Skip to content

Add macOS code signing and notarization to release workflow#338

Open
forketyfork wants to merge 2 commits into
mainfrom
air/main
Open

Add macOS code signing and notarization to release workflow#338
forketyfork wants to merge 2 commits into
mainfrom
air/main

Conversation

@forketyfork

Copy link
Copy Markdown
Owner

No description provided.

Co-Authored-By: Claude <claude@air.dev>

Copilot AI left a comment

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Pull request overview

Adds Developer ID code signing and Apple notarization to the macOS release pipeline so published release archives should pass Gatekeeper by default.

Changes:

  • Introduces a scripts/notarize-macos.sh helper to submit, wait, staple, and validate notarization for Architect.app.
  • Updates scripts/bundle-macos.sh to support real Developer ID signing via APPLE_SIGNING_IDENTITY (while keeping ad-hoc signing as the local default).
  • Extends the GitHub Actions release workflow to import signing certs, notarize per-arch artifacts, and updates documentation accordingly.

Reviewed changes

Copilot reviewed 6 out of 6 changed files in this pull request and generated 2 comments.

Show a summary per file
File Description
scripts/notarize-macos.sh New script to zip, submit, staple, and validate notarization for the app bundle.
scripts/bundle-macos.sh Adds support for Developer ID signing (runtime + timestamp) and centralizes signing logic.
README.md Updates macOS install notes to reflect notarized release artifacts; clarifies Homebrew/source behavior.
docs/development.md Documents required APPLE_* secrets and one-time setup steps for signing/notarization.
CLAUDE.md Adds a repo note capturing the new release workflow signing/notarization requirements.
.github/workflows/release.yaml Imports signing certs, notarizes the app, and adjusts timeouts and release packaging flow.

💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.

Comment thread .github/workflows/release.yaml
Comment thread .github/workflows/release.yaml Outdated

@chatgpt-codex-connector chatgpt-codex-connector Bot left a comment

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

💡 Codex Review

Here are some automated review suggestions for this pull request.

Reviewed commit: 7819de4406

ℹ️ About Codex in GitHub

Your team has set up Codex to review pull requests in this repo. Reviews are triggered when you

  • Open a pull request for review
  • Mark a draft as ready
  • Comment "@codex review".

If Codex has suggestions, it will comment; otherwise it will react with 👍.

Codex can also answer questions or update the PR. Try commenting "@codex address that feedback".

Comment thread .github/workflows/release.yaml Outdated
Pass secrets via env: instead of interpolating ${{ secrets.* }} directly
into the shell script (Copilot/Codex flagged the secrets-verification step
as vulnerable to metacharacter breakage). Also harden temp key material
handling with umask-restricted writes and EXIT traps so the .p12/.p8 files
are cleaned up even if a step fails partway through.

Co-Authored-By: Claude Sonnet 5 <noreply@anthropic.com>
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

2 participants