="70407960" type="application/octet-stream" sparkle:edSignature="A8ySMmbLRrpIkqkrmc9QrC+6om8Iyqray/6x/YNiJxDoJeXjp2T5t8XT0CKJeNBUlDkzIj/fwiK53v0qQ59cDQ=="/>
         </item>
     </channel>
 </rss>
\ No newline at end of file
diff --git a/docs/RELEASING.md b/docs/RELEASING.md
index 38c603f99..7562c167f 100644
--- a/docs/RELEASING.md
+++ b/docs/RELEASING.md
@@ -36,6 +36,7 @@ Use `pnpm` (Node 22+) from the repo root. Keep the working tree clean before tag
 - [ ] Generate the Sparkle appcast (HTML notes via `scripts/make_appcast.sh`) and update `appcast.xml`.
 - [ ] Keep the app zip (and optional dSYM zip) ready to attach to the GitHub release.
 - [ ] Follow `docs/mac/release.md` for the exact commands and required env vars.
+  - If notarizing, use the `clawdis-notary` keychain profile created from App Store Connect API env vars (see `docs/mac/release.md`).
 
 6) **Publish (npm)**
 - [ ] Confirm git status is clean; commit and push as needed.
diff --git a/docs/mac/release.md b/docs/mac/release.md
index 9372f25b7..73b042daa 100644
--- a/docs/mac/release.md
+++ b/docs/mac/release.md
@@ -13,6 +13,10 @@ This app now ships Sparkle auto-updates. Release builds must be Developer ID–s
 - Developer ID Application cert installed (`Developer ID Application: Peter Steinberger (Y5PE65HELJ)` is expected).
 - Sparkle private key path set in the environment as `SPARKLE_PRIVATE_KEY_FILE`; key lives in `/Users/steipete/Library/CloudStorage/Dropbox/Backup/Sparkle` (same key as Trimmy; public key baked into Info.plist).
 - Notary credentials (keychain profile or API key) for `xcrun notarytool` if you want Gatekeeper-safe DMG/zip distribution.
+  - We use a Keychain profile named `clawdis-notary`, created from App Store Connect API key env vars in your shell profile:
+    - `APP_STORE_CONNECT_API_KEY_P8`, `APP_STORE_CONNECT_KEY_ID`, `APP_STORE_CONNECT_ISSUER_ID`
+    - `echo "$APP_STORE_CONNECT_API_KEY_P8" | sed 's/\\n/\n/g' > /tmp/clawdis-notary.p8`
+    - `xcrun notarytool store-credentials "clawdis-notary" --key /tmp/clawdis-notary.p8 --key-id "$APP_STORE_CONNECT_KEY_ID" --issuer "$APP_STORE_CONNECT_ISSUER_ID"`
 - `pnpm` deps installed (`pnpm install --config.node-linker=hoisted`).
 - Sparkle tools are fetched automatically via SwiftPM at `apps/macos/.build/artifacts/sparkle/Sparkle/bin/` (`sign_update`, `generate_appcast`, etc.).