功能描述

Scaffold, build, and package SwiftPM-based macOS apps without an Xcode project. Use when you need a from-scratch macOS app layout, SwiftPM targets/resources, a custom .app bundle assembly script, or signing/notarization/appcast steps outside Xcode.

使用说明 (SKILL.md)

macOS SwiftPM App Packaging (No Xcode)

Name: Macos Spm App Packaging
Author: dimillian

Overview

Bootstrap a complete SwiftPM macOS app folder, then build, package, and run it without Xcode. Use assets/templates/bootstrap/ for the starter layout and references/packaging.md + references/release.md for packaging and release details.

Two-Step Workflow

Bootstrap the project folder
- Copy assets/templates/bootstrap/ into a new repo.
- Rename MyApp in Package.swift, Sources/MyApp/, and version.env.
- Customize APP_NAME, BUNDLE_ID, and versions.
Build, package, and run the bootstrapped app
- Copy scripts from assets/templates/ into your repo (for example, Scripts/).
- Build/tests: swift build and swift test.
- Package: Scripts/package_app.sh.
- Run: Scripts/compile_and_run.sh (preferred) or Scripts/launch.sh.
- Release (optional): Scripts/sign-and-notarize.sh and Scripts/make_appcast.sh.
- Tag + GitHub release (optional): create a git tag, upload the zip/appcast to the GitHub release, and publish.

Templates

assets/templates/package_app.sh: Build binaries, create the .app bundle, copy resources, sign.
assets/templates/compile_and_run.sh: Dev loop to kill running app, package, launch.
assets/templates/build_icon.sh: Generate .icns from an Icon Composer file (requires Xcode install).
assets/templates/sign-and-notarize.sh: Notarize, staple, and zip a release build.
assets/templates/make_appcast.sh: Generate Sparkle appcast entries for updates.
assets/templates/setup_dev_signing.sh: Create a stable dev code-signing identity.
assets/templates/launch.sh: Simple launcher for a packaged .app.
assets/templates/version.env: Example version file consumed by packaging scripts.
assets/templates/bootstrap/: Minimal SwiftPM macOS app skeleton (Package.swift, Sources/, version.env).

Notes

Keep entitlements and signing configuration explicit; edit the template scripts instead of reimplementing.
Remove Sparkle steps if you do not use Sparkle for updates.
Sparkle relies on the bundle build number (CFBundleVersion), so BUILD_NUMBER in version.env must increase for each update.
For menu bar apps, set MENU_BAR_APP=1 when packaging to emit LSUIElement in Info.plist.

安全使用建议

This skill appears to provide legitimate macOS SwiftPM packaging workflows, but several scripts perform sensitive actions. Before using/installing: 1) Review the scripts line-by-line (especially setup_dev_signing.sh and sign-and-notarize.sh). 2) Do not paste private keys or App Store Connect key material into an agent or into environment variables unless you trust the source; the scripts write keys to /tmp and call notarization APIs. 3) Be aware setup_dev_signing.sh will create and import a certificate into your login keychain—only run it if you understand and accept that change, and prefer to create/import certs manually in Keychain Access. 4) Run these scripts in an isolated/test environment (or VM) first. 5) Prefer obtaining this tooling from a repository with a known maintainer, commit history, and checksums; lack of a homepage/source URL is an additional risk. If you provide the App Store Connect/P8 key or Sparkle private key, ensure you rotate or audit use afterward. Additional information that would increase confidence: a public source repo, maintainer identity, release signatures/checksums, and an explicit manifest of which env vars are required vs optional.

功能分析

Type: OpenClaw Skill Name: macos-spm-app-packaging Version: 1.0.0 The skill bundle is classified as suspicious due to its handling of sensitive credentials and execution of high-privilege security operations. Specifically, `assets/templates/setup_dev_signing.sh` directly modifies the user's keychain to install a code-signing identity, and `assets/templates/sign-and-notarize.sh` processes highly sensitive App Store Connect API keys for app notarization, temporarily writing the private key to disk. Additionally, `assets/templates/package_app.sh` and `assets/templates/make_appcast.sh` perform code signing and appcast signing, respectively, using provided identities or private keys, which are inherently high-risk operations, even if for their stated purpose of macOS app packaging.

能力评估

ℹ Purpose & Capability

The name/description (SwiftPM macOS packaging, signing, notarization, appcast) aligns with the included templates and docs. The templates implement expected functionality: building, packaging, codesigning, notarization, and Sparkle appcast generation. Minor mismatch: registry metadata lists no required env vars, but the scripts and reference docs document several optional but sensitive environment variables used for notarization and Sparkle (APP_STORE_CONNECT_*, SPARKLE_PRIVATE_KEY_FILE, APP_IDENTITY).

⚠ Instruction Scope

SKILL.md and templates instruct running build/package/sign/notarize flows and include scripts that: call git, swift build/test, lipo, codesign, xcrun notarytool, spctl, security import, openssl and write temporary files in /tmp. The scripts will write an App Store Connect key file from an env var, import a generated PKCS#12 into the user's login keychain, and remove temp files—these are beyond simple file scaffolding and modify system state. The SKILL.md does not instruct arbitrary data exfiltration, but the scripts reference environment variables and system commands that are sensitive and can affect the user's keychain and signing identities.

✓ Install Mechanism

No install spec (instruction-only with included template files). No network downloads or remote installers are embedded in the skill. All code is present in the template files so nothing external is fetched by the skill itself.

⚠ Credentials

The skill metadata declares no required environment variables, yet several templates and the release docs rely on sensitive env vars at runtime: APP_STORE_CONNECT_API_KEY_P8, APP_STORE_CONNECT_KEY_ID, APP_STORE_CONNECT_ISSUER_ID (notarization), SPARKLE_PRIVATE_KEY_FILE / SPARKLE_DOWNLOAD_URL_PREFIX / SPARKLE_RELEASE_VERSION (appcast), APP_IDENTITY, and optional APP_ENTITLEMENTS. These credentials are reasonable for notarization/appcast flows but are sensitive; scripts write API key contents to /tmp and import certificates into the login keychain—actions that should be made explicit to users and not assumed safe.

⚠ Persistence & Privilege

The skill does not request 'always' or persistent inclusion, but some templates (setup_dev_signing.sh) create certificates and import them into the user's login keychain (security import). That modifies system state and can create persistent signing identities. sign-and-notarize.sh uses the App Store Connect key written into /tmp for notarytool operations. These behaviors require the user's explicit consent and careful review because they affect system-level trust and signing configuration.

版本历史

v1.0.0

Inital release

元数据

Slug macos-spm-app-packaging

版本 1.0.0

许可证 —

累计安装 4

当前安装数 4

历史版本数 1

常见问题

Macos Spm App Packaging 是什么？

Scaffold, build, and package SwiftPM-based macOS apps without an Xcode project. Use when you need a from-scratch macOS app layout, SwiftPM targets/resources, a custom .app bundle assembly script, or signing/notarization/appcast steps outside Xcode. 它是一个面向 Claude Code / OpenClaw 的 AI Agent Skill 插件，目前累计下载 2242 次。

如何安装 Macos Spm App Packaging？

在 OpenClaw 或 Claude Code 对话框中运行命令「/install macos-spm-app-packaging」即可一键安装，无需额外配置。

Macos Spm App Packaging 是免费的吗？

是的，Macos Spm App Packaging 完全免费（开源免费），可自由下载、安装和使用。

Macos Spm App Packaging 支持哪些平台？

Macos Spm App Packaging 跨平台运行，可在任意部署了 OpenClaw / Claude Code 的环境中使用（cross-platform）。

谁开发了 Macos Spm App Packaging？

由 Dimillian（@dimillian）开发并维护，当前版本 v1.0.0。

Macos Spm App Packaging