Skip to content

ci: allow development-signed releases#25

Merged
sozercan merged 1 commit into
masterfrom
agent/development-signed-releases
Jul 16, 2026
Merged

ci: allow development-signed releases#25
sozercan merged 1 commit into
masterfrom
agent/development-signed-releases

Conversation

@sozercan

Copy link
Copy Markdown
Owner

Summary

  • allow published releases to use an Apple Development signing identity
  • keep ad-hoc fallback disabled for public releases
  • continue notarizing only Developer ID builds
  • verify the signed app's actual team identifier against APPLE_TEAM_ID

Why

The project does not have a paid Apple Developer Program account, so public releases need to use the available Apple Development certificate instead of Developer ID signing.

Validation

  • ./scripts/test.sh
  • actionlint .github/workflows/release.yml
  • universal arm64/x86_64 Release build with version 2.0.0
  • local Apple Development signing and strict codesign verification
  • verified TeamIdentifier=57QNR9B89Q and Finder automation entitlement

Signed-off-by: Sertac Ozercan <sozercan@gmail.com>
Copilot AI review requested due to automatic review settings July 16, 2026 06:51

Copilot AI left a comment

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Pull request overview

Enables public releases signed with Apple Development certificates while preserving Developer ID notarization.

Changes:

  • Allows Apple Development signing for published releases.
  • Prevents ad-hoc signing and validates team IDs.
  • Restricts notarization to Developer ID builds.
Show a summary per file
File Description
.github/workflows/release.yml Updates release signing selection and verification.

Review details

Tip

Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.

  • Files reviewed: 1/1 changed files
  • Comments generated: 1
  • Review effort level: Medium

Comment on lines +167 to +169
if [ -n "$APPLE_DEVELOPMENT" ]; then
echo "::add-mask::$APPLE_DEVELOPMENT"
echo "::warning::Using Apple Development signing; this build will not be notarized."
echo "::warning::Using Apple Development signing; this release will not be notarized."
@sozercan
sozercan merged commit fcc4c91 into master Jul 16, 2026
2 checks passed

@chatgpt-codex-connector chatgpt-codex-connector Bot left a comment

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

💡 Codex Review

Here are some automated review suggestions for this pull request.

Reviewed commit: 1667dc26b0

ℹ️ About Codex in GitHub

Your team has set up Codex to review pull requests in this repo. Reviews are triggered when you

  • Open a pull request for review
  • Mark a draft as ready
  • Comment "@codex review".

If Codex has suggestions, it will comment; otherwise it will react with 👍.

Codex can also answer questions or update the PR. Try commenting "@codex address that feedback".

APPLE_DEVELOPMENT=$(security find-identity -v -p codesigning "$KEYCHAIN_PATH" 2>/dev/null \
| awk '/Apple Development/ { print $2; exit }' || true)
if [ -n "$APPLE_DEVELOPMENT" ] && [ "$REQUIRE_DEVELOPER_ID" != "true" ]; then
if [ -n "$APPLE_DEVELOPMENT" ]; then

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

P2 Badge Filter Apple Development identities by team

When APPLE_TEAM_ID is set (mandatory for push/publish releases) and the imported PKCS#12 contains multiple Apple Development identities, the security find-identity pipeline above keeps the first one and this changed condition accepts it without checking the team. The later TeamIdentifier validation then fails after the full build even if a matching development identity exists later in the same keychain, so release success depends on export order; filter Apple Development identities by EXPECTED_TEAM_ID like the Developer ID path.

Useful? React with 👍 / 👎.

if [ -n "$APPLE_DEVELOPMENT" ]; then
echo "::add-mask::$APPLE_DEVELOPMENT"
echo "::warning::Using Apple Development signing; this build will not be notarized."
echo "::warning::Using Apple Development signing; this release will not be notarized."

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

P1 Badge Block public Apple Development releases

When this branch is taken for a tag push or publish=true run, the workflow now continues to the GitHub release and stable Homebrew cask publishing steps even though the artifact is only Apple Development-signed and explicitly not notarized. Apple’s distribution guidance says Mac apps distributed outside the Mac App Store need Developer ID signing/notarization for Gatekeeper, so this scenario publishes a ZIP that normal Homebrew/GitHub users cannot launch without disabling Gatekeeper; keep Apple Development signing limited to non-published validation builds or do not publish the cask/release from this path. See https://help.apple.com/xcode/mac/current/en.lproj/dev033e997ca.html

Useful? React with 👍 / 👎.

@sozercan
sozercan deleted the agent/development-signed-releases branch July 16, 2026 17:52
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

2 participants