Added apple docs

2022-10-12 16:48:38 -07:00 · 2022-10-12 16:48:38 -07:00 · 0e34ced34f
--- a/apple/certificates.md
+++ b/apple/certificates.md
@ -0,0 +1,21 @@
+# Apple Certificates
+
+Apple docs: https://developer.apple.com/support/certificates/
+
+The process to create a new certificate signing request can be found here:
+https://help.apple.com/developer-account/#/devbfa00fef7
+
+Instructions on how to issue new certs:
+https://mana.mozilla.org/wiki/pages/viewpage.action?spaceKey=RelEng&title=Signing#Signing-OSX&iOSSigning
+
+### Notes
+1. There's a limited amount of `Apple Distribution`, `Developer ID Installer`, 
+`Developer ID Application`, `iOS App Development` (and possibly others) that can
+be issued and valid at the same time.
+**BE EXTREMELY CAREFUL WITH ISSUED CERTIFICATES.**
+
+1. `App Managers` with `Access to Certificates, Identifiers & Profiles` are able
+to issue production level certificates. We should avoid giving out this type of
+access.
+
+1. If we migrate to autograph/rcodesign, we won't need to hold the certificate in a keychain
--- a/apple/index.rst
+++ b/apple/index.rst
@ -0,0 +1,21 @@
+Apple Developer Portal
+======================
+
+Apple developer portal can be accessed at https://developer.apple.com.
+Credentials can be found in the RelEng SOPS under apple-accounts.yml
+
+____
+Bitrise: https://app.bitrise.io/users/sign_in.
+
+Access given via ldap group in conjunction to a Bitrise account.
+____
+
+
+Contents:
+
+.. toctree::
+    :maxdepth: 2
+
+    certificates.md
+    user_access.md
+    provisioning_profiles.md
--- a/apple/provisioning_profiles.md
+++ b/apple/provisioning_profiles.md
@ -0,0 +1,6 @@
+# Provisioning Profiles
+
+Production profiles are used when developers want to bypass notarization.
+
+Development profiles include a list of devices, where the application will be
+able to install and run without a production-level signing process.
--- a/apple/user_access.md
+++ b/apple/user_access.md
@ -0,0 +1,19 @@
+# Apple Account User Access
+
+All mozilla apple (mac/iOS) developers will need an apple account. We should try
+as much as possible only give out permissions to their @m.c accounts. Personal
+accounts should be avoided in case the developer leaves the company and we don't
+delete the apple account.
+
+## Permissions
+Roles are confusing!
+
+An user with `Developer` Role, and 
+`Access to Certificates, Identifiers & Profiles` will only be able to access 
+development-level items. **The majority of developers will want this combination.**
+
+`App Managers` with `Access to Certificates, Identifiers & Profiles` will be able
+to issue production-level certificates. **It is very unlikely that we should 
+allow this type of access. Make sure the user understands this risk.**
+
+Sales, Marketing and Finance users will likely want `Access to Reports`.
--- a/index.rst
+++ b/index.rst
@ -50,6 +50,7 @@ Contents:
   machine-users.rst
   troubleshooting.rst
   gecko_tests/index.rst
+   apple/index.rst

 .. toctree::
   :caption: Meta