Embed TeamIdentifier in macOS CodeDirectory#392
Sensitive Change Detection (shadow mode): This PR modifies control-plane files:
1 issue found across 4 files
Prompt for AI agents (unresolved issues)
Check if these issues are valid — if so, understand the root cause of each and fix them. If appropriate, use sub-agents to investigate and fix each issue separately.
<file name=".github/workflows/release.yml">
<violation number="1" location=".github/workflows/release.yml:339">
P2: The notarization verification step only warns on failure, so the workflow can pass without notarization being accepted.</violation>
</file>
Pull request overview
This PR updates the macOS release pipeline to ensure signed Mach-O binaries include a populated TeamIdentifier in the CodeDirectory by switching from GoReleaser’s embedded goreleaser/quill fork to direct anchore/quill CLI usage.
Changes:
- Add a GoReleaser build hook to sign darwin binaries via `scripts/sign-darwin.sh` before archiving.
- Disable GoReleaser’s built-in macOS notarization and run `quill notarize` as a separate post-publish workflow step.
- Add a post-release `macos-verify` job and document signing/notarization tradeoffs in `RELEASING.md`.
Reviewed changes
Copilot reviewed 4 out of 4 changed files in this pull request and generated 4 comments.
| File | Description |
|---|---|
| scripts/sign-darwin.sh | New GoReleaser build hook script to sign darwin binaries using quill sign. |
| RELEASING.md | Documents the updated macOS signing/notarization flow and tradeoffs. |
| .goreleaser.yaml | Adds the signing hook and disables GoReleaser notarization. |
| .github/workflows/release.yml | Installs quill, prepares signing creds, notarizes post-publish, and adds a macOS verification job. |
💡 Codex Review
Here are some automated review suggestions for this pull request.
Reviewed commit: a0b99db3bd
Pull request overview
Copilot reviewed 4 out of 4 changed files in this pull request and generated 1 comment.
43fc75d to 8738e15
The goreleaser/quill fork (embedded in GoReleaser v2.14.x) never populates the TeamIdentifier field in the CodeDirectory during signing (anchore/quill#147). Replace the built-in notarize block with direct anchore/quill v0.7.1 CLI calls:
- Build hook (scripts/sign-darwin.sh) signs darwin binaries before archiving so archives, checksums, and tap manifests are correct. Fails closed in CI when QUILL_SIGN_P12 is set; skips in local dev.
- Notarization runs as a separate workflow step after GoReleaser publishes using --notary-* flags. Password via QUILL_SIGN_PASSWORD env var.
- Post-release macos-verify job asserts TeamIdentifier and hardened runtime for both darwin/amd64 and darwin/arm64 on a macOS runner. Notarization status is best-effort telemetry (ticket propagation can lag).
- Credentials written to $RUNNER_TEMP with umask 077, cleaned up via if: always(). Quill added to $GITHUB_PATH explicitly.
Revert path: #393 tracks reverting when goreleaser/quill syncs the fix.
8738e15 to 0015482
Summary
- `goreleaser/quill` fork) with direct `anchore/quill` v0.7.1 CLI calls that correctly populate the `TeamIdentifier` field in the CodeDirectory
- `macos-verify` job on a macOS runner that asserts TeamIdentifier and hardened runtime for both darwin/amd64 and darwin/arm64; notarization status is best-effort telemetry
- `$RUNNER_TEMP` with `umask 077`; quill added to `$GITHUB_PATH` explicitly
- `QUILL_SIGN_PASSWORD` env var (quill's native config, not a CLI flag); notarize uses `--notary-*` flag names
Fixes Help Scout #3270572064. Root cause: anchore/quill#147.
Follow-up: #393 tracks reverting when goreleaser/quill syncs the fix.
Test plan
- `make test-release` passes locally (hook no-ops without quill/certs)
- `goreleaser check` validates config
- `actionlint` passes on release workflow
- `bash -n scripts/sign-darwin.sh` passes
- `codesign -dv --verbose=4 basecamp 2>&1 | grep TeamIdentifier` returns `2WNYUYRS7G`
- `macos-verify` job passes in release workflow
- `spctl -a -vvv -t install basecamp`
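As an added example that is not code from the PR or the basecamp project, the following portable shell check covers the two assertions the description gives for the `macos-verify` job, applied to the captured text of `codesign -dv --verbose=4`. The team ID is the one quoted in the test plan above; the sample outputs are constructed, and the `CodeDirectory ... flags=0x...(runtime)` and `TeamIdentifier=` line shapes are assumed from codesign's usual verbose format.

```shell
#!/bin/sh
# Added example (not from the PR): check a binary's CodeDirectory the way the
# macos-verify job is described, from `codesign -dv --verbose=4 <bin> 2>&1`.
# EXPECTED_TEAM is the team ID quoted in the PR's test plan.
EXPECTED_TEAM="2WNYUYRS7G"

# verify_codedirectory <codesign-output>
# Returns 0 only when the CodeDirectory carries the expected TeamIdentifier
# and the hardened-runtime flag; prints the reason to stderr on failure.
verify_codedirectory() {
  out="$1"
  team=$(printf '%s\n' "$out" | sed -n 's/^TeamIdentifier=//p' | head -n 1)
  if [ "$team" != "$EXPECTED_TEAM" ]; then
    echo "FAIL: TeamIdentifier is '${team:-missing}', expected $EXPECTED_TEAM" >&2
    return 1
  fi
  # Hardened runtime shows up as "(runtime)" in the CodeDirectory flags field.
  if ! printf '%s\n' "$out" | grep -q '^CodeDirectory .*flags=0x[0-9a-f]*(.*runtime'; then
    echo "FAIL: hardened runtime flag not set on CodeDirectory" >&2
    return 1
  fi
  return 0
}

# Constructed sample: what a correctly signed binary should report.
GOOD_OUTPUT='Executable=/tmp/basecamp
Identifier=basecamp
Format=Mach-O thin (arm64)
CodeDirectory v=20500 size=1234 flags=0x10000(runtime) hashes=30+2 location=embedded
Signature size=9000
TeamIdentifier=2WNYUYRS7G
Runtime Version=13.0.0
Sealed Resources=none'

# Constructed sample: the symptom this PR fixes, TeamIdentifier left unset.
BAD_OUTPUT='Executable=/tmp/basecamp
Identifier=basecamp
Format=Mach-O thin (arm64)
CodeDirectory v=20500 size=1234 flags=0x10000(runtime) hashes=30+2 location=embedded
Signature size=9000
TeamIdentifier=not set
Sealed Resources=none'

if [ "${1:-}" = "--demo" ]; then
  verify_codedirectory "$GOOD_OUTPUT" && echo "good sample: OK"
  verify_codedirectory "$BAD_OUTPUT" || echo "bad sample: rejected as expected"
fi
```

On a macOS runner the same function can be fed `"$(codesign -dv --verbose=4 "$bin" 2>&1)"` for each of the darwin/amd64 and darwin/arm64 artifacts.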